PP
Uploaded byPrashanth B. P.
PPTX, PDF628 views

DevSecOps : an Introduction

DevSecOps is a cultural change that incorporates security practices into software development through people, processes, and technologies. It aims to address security without slowing delivery by establishing secure-by-design approaches, automating security tools and processes, and promoting collaboration between developers, security engineers, and operations teams. As software and connected devices continue proliferating, application security must be a central focus of the development lifecycle through a DevSecOps methodology.

Technologyâ—¦

Embed presentation

Downloaded 28 times
z DevSecOps Prashanth Bharathi Prakash
z Its an evolution..
z The Facts • 159,700 total cyber incidents • 7 billion records exposed in first 3 Qtr • $5 billion financial impact • 93% of breaches could have been prevented *Online Trust Alliance report 2018
z How we manage software security? Source: “Managing Application Security”, Security Compass, 2017.
z Challenges of Secure Software Development  Legacy Software  Writing Secure code is hard  Lack of security skills  Emphasis on speed  Lack of risk focus, audits and controls points  Unsupervised collaboration  Wrong automated tools  Best practices are insufficient!  Vulnerabilities in development pipeline
z So we do last minute security..
z Lets define DevSecOps  Do we need Security? Obviously! → DevSecOps  Do we need order in configuration? Sure! → DevSecConfOps  And do we need to automate? Ideally yes. → DevSecConfAutoOps  Resilient? This is so important! → DevSecConfAutoResOps  Backups! We forgot about backups! → DevSecConfAutoResBackOps  Monitoring :-) → DevSecConfAutoResBackMonOp  Should I stop here? No → DevSecConfAutoResBackMonNoOp  Pigeons ate my breakfast while I was entertaining you → DevSecConfAutoResBackMonNoPigeonsAteMyBreakfastWhileIwasEntertaining YouOps
z Security becomes paramount in the new world of connected devices and must be addressed without breaking the rapid delivery, continuous feedback model!
z The Guiding Principles  Security is everybody’s business!  Start with the 3 Ps:  People  Process  Platform  Establish a process to enable people to succeed in using platform to develop secure applications  Build on existing people, process and tools
z The Guiding Principles Adopt Secure-by-Design rather than Secure-by-Test approach Enable development teams to create secure applications Automate as much as possible Reuse existing technology as much as possible Heavy collaboration between all stakeholders
z People  Invest in training on security skills!  Make learning a fun exercise!  Collaborate heavily (Dev Sec Ops)  Secure Design Decisions  Secure Environment Configuration  Secure Deployment planning  Secure code review
z Platforms  Automate environment creation and provisioning  Maintain parity between environments: dev, QA and production  Automated infrastructure testing  Be Open-Source aware!
z Process  Build on existing risk assessment processes / policies  Check the awareness of security policies in dev & ops teams  Create new processes only to improve existing ones Change is a journey.. Not a sprint !!
z How to bring-in Operations Monitor Key KPIs No. of applications threat modelled / scanned for vulnerabilities No. of applications reviewed by Architects No. of security requirements implemented % of open source libraries analysed Total number of critical and high vulnerabilities Number of penetration test vulnerabilities detected …. Monitor, Feedback, Remediate and Improve
z DevSecOps In Action Source Control Code Review Build Code Quality Deploy Testing A/B TestDesign Secure Coding Cloud-based hosting and access to application services through Cloud Platform Release Code Analysis (SonarQube, Coverity and Black Duck) Threat Modeling (Microsoft Threat Modeller, Secure Tree) Secure Coding Practices (Source Code Warrior, in- house trainings) Static Application Security Scanning (Fortify, Veracode, Coverity) Dynamic App Security Scanner (Fortify, IBM AppScan, Chekmarx, Veracode) DevSecOps Enabling tools Integrated Development Environment (Eclipse, X-code) Source Code Repository (Git / Gerrit) Continuous Integration (Jenkins) Deploy (Chef, Docker, Kubernetes) Test (Selenium, Grid, Cucumber) DevOps Enabling tools
z Reference Services for DevSecOps  Governance  Maturity Assessment  Process Engineering  Secure-By-Design  Security Training Curriculum  Threat Modeling  Code scanning Tool Integration  SAST, DAST, OSCA  Penetration Testing  DevSecOps Operationalization  Monitoring and Operations  SEIM Integration  Infrastructure Security
z Summary  DevSecOps is cultural change encompassing people, processes and technologies.  There is no “one-size fits-all“ scenario.  New technologies and ubiquitous access across devices / platforms makes application security the central focal point in software development. DevSecOps is the new mantra in S/W Dev Methodology
z For more information  SEI –Carnegie Mellon University  DevOps Blog: https://insights.sei.cmu.edu/devops  Webinar : https://www.sei.cmu.edu/publications/webinars/index.cfm  Podcast : https://www.sei.cmu.edu/publications/podcasts/index.cfm  DevSecOps: http://www.devsecops.org  Rugged Software: https://www.ruggedsoftware.org

More Related Content

PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PDF
The What, Why, and How of DevSecOps
byCprime
 
PDF
DevSecOps Basics with Azure Pipelines
byAbdul_Mujeeb
 
PPTX
DevOps to DevSecOps Journey..
bySiddharth Joshi
 
PDF
DevSecOps | DevOps Sec
byRubal Jain
 
PPTX
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
PDF
DevSecOps: Taking a DevOps Approach to Security
byAlert Logic
 
PPTX
DevSecOps
byJoel Divekar
 
Introduction to DevSecOps
byabhimanyubhogwan
 
The What, Why, and How of DevSecOps
byCprime
 
DevSecOps Basics with Azure Pipelines
byAbdul_Mujeeb
 
DevOps to DevSecOps Journey..
bySiddharth Joshi
 
DevSecOps | DevOps Sec
byRubal Jain
 
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
DevSecOps: Taking a DevOps Approach to Security
byAlert Logic
 
DevSecOps
byJoel Divekar
 

What's hot

PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PDF
The State of DevSecOps
byDevOps Indonesia
 
PDF
DevSecOps Implementation Journey
byDevOps Indonesia
 
PPTX
How to Get Started with DevSecOps
byCYBRIC
 
PDF
Introduction to DevSecOps
bySetu Parimi
 
PDF
DevSecOps What Why and How
byNotSoSecure Global Services
 
PDF
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
PDF
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
PDF
DevSecOps The Evolution of DevOps
byMichael Man
 
PPTX
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PDF
Demystifying DevSecOps
byArchana Joshi
 
PDF
DevSecOps in Baby Steps
byPriyanka Aash
 
PDF
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
PPTX
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
byMohamed Nizzad
 
PDF
Practical DevSecOps - Arief Karfianto
byidsecconf
 
PDF
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
byEdureka!
 
PPTX
DevSecOps
byCheah Eng Soon
 
PDF
2019 DevSecOps Reference Architectures
bySonatype
 
PDF
DevSecOps
byTomas Honzak
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
The State of DevSecOps
byDevOps Indonesia
 
DevSecOps Implementation Journey
byDevOps Indonesia
 
How to Get Started with DevSecOps
byCYBRIC
 
Introduction to DevSecOps
bySetu Parimi
 
DevSecOps What Why and How
byNotSoSecure Global Services
 
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
DevSecOps The Evolution of DevOps
byMichael Man
 
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Demystifying DevSecOps
byArchana Joshi
 
DevSecOps in Baby Steps
byPriyanka Aash
 
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
byMohamed Nizzad
 
Practical DevSecOps - Arief Karfianto
byidsecconf
 
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
byEdureka!
 
DevSecOps
byCheah Eng Soon
 
2019 DevSecOps Reference Architectures
bySonatype
 
DevSecOps
byTomas Honzak
 

Similar to DevSecOps : an Introduction

PDF
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
PPTX
Secure DevOPS Implementation Guidance
byTej Luthra
 
PPTX
DevSecOps Powerpoint Presentation for Students
bypoonawala2303
 
PPTX
What is devsecops and what is the characteristics of it
byamalsalah25
 
PDF
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
PPTX
DevSecOps Best Practices-Safeguarding Your Digital Landscape
bystevecooper930744
 
PPTX
Devsec ops
byVipinYadav257
 
PDF
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
PDF
How DevOps Improves Security DevSecOps Explained.pdf
byhimanshuwowit
 
PPTX
DevSecOps OWASP
byPriyanka Raghavan
 
PDF
Understanding DevSecOps.pdf
byCiente
 
PDF
Complete DevSecOps handbook_ Key differences, tools, benefits & best practice...
bymohitd6
 
PPTX
The DevSecOps Advantage: A Comprehensive Guide
byDev Software
 
PDF
AppSec How-To: Achieving Security in DevOps
byCheckmarx
 
PPTX
Succeeding-Marriage-Cybersecurity-DevOps final
byrkadayam
 
PDF
Outpost24 webinar: Turning DevOps and security into DevSecOps
byOutpost24
 
PDF
How To Implement DevSecOps In Your Existing DevOps Workflow
byEnov8
 
PDF
Scale security for a dollar or less
byMohammed A. Imran
 
PPTX
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
Secure DevOPS Implementation Guidance
byTej Luthra
 
DevSecOps Powerpoint Presentation for Students
bypoonawala2303
 
What is devsecops and what is the characteristics of it
byamalsalah25
 
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
bystevecooper930744
 
Devsec ops
byVipinYadav257
 
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
How DevOps Improves Security DevSecOps Explained.pdf
byhimanshuwowit
 
DevSecOps OWASP
byPriyanka Raghavan
 
Understanding DevSecOps.pdf
byCiente
 
Complete DevSecOps handbook_ Key differences, tools, benefits & best practice...
bymohitd6
 
The DevSecOps Advantage: A Comprehensive Guide
byDev Software
 
AppSec How-To: Achieving Security in DevOps
byCheckmarx
 
Succeeding-Marriage-Cybersecurity-DevOps final
byrkadayam
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
byOutpost24
 
How To Implement DevSecOps In Your Existing DevOps Workflow
byEnov8
 
Scale security for a dollar or less
byMohammed A. Imran
 
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 

Recently uploaded

PPSX
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
PPTX
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PDF
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
PPTX
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
PDF
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
PDF
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
PDF
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
PPTX
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PDF
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
PDF
MathML Core in WebKit
byIgalia
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
PDF
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
PDF
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
PDF
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PPTX
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
MathML Core in WebKit
byIgalia
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
In this document
Powered by AI

Introduction to DevSecOps highlighting its evolution in response to security challenges.

Statistics on cybersecurity incidents: 159,700 incidents, 7 billion records exposed, $5 billion impact, 93% preventable breaches.

Challenges faced in software security including legacy software, lack of skills, speed emphasis, and insufficient practices.

Definition of DevSecOps and its importance in ensuring security without impacting delivery speed and feedback.

Key principles include security as a shared responsibility, adopting secure-by-design, and heavy collaboration among teams.

Importance of training in security, fostering collaboration, secure design, and environment configuration.

Strategies for automating environment creation, maintaining parity, and awareness of open-source tools.

Building on existing processes for risk assessment and enhancing security policy awareness among teams.

Monitoring key performance indicators related to application security to enhance remediation processes.

Overview of tools involved in DevSecOps like code analysis, threat modeling, CI/CD tools, and secure coding practices.

Services related to DevSecOps including governance, maturity assessment, and security integration methodologies.

DevSecOps as a cultural change involving people, processes, and technology with no one-size-fits-all solution.

Links to resources for deeper understanding of DevSecOps including webinars, blogs, and community initiatives.

DevSecOps : an Introduction

  • 1.
  • 2.
  • 3.
    z The Facts • 159,700total cyber incidents • 7 billion records exposed in first 3 Qtr • $5 billion financial impact • 93% of breaches could have been prevented *Online Trust Alliance report 2018
  • 4.
    z How we managesoftware security? Source: “Managing Application Security”, Security Compass, 2017.
  • 5.
    z Challenges of SecureSoftware Development  Legacy Software  Writing Secure code is hard  Lack of security skills  Emphasis on speed  Lack of risk focus, audits and controls points  Unsupervised collaboration  Wrong automated tools  Best practices are insufficient!  Vulnerabilities in development pipeline
  • 6.
    z So we dolast minute security..
  • 7.
    z Lets define DevSecOps Do we need Security? Obviously! → DevSecOps  Do we need order in configuration? Sure! → DevSecConfOps  And do we need to automate? Ideally yes. → DevSecConfAutoOps  Resilient? This is so important! → DevSecConfAutoResOps  Backups! We forgot about backups! → DevSecConfAutoResBackOps  Monitoring :-) → DevSecConfAutoResBackMonOp  Should I stop here? No → DevSecConfAutoResBackMonNoOp  Pigeons ate my breakfast while I was entertaining you → DevSecConfAutoResBackMonNoPigeonsAteMyBreakfastWhileIwasEntertaining YouOps
  • 8.
    z Security becomes paramountin the new world of connected devices and must be addressed without breaking the rapid delivery, continuous feedback model!
  • 9.
    z The Guiding Principles Security is everybody’s business!  Start with the 3 Ps:  People  Process  Platform  Establish a process to enable people to succeed in using platform to develop secure applications  Build on existing people, process and tools
  • 10.
    z The Guiding Principles AdoptSecure-by-Design rather than Secure-by-Test approach Enable development teams to create secure applications Automate as much as possible Reuse existing technology as much as possible Heavy collaboration between all stakeholders
  • 11.
    z People  Invest intraining on security skills!  Make learning a fun exercise!  Collaborate heavily (Dev Sec Ops)  Secure Design Decisions  Secure Environment Configuration  Secure Deployment planning  Secure code review
  • 12.
    z Platforms  Automate environment creationand provisioning  Maintain parity between environments: dev, QA and production  Automated infrastructure testing  Be Open-Source aware!
  • 13.
    z Process  Build onexisting risk assessment processes / policies  Check the awareness of security policies in dev & ops teams  Create new processes only to improve existing ones Change is a journey.. Not a sprint !!
  • 14.
    z How to bring-inOperations Monitor Key KPIs No. of applications threat modelled / scanned for vulnerabilities No. of applications reviewed by Architects No. of security requirements implemented % of open source libraries analysed Total number of critical and high vulnerabilities Number of penetration test vulnerabilities detected …. Monitor, Feedback, Remediate and Improve
  • 15.
    z DevSecOps In Action Source Control Code Review Build Code Quality DeployTesting A/B TestDesign Secure Coding Cloud-based hosting and access to application services through Cloud Platform Release Code Analysis (SonarQube, Coverity and Black Duck) Threat Modeling (Microsoft Threat Modeller, Secure Tree) Secure Coding Practices (Source Code Warrior, in- house trainings) Static Application Security Scanning (Fortify, Veracode, Coverity) Dynamic App Security Scanner (Fortify, IBM AppScan, Chekmarx, Veracode) DevSecOps Enabling tools Integrated Development Environment (Eclipse, X-code) Source Code Repository (Git / Gerrit) Continuous Integration (Jenkins) Deploy (Chef, Docker, Kubernetes) Test (Selenium, Grid, Cucumber) DevOps Enabling tools
  • 16.
    z Reference Services forDevSecOps  Governance  Maturity Assessment  Process Engineering  Secure-By-Design  Security Training Curriculum  Threat Modeling  Code scanning Tool Integration  SAST, DAST, OSCA  Penetration Testing  DevSecOps Operationalization  Monitoring and Operations  SEIM Integration  Infrastructure Security
  • 17.
    z Summary  DevSecOps iscultural change encompassing people, processes and technologies.  There is no “one-size fits-all“ scenario.  New technologies and ubiquitous access across devices / platforms makes application security the central focal point in software development. DevSecOps is the new mantra in S/W Dev Methodology
  • 18.
    z For more information SEI –Carnegie Mellon University  DevOps Blog: https://insights.sei.cmu.edu/devops  Webinar : https://www.sei.cmu.edu/publications/webinars/index.cfm  Podcast : https://www.sei.cmu.edu/publications/podcasts/index.cfm  DevSecOps: http://www.devsecops.org  Rugged Software: https://www.ruggedsoftware.org

Editor's Notes

  • #8 Placing Sec between Dev and Ops is the ideal way to show that one doesn't understand anything about sorting apples and oranges.
  • #17 DevSecOps Operationalization Monitoring and Operations SEIM Integration Infrastructure Security