Introduction to DevSecOps
9 likes•2,523 views
The document provides a comprehensive overview of DevSecOps, highlighting its importance in integrating security practices into DevOps workflows to enhance application and infrastructure security. It discusses core practices, key challenges, recommendations, and a strategic approach for implementing DevSecOps, emphasizing the need for automated security controls and a culture of continuous monitoring. Additionally, it outlines a checklist for security assessments and trainings, along with links to further resources and the author's contact information.
Introduction to DevSecOps
- 1. INTRODUCTION TO DEVSECOPS “You build it, You secure it!”
- 2. Cloud Security Architect, Penetration Tester Setu Parimi Cybersecurity professional with extensive experience performing Vulnerability Assessments, Third-Party Application Security reviews, Penetration Testing, and Remediation support as it pertains to the security of Applications, Networks, Infrastructure, and Cloud domains. Cloud 90% DevSecOps 85% PenTesting 83% Trainings 65%
- 3. Security Consulting ● Product Security Audit ● Architecture Reviews ● Secure Architecture design ● Security Automations ● Threat Modelling ● Vendor Analysis ● AppSec Program ● MSSP Testing & Assessments ● Web Application Penetration Testing ● Cloud Infrastructure Pentesting ● Mobile Application Security Assessment ● Network pentesting and assessment ● Application Source code reviews Security Trainings ● Cloud Security Trainings ● DevSecOps Trainings ● Penetration testing training ● AWS Security Certification ● CCSK ● Cloud Security Automation ● AWS Cost Control ● SOC Training CloudSecOps.com | +123456 43777 | [email protected]
- 4. ➔ DevSecOps Introduction ➔ Key Challenges, Recommendations ➔ DevSecOps Analysis ➔ DevSecOps Core Practices ➔ DevSecOps pipeline for Application & Infrastructure Security ➔ DevSecOps Security Tools Selection Tips ➔ DevSecOps Implementation Strategy ➔ DevSecOps Checklist Agenda: 5-45-10
- 5. Continuous Delivery Small, incremental and frequent code pushes to production. Continuous delivery eschews large production code releases separated by weeks or months DevOps A new mode of intense collaboration between development and operations for the same goals. Continuous Delivery & DevOps
- 6. ➔ Automated Provisioning ➔ No-Downtime Deployments ➔ Monitoring ➔ Fail fast and Open ➔ Automated builds and testing DevOps Goals:
- 7. ➔ Team or Community effort, not an individuals’ ➔ Autonomous and Automated Security -> Security at Scale ➔ DevSecOps is an approach to IT security based on the principles of DevOps ➔ DevSecOps spans the entire IT stack ➔ DevSecOps also spans the full software lifecycle Information security architects must integrate security at multiple points into DevOps workflows in a collaborative way that is largely transparent to developers, and preserves the teamwork, agility and speed of DevOps and agile development environments, delivering "DevSecOps." DevSecOps:
- 9. Adding Security to DevOps:
- 10. Do You Believe Your Information Security Policies/Teams Are Slowing IT Down? Information Security Professionals IT Operations Professionals
- 11. ➔ DevOps compliance is a top concern of IT leaders, but information security is seen as an inhibitor to DevOps agility. ➔ Security infrastructure has lagged in its ability to become "software defined" and programmable, making it difficult to integrate security controls into DevOps-style workflows in an automated, transparent way ➔ Modern applications are largely "assembled," not developed, and developers often download and use known vulnerable open-source components and frameworks. DevSecOps Key Challenges:
- 12. ➔ Start with secure development and training, but don't make developers become security experts or switch tools. ➔ Embrace the concept of people-centric security and empower developers to take personal responsibility for security compensated for with monitoring. Embrace a "trust and verify" mindset. ➔ Require all information security platforms to expose full functionality via APIs for automatability. Recommendations:
- 13. ➔ Security Controls Must Be Programmable and Automated Wherever Possible ➔ Use IAM and Role-Based Access Control to Provide Separation of Duties ➔ Implement a Simple Risk and Threat Model for All Applications ➔ Scan Custom Code, Applications and APIs ➔ Scan for OSS Issues in Development ➔ Scan for Vulnerabilities and Correct Configuration in Development ➔ Treat Scripts/Recipes/Templates/Layers as Sensitive Code ➔ Measure System Integrity and Ensure Correct Configuration at Load ➔ Lock Down Production Infrastructure and Services DevSecOps Analysis:
- 15. Step 1: Assess Your Current Security Controls Step 2: Inserting “Sec” into DevOps Step 3: Integrate DevSecOps into Security Operations Delivering DevSecOps:
- 16. ➔ Most likely threats ➔ Data types and sensitivity ➔ System builds and controls ➔ Cloud Infrastructure security posture ➔ Existing controls in place ➔ Controls we lose in cloud Step 1: Assess Your Current Security Controls for Cloud
- 17. ➔ Development ➔ Inventory Management ➔ Configuration and Patch Posture ➔ Vulnerability Scanning and Assessment ➔ Account and Privilege Management ➔ Logging and Event Management ➔ Change Detection and Automated Rollback ➔ Microsegmentation Step 2: Inserting “Sec” into DevOps
- 18. Step 3: Integrate DevSecOps into Security Operations ➔ Security tools help to automate or speed up the DevOps processes Eg: Chef, Ansible,Puppet, Lambda ➔ Scenario: ◆ Security tools detect a suspicious behavior on an instance in the cloud provider environment and trigger an automated response workflow via APIs that communicate with a DevSecOps automation engine or product ◆ The network allocation of the instance is changed via scripts and API calls to a dedicated “quarantine virtual switch” in the cloud environment that has no direct Internet connectivity ◆ A local process begins disk and memory acquisition on the suspect instance, which is copied to a forensic storage node in the cloud controlled by the security team and automatically protected with dedicated encryption ◆ The security and operations teams can then automatically perform a rollback of the instance to a known good state (or likely create a new one from the most recent template).
- 19. DevSecOps pipeline for AppSec:
- 20. DevSecOps pipeline for AppSec: Src: https://www.slideshare.net/denimgroup/rsa2015-blending-theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally
- 21. DevSecOps pipeline for AWS Cloud:
- 22. ➔ Policy Coverage ➔ Accuracy ➔ Speed ➔ Scale ➔ Process Fit ➔ Integrations Criteria for Choosing Security Tools
- 23. Example PoC & Vendor Analysis:
- 24. ➔ Ensure that periodic reviews of the overall risk posture within cloud environments are performed to guarantee continued alignment of security and the other DevOps teams involved ➔ Keep system instances in the cloud as locked down as you can, commensurate with the exposure and data classification types involved ➔ Pay careful attention to privilege allocation and user, group and role management.This can easily creep over time in a dynamic environment ➔ Commit to a culture of continuous monitoring, helping to automate detection and scripted response activities that minimize manual intervention wherever possible ➔ Discuss vulnerabilities detected in cloud deployments with all team members, and make sure DevOps teams are involved in vulnerability, patch and configuration management discussions and policy creation. ➔ Ensure that you are gathering adequate security and operations logs and eventdata, sending it to a remote monitoring and collection platform ➔ Discuss the changing threat landscape with DevOps teams, get practical measures that can be taken to implement the most effective security without impeding progress or slowing down the pace of business activities Final Checklist
- 25. ➔ Web Application Penetration Testing ➔ DevSecops piple for application security ➔ Cloud Infrastructure Penetration Testing ➔ AWS, GCP security audit ➔ DevSecOps Training ➔ Security Automations in Cloud ➔ Incident Response in Cloud ➔ Architectect security in Cloud ➔ Cloud Cost Control ➔ Security Awareness Training ➔ Third party Vendor Application Security Assessment Future Sessions
- 26. Security Consulting ● Product Security Audit ● Architecture Reviews ● Secure Architecture design ● Security Automations ● Threat Modelling ● Vendor Analysis ● AppSec Program ● MSSP Testing & Assessments ● Web Application Penetration Testing ● Cloud Infrastructure Pentesting ● Mobile Application Security Assessment ● Network pentesting and assessment ● Application Source code reviews Security Trainings ● Cloud Security Trainings ● DevSecOps Trainings ● Penetration testing training ● AWS Security Certification ● CCSK ● Cloud Security Automation ● AWS Cost Control ● SOC Training CloudSecOps.com | +123456 43777 | [email protected]