Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure development from the start
Download as PPTX, PDF0 likes38 views
The document discusses the integration of security practices within the DevOps framework, leading to the concept of DevSecOps, which emphasizes embedding security early in the software development lifecycle (SDLC). Key strategies include engaging security champions, fostering a culture of security awareness among developers, and incorporating secure coding training and tools. The ultimate goal is to reduce vulnerabilities and enhance compliance while ensuring that security becomes an integral part of daily development activities.
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure development from the start
- 1. DevOps to DevSecOps: Delivering quality and secure development from the start Simon Roe, Outpost24 & Stefania Chaplin, Secure Code Warrior 15th July 2021
- 2. Helping customers improve security posture since 2001 Full stack security assessment Over 2,000 customers in all regions of the world Really good at breaking technology
- 3. Today’s agenda 3 ● Security best practice for maximum DevSecOps from developer training, risk scoring, to application security scanning and API testing ● Building security testing into your SDLC to deliver actionable results and reduce application vulnerabilities ● Integration and automation of application security for fast and secure deployment ● Fundamentals for starting left with secure code training to maximize compliance
- 5. Traditional ‘Waterfall’ Development 5 Plan Code Build Test Release Deploy Security is ‘tested’ during the fixed Test period.
- 6. 6 • Cost of a Data Breach $3.86M • 207 days to detect • 73 days to contain • $150 / per PII record lost Find during Development $100 / defect Find during Build $500 / defect Find during QA/Test $1,500 / defect Find in Production $10,000 / defect Up to 80% of development costs are spent identifying and correcting defects! Source: Ponemon Institute 2020 Source: National Institute of Standards and Technology Cost of security defects 6
- 7. How do we incorporate security? • Security has historically been a silo • Designed to prevent change • Waterfall security does not fit the shift left mentality • Process + People change • DevOps security champions
- 8. ‘Companies are spending a great deal on security. But we read of a number of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we’re protecting the wrong things, and were hurting productivity in the process.’ Thinking security, Steven M. Bellovin
- 10. DevOps is here, and getting bigger
- 11. DevSecOps – How? • Dev teams should engage with Infosec as early as possible • Embed security champions into DevOps teams • ‘Start left’ in your security testing approach • Embed security into the Developers KPI’s • Integrate security into the DevOps Tool chain (automatically) • Run post mortems and ‘Learn’ from them • Encourage security best practices through gamified learning 11
- 12. Learning from the best or the worst 12 • Mistakes happen. And continue to happen daily. • DevSecOps integration is not immune. • DevSecOps is about process as well as people. • Building security into the very heart of DevOps. Empower individuals to be the security person in their day to day roles through: • Mutual understanding. • Shared Language. • Shared vision. • Collaborative tooling.
- 13. Outpost24 Template 2019 DevSecOps – Now what?
- 14. Dev(Sec)Ops is here, and getting bigger
- 15. 15
- 16. Takeaways Don’t resist – build a plan 16 • If DevSecOps isn’t practiced today: • In the next month identify the who / what / where of the CI /CD pipeline • Find security champions in Dev and Ops • In the next 3 months create a plan to integrate security into DevOps • Start left. Add one or two tools into an earlier phase of the SDLC including secure code training • Empower developers with training to own their own security code hygiene • Within 6 months security should be embedded in all phases of the SDLC • If DevSecOps is practiced today: • Can it be improved? • Do you have a good understanding of security state of each phase from Develop through deploy and monitor? • Do you train your developers regularly on security issues?
- 17. Outpost24 Template 2019 Starting left with secure code training
- 18. Security issues in the beginning... 18 Security bugs used to be an afterthought, now preventing vulnerabilities is integrated into the daily workflow.
- 19. 19
- 20. Mo’ money, mo’ problems... 20 Money Code
- 21. Where do vulnerabilities come from? 21
- 22. The opportunity to overlay with software security 22 The opportunity: • Make Security part of that DevOps ecosystem • Embed writing secure code into the day-to-day development work
- 23. Why do we need effective security training? 23 10 YEARS OF FAILED KNOWLEDGE DISTRIBUTION OF VULNERABILITIES FOUND IN 1999
- 24. Break The Cycle of Recurring Vulnerabilities 24
- 25. Culture fit for developers 25 Provide developers with solutions to write secure code that appeal to developers. Developer should see the benefit: ● Highly sought-after ● A cut above average developers ● More lucrative job opportunities ● Instrumental in the battle against cyberattacks and data breaches Mindset for developers: Aware that the only good code is secure code.
- 27. Culture of Security Awareness 27 • Let developers get hands-on and learn by doing • When security training is engaging and delivered in the languages and frameworks that are actually used, it is a powerful learning experience • Give developers the time to train • Empower them to level up as a developer, while leaving behind boring assessments and tick-the- box training
- 28. The right type of training 28 • EMPOWER DEVELOPERS WITH THE KNOWLEDGE TO SUCCEED IN DAY-TO-DAY WORK • > Hands-on, bite-sized and contextual • > Language/framework specific (yes, even COBOL!) • > Incentive-based, with assessable outcomes • > Doesn’t bore everyone senseless (make it a game!)
- 29. 29
- 30. • Start left with security – all the way left • Run developer training – improve security code hygiene • Appoint Security champions • Integrate security throughout your SDLC #devsecops Takeaways
- 31. Outpost24 Template 2019 Simon Roe, Product Manager Application Security & Stefania Chaplin, Solutions Architect [email protected] [email protected] Questions?