Pentest is yesterday, DevSecOps is tomorrow
3 likes694 views
The document discusses the evolution of project management methodologies from the traditional waterfall model to agile and the modern concept of DevSecOps, which integrates security practices within the DevOps framework. It underscores the necessity for security to be everyone’s responsibility, emphasizing early identification of security issues during software development. The text provides guidelines for implementing DevSecOps effectively, includes various security testing processes, and highlights the importance of training developers in secure coding practices.
Pentest is yesterday, DevSecOps is tomorrow
- 2. Pentest is Yesterday, DevSecOps is Tomorrow WWW.TJAKRABIRAWA.ID DevSecOps Introduction
- 3. Introduction Amien Harisen CEO & Founder - PT Tjakrabirawa Teknologi Indonesia www.devsecops.id Manager – Ernst & Young , Cybersecurity Division Security Engineer – PT Spentera Research & Development – IDSIRTII Others! www.Instagram.com/slashroot.id
- 4. Waterfall As we see through the flown years, the most in-demand approach to project management was the Waterfall approach. It, being a linear and sequential approach, had separately set goals for each defined phase of the project. The entire process of software development was divided into distinct processes, each having its own beginning and end and all of them cascaded to each other in a linear fashion. The latter had its start once the former was achieved and completed. It looked like an ideal methodology at that time and did wonders for years to come. But with the complexities and variations of the IT world on a rising spree, there was a requirement for a change in the typical approach Waterfall vs Agile vs DevOps Agile Agile Methodology involves continuous iteration of development and testing in the SDLC process. This software development method emphasizes on iterative, incremental, and evolutionary development. Agile development process breaks the product into smaller pieces and integrates them for final testing. It can be implemented in many ways, including scrum, kanban, scrum, XP, etc DevOps Considered to be the most modern approach and creating a buzz in the IT world today, ‘DevOps’ weaves its entire approach around bridging the gap between the Development and Operations teams. With the IT world becoming a smaller place to reach with widening arms to reach anywhere under the sun, DevOps Solutions has become an essential ingredient for the success of any application to effectively and efficiently converge the needs of the development and operation teams so as to ensure a completely reliable and secure end product, with as many possible errors to be encountered early
- 9. DevOps & Cloud Adoption Rate In 2017, the global Development to Operations (DevOps) market size was 2770 million US$ and it is expected to reach 10800 million US$ by the end of 2025,
- 10. DevOps & Cloud Adoption Rate
- 11. But, Why ? • DevOps solve problems faster by collaborating & responsibility • Cultural enabler for cloud adoption scaling • More people can try and fails at rapid pace to meet customer demand
- 12. DevOps Efficiencies that speed up the lifecycle
- 13. DevOps Efficiencies that speed up the lifecycle
- 14. DevOps Efficiencies that speed up the lifecycle
- 15. DevSecOps Makes everyone responsible for security WWW.TJAKRABIRAWA.ID
- 16. Where is the Security • Development without integrated security & compliance will fail • With the growing business demand for Agile, DevOps, and Public Cloud Services, traditional security testing processes have become a major obstruction • Gartner’s new concept of “DevSecOps,” which is a merger of DevOps and security aims in bringing the mindset and culture of DevOps into security testing practices. The DevOps mindset displays that security is everybody’s responsibility • Thus promote the “Shift Left” for security
- 17. DevSecOps • DevSecOps is the answer to integrating all the various challenge into a coherent and effective software delivery. It is a new method that helps identify security issues early in the development process rather than after a product is release. • DevSecOps validate building blocks without slowing the life cycle
- 18. What is and is not DevSecOps Is Is not A mindset & a holistic approach A One size fits all approach A collection of processes and tools A single tools or method A means of security & compliance integrated to software Just a means of adding security into the continuous delivery A community driven effort Invented by vendors
- 19. DevSecOps
- 20. DevSecOps Main Process • Vulnerability (VA) Scans and Assessments • Threat Modeling • Secure Code Reviews • Penetration Tests (PenTests)
- 21. DevSecOps Secondary Process • Educating Developers on Secure Coding • Practices with workshops, talks, lessons • Secure Coding Standards • Responsible/Coordinated Disclosure • Secure code library and other reference materials, creating custom tools
- 22. Security Testing in DevSecOps • SAST (Static Application Security Testing) – consists of internal audit of an application, when security auditor or tool has unlimited access to the application source code or binary • DAST (Dynamic Application Security Testing) – tests the application from the “outside” when the application is running in test or production environment. • IAST (Interactive Application Security Testing) – is a combination of SAST and DAST designed to leverage the advantages and strength of both. However, from the practical point of view, implementation of an IAST solution remains not an easy task.
- 23. DevSecOps
- 24. 10 Guide to Successful DevSecOps According to Gartner 01 03 02 “Adapt your security testing tools and processes to the developers, not the other way around:” According to the analysts, the Sec in DevSecOps should be silent. That means the security team needs to change their processes and tools to be integrated into DevOps, instead of trying to enforce their old processes be adopted. “Quit trying to eliminate all vulnerabilities during development.” “Perfect security is impossible. Zero risk is impossible. We must bring continuous risk- and trust-based assessment and prioritization of application vulnerabilities to DevSecOps,” Head and MacDonald wrote in their report. DevSecOps should be thought of as a continuous improvement process, meaning security can go beyond development and can be searching and protecting against vulnerabilities even after services are deployed into production. “Focus first on identifying and removing the known critical vulnerabilities.” Instead of wasting time trying to break a system, find focus on known security issues from pre built components, libraries, containers and frameworks; and protect against those before they are put into production. 04 06 05 “Don’t expect to use traditional DAST/SAST without changes.” Scan custom code for unknown vulnerabilities by integrating testing into the IDE, providing autonomous scans that don’t require a security expert, reducing false positives, and delivering results into a bug tracking system or development dashboard. “Train all developers on the basics of secure coding, but don’t expect them to become security experts.” Training all developers on the basis of security issues will help prevent them from creating harmful scenarios. Developers should be expected to know simple threat modeling scenarios, how to think like a hacker, and know not to put secrets like cryptographic keys and passwords into the code, according to Head. “Adopt a security champion model and implement a simple security requirements gathering tool.” A security champion is someone who can effectively lead the security community of practice, stay up to date with maturity issues, and evangelize, communicate and market what to do with security and how to adapt.
- 25. 10 Guide to Successful DevSecOps According to Gartner 07 09 08 “Eliminate the use of known vulnerable components at the source.” “As previously stated, most risk in modern application assembly comes from the use of known vulnerable components, libraries and frameworks. Rather than wait until an application is assembled to scan and identify these known vulnerabilities, why not address this issue at its source by warning developers not to download and use these known vulnerable components,” Head and MacDonald wrote. “Secure and apply operational discipline to automation scripts.” “Treat automation code, scripts, recipes, formation scripts and other such infrastructure and platform artifacts as valuable source code with specific additional risk. Therefore, use source-code-type controls including audit, protection, digital signatures, change control and version control to protect all such infrastructure and platform artifacts,” according to the report. “Implement strong version control on all code and components.” Be able to capture every change from what was changed, when the change happened and who made the change. 10 “Adopt an immutable infrastructure mindset.“ Teams should work towards a place where all the infrastructure is only updated by the tools. This is a sign that the team is maturing, and it provides a more secure way to maintain applications, according to Head.
- 26. Question & Answer Please not that difficult question ☺ WWW.TJAKRABIRAWA.ID
- 27. Three Steps Process DevSecOps Quick Start 01 03 02 Reading the article and collaborate on the community at www.devsecops.id Train the developer and the security engineer with Us Implement the DevSecOps As A Service with Us
- 28. Reference • https://medium.com/@freddyyumba/contrasting-the- waterfall-model-agile-lean-and-devops-a95cd9acf58 • https://www.slideshare.net/isnuryusuf/devops-indonesia- devsecops-the-open-source-way • https://www.guru99.com/agile-vs-devops.html • https://www.slideshare.net/narudomr/devsecops-101
- 29. PT. Tjakrabirawa Teknologi Indonesia Manhattan Tower 12th Floor, TB Simatupang phone : 021-80641090 | Web: http://www.tjakrabirawa.id | Info : [email protected]