PAGE
1
DEVOPS INDONESIA
Mudito Adi Pranowo & Jevon Hura
Dymar
THALES
Jakarta, 19 January 2022
DevOps Indonesia Meetup (ONLINE)
Securing DevOps Lifecycle
www.dymarjaya.co.id
Securing DevOps LifeCycle
DevOps Indonesia 51 - 19/1/2022
Mudito Adi Pranowo
Product Manager
PT Dymar Jaya Indonesia
mudito@dymarjaya.co.id
Speaker
• 13+ years of experience in practical cryptography for business and digital data security solutions.
• Specialist in the design and implementation of digital data security in Banking, Financial Institutions, Fintech, e-Commerce, Government, and many more.
• Product Manager & Marketing at Dymar.
• Contact: mudito@dymarjaya.co.id
Mudito Adi Pranowo
Company Profile
PT Dymar Jaya Indonesia
● Vision: Trusted Partner in Data Security.
● Mission: Providing world-class data security solutions with trusted local support.
● Founded in 1988, focused on Data Security.
● Provides and implements data security solutions in financial institutions, banking, government, manufacturing and others.
● Implementations in more than 80 banks in Indonesia.
Office Address:
Soho Capital @PodomoroCity, 31st floor, Suite SC 3102-3103. Jl. Let. Jend. S. Parman Kav. 28. Jakarta Barat 11470, Indonesia
www.dymarjaya.co.id
Dymar's Customers
Dymar's Technology Partner
● Thales is a worldwide leader in data protection solutions.
● Solutions covered: encryption, advanced key management, authentication and key management.
“Securing the world's most sensitive data for over 40 years”
● PT Dymar Jaya Indonesia has more than 25 years of partnership with Thales.
● PT Dymar Jaya Indonesia is a Platinum Partner of Thales.
Securing DevOps LifeCycle with Continuous Trust
https://cpl.thalesgroup.com/resources/encryption/securing-devops-lifecycle-with-continuous-trust-white-paper
What is DevOps?
DevOps is a set of practices and tools that enables teams to
develop and deliver software applications faster and more
reliably.
DevOps, which blends the words “development” and
“operations,” is a cultural movement that breaks down
organizational barriers by bringing software engineers and
operations managers together to deliver the best
possible application user experience.
“DevOps is a cultural and professional movement, focused on how we build and operate high velocity organizations, born from the experiences of its practitioners.”
- Nathen Harvey, Developer Advocate, Google
DevOps and Security
While there are many business advantages to DevOps, security remains a significant challenge that
impacts the integrity and trustworthiness of code, software builds, firmware, and data.
As a result, security and quality assurance teams must be tightly integrated with DevOps to make the
software development lifecycle both efficient and secure. Secure DevOps ensures the trustworthiness
of code, finished software, and data throughout the DevOps lifecycle.
Safety First
Benefits of a DevOps Approach
Speed
Moving at a high velocity to innovate and adjust to changing markets is
critical to business competitiveness. The DevOps model allows developers
and operations teams to increase the frequency and pace of software
updates, enabling a constant flow of new features.
In fact, according to a study, top-performing DevOps teams deploy code
to production 208 times more frequently than low-performing adopters.
DevOps requires trusting that the code has not been tampered with and
malware has not been introduced during the build process.
Securing a fast DevOps pipeline relies on code signing, secrets
management, container security, authentication, and IaaS/PaaS cloud
security.
Benefits of a DevOps Approach
Reliability
DevOps deployments are more reliable and resilient, experiencing less
downtime. In fact, skilled DevOps teams experience one-third of the failure
rates of low-performing DevOps teams.
Security measures, such as code testing and software composition analysis, are
implemented early in the DevOps lifecycle to reduce the cost and time needed to
address security bugs and breakdowns later in the delivery process.
Manual and automated testing and software scanning tools require strong
authentication, authorization, and access controls.
Benefits of a DevOps Approach
Scalability
DevOps models leverage automation and orchestration that allow
teams to rapidly scale compute resources, load balancing, and
application services.
For example, infrastructure as code allows companies to manage
development, testing, and production environments more efficiently and
programmatically using APIs.
Scaling DevOps deployments securely requires strong key management,
PKI and certificate management, encryption of data-at-rest and data-in-motion,
authentication, and access controls.
Benefits of a DevOps Approach
Collaboration
DevOps promotes a culture of collaboration and sharing between the
software development and operations teams.
The use of common tools and shared goals allows teams to work
together efficiently to develop and deploy.
Trusted collaboration requires end-user and machine-to-machine
authentication, roles-based access controls, and secure
communications.
Securing DevOps and CI/CD Pipeline
Securing the DevOps environment is critical to the success of business-driven digital
transformation.
Secure DevOps requires strong key management, certificate management,
authentication, PKI, access controls, code signing, and signature verification to ensure
the trustworthiness and integrity of software, VMs, and containers.
Securing DevOps and CI/CD Pipeline
While DevOps teams can use dynamic and static application security testing to check the code and
binaries for misconfigurations or the presence of known vulnerabilities, if the system does not have a
consistent and centralized approach to key and certificate management, the DevOps configuration
management and orchestration tools will be very difficult to trust.
For example, if the signatures used to sign code were created
based on a self-signed digital certificate using keys that were
generated insecurely, then a sophisticated and persistent
attacker could impersonate the author of the code and
potentially introduce malware.
Similarly, if the configuration management tools used to
manage the CI/CD pipeline, IaaS infrastructure, Kubernetes
clusters, and network encryption are using secrets, machine
identities, certificates, and tokens that are based on insecurely
generated private keys, then the deployed software and
containers should not be trusted.
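The two failure cases described above (a signer whose certificate is self-signed, and artifacts that may have been altered after signing) come down to one verification policy: accept a signature only if it verifies under a leaf certificate that chains to a root the pipeline trusts and that is authorised for code signing. The following is an added example, not code from the slides or from Thales or Dymar; it assumes the third-party `cryptography` package, and every key, certificate name ("Build Root CA", "ci-signer") and artifact in it is generated in memory for the demonstration.

```python
"""Added example: a code-signing verifier that rejects artifacts signed under a
self-signed certificate and accepts only leaves issued by a trusted root.
Assumes the `cryptography` package; all keys, names and artifacts are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Tuple

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca, code_signing=False):
    """Build a certificate signed by issuer_key. is_ca marks a root; code_signing
    adds the extended key usage that a signing policy should require on leaves."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(_name(subject_cn))
               .issuer_name(_name(issuer_cn))
               .public_key(subject_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=5))
               .not_valid_after(now + timedelta(days=30))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if code_signing:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def sign_artifact(artifact: bytes, key) -> bytes:
    """What the build step does with the signer's private key (ECDSA P-256)."""
    return key.sign(artifact, ec.ECDSA(hashes.SHA256()))


def verify_artifact(artifact: bytes, signature: bytes, leaf: x509.Certificate,
                    trusted_roots) -> Tuple[bool, str]:
    """Deployment-side policy: the signature must verify, the leaf must be issued
    and signed by a root in the trust store, and the leaf must be a code-signing
    certificate. A self-signed leaf fails the second check even if its signature
    over the artifact is mathematically valid."""
    try:
        leaf.public_key().verify(signature, artifact, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return False, "artifact signature invalid"
    root = next((r for r in trusted_roots if r.subject == leaf.issuer), None)
    if root is None:
        return False, "issuer not in trust store (self-signed or unknown CA)"
    try:
        root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                 ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return False, "leaf certificate not signed by the trusted root"
    try:
        eku = leaf.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False, "leaf lacks extended key usage"
    if ExtendedKeyUsageOID.CODE_SIGNING not in eku:
        return False, "leaf not authorised for code signing"
    return True, "ok"


def demo():
    """Returns the policy result for a trusted chain, an impostor using a
    self-signed certificate with the same common name, and a tampered artifact."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    root = make_cert("Build Root CA", root_key, "Build Root CA", root_key, is_ca=True)
    signer_key = ec.generate_private_key(ec.SECP256R1())
    leaf = make_cert("ci-signer", signer_key, "Build Root CA", root_key,
                     is_ca=False, code_signing=True)
    artifact = b"constructed build artifact bytes"
    good = verify_artifact(artifact, sign_artifact(artifact, signer_key), leaf, [root])

    # Same common name, but self-signed: the chain check, not the name, decides.
    rogue_key = ec.generate_private_key(ec.SECP256R1())
    rogue = make_cert("ci-signer", rogue_key, "ci-signer", rogue_key,
                      is_ca=False, code_signing=True)
    impostor = verify_artifact(artifact, sign_artifact(artifact, rogue_key), rogue, [root])

    tampered = verify_artifact(artifact + b"!", sign_artifact(artifact, signer_key), leaf, [root])
    return good, impostor, tampered


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters less than their completeness: a verifier that only checks the artifact signature against whatever certificate arrives with it will accept the impostor, because the impostor controls both the key and the certificate. In a real pipeline the root key would live in an HSM and the trust store would be pinned in the deployment tooling rather than shipped with the artifact.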
Potential Vulnerabilities & Risk in DevOps
The rapid adoption of DevOps and DevSecOps has created a
complex software development environment that is fraught
with vulnerabilities and risks.
Gaps in DevOps security can lead to application vulnerabilities
that result in:
• Code injections
• Broken authentication
• Using components with known vulnerabilities
• Stolen machine identities, keys and certificates
• Sensitive data exposure
• Weak authentication
• Insecure key generation and storage
• Lack of a chain of trust
• Man-in-the-middle attacks.
Establishing a Chain of Trust Across DevSecOps
Establishing a chain of trust across the
DevSecOps tool chain requires a
consistent and centralized approach to
key and certificate management.
Development, testing, and production
environments rely heavily on machine
identities, secrets, tokens, keys, and
digital certificates that must be trusted.
Hardware Security Modules (HSM) and
Key Management Systems (KMS) can
provide the advanced security
features relied on by the DevOps tools
that manage the CI/CD pipeline, cluster
orchestration, TLS, and code signing.
www.dymarjaya.co.id
Thank you
DevOps Indonesia 51 - 19/1/2022
Mudito Adi Pranowo
Product Manager
PT Dymar Jaya Indonesia
mudito@dymarjaya.co.id
DevSecOps
A Primer for Our Journey Together
with Thales Data Protection
Part of the Thales Data Security
By: Jevon (SE Thales Cloud Protection and Licensing)
What is DevOps?
• DevOps IS NOT
  • a single person: “Shaun and Mary are NOT, themselves, DevOps”
  • a specific role: “Melissa was hired on as the DevOps person”
  • a separate team: “Now that we have developed the app, we give it to the ‘DevOps group’ to do their part”
  • a toolset: “Our manager just approved that ‘DevOps application’. We are now DevOps!”
What is DevOps?
• DevOps IS
  • a Culture of Collaboration
    • Developers + Operations working together
    • Automate processes between them, from Build to Test to Deployment to Monitoring and Alerting
    • High Consistency
    • High Quality
  • a process of Continual Improvement
    • through Automation
    • through Monitoring
  • Compatible with Enterprise deployments as well as Cloud deployments
DevOps -> DevSecOps
Thales © 2019 All rights reserved
USE-CASES
DevSecOps
Modern Solution Architecture: Solution evolution
1. No Solution: Hardcode Credentials
   UserName = "app"
   Password = "y7qeF$1"
   Host = "10.10.3.56"
   ConnectDatabase(Host, UserName, Password)
   At Risk: Widely exposes credentials
2. Vault Credentials
   Secure: manage credentials in vault with comprehensive audit
   Potential for App to Leak Secrets
3. Secretless Broker Architecture: Isolate Applications
   Simpler: Developers can focus on writing code
   More Secure: Applications cannot leak what they don't have
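To make the three stages of the slide concrete, here is an added example in plain Python (not code from the slides, and not the Conjur or Secretless Broker APIs). `FakeVault`, `SecretlessBroker`, `database_backend` and the secret paths `db/app/username` and `db/app/password` are constructed stand-ins; the sample source reproduces the slide's at-risk snippet with its placeholder credentials. It shows a scanner that flags the hardcoded pattern before it reaches a build, then the vault pattern in which the application still holds the password, and finally the secretless pattern in which application code never touches a credential.

```python
"""Added example: hardcoded credentials, vault credentials and a secretless broker
modelled in plain Python. The vault, broker and database are constructed stand-ins."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample source in the at-risk pattern from the slide (not real credentials).
SAMPLE_SOURCE = '''
UserName = "app"
Password = "y7qeF$1"
Host = "10.10.3.56"
ConnectDatabase(Host, UserName, Password)
'''

# A string literal assigned to a secret-looking name: what a pre-commit hook or a
# pipeline scan should flag before the code is built.
_SECRET_ASSIGNMENT = re.compile(
    r'^[ \t]*(?P<name>\w*(?:password|passwd|secret|token|api_?key)\w*)[ \t]*=[ \t]*["\'][^"\']+["\']',
    re.IGNORECASE | re.MULTILINE,
)


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, variable_name) for every hardcoded secret literal."""
    return [(source.count("\n", 0, m.start()) + 1, m.group("name"))
            for m in _SECRET_ASSIGNMENT.finditer(source)]


class FakeVault:
    """In-memory stand-in for a secrets vault: every read is audited per identity."""
    def __init__(self, secrets: Dict[str, str]):
        self._secrets = dict(secrets)
        self.audit_log: List[str] = []

    def fetch(self, identity: str, path: str) -> str:
        self.audit_log.append(f"{identity} read {path}")
        return self._secrets[path]


@dataclass
class DbConnection:
    """What the application gets back: there is no password field to leak."""
    host: str
    user: str
    authenticated: bool


def database_backend(host: str, user: str, password: str) -> DbConnection:
    """Stand-in for the database driver; the constructed password is checked here."""
    return DbConnection(host, user, password == "y7qeF$1")


VAULT = FakeVault({"db/app/username": "app", "db/app/password": "y7qeF$1"})


def app_with_vault(vault: FakeVault) -> Tuple[DbConnection, str]:
    """Stage 2: the app fetches the secret itself, so it sits in app memory and
    anything that dumps the process, its environment or its logs can expose it."""
    user = vault.fetch("app", "db/app/username")
    password = vault.fetch("app", "db/app/password")
    return database_backend("10.10.3.56", user, password), password


class SecretlessBroker:
    """Stage 3: the broker authenticates to the vault with the workload's machine
    identity and opens the connection; application code only names the target."""
    def __init__(self, vault: FakeVault, identity: str):
        self._vault, self._identity = vault, identity

    def connect(self, host: str) -> DbConnection:
        user = self._vault.fetch(self._identity, "db/app/username")
        password = self._vault.fetch(self._identity, "db/app/password")
        return database_backend(host, user, password)


def app_secretless(broker: SecretlessBroker) -> DbConnection:
    """Stage 3 application code: no credential variable exists here at all."""
    return broker.connect("10.10.3.56")


if __name__ == "__main__":
    print("hardcoded:", find_hardcoded_secrets(SAMPLE_SOURCE))
    conn, held = app_with_vault(VAULT)
    print("vault:", conn.authenticated, "app holds secret:", bool(held))
    print("secretless:", app_secretless(SecretlessBroker(VAULT, "broker:app")).authenticated)
    print("audit:", VAULT.audit_log)
```

The audit log is the detection side of stages 2 and 3: every read is tied to an identity, so a read from an unexpected identity or at an unexpected rate is visible, which a hardcoded credential never gives you. The scanner's pattern is deliberately narrow (assignments of string literals to secret-looking names); in practice it would be one rule among many in a secrets-scanning tool.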
Encryption (architecture diagram): Container -> Secretless Broker -> Conjur Server; the container accesses CipherTrust Manager using the key stored in Conjur; encryption using RESTful APIs.
What's Possible
CipherTrust Manager capabilities (diagram): Discovery and Classification; Transparent Encryption; Database Protection; Application Data Protection; Tokenisation; Enterprise Key Management; Cloud Key Manager.
Integration interfaces shown: OpenSSL Engine, PKCS #11, REST, KMIP, Java, C, .NET.
Luna 7 HSM
Working Together
Proven security solutions that protect data to the highest levels
FIPS 140-2 Level 3, Common Criteria EAL 4+
Proven integrations and patterns with RedHat and CyberArk to
reduce “Technical Debt”
Trusted Kubernetes for the enterprise, Kubernetes-native
runtimes
Automation capabilities for organisation-wide adoption
Identity Security and secrets management for the enterprise
Secretless brokering for containerised applications
Establishing a Chain of Trust Across DevSecOps
Thales DevSecOps Ecosystem Partners
Thank You!
Stay Connected With Us!
t.me/iddevops
DevOps Indonesia
@iddevops
Alone We are smart, together We are brilliant
THANK YOU !
Quote by Steve Anderson
