DevOps & Security: Here & Now
Download as PPTX, PDF11 likes9,120 views
The document outlines the integration of security into the DevOps process, emphasizing the need for a new secure software development lifecycle (SDLC) approach. Key steps include planning for security, engaging developers, automating processes, and using traditional security tools wisely. It concludes that security should not be compromised as DevOps continues to evolve rapidly.
DevOps & Security: Here & Now
- 1. DevOps and Security: It’s Happening. Right Now. Helen Bravo Director of Product Management at Checkmarx [email protected]
- 2. Agenda • Intro to DevOps • Integrating security within DevOps – Problems with traditional controls – Steps to DevOps security
- 3. What is DevOps About? An unstoppable deployment process … in small chunks of time
- 4. DevOps is Happening Companies that have adopted DevOps
- 5. Can TRADITIONAL web application security controls fit in… … a DevOps environment?!
- 6. Traditional Web Application Security Controls • Penetration Testing • WAF (Web Application Firewall) • Code Analysis
- 7. Penetration Testing- Takes Time!
- 8. Penetration Testing – 300 pages report – 3 weeks assessment time – 2 weeks to get it into development
- 9. Web Application Firewall (WAF) Thinking Continuous Deployment? Think Continuous Configuration!
- 10. Code Analysis • Setup time • Running time • Analysis time … just too slow!
- 12. … Do Nothing?
- 13. Required: A New Secure SDLC Approach
- 14. Step by Step
- 15. Step 1: Plan for Security
- 16. Step 1: Plan for Security • Identify unsecured APIs and frameworks • Map security sensitive code portions. E.g. password changes mechanism, user authentication mechanism. • Anticipate regulatory problems, plan for it.
- 17. Step 2: Engage the Developers. And Be Engaged
- 18. Step 2: Engage the Developers. And Be Engaged • Connect developers to security – Going to OWASP? Bring a developer with you! • Is your house on fire? Share the details with your developers. • Have an open door approach • Set up an online collaboration platform E.g. Jive, Confluence etc.
- 19. Step 3: Arm the Developers
- 20. Step 3: Arm the Developer • Secure frameworks: – Use a secure framework such as Spring Security, JAAS, Apache Shiro, Symfony2 – ESAPI is a very useful OWASP security framework • SCA tools that can provide security feedback on pre-commit stage. – Rapid response – Small chunks
- 21. Step 3: Automate the Process
- 22. Step 3: Automate the Process • Integrate within your build (Jenkins, Bamboo, TeamCity, etc.) – SAST – DAST • Fail the build if security does not pass the bar.
- 23. Continuous Deployment Unit Tests Develop Code Commit Source Control Build Trigger Deploy to Test Env Report & Notify Publish to release repository Deploy to Production
- 24. Security within Continuous Deployment Tests Develop Code Commit Source Control Build Trigger Deploy to Test Env SCA Test Publish to Automatic Report release security repository & test Notify Deploy to Production
- 25. Step 5: Use Old Tools Wisely
- 26. Step 5: Use Old Tools Wisely • Periodic pen testing • WAF on main functions • Code review for security sensitive code portions.
- 27. Summary
- 28. Summary • DevOps is happening. Right Now. – During the time of this talk, Amazon has released 75 features and bug fixes. • Security should not be compromised • Don’t be overwhelmed. Start small
- 29. The 3 Takeaways 1. Plan from the ground 2. Engage with your developers 3. Integrate security into automatic build process.
- 30. Questions?