Pentest is yesterday, DevSecOps is tomorrow
WWW.TJAKRABIRAWA.ID
DevSecOps Introduction
3. Introduction
Amien Harisen
CEO & Founder - PT Tjakrabirawa Teknologi
Indonesia
www.devsecops.id
Manager – Ernst & Young , Cybersecurity
Division
Security Engineer – PT Spentera
Research & Development – IDSIRTII
Others!
www.Instagram.com/slashroot.id
4. Waterfall vs Agile vs DevOps
Waterfall
For many years the most widely used approach to project management was Waterfall. It is a linear and sequential approach with separately defined goals for each phase of the project: the software development process is divided into distinct phases, each with its own beginning and end, cascading into one another in linear fashion, and a phase starts only once the previous one has been completed. It looked like an ideal methodology at the time and served well for years, but as the complexity and variety of the IT world kept growing, the typical approach had to change.
Agile
The Agile methodology involves continuous iteration of development and testing throughout the SDLC. It emphasizes iterative, incremental and evolutionary development: the product is broken into smaller pieces that are developed and tested, then integrated for final testing. Agile can be implemented in many ways, including Scrum, Kanban and XP.
DevOps
Considered the most modern approach and the one creating the most buzz in the IT world today, DevOps weaves its entire approach around bridging the gap between the development and operations teams. As IT reaches every corner of the business, DevOps has become an essential ingredient in the success of any application: it converges the needs of the development and operations teams so as to deliver a reliable and secure end product, with as many errors as possible caught early.
9. DevOps & Cloud Adoption Rate
In 2017 the global DevOps (Development and Operations) market size was US$2,770 million, and it is expected to reach US$10,800 million by the end of 2025,
11. But Why?
• DevOps solves problems faster through collaboration and shared responsibility
• It is a cultural enabler for scaling cloud adoption
• More people can try and fail at a rapid pace to meet customer demand
16. Where is the Security?
• Development without integrated security and compliance will fail
• With the growing business demand for Agile, DevOps and public cloud services, traditional security testing processes have become a major obstruction
• Gartner's concept of "DevSecOps", a merger of DevOps and security, aims to bring the DevOps mindset and culture into security testing practice. In the DevOps mindset, security is everybody's responsibility
• Hence the push to "shift left": bring security earlier into the delivery pipeline
17. DevSecOps
• DevSecOps is the answer to integrating all of these challenges into coherent and effective software delivery. It is a method that helps identify security issues early in the development process rather than after a product is released.
• DevSecOps validates the building blocks without slowing down the life cycle
18. What DevSecOps Is and Is Not
DevSecOps is:
• A mindset and a holistic approach
• A collection of processes and tools
• A means of integrating security and compliance into software
• A community-driven effort
DevSecOps is not:
• A one-size-fits-all approach
• A single tool or method
• Just a means of adding security into continuous delivery
• Invented by vendors
20. DevSecOps Main Process
• Vulnerability assessment (VA) scans
• Threat Modeling
• Secure Code Reviews
• Penetration Tests (PenTests)
21. DevSecOps Secondary Process
• Educating developers on secure coding practices with workshops, talks and lessons
• Secure coding standards
• Responsible/coordinated disclosure
• Secure code libraries and other reference materials, and creating custom tools
22. Security Testing in DevSecOps
• SAST (Static Application Security Testing)
– an internal audit of the application in which the security auditor or tool has full access to the application's source code or binaries and analyses them without running the application
• DAST (Dynamic Application Security Testing)
– tests the application from the "outside", as an attacker would, while it is running in a test or production environment, without access to the source
• IAST (Interactive Application Security Testing)
– instruments the running application from the inside (typically an agent in the runtime) to combine the advantages and strengths of SAST and DAST. From a practical point of view, however, implementing an IAST solution is still not an easy task
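To make the SAST entry above concrete, here is an added example (not code from the original deck or from any product) of what a static scanner actually does: it parses a Python file into an AST and reports a few well-known insecure patterns with a rule id and line number, the kind of structured result a CI step can push into a bug tracker. The rule set, the rule names and the sample source it is run against are all constructed for this illustration; a real SAST tool ships hundreds of rules and handles taint tracking across functions.

```python
"""SAST-style scanner: walk the Python AST of a source file and report a few
well-known insecure patterns with rule id and line number, the shape of result
a CI step would push into a bug tracker or developer dashboard.
Constructed example for this page; the rule set is a hypothetical subset of
what a real SAST tool ships."""
import ast
from dataclasses import dataclass

# Hypothetical rule data, not taken from any product.
SECRET_NAMES = ("PASSWORD", "PASSWD", "SECRET", "API_KEY", "TOKEN", "PRIVATE_KEY")
CODE_EXEC_CALLS = {"eval", "exec"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


def _call_name(node: ast.Call) -> str:
    """Dotted name of the called expression, e.g. 'subprocess.run' or 'eval'."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _keyword_is_true(node: ast.Call, name: str) -> bool:
    """True when the call passes name=True as a literal keyword argument."""
    return any(kw.arg == name and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


def scan_source(source: str, filename: str = "<constructed>") -> list[Finding]:
    """Return findings sorted by line; an empty list means the rules saw nothing."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        # Rule 1: credential-looking name assigned a non-empty string literal.
        if isinstance(node, ast.Assign):
            literal = node.value
            if isinstance(literal, ast.Constant) and isinstance(literal.value, str) and literal.value:
                for target in node.targets:
                    if isinstance(target, ast.Name) and any(
                            k in target.id.upper() for k in SECRET_NAMES):
                        findings.append(Finding("HARDCODED_SECRET", node.lineno,
                                                f"string literal assigned to {target.id}"))
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            # Rule 2: eval/exec; attacker-controlled input reaches these too easily.
            if name in CODE_EXEC_CALLS:
                findings.append(Finding("CODE_EXEC", node.lineno, f"call to {name}()"))
            # Rule 3: a command line handed to a shell; string-built arguments
            # become command injection.
            if name == "os.system" or (name.startswith("subprocess.")
                                       and _keyword_is_true(node, "shell")):
                findings.append(Finding("SHELL_INJECTION", node.lineno,
                                        f"{name} runs through a shell"))
    return sorted(findings, key=lambda f: (f.line, f.rule))


# Constructed sample of deliberately bad code that the scanner is run against.
SAMPLE = '''\
import os, subprocess
DB_PASSWORD = "hunter2"
def run(user_input):
    subprocess.run("ls " + user_input, shell=True)
    os.system("echo " + user_input)
    return eval(user_input)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"{f.rule}\tline {f.line}\t{f.message}")
```

Running the script prints four findings (a hardcoded password on line 2, two shell-injection sinks on lines 4 and 5, and an eval on line 6) and nothing for clean code. This is also the point behind Gartner's "don't expect to use traditional SAST without changes" advice below: the output is machine-readable and needs no security expert to interpret, so it can run on every commit.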
24. 10 Guidelines for Successful DevSecOps, According to Gartner
1. "Adapt your security testing tools and processes to the developers, not the other way around." According to the analysts, the Sec in DevSecOps should be silent: the security team needs to change its processes and tools so that they integrate into DevOps, instead of trying to force its old processes to be adopted.
2. "Quit trying to eliminate all vulnerabilities during development." "Perfect security is impossible. Zero risk is impossible. We must bring continuous risk- and trust-based assessment and prioritization of application vulnerabilities to DevSecOps," Head and MacDonald wrote in their report. DevSecOps should be thought of as a continuous improvement process, meaning security goes beyond development and keeps searching for and protecting against vulnerabilities even after services are deployed to production.
3. "Focus first on identifying and removing the known critical vulnerabilities." Instead of spending time trying to break the system, focus first on known security issues in pre-built components, libraries, containers and frameworks, and fix them before they are put into production.
4. "Don't expect to use traditional DAST/SAST without changes." Scan custom code for unknown vulnerabilities by integrating testing into the IDE, providing autonomous scans that do not require a security expert, reducing false positives, and delivering results into the bug-tracking system or development dashboard.
5. "Train all developers on the basics of secure coding, but don't expect them to become security experts." Training all developers on the basics of security issues helps prevent them from creating harmful scenarios. Developers should be expected to know simple threat modeling scenarios, how to think like an attacker, and not to put secrets such as cryptographic keys and passwords into the code, according to Head.
6. "Adopt a security champion model and implement a simple security requirements gathering tool." A security champion is someone who can effectively lead the security community of practice, stay up to date with maturity issues, and evangelize, communicate and market what to do about security and how to adapt.
25. 10 Guidelines for Successful DevSecOps, According to Gartner (continued)
7. "Eliminate the use of known vulnerable components at the source." "As previously stated, most risk in modern application assembly comes from the use of known vulnerable components, libraries and frameworks. Rather than wait until an application is assembled to scan and identify these known vulnerabilities, why not address this issue at its source by warning developers not to download and use these known vulnerable components," Head and MacDonald wrote.
8. "Secure and apply operational discipline to automation scripts." "Treat automation code, scripts, recipes, formation scripts and other such infrastructure and platform artifacts as valuable source code with specific additional risk. Therefore, use source-code-type controls including audit, protection, digital signatures, change control and version control to protect all such infrastructure and platform artifacts," according to the report.
9. "Implement strong version control on all code and components." Be able to capture every change: what was changed, when the change happened and who made it.
10. "Adopt an immutable infrastructure mindset." Teams should work towards a state in which all infrastructure is updated only by the tools. This is a sign that the team is maturing, and it provides a more secure way to maintain applications, according to Head.
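Guidelines 3 and 7 both come down to one control: check pinned dependencies against an advisory feed before they reach a build, and fail the commit or pipeline on a hit. The following added example (not code from the original deck, nor from Gartner) shows the core of such a gate. The advisory feed, the package names, the advisory identifiers and the requirements file are all constructed for this illustration; a real implementation would pull advisories from a source such as OSV or the GitHub Advisory Database and use a proper PEP 440 or semver parser instead of the simplified version comparison here.

```python
"""Gate known-vulnerable components before they enter a build.
Constructed example for this page: the advisory feed, package names and
advisory identifiers are made up; a real pipeline would load advisories from
a source such as OSV or the GitHub Advisory Database and run this as a
pre-commit hook or CI step that fails the build on a hit."""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str    # first affected version, inclusive
    fixed: str         # first fixed version, exclusive
    advisory_id: str   # placeholder identifier, not a real CVE


# Constructed advisory feed.
ADVISORIES = [
    Advisory("examplelib", "1.0.0", "1.4.2", "EXAMPLE-2023-0001"),
    Advisory("yamlparser", "0", "5.1", "EXAMPLE-2023-0002"),
]

# Constructed requirements file: one affected pin, one already-fixed pin,
# one package without an advisory, one unpinned range.
REQUIREMENTS = """\
examplelib==1.3.0
yamlparser==5.1
httpclientx==2.0.1   # no advisory in the constructed feed
webfw>=2.0           # not pinned, so it cannot be checked here
"""

_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)")


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric dotted versions only, zero-padded so '5.1' == '5.1.0'.
    Real tools use PEP 440 / semver parsers; this is enough for the demo."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def parse_requirements(text: str) -> dict[str, str]:
    """Return {package: pinned_version}. Lines without an exact pin are skipped;
    in a real tool an unpinned dependency is itself a finding."""
    pins: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _REQ_LINE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    """introduced <= version < fixed, using the simplified numeric comparison."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def find_vulnerable(text: str, advisories=ADVISORIES) -> list[tuple[str, str, str, str]]:
    """(package, pinned version, advisory id, first fixed version) for each hit."""
    pins = parse_requirements(text)
    hits = []
    for adv in advisories:
        pinned = pins.get(adv.package.lower())
        if pinned is not None and is_affected(pinned, adv):
            hits.append((adv.package, pinned, adv.advisory_id, adv.fixed))
    return sorted(hits)


if __name__ == "__main__":
    hits = find_vulnerable(REQUIREMENTS)
    for pkg, ver, aid, fixed in hits:
        print(f"{pkg}=={ver} is affected by {aid}; upgrade to >= {fixed}")
    sys.exit(1 if hits else 0)   # non-zero exit fails the commit/build
```

Run as a pre-commit hook or as the first CI stage, the script exits non-zero for the one affected pin and lets the fixed and unaffected pins through; that exit code is what turns "warn developers not to use known vulnerable components" into a gate rather than a report read after the fact.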
27. Three-Step Process: DevSecOps Quick Start
1. Read the articles and collaborate with the community at www.devsecops.id
2. Train the developers and the security engineers with us
3. Implement DevSecOps as a Service with us