DevSecOps is a cultural change that incorporates security practices into software development through people, processes, and technologies. It aims to address security without slowing delivery by establishing secure-by-design approaches, automating security tools and processes, and promoting collaboration between developers, security engineers, and operations teams. As software and connected devices continue proliferating, application security must be a central focus of the development lifecycle through a DevSecOps methodology.
The Facts
• 159,700 total cyber incidents
• 7 billion records exposed in the first three quarters
• $5 billion financial impact
• 93% of breaches could have been prevented
Source: Online Trust Alliance report, 2018
How do we manage software security?
Source: "Managing Application Security", Security Compass, 2017.
Challenges of Secure Software Development
• Legacy software
• Writing secure code is hard
• Lack of security skills
• Emphasis on speed
• Lack of risk focus, audits and control points
• Unsupervised collaboration
• Wrong automated tools
• Best practices are insufficient!
• Vulnerabilities in the development pipeline
Let's define DevSecOps
Do we need Security? Obviously! → DevSecOps
Do we need order in configuration? Sure! → DevSecConfOps
And do we need to automate? Ideally yes. → DevSecConfAutoOps
Resilient? This is so important! → DevSecConfAutoResOps
Backups! We forgot about backups! → DevSecConfAutoResBackOps
Monitoring :-) → DevSecConfAutoResBackMonOps
Should I stop here? No → DevSecConfAutoResBackMonNoOps
Pigeons ate my breakfast while I was entertaining you → DevSecConfAutoResBackMonNoPigeonsAteMyBreakfastWhileIWasEntertainingYouOps
Security becomes paramount in the new world of connected devices and must be addressed without breaking the rapid delivery, continuous feedback model!
The Guiding Principles
Security is everybody's business!
Start with the 3 Ps: People, Process, Platform
Establish a process that enables people to succeed in using the platform to develop secure applications.
Build on existing people, processes and tools.
The Guiding Principles
Adopt a Secure-by-Design rather than a Secure-by-Test approach.
Enable development teams to create secure applications.
Automate as much as possible.
Reuse existing technology as much as possible.
Collaborate heavily between all stakeholders.
People
Invest in training on security skills!
Make learning a fun exercise!
Collaborate heavily (Dev, Sec, Ops) on:
• Secure design decisions
• Secure environment configuration
• Secure deployment planning
• Secure code review
Platforms
• Automate environment creation and provisioning
• Maintain parity between environments: dev, QA and production
• Automated infrastructure testing
• Be open-source aware!
Process
Build on existing risk assessment processes and policies.
Check the awareness of security policies in dev and ops teams.
Create new processes only to improve existing ones.
Change is a journey, not a sprint!
How to bring in Operations
Monitor key KPIs:
• Number of applications threat modelled / scanned for vulnerabilities
• Number of applications reviewed by architects
• Number of security requirements implemented
• Percentage of open-source libraries analysed
• Total number of critical and high vulnerabilities
• Number of penetration test vulnerabilities detected
• ….
Monitor, Feedback, Remediate and Improve
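As an added illustration (not part of the deck), the Python script below computes the KPIs listed above from a constructed application inventory and then uses them for the feedback loop: a release gate on critical/high findings and a period-over-period regression check. The record fields are assumptions, not any real tool's output format.

```python
from collections import Counter

# Constructed inventory (sample data, not real tool output): one record per
# application, as gathered from threat modelling, SAST/DAST, OSCA and pentests.
APPS = [
    {"name": "payments", "threat_modelled": True, "scanned": True,
     "reviewed_by_architect": True, "sec_reqs_implemented": 12,
     "oss_libs_total": 40, "oss_libs_analysed": 40,
     "findings": ["critical", "high", "medium"], "pentest_findings": 2},
    {"name": "portal", "threat_modelled": False, "scanned": True,
     "reviewed_by_architect": True, "sec_reqs_implemented": 5,
     "oss_libs_total": 25, "oss_libs_analysed": 10,
     "findings": ["high", "high", "low"], "pentest_findings": 0},
    {"name": "batch", "threat_modelled": False, "scanned": False,
     "reviewed_by_architect": False, "sec_reqs_implemented": 0,
     "oss_libs_total": 15, "oss_libs_analysed": 0,
     "findings": [], "pentest_findings": 1},
]

def compute_kpis(apps):
    """Monitor: the KPIs from the slide, aggregated over the inventory."""
    sev = Counter(f for a in apps for f in a["findings"])
    libs_total = sum(a["oss_libs_total"] for a in apps)
    libs_done = sum(a["oss_libs_analysed"] for a in apps)
    return {
        "apps_threat_modelled": sum(a["threat_modelled"] for a in apps),
        "apps_scanned": sum(a["scanned"] for a in apps),
        "apps_reviewed": sum(a["reviewed_by_architect"] for a in apps),
        "sec_reqs_implemented": sum(a["sec_reqs_implemented"] for a in apps),
        "oss_libs_analysed_pct": round(100 * libs_done / libs_total, 1) if libs_total else 0.0,
        "critical_high_total": sev["critical"] + sev["high"],
        "pentest_findings": sum(a["pentest_findings"] for a in apps),
    }

def release_gate(app, max_critical=0, max_high=0):
    """Feedback/Remediate: block release when unscanned or over the finding budget."""
    if not app["scanned"]:
        return False, "not scanned"
    sev = Counter(app["findings"])
    if sev["critical"] > max_critical or sev["high"] > max_high:
        return False, f"{sev['critical']} critical / {sev['high']} high open"
    return True, "ok"

def regressions(previous, current):
    """Improve: names of KPIs that moved the wrong way since the last period."""
    lower_is_better = {"critical_high_total", "pentest_findings"}
    worse = []
    for name, now in current.items():
        before = previous.get(name, now)  # no history: treat as unchanged
        if (now > before) if name in lower_is_better else (now < before):
            worse.append(name)
    return worse
```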
DevSecOps In Action
Pipeline stages: Design → Secure Coding → Source Control → Code Review → Build → Code Quality → Deploy → Testing → A/B Test → Release
Cloud-based hosting and access to application services through a cloud platform.
DevSecOps enabling tools:
• Threat Modeling (Microsoft Threat Modeller, Secure Tree)
• Secure Coding Practices (Secure Code Warrior, in-house trainings)
• Code Analysis (SonarQube, Coverity and Black Duck)
• Static Application Security Scanning (Fortify, Veracode, Coverity)
• Dynamic Application Security Scanner (Fortify, IBM AppScan, Checkmarx, Veracode)
DevOps enabling tools:
• Integrated Development Environment (Eclipse, Xcode)
• Source Code Repository (Git / Gerrit)
• Continuous Integration (Jenkins)
• Deploy (Chef, Docker, Kubernetes)
• Test (Selenium, Grid, Cucumber)
Reference Services for DevSecOps
Governance
• Maturity Assessment
• Process Engineering
Secure-By-Design
• Security Training Curriculum
• Threat Modeling
• Code Scanning Tool Integration (SAST, DAST, OSCA)
• Penetration Testing
DevSecOps Operationalization
• Monitoring and Operations
• SIEM Integration
• Infrastructure Security
Summary
DevSecOps is a cultural change encompassing people, processes and technologies.
There is no "one-size-fits-all" scenario.
New technologies and ubiquitous access across devices and platforms make application security the central focal point in software development.
DevSecOps is the new mantra in software development methodology.
For more information
SEI, Carnegie Mellon University
DevOps Blog: https://insights.sei.cmu.edu/devops
Webinar : https://www.sei.cmu.edu/publications/webinars/index.cfm
Podcast : https://www.sei.cmu.edu/publications/podcasts/index.cfm
DevSecOps: http://www.devsecops.org
Rugged Software: https://www.ruggedsoftware.org
Editor's notes
Placing Sec between Dev and Ops is the ideal way to show that one doesn't understand anything about sorting apples and oranges.