DevSecOps-The Good Bad and Ugly

•

3 recomendaciones•777 vistas

ShaoCianLin

Working experience sharing about DevSecOps and discussions

Tecnología

DevSecOps
The Good, Bad, and Ugly
DevOps TW Meetup #28

4ndersonLin
Whois
I am Anderson Lin
MaiCoin Cyber Security Engineer
AWS Certiﬁed All-5 + Sec specialty

Agenda
➔ Security and DevOps
➔ The Good
➔ The Bad
➔ The Ugly

Reality
Maybe we still need some security:
- Business about money and sensitive data
- Company policy
- Local law and regulation issue

Life cycle of DevSecOps
Build ReleaseTest
Plan Monitor
Threat modeling
SAST
Code review
Common test
DAST
Conﬁguration validation
Logging
Telemetry
Detect & response attack
Update threat model
Analysis incident

DevOps periodic table
Ref: https://digital.ai/periodic-table-of-devops-tools

Different Viewpoints
DevSecOps:
- Dev
- Sec
- Ops

Developer viewpoint
DevSecOps:
- Application static/dynamic testing in CI/CD
- Secure by design

Security viewpoint
DevSecOps:
- Policy as code
- Vulnerability, Patch
- Response

Ops viewpoint
DevSecOps:
- Reviewable infrastructure (Infra as code)
- Monitoring more items

Recap
- The life cycle
- From different viewpoint
- Dev
- Sec
- Ops
- Boss--
Ref: https://eiki.hatenablog.jp/entry/meteo_fall

The GOOD: low hanging fruit
Secure by design
Left shift of testing
- Found and ﬁx the vulnerability early
Reviewable infrastructure and policy
- IaC
- Pac
Monitoring makes response faster

The BAD: Sometimes we can solve it
Performance issue
Loss availability
Tools are good but people
- Threat modeling still need dev team’s help
- Trust issue: when the red team coming
Vulnerability of sec tools
- Exploiting image scanners by matuzg
Overdesign
Ref:
https://medium.com/@matuzg/testing-docker
-cve-scanners-part-2-5-exploiting-cve-scan
ners-b37766f73005

The UGLY: The Hardest part
Misunderstanding or Misconﬁguration = Disaster
- “... ***-WAF-Role...” ~= 80M USD
New tools not stable…
- Falco:
More false positive alarm...
Security is always lagging...
Who will take the responsibility?
Ref: https://github.com/falcosecurity/falco/issues/1403

Summary
DevSecOps
- The Good
- The Bad
- The Ugly
More than tool, process… the key is people and culture

Take away
Conference
- Blackhat
- Defcon
- DevSecCon
- DevSecOps days
- RSA
DevSecOps youtube channel
- https://www.youtube.com/channel/UCmzqpR98J4KtLj4K7RRRwEw
Tools collection
- https://github.com/devsecops/awesome-devsecops
- https://github.com/4ndersonLin/awesome-cloud-security It’s me! Please contribute!

We are Hiring
https://github.com/MaiAmis/Careers

Thanks!
Any questions?
You can ﬁnd me at
4nderson.lin@pm.me

Más contenido relacionado

La actualidad más candente

Talk to executives in IT divisions of large enterprises about security and invariably the conversation will hover around DevSecOps pipeline. Is DevSecOps the only thing you need to do for security in your IT division or is there more? What impact does bringing in secure culture in an engineering context mean? What handshake is needed between the IT function and the security / risk function for large enterprises? How does this impact roles and responsibilities of a developer? This talk is an attempt to answer questions such as these using a real world examples of transformations seen in Fortune 100 companies.

Dev week cloud world conf2021

Archana Joshi

DevSecOps : an Introduction

Prashanth B. P.

Dev secops. Real experience.

Vitaly Balashov

DevSecOps outline

Nickleus Jimenez

DevSecOps, The Good, Bad, and Ugly

4ndersonLin

Practical DevSecOps - Arief Karfianto

idsecconf

"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines enabling this transformation and the resulting benefits, including the delivery of more secure applications, lower cost of managing your security posture and full visibility into application and enterprise risks. www.cybric.io

How to Get Started with DevSecOps

CYBRIC

1.Security Controls Must Be Programmable and Automated Wherever Possible 2.Implement a Simple Risk and Threat Model for All Applications 3.Scan Custom Code, Applications and APIs 4.Scan for OSS Issues in Development 5.Treat Scripts/Recipes/Templates/Layers as Sensitive Code 6.Measure System Integrity and Ensure Correct Configuration at Load 7.Use Whitelisting on Production Systems, Including Container-Based Implementations 8.Assume Compromise; Monitor Everything; Architect for Rapid Detection and Response 9.Lock Down Production Infrastructure and Services 10.Tokenization and Payment Processing

Integrate Security into DevOps - SecDevOps

Ulf Mattsson

Abstract: See how an Ottawa company has built a SOC2 Type 2 audited software delivery system with less pain, and more value. Build security, and compliance into the way software is delivered and operated to * Make secure development easier * Provide real customer value * Avoid security theatre * Reduce security and audit bottlenecks Bio: Dag Rowe is a BA in security and compliance. Passionate about improving systems of work, he is actively involved in the local software community. Dag helps to organize the Agile Ottawa Meetup group, and the Gatineau-Ottawa Agile Tour conference.

Dev secops security and compliance at the speed of continuous delivery - owasp

Dag Rowe

DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource

DevOps Indonesia

DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes on CI and CD. DevSecOps is beyond the automatizing security testing and there are common misconceptions and roadblocks on how you can establish it successfully. Learning Objectives: 1: Identify key principles of DevSecOps and see how it relates to DevOps principles. 2: Analyze common pitfalls and see where integration security takes part in DevSecOps. 3: Demonstrate how to do “Continuous Security” by using a lifecycle approach. (Source: RSA Conference USA 2018)

Dos and Don'ts of DevSecOps

Priyanka Aash

Organizations enjoy the speed that DevOps brings to development and delivery. However, most security and compliance monitoring tools have not been able to keep up, becoming the most significant barrier to continuous delivery. Now some good news: you can easily integrate security into your existing processes to solve this challenge. In this session, Shiri Ivtsan, Senior Product Manager at WhiteSource, will discuss: - Leveraging the DevSecOps approach to help speed up security - Scaling security into your agile processes - 5 easy ways to start driving DevSecOps in your organization

The Challenges of Scaling DevSecOps

WhiteSource

Secure Your Code Implement DevSecOps in Azure

kloia

Designing a secure DevOps workflow is tough: Developers, testers, IT security teams, and managers all have different control points within the software development lifecycle. Additionally, each application in development and production has a unique profile and features. Then you have the different types of organizations which have different maturity levels and needs: Retail has different day-to-day priorities than Finance or Healthcare, although all industries are united by a need to defend against the current threat landscape of data breaches and ransomware. How do you find the right touch points? How do you build application security into your DevOps workflow successfully, turning the workflow from a process into a program?

Take Control: Design a Complete DevSecOps Program

Deborah Schalm

Strengthen and Scale Security Using DevSecOps - OWASP Indonesia

Mohammed A. Imran

DevSecOps - The big picture

Stefan Streichsbier

DevSecOps - The big picture

DevSecOpsSg

In this Practical DevSecOps's DevSecOps Live online meetup, you’ll learn DevSecOps Challenges and Opportunities. Join Mohan Yelnadu, head of application security at Prudential Insurance on his DevSecOps Journey. He will cover DevSecOps challenges he has faced and how he converted them into opportunities. He will cover the following as part of the session. DevSecOps Challenges. DevSecOps Opportunities. Converting Challenges into Opportunities. Quick wins and lessons learned. … and more useful takeaways!

[DevSecOps Live] DevSecOps: Challenges and Opportunities

Mohammed A. Imran

A journey from dev ops to devsecops

Veritis Group, Inc

DevSecOps : The Open Source Way by Yusuf Hadiwinata

Hananto Wibowo Soenarto

La actualidad más candente (20)

Dev week cloud world conf2021

DevSecOps : an Introduction

Dev secops. Real experience.

DevSecOps outline

DevSecOps, The Good, Bad, and Ugly

Practical DevSecOps - Arief Karfianto

How to Get Started with DevSecOps

Integrate Security into DevOps - SecDevOps

Dev secops security and compliance at the speed of continuous delivery - owasp

DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource

Dos and Don'ts of DevSecOps

The Challenges of Scaling DevSecOps

Secure Your Code Implement DevSecOps in Azure

Take Control: Design a Complete DevSecOps Program

Strengthen and Scale Security Using DevSecOps - OWASP Indonesia

DevSecOps - The big picture

[DevSecOps Live] DevSecOps: Challenges and Opportunities

A journey from dev ops to devsecops

DevSecOps : The Open Source Way by Yusuf Hadiwinata

Similar a DevSecOps-The Good Bad and Ugly

For federal agencies, accomplishing in just a matter of weeks IT tasks that typically take months or years may seem like a pipe dream. That’s the promise of the DevSecOps methodology. DevSecOps is a way of thinking that encourages software developers to work collaboratively with IT operations and security staff on development, testing and quality assurance to develop and deploy software more quickly and automate deployment of code, security and infrastructure changes. Commercial Cloud provides a comprehensive platform of tools, technologies and services that can enable federal agencies to realize this promise. The VA Digital Services Team (DSVA) has been leading the Department of Veterans Affairs on their journey to the cloud for the past 4 years. The initial DSVA cloud deployment was vets.gov and Caseflow on AWS. Vets.gov and Caseflow are real world examples of how modern devsecops techniques be used with existing federal ATO security requirements. In this talk, AWS and DSVA will present DevSecOps principles, best practices and lessons learned. DSVA will discuss how Vets.gov and Caseflow have implemented these techniques inside the VA. This includes applying continuous integration and continuous deployment (CI/CD) to the software development process where security checks are performed and automated to ensure compliance and ATO conformance with VA's security standards.

Successfully Implementing DEV-SEC-OPS in the Cloud

Amazon Web Services

Devops security-An Insight into Secure-SDLC

Suman Sourav

DevOps should not be thought of as a frontier where cowboy developers are free to ignore security and do what they want to. When applied appropriately, pioneering DevOps in your organization can lead to improved security outcomes across development and operations work. I’ll share real world examples how facets of DevOps culture, tools, and techniques can be directly mapped to many aspects of security.

Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...

Dan Cundiff

Strengthen and Scale Security for a dollar or less

Mohammed A. Imran

Security is tough and is even tougher to do, in complex environments with lots of dependencies and monolithic architecture. With emergence of Microservice architecture, security has become a bit easier however it introduces its own set of security challenges. This talk will showcase how we can leverage DevSecOps techniques to secure APIs/Microservices using free and open source software. We will also discuss how emerging technologies like Docker, Kubernetes, Clair, ansible, consul, vault, etc., can be used to scale/strengthen the security program for free. More details here - https://www.practical-devsecops.com/

Scale security for a dollar or less

Mohammed A. Imran

Duration : 3 days DevSecOps stands for development, security and operations. DevSecOps is a technique for advancing toward IT security. DevSecOps is essential in light of the fact that while IT framework has developed significantly in the most recent decade, there hasn't been a proportionate headway in most of security and consistence observing devices. Thusly, most apparatuses can't test code as quick as an average DevOps condition requires. DevSecOps Training Bootcamp Course by Tonex: DevSecOps Training Bootcamp is a 3-day down to earth DevSecOps course where members gain inside and out information and abilities to apply, actualize and improve IT security in present day DevOps. DevSecOps is recommended for : Security Staff IT Leadership & IT Infrastructure CIOs, CTOs and CSO Configuration Managers Developers and Application Team Members IT Operations Staff IT Project & Program Managers Product Owners and Managers Release Engineers Agile Staff and ScrumMasters Software Developers and Team Leads System Admin Course Agenda DevOps vs. DevSecOps DevOps Security Requirements DevOps Typical Security Activities Tools for Securing DevOps Principles Behind DevSecOps DevSecOps and Application Security How to DevSecOps DevSecOps Maturity Risk Management Framework (RMF), DevOps and DevSecOps Workshops and Group Activities : Workshop 1: Plan for DevSecOps Workshop 2: Secure Code Overview Workshop 3: Create a DevSecOps plan Request more information regarding DevSecOps IT Modernization Training Bootcamp. Visit tonex.com for course and workshop detail. DevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership https://www.tonex.com/training-courses/devsecops-training-bootcamp/

DevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership

Bryan Len

DevOps For Everyone: Bringing DevOps Success to Every App and Every Role in y...

Siva Rama Krishna Chunduru

SC conference - Building AppSec Teams

Dinis Cruz

Red team-view-gaps-in-the-serverless-application-attack-surface

Priyanka Aash

The DevSecOps concept is widely accepted yet its implementation at enterprise-scale presents challenges. This session will describe three challenges and software solutions that address them: 1) dozens of autonomous teams using varied tooling to build applications; 2) use of many different scanning tools and security information sources; and 3) Identity and context aware security guidance to development teams.

Building an Enterprise-scale DevSecOps Infrastructure: Lessons Learned

Prateek Mishra

Deepfence.pdf

Vishwas N

Often times, developers and auditors can be at odds. The agile, fast-moving environments that developers enjoy will typically give auditors heartburn. The more controlled and stable environments that auditors prefer to demonstrate and maintain compliance are traditionally not friendly to developers or innovation. We'll walk through how Netflix moved its PCI and SOX environments to the cloud and how we were able to leverage the benefits of the cloud and agile development to satisfy both auditors and developers. Topics covered will include shared responsibility, using compartmentalization and microservices for scope control, immutable infrastructure, and continuous security testing.

(SEC310) Keeping Developers and Auditors Happy in the Cloud

Amazon Web Services

Dev{sec}ops

Steven Carlson

DevSecOps toolchain: da Open Source a Enterprise è un attimo... o quasi! Tips & tricks per cavalcare sempre l’onda giusta nel tempestoso oceano dell’IT moderno. Andrea e Alessandro hanno parlato alle nuove leve dell'informatica di: fasi evolutive del DevOps, DevOps Platforms, da DevOps a DevSecOps, Quality scan, Security scan ma anche API Security scan, SAST & DAST. Infine hanno mostrato alcuni esempi di quanto descritto anticipando il “must have 2023” del DevSecOps.

ComeToCode 2022 - speech di Emerasoft

Emerasoft, solutions to collaborate

Much has been said about DevOps and SecDevOps for security automation and integration. However, to many in the security community, this is still a buzzword. There are many practical applications of automation in cloud security controls, however, across all security-related disciplines. This talk will delve into concrete examples of security automation in the cloud, with metrics examples, as well. (Source : RSA Conference USA 2017)

Cloud security : Automate or die

Priyanka Aash

We introduce NRE and DevNetOps with inspiration from SRE and DevOps. We get into some detail on what it means to be a Network Reliability Engineer (NRE) and implement a DevNetOps pipeline. We cover the journey from manual and basic automation in NetOps to NRE generically and with the example from the journey at Riot Games. In closing we flip the narrative and look at networking in tradition DevOps and software engineering as well to contrast networking's role in DevOps vs. DevNetOps and NRE.

Network Reliability Engineering and DevNetOps - Presented at ONS March 2018

James Kelly

Software security is often boiled down to the “OWASP Top 10,” resulting in an ineffective sense of what maturity-focused, comprehensive application security could be like. How then should an organization consider building a holistic program that seeks to grow in maturity over time? Come hear how one team has taken on this challenge and learn what has, and has not, worked on their own journey. Learning Objectives: 1: Gain real-world insight on how to realize the Security Development Lifecycle. 2: Learn approaches to make working with engineers a great experience for all. 3: Understand how to track progress and maturity without simply “bug counting.” (Source: RSA Conference USA 2018)

Realizing Software Security Maturity: The Growing Pains and Gains

Priyanka Aash

Take Control: Design a Complete DevSecOps Program

DevOps.com

All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler. This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence. From DeliveryConf 2020

Pragmatic Pipeline Security

James Wickett

Continuous Compliance and DevSecOps

Puppet

Similar a DevSecOps-The Good Bad and Ugly (20)

Successfully Implementing DEV-SEC-OPS in the Cloud

Devops security-An Insight into Secure-SDLC

Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...

Strengthen and Scale Security for a dollar or less

Scale security for a dollar or less

DevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership

DevOps For Everyone: Bringing DevOps Success to Every App and Every Role in y...

SC conference - Building AppSec Teams

Red team-view-gaps-in-the-serverless-application-attack-surface

Building an Enterprise-scale DevSecOps Infrastructure: Lessons Learned

Deepfence.pdf

(SEC310) Keeping Developers and Auditors Happy in the Cloud

Dev{sec}ops

ComeToCode 2022 - speech di Emerasoft

Cloud security : Automate or die

Network Reliability Engineering and DevNetOps - Presented at ONS March 2018

Realizing Software Security Maturity: The Growing Pains and Gains

Take Control: Design a Complete DevSecOps Program

Pragmatic Pipeline Security

Continuous Compliance and DevSecOps

Último

Tech Trends Report 2024 Future Today Institute.pdf

hans926745

Presentation on how to chat with PDF using ChatGPT code interpreter

naman860154

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Histor y of HAM Radio presentation slide

vu2urc

What are drone anti-jamming systems? The drone anti-jamming systems and anti-spoof technology protect against interference, jamming, and spoofing of the UAVs. To protect their security, countries are beginning to research drone anti-jamming systems, also known as drone strike weapons. The anti-jam and anti-spoof technology protects against interference, jamming and spoofing. A drone strike weapon is a drone attack weapon that can attack and destroy enemy drones. So what is so unique about this amazing system?

What Are The Drone Anti-jamming Systems Technology?

Antenna Manufacturer Coco

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

[2024]Digital Global Overview Report 2024 Meltwater.pdf

hans926745

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

In an era where artificial intelligence (AI) stands at the forefront of business innovation, Information Architecture (IA) is at the core of functionality. See “There’s No AI Without IA” – (from 2016 but even more relevant today) Understanding and leveraging how Information Architecture (IA) supports AI synergies between knowledge engineering and prompt engineering is critical for senior leaders looking to successfully deploy AI for internal and externally facing knowledge processes. This webinar be a high-level overview of the methodologies that can elevate AI-driven knowledge processes supporting both employees and customers. Core Insights Include: Strategic Knowledge Engineering: Delve into how structuring AI's knowledge base is required to prevent hallucinations, enable contextual retrieval of accurate information. This will include discussion of gold standard libraries of use cases support testing various LLMs and structures and configurations of knowledge base. Precision in Prompt Engineering: Learn the art of crafting prompts that direct AI to deliver targeted, relevant responses, thereby optimizing customer experiences and business outcomes. Unified Approach for Enhanced AI Performance: Explore the intersection of knowledge and prompt engineering to develop AI systems that are not only more responsive but also aligned with overarching business strategies. Guiding Principles for Implementation: Equip yourself with best practices, ethical guidelines, and strategic considerations for embedding these technologies into your business ecosystem effectively. This webinar is designed to empower business and technology leaders with the knowledge to harness the full potential of AI, ensuring their organizations not only keep pace with digital transformation but lead the charge. Join us to map a roadmap to fully leverage Information Architecture (IA) and AI chart a course towards a future where AI is a key pillar of strategic innovation and business success.

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx

Earley Information Science

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

The Raspberry Pi 5 was announced on October 2023. This new version of the popular embedded device comes with a new iteration of Broadcom’s VideoCore GPU platform, and was released with a fully open source driver stack, developed by Igalia. The presentation will discuss some of the major changes required to support this new Video Core iteration, the challenges we faced in the process and the solutions we provided in order to deliver conformant OpenGL ES and Vulkan drivers. The talk will also cover the next steps for the open source Raspberry Pi 5 graphics stack. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://eoss24.sched.com/event/1aBEx

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

Igalia

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

DevSecOps-The Good Bad and Ugly

1. DevSecOps The Good, Bad, and Ugly DevOps TW Meetup #28

2. 4ndersonLin Whois I am Anderson Lin MaiCoin Cyber Security Engineer AWS Certiﬁed All-5 + Sec specialty

3. Agenda ➔ Security and DevOps ➔ The Good ➔ The Bad ➔ The Ugly

4. Security and DevOps

6. Reality Maybe we still need some security: - Business about money and sensitive data - Company policy - Local law and regulation issue

8. Some interesting data: The trend

9. DevSecOps The Overview

10. Life cycle of DevSecOps Build ReleaseTest Plan Monitor Threat modeling SAST Code review Common test DAST Conﬁguration validation Logging Telemetry Detect & response attack Update threat model Analysis incident

11. DevOps periodic table Ref: https://digital.ai/periodic-table-of-devops-tools

12. Different Viewpoints DevSecOps: - Dev - Sec - Ops

13. Developer viewpoint DevSecOps: - Application static/dynamic testing in CI/CD - Secure by design

14. Security viewpoint DevSecOps: - Policy as code - Vulnerability, Patch - Response

15. Ops viewpoint DevSecOps: - Reviewable infrastructure (Infra as code) - Monitoring more items

16. Recap - The life cycle - From different viewpoint - Dev - Sec - Ops - Boss-- Ref: https://eiki.hatenablog.jp/entry/meteo_fall

17. DevSecOps The GOOD

18. The GOOD: low hanging fruit Secure by design Left shift of testing - Found and ﬁx the vulnerability early Reviewable infrastructure and policy - IaC - Pac Monitoring makes response faster

19. DevSecOps The BAD

20. The BAD: Sometimes we can solve it Performance issue Loss availability Tools are good but people - Threat modeling still need dev team’s help - Trust issue: when the red team coming Vulnerability of sec tools - Exploiting image scanners by matuzg Overdesign Ref: https://medium.com/@matuzg/testing-docker -cve-scanners-part-2-5-exploiting-cve-scan ners-b37766f73005

21. DevSecOps The UGLY

22. The UGLY: The Hardest part Misunderstanding or Misconﬁguration = Disaster - “... ***-WAF-Role...” ~= 80M USD New tools not stable… - Falco: More false positive alarm... Security is always lagging... Who will take the responsibility? Ref: https://github.com/falcosecurity/falco/issues/1403

23. Summary

24. Summary DevSecOps - The Good - The Bad - The Ugly More than tool, process… the key is people and culture

25.

26. Take away Conference - Blackhat - Defcon - DevSecCon - DevSecOps days - RSA DevSecOps youtube channel - https://www.youtube.com/channel/UCmzqpR98J4KtLj4K7RRRwEw Tools collection - https://github.com/devsecops/awesome-devsecops - https://github.com/4ndersonLin/awesome-cloud-security It’s me! Please contribute!

27. We are Hiring https://github.com/MaiAmis/Careers

28. Thanks! Any questions? You can ﬁnd me at 4nderson.lin@pm.me

DevSecOps-The Good Bad and Ugly

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a DevSecOps-The Good Bad and Ugly

Similar a DevSecOps-The Good Bad and Ugly (20)

Último

Último (20)

DevSecOps-The Good Bad and Ugly