The document discusses the principles and practices of DevSecOps. It begins with an agenda that covers DevSecOps prerequisites, foundations, roles and responsibilities, and practical tips. It discusses concepts like shifting security left, continuous integration/delivery pipelines, and the importance of collaboration across roles. It provides overviews of risk management, static and dynamic testing, feature toggles, and recommends DevSecOps training and tools from Cprime. The presentation aims to help organizations adopt DevSecOps practices to improve security and deployment processes.

1. ©2022 Cprime, Inc. All rights reserved and no copying without express written permission. cprime.com | 877.800.5221

2. The What, Why, and How of DevSecOps
The time is now to shift left in security

3. Chris Knotts
Cprime Learning Product Director
linkedin.com/in/chris-knotts/
Speaker

4. 01 DevSecOps Prerequisites
02 Why DevSecOps? Foundations
03 Who is Responsible for DevSecOps?
04 Practical Tips for Getting Started
05 Keep the Conversation Going/Q&A
Agenda

5. Part 1
DevSecOps Prerequisites

6. • Leadership buy-in
• Commitment to cultural change
• Literacy and progress with DevOps
• Collaboration across design roles, work intake processes, testing,
security, development, and IT production staff
DevSecOps Prerequisites

7. Executive Buy-In

8. Commitment to
Cultural Change

9. Literacy and Progress With DevOps

10. Collaboration Across
Design Roles, Work
Intake Processes,
Testing, Security,
Development, and IT
Production Staff

11. Part 2
DevSecOps Foundations

12. • Traditional systems and IT
service development has relied
on a plan-driven, phase-gated
style of enterprise workflow.
• This style of managing projects
and products can work well for
physical, mission-critical work,
but doesn’t work well with
software and IT systems.
Agility

13. • Furthermore, plan-driven
work with a focus on
requirements and
documentation fails to take
advantage of a few of
software engineering’s
greatest strengths.
• Agility means quick,
adaptive, responsive cycles
of work…including a
welcoming attitude towards
changing requirements,
emergent needs, and real-
time customer feedback.
Agility

14. Agility

15. • Fundamentally, the DevOps
movement is about
understanding competing
incentives
• A lack of “systems thinking”
means that goals tend to get
optimized according to local,
departmental goals
• This dynamic has big
implications for security,
especially application security
DevOps

16. Originally defined in Continuous Delivery by Jez Humble and David Farley
• CI/CD pipelines usually
represent the practical
execution of DevOps
and technical agility
concepts
• The idea is to set up
progressive layers of
automation which force
software/system
features to “prove
themselves” before
progressing to the next
step towards
deployment
Software
Development
Pipelines

17. Systems Thinking

18. What is a “Shift Left”?

19. Requirements
/Design Dev
Testing
& QA
Release/
Deploy
Ops &
Maintenance
Feature or
business
need
Delivery
Feedback?
What is a “Shift Left”?

20. Requirements
/Design Dev
Testing
& QA
Release/
Deploy
Ops &
Maintenance
Feature or
business
need
Delivery
Feedback?
Shifting Left: Planning and Including Downstream Functions Earlier

21. Business
unit
constructs
Feature or
business
need
PMO
Project management
Delivery
Risk/security
Feedback?
Requirements
/Design Dev
Testing
& QA
Release/
Deploy
Ops &
Maintenance

22. Security is fundamentally about
understanding and managing risk

23. …of movement
…of actions
…of decisions
…protection against risk
…safety (of job, of employer, of money, etc.)
…defensibility against attack
Security Freedom
Security is fundamentally about understanding and managing risk

24. Condition White
• Most people live in this condition
• You are in a relaxed state and are unaware of your surroundings
• Avoid condition white!
Condition Yellow
• Still in a relaxed state, but are aware of what’s going on around you
• Be cautious (not paranoid)
• Learn to live in condition yellow!

25. • More than 6,000 online criminal marketplaces sell ransomware products
and services.
(Source: McAfee)
• 444,259 ransomware attacks took place worldwide in 2018.
(Source: Statista)
• As of 2020, Hackers create 300,000 new pieces of malware daily.
(Source: McAfee)
Important Data Points

26. The bottom line:
• Observe the growth since
2016
• $3.2 million – the average
cost of a data breach in 2019
• $12 billion – the cost of
business email compromise
(BEC) in 2019
The World’s
Biggest Data
Breaches, as of
2020

27. YOU, the user, are the weakest link in
any enterprise’s security.

28. Part 3
Who is responsible for DevSecOps?

29. DevSecOps Roles

30. Decision Makers

31. Feedback: Measurement, improvement
Requirements
/Design Dev
Testing
& QA
Release/
Deploy
Ops &
Maintenance
Feature or
business
need
Delivery
Security
DevSecOps Roles

32. Part 4
Practical tips for getting started

33. Risk identification and classification
Factors and their probabilities
Impact estimation
Risk severity
What should be fixed and when
Five places where you should look
for risk:
1. Encryption
2. Authentication
3. Logging
4. Asset management
5. Zoning and containment
Risk Review

34. Threat Factors:
• Skill level
• Motive
• Opportunity
• Size
Vulnerability Factors:
• Ease of discovery
• Ease of exploit
• Awareness
• Intrusion detection
Risk Review

35. Business Impact Factors:
• Financial damage
• Reputation damage
• Non-compliance
• Privacy violation
Technical Impact Factors:
• Confidentiality
• Integrity
• Availability
• Accountability
Risk Review

36. Prioritize Testing for Risk
• Identify assets
• Identify threats
• Identify vulnerabilities
Prioritize vulnerabilities using methods :
• Damage, reproducibility, exploitability, affected users,
and discoverability (DREAD)
• Spoofing, Tampering, Repudiation, Denial of Service,
Information Disclosure and Elevation of Privilege
DevSecOps and Testing

37. Priorities:
• Compiling steps (dependencies)
• Framework analysis (like Spring)
• Pattern matching
• Control flow
• Data flow (e.g., untrusted inputs)
• Taint and string analysis
Static Analysis Security Testing (SAST)

38. OWASP Projects for SAST
• SonarQube (code quality)
• PHP, Java, JavaScript
• O2 (.NET and Windows)
• OWASP Web Application
Protection (PHP)
• Input validation
• SQLI, XSS, RFI, LFI, DT/PT, SCD,
OSC
Open Source SAST
• Bandit (Python)
• Brakeman and Codesake Dawn (Ruby)
• PMD, SpotBugs, and FindSecBugs
(Java)
• Flawfinder (C, C++,)
• LGTM (C, C++, Java, JS, TypeScrypt,
Python)
• Google CodeSearchDiggity (cloud)
• .NET Security Guard
• RIPS and phpcs (PHP)
• SonarQube & VisualCodeGrepper
(VCG)
Static Analysis Security Testing (SAST)

39. • Xray & Jira Test Management - Xray helps you manage your tests in an
organized way. It lets you create tests, group them into test sets, and
create test plans.
• Snyk - Snyk is a developer security platform. Integrating directly into
development tools, workflows, and automation pipelines.
Others We Like (Cprime Partners!)

40. • Validate ALL inputs
• Encode and Standardize Outputs
• Implement Authentication &
Authorization
• Manage Sessions Inside Trust
Boundaries
• Zero Trust?
• Enforce Access Control
• Implement updated Cryptography
• Handle Errors and Logs
• Protect Data
• Secure Communication Channels
• Update Systems, Secure by Default
• Secure Database Access
• Strict File Access
• Secure Memory Management
Secure Code & Secure Development Flyover

41. IAM Frameworks & Standards:
• Security Assertion Markup
Language (SAML 2.0)
• OpenID
• OAuth
• WS-Trust
• WS-Federation
IAM Vendors:
• Okta
• OneLogin
• Ping
• IBM IAA
• Microsoft Azure
• Oracle Identity CS
• Amazon
IAM
Should be used as a development building block, and a component of automation

42. • Repository access
• Artifacts signing
• Encrypt everywhere
• DB role provisioning
• Granular net access
• Storage assignment
• Monitoring & alerts
How Does IAM Enable Automation?

43. • Introduce changes that can be switched
on/off without a new release
• Validate hypothesis, testing in production
• Implement A/B Testing
• Watch relevant metrics
• Disable feature if it’s disruptive
Type of toggles:
• Toggle points: Breakpoints to switch
on/off
• Toggle router: Code that chooses what
code path is active for each runtime
thread.
• Toggle configuration: Provide context,
define expectation on what it does.
Requests might be an outcome from:
• Threat modeling
• Dependency check
• CVE publication
• Security incident
• Alarm triggered by logs or events
Favorite DevOps Deployment Patterns – Feature Toggles

44. • Usually implemented with
feature toggles
• Deploy to a reduced set of
users without notification
• Watch relevant metrics and
evaluate user behavior
Favorite DevOps Deployment Patterns – Dark Launches

45. • Data flows
• Trust boundaries
• Technical debt
• Refactoring monolithic
architecture
• Application security
testing
• Testing in parallel
• Mutation testing
• Staging
• Packages
• Infrastructure as secure
code
• Incident response
• Emergency drills
• Chaos engineering
• Game days
• Blue/green deployments
• Reliability engineering
• Monitoring and
observability
• Intelligent alerts
• AIOps
• Log management
• Policy, governance and
audit
• Coding for compliance
• Change management
• Segregation of duties
• Automating change
management
And So Much More…

46. • Checkbox compliance
• Security as gatekeeper of prod
• Hundreds or thousands of checks sent
back to dev teams
• 1 InfoSec expert per 10 Ops
• 1 InfoSec expert per 100 Devs
• Shift left
• Automate testing
• Self-service tools
• Quick feedback loops
• Security training
• Security by design
Key Takeaways
DevOps
Traditional Security

47. DevSecOps Training from Cprime
• DevSecOps Boot Camp
• Application Security with Snyk
• Fundamentals of Secure Application Development
• Enterprise Test Management with Xray
Custom Coding and Integration by Cprime Studios
Cprime Studios is the software product development division of Cprime. Using
agile working methods, we team up with businesses who want to turn ideas into
reality, from the design of the software product to development, infrastructure,
and scaling.
Key Takeaways

48. DevSecOps Tooling
Cprime can help you select the right tools for:
• Automated dependency checks
• Static application security testing
• Dynamic application security testing
• Fuzz testing
• Penetration testing
• Automated security attacks
Key Takeaways

49. Connect with our
speakers on LinkedIn
Check out Cprime
upcoming webinars,
read our blog,
download
whitepapers/case
studies & more:
cprime.com/resources
Share with us what
topics you are
interested in, ask us
questions or give us
feedback!
learn@cprime.com
Keep the Conversation Going…

50. Share in the conversation & keep updated on
thought leadership, events & more!
on LinkedIn, Twitter, Facebook, & YouTube
Follow Us on Social Media

51. QUESTIONS?
cprime.com | 877.800.5221
Thank You
cprime.com | 877.800.5221