The document discusses the principles and practices of DevSecOps. It begins with an agenda that covers DevSecOps prerequisites, foundations, roles and responsibilities, and practical tips. It discusses concepts like shifting security left, continuous integration/delivery pipelines, and the importance of collaboration across roles. It provides overviews of risk management, static and dynamic testing, feature toggles, and recommends DevSecOps training and tools from Cprime. The presentation aims to help organizations adopt DevSecOps practices to improve security and deployment processes.
4. 01 DevSecOps Prerequisites
02 Why DevSecOps? Foundations
03 Who is Responsible for DevSecOps?
04 Practical Tips for Getting Started
05 Keep the Conversation Going/Q&A
Agenda
6. • Leadership buy-in
• Commitment to cultural change
• Literacy and progress with DevOps
• Collaboration across design roles, work intake processes, testing,
security, development, and IT production staff
DevSecOps Prerequisites
12. • Traditional systems and IT
service development has relied
on a plan-driven, phase-gated
style of enterprise workflow.
• This style of managing projects
and products can work well for
physical, mission-critical work,
but doesn’t work well with
software and IT systems.
Agility
13. • Furthermore, plan-driven
work with a focus on
requirements and
documentation fails to take
advantage of a few of
software engineering’s
greatest strengths.
• Agility means quick,
adaptive, responsive cycles
of work…including a
welcoming attitude towards
changing requirements,
emergent needs, and real-
time customer feedback.
Agility
15. • Fundamentally, the DevOps
movement is about
understanding competing
incentives
• A lack of “systems thinking”
means that goals tend to get
optimized according to local,
departmental goals
• This dynamic has big
implications for security,
especially application security
DevOps
16. Originally defined in Continuous Delivery by Jez Humble and David Farley
• CI/CD pipelines usually
represent the practical
execution of DevOps
and technical agility
concepts
• The idea is to set up
progressive layers of
automation which force
software/system
features to “prove
themselves” before
progressing to the next
step towards
deployment
Software
Development
Pipelines
Freedom…
…of movement
…of actions
…of decisions
Security…
…protection against risk
…safety (of job, of employer, of money, etc.)
…defensibility against attack
Security Freedom
Security is fundamentally about understanding and managing risk
24. Condition White
• Most people live in this condition
• You are in a relaxed state and are unaware of your surroundings
• Avoid condition white!
Condition Yellow
• Still in a relaxed state, but are aware of what’s going on around you
• Be cautious (not paranoid)
• Learn to live in condition yellow!
25. • More than 6,000 online criminal marketplaces sell ransomware products
and services.
(Source: McAfee)
• 444,259 ransomware attacks took place worldwide in 2018.
(Source: Statista)
• As of 2020, hackers create 300,000 new pieces of malware daily.
(Source: McAfee)
Important Data Points
26. The bottom line:
• Observe the growth since
2016
• $3.2 million – the average
cost of a data breach in 2019
• $12 billion – the cost of
business email compromise
(BEC) in 2019
The World’s
Biggest Data
Breaches, as of
2020
27. YOU, the user, are the weakest link in
any enterprise’s security.
33. Risk identification and classification
Factors and their probabilities
Impact estimation
Risk severity
What should be fixed and when
Five places where you should look
for risk:
1. Encryption
2. Authentication
3. Logging
4. Asset management
5. Zoning and containment
Risk Review
38. OWASP Projects for SAST
• SonarQube (code quality; listed by OWASP, not itself an OWASP project)
• PHP, Java, JavaScript
• O2 Platform (.NET and Windows)
• OWASP Web Application
Protection, WAP (PHP)
• Input validation
• SQLI, XSS, RFI, LFI, DT/PT, SCD, OSC
(SQL injection, cross-site scripting, remote and local file inclusion,
directory/path traversal, source code disclosure, OS command injection)
Open Source SAST
• Bandit (Python)
• Brakeman and Codesake Dawn (Ruby)
• PMD, SpotBugs, and FindSecBugs
(Java)
• Flawfinder (C, C++)
• LGTM (C, C++, Java, JS, TypeScript,
Python; the LGTM.com service was retired in 2022, its CodeQL engine lives on in GitHub code scanning)
• Google CodeSearchDiggity (cloud)
• .NET Security Guard
• RIPS and phpcs (PHP)
• SonarQube & VisualCodeGrepper
(VCG)
Static Analysis Security Testing (SAST)
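The pipeline slide earlier describes layers of automation that make a change "prove itself" before it moves on, and the SAST slide lists the scanners that produce the evidence. What sits between the two is a gate: code that reads the scanner's report and decides pass or fail without a human in the loop. The block below is an added example, not code from the deck or from Cprime; it reads a constructed report whose shape mirrors Bandit's JSON output (a `results` list with `issue_severity`, `issue_confidence`, `test_id`, `filename`, `line_number`), and the severity/confidence thresholds and the suppression list are assumptions chosen for illustration.

```python
"""Pipeline gate that decides whether a SAST run should block a merge.

Added example. SAMPLE_REPORT is constructed to mirror the shape of
`bandit -f json` output; the thresholds and SUPPRESSIONS are illustrative
policy choices, not Bandit or Cprime defaults.
"""
import json

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample report: two findings a reviewer would act on and one
# that was triaged as acceptable and recorded in the suppression list.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "filename": "app/deploy.py", "line_number": 42,
         "issue_text": "subprocess call with shell=True identified"},
        {"test_id": "B105", "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "filename": "app/settings.py", "line_number": 7,
         "issue_text": "Possible hardcoded password"},
        {"test_id": "B303", "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
         "filename": "app/legacy/checksum.py", "line_number": 15,
         "issue_text": "Use of insecure MD5 hash function"},
    ]
})

# Findings a human has reviewed and accepted (here: MD5 used as a non-security
# checksum). Keyed by (test_id, filename) so a new MD5 use elsewhere still blocks.
SUPPRESSIONS = {("B303", "app/legacy/checksum.py")}


def evaluate_gate(report_json, min_severity="MEDIUM", min_confidence="MEDIUM",
                  suppressions=SUPPRESSIONS):
    """Return (passed, blocking, notices).

    blocking: findings at or above both thresholds and not suppressed -> fail.
    notices:  everything else, shown to the developer but not blocking, so the
              feedback loop stays quick and the noise does not bury real hits.
    """
    results = json.loads(report_json).get("results", [])
    blocking, notices = [], []
    for r in results:
        key = (r["test_id"], r["filename"])
        severe = SEVERITY_RANK[r["issue_severity"]] >= SEVERITY_RANK[min_severity]
        confident = SEVERITY_RANK[r["issue_confidence"]] >= SEVERITY_RANK[min_confidence]
        if key in suppressions or not (severe and confident):
            notices.append(r)
        else:
            blocking.append(r)
    return (len(blocking) == 0, blocking, notices)


def format_finding(r):
    """One line per finding, in the file:line form editors and CI logs link to."""
    return (f"{r['filename']}:{r['line_number']} "
            f"[{r['test_id']} {r['issue_severity']}/{r['issue_confidence']}] "
            f"{r['issue_text']}")


if __name__ == "__main__":
    passed, blocking, notices = evaluate_gate(SAMPLE_REPORT)
    for r in blocking:
        print("BLOCK  ", format_finding(r))
    for r in notices:
        print("notice ", format_finding(r))
    # Non-zero exit is what makes the CI stage fail and stops the promotion.
    raise SystemExit(0 if passed else 1)
```

Two design points matter more than the thresholds themselves: suppressions are scoped to a file, so an accepted finding does not silently accept the same pattern everywhere, and low-confidence or low-severity hits are still surfaced rather than dropped, which is what keeps "hundreds of checks sent back to dev" from turning into a gate nobody reads.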
39. • Xray & Jira Test Management - Xray helps you manage your tests in an
organized way. It lets you create tests, group them into test sets, and
create test plans.
• Snyk - Snyk is a developer security platform that integrates directly into
development tools, workflows, and automation pipelines.
Others We Like (Cprime Partners!)
40. • Validate ALL inputs
• Encode and Standardize Outputs
• Implement Authentication &
Authorization
• Manage Sessions Inside Trust
Boundaries
• Zero Trust?
• Enforce Access Control
• Implement updated Cryptography
• Handle Errors and Logs
• Protect Data
• Secure Communication Channels
• Update Systems, Secure by Default
• Secure Database Access
• Strict File Access
• Secure Memory Management
Secure Code & Secure Development Flyover
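Three of the flyover items (validate all inputs, secure database access, encode outputs) are easiest to see in one request handler with the weak form beside the hardened one. The block below is an added example, not code from the deck; the `users` table, the usernames and the `lookup_user_*` functions are constructed for illustration, and the vulnerable variant is deliberately left vulnerable to show what the hardened one prevents.

```python
"""Input validation, parameterised queries and output encoding side by side.

Added example. The in-memory SQLite schema and sample rows are constructed
here; lookup_user_vulnerable is intentionally unsafe for comparison.
"""
import html
import re
import sqlite3

# Allow-list of what a username may look like. Rejecting everything else is
# simpler and safer than trying to strip "bad" characters.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def make_db():
    """Constructed sample data; display names contain HTML metacharacters on purpose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, display_name TEXT, admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "Alice <Ops>", 1), ("bob", "Bob & Co", 0)],
    )
    return conn


def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None


def lookup_user_vulnerable(conn, name):
    """Deliberately vulnerable: query built by string formatting, output not encoded."""
    row = conn.execute(
        f"SELECT display_name FROM users WHERE name = '{name}'"
    ).fetchone()
    return f"<p>Hello {row[0]}</p>" if row else "<p>Unknown user</p>"


def lookup_user_hardened(conn, name):
    """Validate against the allow-list, bind the parameter, encode for HTML."""
    if not is_valid_username(name):
        raise ValueError("invalid username")        # reject; do not 'sanitise'
    row = conn.execute(
        "SELECT display_name FROM users WHERE name = ?", (name,)   # bound parameter
    ).fetchone()
    if row is None:
        return "<p>Unknown user</p>"
    # The encoding matches the output context (HTML body); a JS or URL context
    # would need its own encoder.
    return f"<p>Hello {html.escape(row[0])}</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "x' UNION SELECT admin FROM users WHERE name='alice"
    print(lookup_user_vulnerable(conn, probe))       # leaks another column
    print(lookup_user_hardened(conn, "alice"))       # encoded display name
    try:
        lookup_user_hardened(conn, probe)
    except ValueError as e:
        print("rejected:", e)
```

Validation happens before the query, not instead of parameter binding: the allow-list stops the injection probe at the door, but binding is what protects the query if the allow-list is later loosened, and encoding is what protects the page even when the stored value is legitimately odd.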
41. IAM Frameworks & Standards:
• Security Assertion Markup
Language (SAML 2.0)
• OpenID (today OpenID Connect, built on OAuth 2.0)
• OAuth 2.0
• WS-Trust
• WS-Federation
IAM Vendors:
• Okta
• OneLogin
• Ping
• IBM IAA
• Microsoft Azure
• Oracle Identity CS
• Amazon
IAM
Should be used as a development building block, and a component of automation
42. • Repository access
• Artifacts signing
• Encrypt everywhere
• DB role provisioning
• Granular net access
• Storage assignment
• Monitoring & alerts
How Does IAM Enable Automation?
43. • Introduce changes that can be switched
on/off without a new release
• Validate hypotheses by testing in production
• Implement A/B Testing
• Watch relevant metrics
• Disable the feature if it is disruptive
Building blocks of a toggle:
• Toggle points: the places in code where
behaviour branches on the toggle
• Toggle router: code that decides which
code path is active for each request or
execution context
• Toggle configuration: provides the context
(who gets it, when) and defines what the
toggle is expected to do
Requests to flip a toggle might come from:
• Threat modeling
• Dependency check
• CVE publication
• Security incident
• Alarm triggered by logs or events
Favorite DevOps Deployment Patterns – Feature Toggles
44. • Usually implemented with
feature toggles
• Deploy to a reduced set of
users without notification
• Watch relevant metrics and
evaluate user behavior
Favorite DevOps Deployment Patterns – Dark Launches
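The two slides above describe the same machinery from two sides: a toggle router that decides the code path per request, and a dark launch that uses that router to expose a feature to a small slice of users while the metrics are watched, with a switch that can turn it off when a security event demands it. The block below is an added example, not code from the deck or from any flag vendor; the flag configuration format, the flag names and the user ids are assumptions for illustration.

```python
"""Toggle router with a percentage dark launch and a security kill switch.

Added example. The configuration shape, flag names and user ids are
illustrative; a real system would load flags from a config store or flag
service so they can change without a release.
"""
import hashlib


def default_flags():
    """Toggle configuration: context (who gets it) and expectation (what it does)."""
    return {
        "new_checkout": {
            "enabled": True,
            "rollout_percent": 10,            # dark launch: 10% of users, unannounced
            "allow_users": {"qa-1", "qa-2"},  # internal testers always routed in
            "description": "Rewritten checkout service behind the same API",
        },
        "legacy_xml_import": {
            "enabled": True,
            "rollout_percent": 100,
            "allow_users": set(),
            "description": "Old XML importer; first candidate for the kill switch",
        },
    }


def _bucket(flag_name, user_id):
    """Stable 0-99 bucket per (flag, user): a user's cohort does not flip between
    requests, and different flags roll out to different cohorts of users."""
    digest = hashlib.sha256(f"{flag_name}:{user_id}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100


def is_enabled(flags, flag_name, user_id):
    """Toggle router: which code path is active for this request."""
    cfg = flags.get(flag_name)
    if cfg is None or not cfg["enabled"]:
        return False                  # unknown or switched-off flag: old path, even for testers
    if user_id in cfg["allow_users"]:
        return True
    return _bucket(flag_name, user_id) < cfg["rollout_percent"]


def kill_switch(flags, flag_name, reason):
    """Disable a feature immediately, e.g. from an incident runbook or an alert
    on a CVE in the feature's dependency; records why for the post-mortem."""
    flags[flag_name]["enabled"] = False
    flags[flag_name]["disabled_reason"] = reason


def rollout_share(flags, flag_name, user_ids):
    """Fraction of the given users routed to the new path (for the metrics dashboard)."""
    on = sum(1 for u in user_ids if is_enabled(flags, flag_name, u))
    return on / len(user_ids)


def checkout(flags, user_id, cart):
    """Toggle point: two implementations behind one entry point."""
    if is_enabled(flags, "new_checkout", user_id):
        return {"path": "new", "total": sum(cart.values())}
    return {"path": "legacy", "total": sum(cart.values())}


if __name__ == "__main__":
    flags = default_flags()
    users = [f"u{i}" for i in range(2000)]          # constructed user population
    print("dark-launch share:", rollout_share(flags, "new_checkout", users))
    print(checkout(flags, "qa-1", {"sku-1": 10.0}))
    kill_switch(flags, "new_checkout", "incident: payment SDK CVE")
    print(checkout(flags, "qa-1", {"sku-1": 10.0}))  # back on the legacy path
```

Hashing the flag name together with the user id is the detail that makes a dark launch measurable: the 10% cohort is stable across requests, so the metrics compare the same users before and after, and a second flag's 10% is a different set of people rather than the same early cohort absorbing every experiment.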
45. • Data flows
• Trust boundaries
• Technical debt
• Refactoring monolithic
architecture
• Application security
testing
• Testing in parallel
• Mutation testing
• Staging
• Packages
• Infrastructure as secure
code
• Incident response
• Emergency drills
• Chaos engineering
• Game days
• Blue/green deployments
• Reliability engineering
• Monitoring and
observability
• Intelligent alerts
• AIOps
• Log management
• Policy, governance and
audit
• Coding for compliance
• Change management
• Segregation of duties
• Automating change
management
And So Much More…
46. Traditional Security
• Checkbox compliance
• Security as gatekeeper of prod
• Hundreds or thousands of checks sent
back to dev teams
• 1 InfoSec expert per 10 Ops
• 1 InfoSec expert per 100 Devs
DevOps
• Shift left
• Automate testing
• Self-service tools
• Quick feedback loops
• Security training
• Security by design
Key Takeaways
47. DevSecOps Training from Cprime
• DevSecOps Boot Camp
• Application Security with Snyk
• Fundamentals of Secure Application Development
• Enterprise Test Management with Xray
Custom Coding and Integration by Cprime Studios
Cprime Studios is the software product development division of Cprime. Using
agile working methods, we team up with businesses who want to turn ideas into
reality, from the design of the software product to development, infrastructure,
and scaling.
Key Takeaways
48. DevSecOps Tooling
Cprime can help you select the right tools for:
• Automated dependency checks
• Static application security testing
• Dynamic application security testing
• Fuzz testing
• Penetration testing
• Automated security attacks
Key Takeaways
49. Connect with our
speakers on LinkedIn
Check out Cprime
upcoming webinars,
read our blog,
download
whitepapers/case
studies & more:
cprime.com/resources
Share with us what
topics you are
interested in, ask us
questions or give us
feedback!
learn@cprime.com
Keep the Conversation Going…
50. Share in the conversation & keep updated on
thought leadership, events & more!
on LinkedIn, Twitter, Facebook, & YouTube
Follow Us on Social Media