Talk DevSecOps to me: An Introduction
Michelle Ribeiro
★ CEO @ SPIRITSEC
★ InfoSec & Open Source Pro since 1999
★ DevOpsDays, LPI, Debian Project
★ Debian Security Manual & DebConf in 2004 (Ubuntu launching site)
Innovation 90%
Tech 85%
GovTech 83%
Travel 65%
Michelle Ribeiro
★ Bsc International Relations @ LSE
★ MA Diplomacy & International Studies @ UoL - Chevening Scholarship
★ Innovation Strategy @ MIT
1. What is DevSecOps?
https://www.infoq.com/presentations/devsecops-2019/
The 3 Faces of DevOps
DevOps:
1. DevOps Culture
2. DevOps Methodologies
3. DevOps Tools
The 3 Faces of DevSecOps
DevSecOps:
1. Introduce Security into DevOps Culture
2. Secure DevOps Methodologies
3. Secure DevOps Tools
Waterfall Security
★ Infosec as gatekeepers;
★ Security audits only after deploy;
★ Too much time & money.
DevOps & (Reactive) Security
★ Innovation bottleneck
★ WAF anyone?
Automated threats require automated responses
58% of web traffic comes from humans
Bad bots alone account for almost 22% of all web traffic today.
This number is only expected to increase.
Proactive Security
★ Built-in security
★ Decentralized and automated vulnerability assessments
★ Rapid feedback
★ Empower your Dev & Ops teams to make security assessments
2. Introduce Security into DevOps Culture
Shift Left
★ “You build, you secure it” (Willis, John)
★ Introduce security scans into the developer’s workflow, enabling them to find and fix vulnerabilities before the code ever leaves their hands and ensuring constant feedback;
★ Different layers of security: less cost and more innovation
Shared Ownership
★ DevOps team: 100 DEV, 10 OPS & 1 SEC
★ Security development practices
★ Shared security library
★ Container images
★ Use DevOps tools to manage security issues and events.
★ Agile Postmortem
Get Onboard with the Programme
★ DevSecOps ≠ Security as Code
★ Security as Code: automation with Ansible, Chef
★ Learn to code & use Git
★ Deep dive into the DevOps culture
★ Special attention to CI/CD & continuous feedback
3. Secure DevOps Methodologies
DevOps Methodologies
★ Microservices, APIs, CI/CD, etc, etc, etc…
★ No DevOps environment is the same as another
★ Cloud Native Security’s 4Cs:
1. Code
2. Container
3. Cluster
4. Cloud
Code - Pre build
★ SAST (Static Application Security Testing)
★ Code inspection for coding vulnerabilities, backdoors and malware
★ Brakeman
Code - Pre build
● Dependency security check - scan all dependencies of binaries and executables and ensure that these dependencies, over which we often have no control, are free from vulnerabilities or malicious binaries
Code - After Deploy
● DAST - Dynamic Application Security Testing
● A black-box security testing methodology in which an application is tested from the outside
CI/CD Platform
★ GitLab, GitHub, Azure, etc.
★ A good point to start the shared ownership strategy with Dev and Ops
★ Map their user story, how they could abuse the platform
★ If you are using a SaaS platform, you remain responsible for its security - user and role restrictions, etc.
Containers
★ Oversimplification: a VM
★ More efficiency to deliver and deploy.
★ Shared images, more security, but the host also needs to be secure
★ Be careful with publicly available images.
Containers
★ Docker containers are, by default, quite secure; especially if you run your processes as non-privileged users
★ Control Groups: Resource accounting and limiting.
★ Restrict control of your Docker daemon to only trusted users
★ Extra layer of safety: AppArmor, SELinux, GRSEC, etc
Containers
★ Clair: open source project for the static analysis of vulnerabilities in appc and Docker containers.
★ The Center for Internet Security (CIS) Docker Community Edition (CE) Benchmark: reference document designed to establish a secure configuration baseline for the Docker CE Engine.
4. Secure DevOps Technologies
DevOps Technologies
★ No DevOps Culture, Methodologies or mix of tools are the same
★ Cloud Native Computing Foundation: 1,300+ projects.
★ It’s virtually impossible to be a DevSecOps Engineer. ;)
Cluster (Kubernetes)
★ Secure as your code, container and cloud
★ Control access to the Kubernetes cluster and its API
★ Control access to the Kubelet
★ Control the capabilities of a workload or user at runtime, such as memory usage, to prevent an attack.
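The Docker and Kubernetes slides above list the controls but not what they look like in practice. This is an added example, not material from the talk: one least-privilege Kubernetes workload that applies both slides at once (non-root process, dropped capabilities, a default seccomp profile, memory and CPU limits enforced through control groups, and API access scoped by RBAC to a single ConfigMap). The namespace `shop`, the image reference and the `api-config` name are placeholders.

```yaml
# Added example (not from the talk). Placeholders: namespace "shop",
# image "registry.example/shop/api:1.4.2", ConfigMap "api-config".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api
  namespace: shop
# If the workload never calls the API, also set automountServiceAccountToken: false here.
---
# "Control access to the Kubernetes API": a namespaced Role with one verb on one
# named object, bound to the workload's own ServiceAccount (never cluster-admin).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: api-read-own-config
  namespace: shop
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["api-config"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: api-read-own-config
  namespace: shop
subjects:
  - kind: ServiceAccount
    name: api
    namespace: shop
roleRef:
  kind: Role
  name: api-read-own-config
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: shop
spec:
  replicas: 2
  selector:
    matchLabels: {app: api}
  template:
    metadata:
      labels: {app: api}
    spec:
      serviceAccountName: api
      securityContext:                 # pod level: "run your processes as non-privileged users"
        runAsNonRoot: true             # kubelet refuses to start the container as UID 0
        runAsUser: 10001
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault         # the runtime's default syscall filter (Docker's default profile)
      containers:
        - name: api
          image: registry.example/shop/api:1.4.2   # placeholder; pin a digest in real use
          ports:
            - containerPort: 8080
          securityContext:             # container level: the "extra layer of safety"
            allowPrivilegeEscalation: false        # blocks setuid/setcap gaining privileges
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]            # drop Docker's default capability set entirely
          resources:                   # "Control Groups: resource accounting and limiting"
            requests: {cpu: "100m", memory: "128Mi"}
            limits:   {cpu: "500m", memory: "256Mi"}   # memory limit: cgroup OOM-kills a runaway process
          volumeMounts:
            - name: tmp
              mountPath: /tmp          # only writable path with a read-only root filesystem
      volumes:
        - name: tmp
          emptyDir: {}
```

Apply with `kubectl apply -f` and confirm the policy holds with `kubectl auth can-i list secrets --as=system:serviceaccount:shop:api -n shop`, which should answer `no`.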
Cloud
Security in the cloud is similar to security in your on-premises data centers, only without the costs of maintaining facilities and hardware. In the cloud, you don’t have to manage physical servers or storage devices. Instead, you use software-based security tools to monitor and protect the flow of information into and out of your cloud resources.
Cloud
For this reason, cloud security is a Shared Responsibility between the customer and AWS, where customers are responsible for “security in the cloud” and AWS is responsible for “security of the cloud.”
★ Netflix's Security Monkey
★ Scout2
★ Forseti Security & cloudsploit
5. Conclusion
Conclusion
What is DevSecOps - 3 faces:
★ To introduce Security into DevOps Culture;
★ To secure DevOps Methodologies;
★ To secure DevOps Technologies;
Conclusion
★ Shift left: Empower Dev & Ops to take security measures
★ 4Cs: Code, CI/CD, Container, Cluster & Cloud
★ Devs: Learn about security development practices
★ Ops & Sec: Get onboard with the programme
First Step
GitLab’s DevSecOps Methodology Assessment
https://about.gitlab.com/resources/devsecops-methodology-assessment/
Thanks!
@michelleribeiro