Putting the Sec in DevOps
Matt Rose
Proprietary & Confidential | All Rights Reserved | 2
What Is DevOps About?
DevOps is about:
Processes
Connections
Automation
… and Tools
The DevOps cycle: Develop → Test → Deliver
Security Technologies in DEVOPS
SAST – Static Application Security Testing
IAST – Interactive Application Security Testing
DAST – Dynamic Application Security Testing
RASP – Runtime Application Self Protection
WAF – Web Application Firewall
DevOps Building Blocks
Development → CI → CD → Production
What Security Fits Where in DEVOPS
Development: SAST
CI: Incremental SAST & Open Source Analysis
CD: IAST/DAST & Pen Tests
Production: WAF/RASP
The Developer’s Process
Check-out code from SCM → Pull dependent binaries from binary repository → Develop → Compile & Test → Commit back to SCM
What is CI About?
CI is the process of integrating code into a mainline code base.
Implementing CI is, therefore, as simple as using the right tools.
What is CD About?
CD is a software development practice in which every code change goes through the entire pipeline toward the end user.
To achieve CD, you have to organize your software testing, staging and deployment processes in a way that automates them as much as possible and makes them continuous.
These processes take different forms, depending on the culture of the team and the type of app it is creating.
Continuous Delivery vs. Continuous Deployment
                        Unit Tests   Integrate   Acceptance Test   Deploy to Production
Continuous Delivery     Auto         Auto        Auto              Manual
Continuous Deployment   Auto         Auto        Auto              Auto
Both pipelines start at "Code Done"; the only difference is whether the final deployment to production is a manual decision or an automatic step.
Shift Left
The further right a project sits on the DevOps scale (the more of its pipeline is automated), the further left it should start implementing security checks.
Code done → Unit Tests → Integration → Acceptance Test → Deployment
Continuous Integration: Check-out code from SCM → Compile & Test → Full Build / Nightly Build
Security at this stage: Incremental SAST & Open Source Analysis; Dependency Check
Continuous Delivery / Deployment: Create installation package or image → Deploy on environment → End-to-end tests
Security at this stage: IAST/DAST & Pen Tests
Don’t Let Security Be the Build Breaker
When CI breaks (and it breaks) it impacts everyone and everything in the process, creating a significant delay in the release cycle.
To avoid build breaks, start implementing security before the CI stage.
If you have 365 developers and each developer breaks only a single build once a year, you have an average of one build break per day.
Build Break is a Sensitive Issue
Where Does Security Clash with the DevOps Key Requirements?
Speed
Full code scans take too long
Special requirements to initiate scans are time consuming
Stability
Build breaks have to be justifiable, therefore accuracy is key
Security Policy
Policy for:
Legacy code security findings
New code security findings
Evolving policy
Segregated policy based on vulnerability type or age
Open Source vulnerabilities policy
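The policy items above, and the requirement that every build break be justifiable, only become enforceable once they are written as a gate the pipeline can execute. The following is an added example and not code from the presentation or from any vendor product: a small policy gate that separates legacy from new-code findings, lets the policy evolve by giving legacy findings a grace period that runs out, blocks certain vulnerability types regardless of severity, and treats open source findings differently when no fixed version exists. The policy start date, grace period, severity ranks, always-block categories and the sample findings are all assumptions.

```python
"""Security policy gate for pipeline findings. Constructed example; every threshold is an assumption."""
from dataclasses import dataclass
from datetime import date

# Hypothetical policy parameters (assumptions, not from the deck).
POLICY_START = date(2024, 1, 1)   # findings first reported before this date count as legacy
LEGACY_GRACE_DAYS = 180           # legacy findings at gating severity start blocking after this
GATE = {"sast": "high", "osa": "high"}   # minimum severity that may break the build, per source
ALWAYS_BLOCK = {"sql_injection", "command_injection", "hardcoded_secret"}  # gate by type, not severity
RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    source: str            # "sast" (own code) or "osa" (open source component)
    category: str          # e.g. "sql_injection", "xss", "cve"
    severity: str          # low / medium / high / critical
    location: str          # file:line for sast, package@version for osa
    first_seen: date       # date the scanner first reported this exact finding
    fix_available: bool = True   # osa only: has a patched version been published?


def verdict(f: Finding, today: date) -> tuple[str, str]:
    """Decide 'block', 'warn' or 'ignore' for one finding and give the reason."""
    if f.category in ALWAYS_BLOCK:
        return "block", f"{f.category} blocks regardless of age or severity"
    if RANK[f.severity] < RANK[GATE[f.source]]:
        return "ignore", f"below the {GATE[f.source]} gate for {f.source} findings"
    if f.source == "osa" and not f.fix_available:
        return "warn", "no fixed version published, so a build break could not be acted on"
    if f.first_seen >= POLICY_START:
        return "block", "introduced after the policy start date (new-code finding)"
    if (today - POLICY_START).days > LEGACY_GRACE_DAYS:
        return "block", "legacy finding past its grace period"
    return "warn", "legacy finding still inside its grace period"


def gate(findings, today):
    """Run every finding through the policy. The build passes only if nothing blocks."""
    decisions = [(f, *verdict(f, today)) for f in findings]
    return not any(action == "block" for _, action, _ in decisions), decisions


# Constructed findings, shaped like what a SAST and an open source analysis tool report.
SAMPLE = [
    Finding("sast", "xss", "high", "views.py:42", date(2021, 6, 1)),              # legacy
    Finding("sast", "xss", "high", "api.py:17", date(2024, 2, 10)),               # new code
    Finding("sast", "sql_injection", "medium", "db.py:5", date(2019, 3, 3)),      # legacy, blocks by type
    Finding("sast", "xss", "medium", "forms.py:9", date(2024, 2, 12)),            # new, below the gate
    Finding("osa", "cve", "critical", "libfoo@1.2.0", date(2024, 2, 11)),         # fix published
    Finding("osa", "cve", "high", "libbar@0.9.1", date(2024, 2, 11), fix_available=False),
]

if __name__ == "__main__":
    passed, decisions = gate(SAMPLE, date(2024, 3, 1))
    for f, action, reason in decisions:
        print(f"{action:6} {f.source}:{f.location:14} {reason}")
    print("build passes" if passed else "build blocked")
```

Run on 1 March 2024 the legacy XSS only warns, the new-code XSS, the legacy SQL injection and the open source critical with a published fix block the build, and the unfixable open source finding is reported without breaking anything. Run the same findings after the grace period (for example 1 September 2024) and the legacy XSS starts blocking too, which is how the policy tightens over time without anyone editing the rules.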
The Developer’s Process
Check-out code from SCM → Pull dependent binaries from binary repository → Develop → Compile & Test → Commit back to SCM
Use SAST in the IDE to scan code before commit
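What makes a scan cheap enough to run in the IDE before commit, and incrementally in CI rather than as a full scan that takes too long, is scoping it to the lines the change actually adds. The following is an added example, not code from the presentation or from any SAST vendor: it walks a unified diff, keeps only the added lines with their line numbers in the new file, and runs a few toy regex rules over them. The rules, the file names and the diff are constructed for illustration; a real engine does data-flow analysis rather than pattern matching.

```python
"""Scan only the lines a change adds, taken from its unified diff. Constructed example with toy rules."""
import re

# Hypothetical rule set. A real SAST engine tracks data flow; these regexes only
# illustrate restricting the scan to new code.
RULES = [
    ("sql_injection", re.compile(r'f"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b')),
    ("command_injection", re.compile(r"shell\s*=\s*True")),
    ("hardcoded_secret", re.compile(r"(?i)(password|secret|token)\s*=\s*[\"'][^\"']+[\"']")),
]

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def added_lines(diff_text):
    """Yield (path, line_number_in_new_file, content) for every '+' line of a unified diff."""
    path, new_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")      # new-file header names the file
            continue
        if raw.startswith(("--- ", "diff ", "index ", "\\")):
            continue                               # headers and "\ No newline" markers
        m = HUNK_RE.match(raw)
        if m:
            new_no = int(m.group(1))               # hunk header gives the first new-file line
            continue
        if raw.startswith("+"):
            yield path, new_no, raw[1:]
            new_no += 1
        elif raw.startswith("-"):
            continue                               # removed line: exists only in the old file
        else:
            new_no += 1                            # context line: unchanged, so not re-scanned


def scan_diff(diff_text):
    """Return (path, line, rule) for each rule that fires on an added line."""
    hits = []
    for path, no, content in added_lines(diff_text):
        for rule, pattern in RULES:
            if pattern.search(content):
                hits.append((path, no, rule))
    return hits


# Constructed diff: the change rewrites a parameterized query as an f-string, adds a
# shell=True helper and rotates a hard-coded password. The untouched API_TOKEN line is
# context, so the incremental scan leaves it to the full or nightly scan.
SAMPLE_DIFF = "\n".join([
    "diff --git a/app/db.py b/app/db.py",
    "--- a/app/db.py",
    "+++ b/app/db.py",
    "@@ -1,4 +1,8 @@",
    " import sqlite3",
    "+import subprocess",
    " ",
    " def find_user(conn, name):",
    '-    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))',
    '+    return conn.execute(f"SELECT * FROM users WHERE name = \'{name}\'")',
    "+",
    "+def ping(host):",
    '+    return subprocess.run(f"ping -c 1 {host}", shell=True)',
    "diff --git a/app/settings.py b/app/settings.py",
    "--- a/app/settings.py",
    "+++ b/app/settings.py",
    "@@ -1,3 +1,3 @@",
    " DEBUG = False",
    ' API_TOKEN = "legacy-token-value"',
    '-ADMIN_PASSWORD = "changeme"',
    '+ADMIN_PASSWORD = "s3cr3t-pass"',
])

if __name__ == "__main__":
    for path, no, rule in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{no}: {rule}")
```

In a pre-commit hook the diff would come from `git diff --cached`, and in CI from the merge base of the branch. The trade-off is the one the slides describe: the developer gets fast, relevant results on the code just written, while pre-existing findings such as the `API_TOKEN` line are owned by the full build and the legacy-code policy rather than by whoever happened to touch the file next.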
Summary
Develop security policy that fits the DevOps flow
Shift Security Left
Mind Open Source
Thank you