Page 1
AD39 DevOps Engineering 11:30 AM
AD39 - Making the Jump from DevOps to DevSecOps
Presented by: Alan Crouch, Coveros
Brought to you by:
888-268-8770 · 904-278-0524 - [email protected] - https://agiledevopswest.techwell.com/
Page 2
Alan Crouch
Alan Crouch is a Managing Consultant with Coveros, Inc., which helps companies build better applications using agile, DevOps, and security best practices. Alan works with C-level and senior management at private companies and federal agencies to transform and adopt more Agile/DevSecOps practices when building and deploying mission-critical software. He has assessed, designed and implemented multiple custom DevSecOps pipelines utilizing Cloud technologies for clients such as Symantec, the Departments of Homeland Security and Health and Human Services, Appian, and mobile start-ups. Spare time finds Alan traveling the globe and creating adventures for his son and daughter. Follow Alan on Twitter @coveros_alan.
Page 3
MAKING THE JUMP FROM DEVOPS TO DEVSECOPS
Alan Crouch
@RealAlanCrouch
Page 4
HELLO!
I’m Alan Crouch. I am here at Agile + DevOps West because I’m passionate about building software efficiently and securely.
You can find me at @RealAlanCrouch
Page 5
MY BACKGROUND
EDUCATION: Graduated from JMU with a Master’s in Secure Software Development
LAZY DEV: Developer for mission-critical systems
INFOSEC: Ran a CISO Office
AGILE/DEVOPS: Started doing work in the Agile/DevOps space
DEVSECOPS: DevSecOps Advocate
Page 6
“DevOps is a set of software development practices that combine software development (DEV) and operations (OPS) to shorten the SDLC while delivering frequently to meet business objectives.”
- Wikipedia
Page 7
HOW DOES THIS TRANSLATE?
▪ “We just do the same thing faster!”
▪ “Where can we buy this DevOps thing?”
▪ “We need to create a DevOps team!”
▪ “We just need to make the Devs AWS Admins!”
▪ “We need to create a DevOps manual all our teams must follow!”
Page 8
WHAT I TYPICALLY SEE:
(diagram) Development | Operations | Test / QA
Page 9
OK, LET’S BE HONEST… 😂
(diagram) Development | Operations | Test / QA | Security | DevOps
Page 10
SECURITY IN LEGACY SDLC
Threat Analysis
Static Analysis
Code Review
SAST
DAST
Penetration Testing
Monitoring
Binary Analysis
Network Testing
Governance Audit
Security is focused at the end.
Page 11
DEVSECOPS
Fulfilling the promise of DevOps
Page 12
“DevSecOps is a set of software development practices that combines ALL aspects of the software development lifecycle while delivering features, fixes, and updates frequently to meet business objectives.”
Page 13
3 STEPS TO ACCOMPLISH DEVSECOPS
Part of the Team: The IT Security Office needs to be part of the team.
“Shift Left”: Security testing needs to start earlier in the DevOps Pipeline.
Scalable Security: Infrastructure in support of security testing needs to scale with your team and pipeline.
Page 14
1. MAKE SECURITY PART OF THE TEAM
Step 1: People
Page 15
72% of developers see security as “nags” over delivery partners
2019 Sonatype DevSecOps Survey
Page 16
CHALLENGES
▪ Security lacks development context
▪ Development lacks security knowledge
▪ Design and implementation drift
▪ Hurt feelings
▪ No shared goals
▪ Uncertainty of true risk profile
Page 17
THIS IS THE HARDEST PART
▪ Create security champions
▪ Knowledge sharing by working together
▪ Commit to meeting together frequently
Page 18
CONVINCING SECURITY TO JOIN THE DEVSECOPS JOURNEY
DEVSECOPS IS A SECURITY ENABLER
By leveraging automation and fixing issues sooner, Security can focus on the cooler stuff that they say they want to do.
DEVSECOPS GIVES GREATER CONTEXT
Spending more time with the team allows you to build better confidence in the risk profile and make more informed recommendations.
DEVSECOPS REDUCES EXPOSURE TIME
We can stop focusing on the number of issues and start focusing on how long we’re exposed.
DEVSECOPS PROVIDES BETTER GOVERNANCE
Treating everything as code leads to easier auditability. No questions. Just look at our process in Jenkins!
Page 19
2. SHIFT SECURITY LEFT
Step 2: Process
Page 20
MAKING IT HAPPEN
▪ Automation is your friend
▪ Use quality gates to drive quantitative decision making
▪ Continuously improve your process
▪ Expect development to make changes to accommodate security
Page 21
TRANSFORMATION IN ACTION
1. Automate what you’re doing right now.
2. Tune what you have to get rid of the noise.
3. Identify new ways to start security testing earlier or faster.
4. Iterate and continuously improve.
Page 22
VISUALIZING IT
(image)

Page 23
VISUALIZING IT
(image)
Page 24
TRANSFORMATION IN ACTION
(diagram) Pipeline environments: DEV | STAGE | PROD. The diagram is built up over slides 24 to 31; each slide adds the tests listed below.

Page 25
TRANSFORMATION IN ACTION (DEV | STAGE | PROD)

Page 26
TRANSFORMATION IN ACTION (DEV | STAGE | PROD)
Added: Regression, Performance/Load, DAST

Page 27
TRANSFORMATION IN ACTION (DEV | STAGE | PROD)
Added: Smoke, Feature, Deployment, SAST

Page 28
TRANSFORMATION IN ACTION (DEV | STAGE | PROD)
Added: Unit, Static Code Analysis, Binary Analysis

Page 29
TRANSFORMATION IN ACTION (DEV | STAGE | PROD)
Added: Network Security, Availability, Infrastructure Security, Security Feature, Threat Analysis

Page 30
TRANSFORMATION IN ACTION (DEV | STAGE | PROD)
Added: Penetration, Chaos, Proxy DAST, IAST

Page 31
TRANSFORMATION IN ACTION (DEV | STAGE | PROD)
Added: Monitoring, Threat Modeling, Code Review, Secure Coding
Full set of tests along the pipeline: Unit, Static Code Analysis, Binary Analysis, Threat Analysis, Threat Modeling, Code Review, Secure Coding, Smoke, Feature, Deployment, SAST, Infrastructure Security, Security Feature, Proxy DAST, IAST, Regression, Performance/Load, DAST, Network Security, Availability, Penetration, Chaos, Monitoring
Page 32
PRO TIPS
When considering what tests to select: Be choosey. Don’t try to force tests that don’t make sense for your application or business.
Understand the two different types of quality gates. Decide whether your gate is just for information gathering (qualitative decision) or blocking (quantitative decision).
A bug is a bug is a bug. Treat all defects the same. Log security defects just like any other bugs, track them, prioritize them, and fix them.
Page 33
WHAT MAKES UP A GOOD PIPELINE
1. Code Review
2. Continuous Integration with Unit Tests and Static Code Analysis
3. Automated Deployment and Configuration Management
4. Quality Gate #1: Smoke tests & Static App Sec Testing
5. Quality Gate #2: Integration tests & Performance/Load Testing
6. Quality Gate #3: Regression tests & Dynamic App Sec Testing
7. Continuous Monitoring
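The slides on pages 21, 32 and 33 describe the same mechanism from three angles: tune out the noise, decide per gate whether it is informational or blocking, treat every finding as an ordinary bug, and order the gates as the pipeline does. The following is an added example, not code from the talk or from Coveros, showing those rules in one small evaluator. The names `Finding`, `Gate`, `run_pipeline` and the sample findings and triage baseline are this example's own constructed assumptions; the three gates mirror Quality Gates #1 to #3 above.

```python
"""Quality-gate evaluator for a three-gate DevSecOps pipeline (added example)."""
from dataclasses import dataclass
from datetime import date

# One severity scale for every tool, so a SAST finding and a failing
# performance budget are ranked and ticketed the same way.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str          # which pipeline test produced it: "sast", "dast", "perf", ...
    rule: str          # tool rule or test name
    location: str      # file:line, URL path or endpoint
    severity: str      # key of SEVERITY_RANK
    first_seen: date   # when the pipeline first reported it (drives exposure time)

    @property
    def fingerprint(self) -> str:
        # Stable identity used to match a finding against the triage baseline.
        return f"{self.tool}:{self.rule}:{self.location}"


@dataclass(frozen=True)
class Gate:
    name: str
    tools: tuple            # which tools' findings this gate evaluates
    blocking: bool          # True: quantitative, can fail the build; False: informational
    fail_at: str = "high"   # lowest severity that fails a blocking gate


@dataclass
class GateResult:
    gate: str
    blocking: bool
    passed: bool
    live: list              # findings reported by this gate, baseline removed
    suppressed: int         # findings tuned out by the baseline (the "noise")
    max_exposure_days: int  # age of the oldest live finding


def evaluate_gate(gate: Gate, findings: list, baseline: set, today: date) -> GateResult:
    relevant = [f for f in findings if f.tool in gate.tools]
    live = [f for f in relevant if f.fingerprint not in baseline]
    failing = [f for f in live
               if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[gate.fail_at]]
    # An informational gate never fails the build; a blocking gate fails on
    # any live finding at or above its threshold.
    passed = not (gate.blocking and failing)
    exposure = max(((today - f.first_seen).days for f in live), default=0)
    return GateResult(gate.name, gate.blocking, passed, live,
                      len(relevant) - len(live), exposure)


def run_pipeline(gates: tuple, findings: list, baseline: set, today: date) -> list:
    """Evaluate gates in pipeline order; a failed blocking gate stops the run."""
    results = []
    for gate in gates:
        result = evaluate_gate(gate, findings, baseline, today)
        results.append(result)
        if not result.passed:
            break
    return results


def as_bug_tickets(results: list) -> list:
    """One ticket per live finding, same shape whether or not the tool is a security tool."""
    return [{"title": f"[{f.tool}] {f.rule} at {f.location}",
             "severity": f.severity, "gate": r.gate,
             "first_seen": f.first_seen.isoformat()}
            for r in results for f in r.live]


# Constructed sample run (assumption): gates mirror Quality Gates #1 to #3.
PIPELINE = (
    Gate("Gate 1: smoke + SAST", ("smoke", "sast"), blocking=True, fail_at="high"),
    Gate("Gate 2: integration + performance/load", ("integration", "perf"), blocking=False),
    Gate("Gate 3: regression + DAST", ("regression", "dast"), blocking=True, fail_at="medium"),
)
TODAY = date(2019, 6, 5)
SAMPLE_FINDINGS = [
    Finding("sast", "sql-injection", "app/db.py:42", "high", date(2019, 6, 4)),
    Finding("sast", "hardcoded-secret", "tests/fixtures.py:7", "medium", date(2019, 5, 1)),
    Finding("perf", "p95-latency-budget", "/search", "medium", date(2019, 6, 5)),
    Finding("dast", "missing-csp-header", "/", "low", date(2019, 5, 20)),
]
# Triage baseline (constructed): the "secret" is a test fixture accepted after review.
BASELINE = {"sast:hardcoded-secret:tests/fixtures.py:7"}

if __name__ == "__main__":
    for r in run_pipeline(PIPELINE, SAMPLE_FINDINGS, BASELINE, TODAY):
        status = "PASS" if r.passed else "FAIL"
        print(f"{r.gate}: {status} live={len(r.live)} suppressed={r.suppressed} "
              f"exposure={r.max_exposure_days}d")
```

With the sample data the first blocking gate fails on the high-severity SAST finding and the later gates never run; once that finding is removed all three gates pass, the informational performance gate still reports its finding, and the exposure-time column shows the DAST finding has been open for sixteen days, which is the number the talk suggests watching rather than the raw count.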
Page 34
3. MAKE SECURITY SCALABLE
Step 3: Technology
Page 35
91% of mature DevSecOps teams utilize containers for scalability
82% of mature DevSecOps teams utilize automation to integrate security
78% of mature DevSecOps teams have complete auditability of changes
2019 Sonatype DevSecOps Survey
Page 36
SECURITY NEEDS DEVELOPMENT HELP
▪ Publish artifacts, reports, and metrics for every release
▪ Scale testing infrastructure by using containers
▪ Select tools that decentralize security from one unicorn to the entire team
▪ Develop mechanisms to make security everyone’s responsibility
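Publishing artifacts, reports and metrics for every release (page 36) is what makes the "just look at our process" auditability of page 18 and the "complete auditability of changes" figure on page 35 hold up later: an auditor needs to check that the reports they are shown are the ones the pipeline produced. The following is an added example, not code from the talk or from any pipeline product, that writes a hash-anchored release manifest and verifies it afterwards. The report names, metrics, release number and the commit placeholder are constructed assumptions.

```python
"""Release evidence manifest: publish and later verify reports and metrics (added example)."""
import hashlib
import json

# Constructed release evidence: what a pipeline would have on disk after a run.
SAMPLE_EVIDENCE = {
    "sast-report.json": b'{"tool":"sast","findings":[{"rule":"sql-injection","severity":"high"}]}',
    "dast-report.json": b'{"tool":"dast","findings":[]}',
    "unit-tests.xml": b'<testsuite tests="120" failures="0"/>',
}
SAMPLE_METRICS = {"tests_passed": 120, "open_high_findings": 1, "max_exposure_days": 1}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic JSON so the same manifest always hashes to the same value.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(release: str, commit: str, evidence: dict, metrics: dict,
                   built_at: str) -> dict:
    """Record every published artifact by name, size and SHA-256, plus the release metrics."""
    entries = {name: {"sha256": sha256_hex(blob), "bytes": len(blob)}
               for name, blob in sorted(evidence.items())}
    manifest = {"release": release, "commit": commit, "built_at": built_at,
                "metrics": metrics, "evidence": entries}
    # One hash over the whole manifest: this is the value to copy into the
    # CI log or release ticket (or to sign) so the manifest itself is tamper-evident.
    manifest["manifest_sha256"] = sha256_hex(canonical(manifest))
    return manifest


def verify_manifest(manifest: dict, evidence: dict) -> list:
    """Return a list of problems; an empty list means the evidence matches the manifest."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256_hex(canonical(body)) != manifest.get("manifest_sha256"):
        problems.append("manifest hash mismatch")
    for name, entry in manifest["evidence"].items():
        if name not in evidence:
            problems.append(f"missing artifact: {name}")
        elif sha256_hex(evidence[name]) != entry["sha256"]:
            problems.append(f"modified artifact: {name}")
    for name in evidence:
        if name not in manifest["evidence"]:
            problems.append(f"unlisted artifact: {name}")
    return problems


if __name__ == "__main__":
    # "0000000" stands in for the real commit id (placeholder, not a real value).
    manifest = build_manifest("1.4.0", "0000000", SAMPLE_EVIDENCE, SAMPLE_METRICS,
                              "2019-06-05T11:30:00Z")
    print(json.dumps(manifest, indent=2))
    print("verification problems:", verify_manifest(manifest, SAMPLE_EVIDENCE))
```

The manifest hash only proves something if it is recorded somewhere the build artifacts cannot silently rewrite, for example in the CI log, the release ticket, or under a signature; the example stops at producing the value to record.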
Page 37
TOOLS & TECH
DevOps – Creating value, more frequently
DevSecOps – Creating Trust & Confidence
Page 38
(image)
Page 39
COMMON PITFALLS
▪ Avoid one-size-fits-all approaches
▪ Don’t focus on your traditional metrics
▪ Security defects should be more like a security “recall”
▪ You can’t get past training
Page 40
“DevSecOps is fundamentally about providing certainty to security by working collaboratively to deliver valuable software.”
- Alan Crouch
Page 41
THANKS!
Any questions?
You can find me at: @[email protected]
Join me on the TechWell Hub: hub.techwell.com
Page 42
CREDITS
Special thanks to all the people who helped make this presentation possible:
▪ Presentation template by SlidesCarnival
▪ Techwell & Agile DevOps West
▪ You!