AD39 - Making the Jump from DevOps to DevSecOps - - PDF document


AD39 DevOps Engineering 11:30 AM AD39 - Making the Jump from DevOps to DevSecOps Presented by: Alan Crouch


slide-1
SLIDE 1

AD39 · DevOps Engineering · 11:30 AM

AD39 - Making the Jump from DevOps to DevSecOps

Presented by: Alan Crouch, Coveros

Brought to you by: 888-268-8770 · 904-278-0524 · info@techwell.com · https://agiledevopswest.techwell.com/
slide-2
SLIDE 2

Alan Crouch

Alan Crouch is a Managing Consultant with Coveros, Inc., which helps companies build better applications using agile, DevOps, and security best practices. Alan works with C-level and senior management at private companies and federal agencies to transform and adopt more Agile/DevSecOps practices when building and deploying mission-critical software. He has assessed, designed and implemented multiple custom DevSecOps pipelines utilizing Cloud technologies for clients such as Symantec, Departments of Homeland Security, Health and Human Services, Appian and mobile start-ups. Spare time finds Alan traveling the globe and creating adventures for his son and daughter. Follow Alan on Twitter @coveros_alan.
slide-3
SLIDE 3

MAKING THE JUMP FROM

DEVOPS TO DEVSECOPS

Alan Crouch

@RealAlanCrouch

slide-4
SLIDE 4

HELLO!

I’m Alan Crouch.

I am here at Agile + DevOps West because I’m passionate about building software efficiently and securely.

You can find me at @RealAlanCrouch
slide-5
SLIDE 5

MY BACKGROUND

▪ EDUCATION: Graduated from JMU with a Master’s in Secure Software Development
▪ LAZY DEV: Developer for mission-critical systems
▪ INFOSEC: Ran a CISO Office
▪ AGILE/DEVOPS: Started doing work in the Agile/DevOps space
▪ DEVSECOPS: DevSecOps Advocate
slide-6
SLIDE 6

DevOps is a set of software development practices that combine software development (Dev) and operations (Ops) to shorten the SDLC while delivering frequently to meet business objectives.

– Wikipedia
slide-7
SLIDE 7

HOW DOES THIS TRANSLATE?

▪ “We just do the same thing faster!”
▪ “Where can we buy this DevOps thing?”
▪ “We need to create a DevOps team!”
▪ “We just need to make the Devs AWS Admins!”
▪ “We need to create a DevOps manual all our teams must follow!”
slide-8
SLIDE 8

WHAT I TYPICALLY SEE:

(Diagram labels: Operations, Development, Test / QA)

slide-9
SLIDE 9

OK, LET’S BE HONEST…😃

(Diagram labels: Operations, Development, Security, Test / QA, DevOps)

slide-10
SLIDE 10

SECURITY IN LEGACY SDLC

Threat Analysis · Static Analysis · Code Review · SAST · DAST · Penetration Testing · Monitoring · Binary Analysis · Network Testing · Governance · Audit

Security is focused at the end.

slide-11
SLIDE 11

DEVSECOPS

Fulfilling the promise of DevOps

slide-12
SLIDE 12

DevSecOps is a set of software development practices that combines ALL aspects of the software development lifecycle while delivering features, fixes, and updates frequently to meet business objectives.
slide-13
SLIDE 13

3 STEPS TO ACCOMPLISH DEVSECOPS

▪ Part of the Team: The IT Security Office needs to be part of the team.
▪ “Shift Left”: Security testing needs to start earlier in the DevOps Pipeline.
▪ Scalable Security: Infrastructure in support of security testing needs to scale with your team and pipeline.

slide-14
SLIDE 14

1. MAKE SECURITY PART OF THE TEAM

Step 1: People

slide-15
SLIDE 15

72% of developers see security as “nags” over delivery partners.

– 2019 Sonatype DevSecOps Survey
slide-16
SLIDE 16

CHALLENGES

▪ Security lacks development context
▪ Development lacks security knowledge
▪ Design and implementation drift
▪ Hurt feelings
▪ No shared goals
▪ Uncertainty of true risk profile
slide-17
SLIDE 17

THIS IS THE HARDEST PART

▪ Create security champions
▪ Knowledge sharing by working together
▪ Commit to meeting together frequently
slide-18
SLIDE 18

CONVINCING SECURITY TO JOIN THE DEVSECOPS JOURNEY

DEVSECOPS IS A SECURITY ENABLER: By leveraging automation and fixing issues sooner, Security can focus on the cooler stuff that they say they want to do.

DEVSECOPS GIVES GREATER CONTEXT: Spending more time with the team allows you to build better confidence in the risk profile and make more informed recommendations.

DEVSECOPS REDUCES EXPOSURE TIME: We can stop focusing on the number of issues and start focusing on how long we’re exposed.

DEVSECOPS PROVIDES BETTER GOVERNANCE: Treating everything as code leads to easier auditability. No questions. Just look at our process in Jenkins!

slide-19
SLIDE 19

2. SHIFT SECURITY LEFT

Step 2: Process

slide-20
SLIDE 20

MAKING IT HAPPEN

▪ Automation is your friend
▪ Use quality gates to drive quantitative decision making
▪ Continuously improve your process
▪ Expect development to make changes to accommodate security
slide-21
SLIDE 21

TRANSFORMATION IN ACTION

1. Automate what you’re doing right now.
2. Tune what you have to get rid of the noise.
3. Identify new ways to start security testing earlier or faster.
4. Iterate and continuously improve.
slide-22
SLIDE 22

VISUALIZING IT

slide-23
SLIDE 23

VISUALIZING IT

slide-24
SLIDE 24

TRANSFORMATION IN ACTION

(Pipeline lanes: DEV, STAGE, PROD)

slide-25
SLIDE 25

TRANSFORMATION IN ACTION

(Pipeline lanes: DEV, STAGE, PROD)
slide-26
SLIDE 26

TRANSFORMATION IN ACTION

(Pipeline lanes: DEV, STAGE, PROD)

Tests shown:
▪ Regression, Performance/Load, DAST

slide-27
SLIDE 27

TRANSFORMATION IN ACTION

(Pipeline lanes: DEV, STAGE, PROD)

Tests shown:
▪ Regression, Performance/Load, DAST
▪ Smoke, Feature, Deployment, SAST

slide-28
SLIDE 28

TRANSFORMATION IN ACTION

(Pipeline lanes: DEV, STAGE, PROD)

Tests shown:
▪ Regression, Performance/Load, DAST
▪ Smoke, Feature, Deployment, SAST
▪ Unit, Static Code Analysis, Binary Analysis

slide-29
SLIDE 29

TRANSFORMATION IN ACTION

(Pipeline lanes: DEV, STAGE, PROD)

Tests shown:
▪ Regression, Performance/Load, DAST, Network Security, Availability
▪ Smoke, Feature, Deployment, SAST, Infrastructure Security, Security Feature
▪ Unit, Static Code Analysis, Binary Analysis, Threat Analysis

slide-30
SLIDE 30

TRANSFORMATION IN ACTION

(Pipeline lanes: DEV, STAGE, PROD)

Tests shown:
▪ Regression, Performance/Load, DAST, Network Security, Availability, Penetration, Chaos
▪ Smoke, Feature, Deployment, SAST, Infrastructure Security, Security Feature, Proxy DAST, IAST
▪ Unit, Static Code Analysis, Binary Analysis, Threat Analysis

slide-31
SLIDE 31

TRANSFORMATION IN ACTION

(Pipeline lanes: DEV, STAGE, PROD)

Tests shown:
▪ Regression, Performance/Load, DAST, Network Security, Availability, Penetration, Chaos
▪ Smoke, Feature, Deployment, SAST, Infrastructure Security, Security Feature, Proxy DAST, IAST
▪ Unit, Static Code Analysis, Binary Analysis, Threat Analysis
▪ Monitoring, Threat Modeling, Code Review, Secure Coding

slide-32
SLIDE 32

PRO TIPS

When considering what tests to select: Be choosey. Don’t try to force tests that don’t make sense for your application or business.

Understand the two different types of quality gates. Decide whether your gate is just for information gathering (qualitative decision) or blocking (quantitative decision).

A bug is a bug is a bug. Treat all defects the same. Log security defects just like any other bugs, track them, prioritize them, and fix them.
slide-33
SLIDE 33

WHAT MAKES UP A GOOD PIPELINE

1. Code Review
2. Continuous Integration with Unit Tests and Static Code Analysis
3. Automated Deployment and Configuration Management
4. Quality Gate #1: Smoke tests & Static App Sec Testing
5. Quality Gate #2: Integration tests & Performance/Load Testing
6. Quality Gate #3: Regression tests & Dynamic App Sec Testing
7. Continuous Monitoring
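The informational-versus-blocking distinction from the Pro Tips slide and the gates in the pipeline list above, as an added example that is not part of the talk or of Coveros’ tooling: a small gate evaluator that tunes out known noise, turns every remaining finding into a tracker-style ticket (a bug is a bug), and fails the build only at a blocking gate whose severity thresholds are exceeded. The finding format, gate policy, rule names and sample findings are all constructed for this example.

```python
# Added example (not from the talk): a quality-gate evaluator of the kind that
# could sit behind "Quality Gate #1: Smoke tests & SAST" in the pipeline above.
from dataclasses import dataclass, field

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

@dataclass
class Gate:
    name: str
    blocking: bool                     # True: quantitative, may fail the build
    max_allowed: dict = field(default_factory=dict)  # severity -> max count
    suppressions: set = field(default_factory=set)   # tuned-out rule ids (noise)

def evaluate_gate(gate, findings):
    """Return (passed, tickets, report) for a list of scanner findings.
    A finding is a dict with keys tool, rule, severity, location (constructed
    format). Suppressed rules are dropped (step 2: tune out the noise), every
    remaining finding becomes a ticket, and only a blocking gate compares the
    per-severity counts against its thresholds; an informational gate always
    passes but still reports."""
    active = [f for f in findings if f["rule"] not in gate.suppressions]
    counts = {}
    for f in active:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    ordered = sorted(active, key=lambda f: -SEVERITY_RANK[f["severity"]])
    tickets = [f"[{gate.name}] {f['tool']} {f['rule']} ({f['severity']}) at {f['location']}"
               for f in ordered]
    violations = {sev: n for sev, n in counts.items()
                  if n > gate.max_allowed.get(sev, float("inf"))}
    passed = not (gate.blocking and violations)
    report = {"gate": gate.name, "blocking": gate.blocking, "counts": counts,
              "violations": violations, "suppressed": len(findings) - len(active)}
    return passed, tickets, report

# Constructed sample scanner output; rule ids and paths are made up.
SAMPLE_FINDINGS = [
    {"tool": "sast", "rule": "hardcoded-credential", "severity": "high", "location": "src/db.py:42"},
    {"tool": "sast", "rule": "weak-hash-md5", "severity": "medium", "location": "src/auth.py:17"},
    {"tool": "sast", "rule": "unused-import", "severity": "info", "location": "src/util.py:3"},
    {"tool": "sast", "rule": "weak-hash-md5", "severity": "medium", "location": "src/legacy.py:88"},
]
# Blocking gate: zero tolerance for critical/high, a few mediums allowed, lint noise suppressed.
SAST_GATE = Gate("Gate #1 SAST", True, {"critical": 0, "high": 0, "medium": 3}, {"unused-import"})
# Informational gate: gathers data for a qualitative decision, never blocks.
INFO_GATE = Gate("IAST informational", False)

if __name__ == "__main__":
    for gate in (SAST_GATE, INFO_GATE):
        passed, tickets, report = evaluate_gate(gate, SAMPLE_FINDINGS)
        print("PASS" if passed else "FAIL", report)
        print("\n".join(tickets))
```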
slide-34
SLIDE 34

3. MAKE SECURITY SCALABLE

Step 3: Technology

slide-35
SLIDE 35

91% of mature DevSecOps teams utilize containers for scalability.

82% of mature DevSecOps teams utilize automation to integrate security.

78% of mature DevSecOps teams have complete auditability of changes.

– 2019 Sonatype DevSecOps Survey

slide-36
SLIDE 36

SECURITY NEEDS DEVELOPMENT HELP

▪ Publish artifacts, reports, and metrics for every release
▪ Scale testing infrastructure by using containers
▪ Select tools that decentralize security from one unicorn to the entire team
▪ Develop mechanisms to make security everyone’s responsibility
slide-37
SLIDE 37

TOOLS & TECH

DevOps – Creating value, more frequently
DevSecOps – Creating Trust & Confidence

slide-38
SLIDE 38
slide-39
SLIDE 39

COMMON PITFALLS

▪ Avoid one-size-fits-all approaches
▪ Don’t focus on your traditional metrics
▪ Security defects should be more like a security “recall”
▪ You can’t get past training
slide-40
SLIDE 40

DevSecOps is fundamentally about providing certainty to security by working collaboratively to deliver valuable software.

– Alan Crouch
slide-41
SLIDE 41

THANKS!

You can find me at: @RealAlanCrouch · alan.crouch@coveros.com

Any questions?

Join me on the TechWell Hub: hub.techwell.com

slide-42
SLIDE 42

CREDITS

Special thanks to all the people who helped make this presentation possible:
▪ Presentation template by SlidesCarnival
▪ Techwell & Agile DevOps West
▪ You!