DevOps and Security: It's Happening. Right Now.
Transcript of DevOps and Security: It's Happening. Right Now.
![Page 1: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/1.jpg)
DevOps and Security: It’s Happening. Right Now.
Helen Bravo, Director of Product Management at [email protected]
![Page 2: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/2.jpg)
Agenda
• Intro to DevOps
• Integrating security within DevOps
– Problems with traditional controls
– Steps to DevOps security
![Page 3: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/3.jpg)
What is DevOps About?
An unstoppable deployment process… in small chunks of time
![Page 4: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/4.jpg)
DevOps is Happening
Companies that have adopted DevOps
![Page 5: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/5.jpg)
Can TRADITIONAL web application security controls fit in… a DevOps environment?!
![Page 6: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/6.jpg)
Traditional Web Application Security Controls
• Penetration Testing
• WAF (Web Application Firewall)
• Code Analysis
![Page 7: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/7.jpg)
Penetration Testing – Takes Time!
![Page 8: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/8.jpg)
Penetration Testing
– 300-page report
– 3 weeks assessment time
– 2 weeks to get it into development
![Page 9: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/9.jpg)
Web Application Firewall (WAF)
Thinking Continuous Deployment? Think Continuous Configuration!
![Page 10: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/10.jpg)
Code Analysis
• Setup time
• Running time
• Analysis time
… just too slow!
![Page 11: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/11.jpg)
![Page 12: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/12.jpg)
… Do Nothing?
![Page 13: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/13.jpg)
Required: A New Secure SDLC Approach
![Page 14: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/14.jpg)
Step by Step
![Page 15: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/15.jpg)
Step 1: Plan for Security
![Page 16: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/16.jpg)
Step 1: Plan for Security
• Identify unsecured APIs and frameworks
• Map security-sensitive code portions, e.g. the password change mechanism and the user authentication mechanism.
• Anticipate regulatory problems and plan for them.
![Page 17: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/17.jpg)
Step 2: Engage the Developers. And Be Engaged
![Page 18: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/18.jpg)
Step 2: Engage the Developers. And Be Engaged
• Connect developers to security – going to OWASP? Bring a developer with you!
• Is your house on fire? Share the details with your developers.
• Have an open-door approach.
• Set up an online collaboration platform, e.g. Jive, Confluence, etc.
![Page 19: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/19.jpg)
Step 3: Arm the Developers
![Page 20: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/20.jpg)
Step 3: Arm the Developers
• Secure frameworks:
– Use a secure framework such as Spring Security, JAAS, Apache Shiro or Symfony2.
– ESAPI is a very useful OWASP security framework.
• SCA tools that can provide security feedback at the pre-commit stage:
– Rapid response
– Small chunks
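The second bullet, code-analysis feedback at the pre-commit stage in small chunks with a rapid response, is easiest to picture as a git hook. The script below is an added example, not from the talk or from any vendor's product: a POSIX sh pre-commit hook that scans only the files staged for the commit against a short list of risky API patterns (MD5/SHA-1 digests, `Runtime.exec`, `innerHTML` assignment, `eval`) and rejects the commit with a `path:line` message the developer can act on immediately. The pattern list, the `scan_file` and `precommit_main` names, the `--hook` flag and the sample Java files are all constructed for this demonstration; in a real hook `scan_file` would call the team's code-analysis tool.

```shell
#!/bin/sh
# Added example, not from the talk: a git pre-commit hook giving security
# feedback on the staged change only, so the developer learns about a risky
# call seconds after writing it. The pattern list is constructed for
# illustration; a real hook would call the team's code-analysis tool here.

# One "regex|message" per line (ERE syntax; no '|' inside the regex part).
RISKY_PATTERNS='getInstance\("MD5"\)|weak hash algorithm (MD5)
getInstance\("SHA-1"\)|weak hash algorithm (SHA-1)
Runtime\.getRuntime\(\)\.exec\(|OS command execution: check input validation
\.innerHTML[[:space:]]*=|DOM injection sink: prefer textContent
eval\(|dynamic code evaluation'

# Prints "path:line:source  [message]" for every hit in file $1.
# Returns 0 when the file is clean, 1 when at least one pattern matched.
scan_file() {
    _hits=0
    while IFS='|' read -r _re _msg; do
        [ -z "$_re" ] && continue
        _out=$(grep -nE "$_re" "$1") || continue
        printf '%s\n' "$_out" | while IFS= read -r _line; do
            printf '%s:%s  [%s]\n' "$1" "$_line" "$_msg"
        done
        _hits=$((_hits + 1))
    done <<EOF
$RISKY_PATTERNS
EOF
    [ "$_hits" -eq 0 ]
}

# Hook entry point: scans the files staged for this commit (added, copied,
# modified) and blocks the commit if any of them has a finding.
# Note: paths containing whitespace are not handled by this simple loop.
precommit_main() {
    _status=0
    for _f in $(git diff --cached --name-only --diff-filter=ACM); do
        [ -f "$_f" ] || continue
        scan_file "$_f" || _status=1
    done
    [ "$_status" -eq 0 ] || echo "pre-commit: fix the findings above before committing" >&2
    return $_status
}

if [ "$1" = "--hook" ]; then
    precommit_main
    exit $?
fi

# Stand-alone demonstration on constructed sample files (not real code).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/Login.java" <<'EOF'
// constructed sample: a weak digest in an authentication path
MessageDigest md = MessageDigest.getInstance("MD5");
byte[] digest = md.digest(password.getBytes());
EOF
cat > "$DEMO_DIR/Session.java" <<'EOF'
// constructed sample: nothing on the risky list
MessageDigest md = MessageDigest.getInstance("SHA-256");
EOF

echo "--- scanning $DEMO_DIR/Session.java"
scan_file "$DEMO_DIR/Session.java" && echo "clean: commit would proceed"
echo "--- scanning $DEMO_DIR/Login.java"
scan_file "$DEMO_DIR/Login.java" || echo "findings: commit would be rejected"
```

Installed as `.git/hooks/pre-commit` and invoked with `--hook`, the script runs on every commit; run without arguments it exercises the scanner on the constructed samples. Limiting the scan to staged files is what keeps the response rapid: the check lives inside the developer's edit-commit loop instead of in a weeks-long assessment.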
![Page 21: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/21.jpg)
Step 4: Automate the Process
![Page 22: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/22.jpg)
Step 4: Automate the Process
• Integrate within your build (Jenkins, Bamboo, TeamCity, etc.):
– SAST
– DAST
• Fail the build if security does not pass the bar.
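In practice, "fail the build if security does not pass the bar" is a small gate script that the CI job runs right after the SAST/DAST step and whose exit status fails the build. The script below is an added example, not from the talk or from any CI product: it reads a constructed findings report in CSV form (real scanners export CSV, JSON or SARIF), applies an agreed bar of zero Critical and at most `MAX_HIGH` High findings, and also checks whether the change touches one of the security-sensitive code portions mapped in Step 1, in which case it asks for the human code review that Step 5 reserves for such code. The report contents, the sensitive-path list, the changed-file list, the `MAX_HIGH` variable and the function names are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the talk: a build-stage security gate run by the CI
# job (Jenkins, Bamboo, TeamCity, ...) after the SAST/DAST step. It fails the
# build when findings exceed the agreed bar and flags changes to mapped
# security-sensitive code for human review. All inputs below are constructed.

# The bar agreed with the team: no Critical findings, at most MAX_HIGH High.
MAX_HIGH=${MAX_HIGH:-0}

# Constructed scanner output in CSV form: severity,rule,location
FINDINGS=$(mktemp)
cat > "$FINDINGS" <<'EOF'
severity,rule,location
High,SQL Injection,src/main/java/UserDao.java:42
Medium,Missing HttpOnly flag,src/main/java/SessionCookie.java:17
Low,Verbose error page,src/main/webapp/error.jsp:3
EOF

# Constructed map of security-sensitive code portions (Step 1): one path
# prefix per line. Changes under these paths need a security code review.
SENSITIVE_PATHS=$(mktemp)
cat > "$SENSITIVE_PATHS" <<'EOF'
src/main/java/auth/
src/main/java/password/
EOF

# Constructed list of files changed by this build, one per line.
CHANGED_FILES=$(mktemp)
printf '%s\n' src/main/java/auth/LoginController.java src/main/webapp/index.jsp > "$CHANGED_FILES"

# Prints the number of findings in report $1 at severity $2 (header skipped).
count_severity() {
    awk -F, -v sev="$2" 'NR > 1 && $1 == sev { n++ } END { print n + 0 }' "$1"
}

# Returns 0 when report $1 passes the bar, 1 when the build must fail.
security_gate() {
    _crit=$(count_severity "$1" Critical)
    _high=$(count_severity "$1" High)
    echo "security gate: critical=$_crit high=$_high (allowed high=$MAX_HIGH)"
    if [ "$_crit" -gt 0 ] || [ "$_high" -gt "$MAX_HIGH" ]; then
        # List the blocking findings so the developer can act immediately.
        awk -F, 'NR > 1 && ($1 == "Critical" || $1 == "High") { print "  BLOCKING: " $0 }' "$1"
        return 1
    fi
    return 0
}

# Returns 0 when no changed file (list $2) is under a sensitive prefix
# (list $1), 1 when a security code review is required before merging.
needs_security_review() {
    _flag=0
    while IFS= read -r _prefix; do
        [ -z "$_prefix" ] && continue
        if awk -v p="$_prefix" 'index($0, p) == 1 { found = 1 } END { exit !found }' "$2"; then
            echo "  REVIEW REQUIRED: change touches $_prefix"
            _flag=1
        fi
    done < "$1"
    return $_flag
}

# Stand-alone run: with the constructed data the High finding fails the gate
# and the auth/ change is flagged for review. In CI, a non-zero exit fails
# the build.
gate_failed=0; security_gate "$FINDINGS" || gate_failed=1
review_needed=0; needs_security_review "$SENSITIVE_PATHS" "$CHANGED_FILES" || review_needed=1
if [ "$gate_failed" -eq 0 ] && [ "$review_needed" -eq 0 ]; then
    echo "RESULT: build passes the security bar"
else
    echo "RESULT: build blocked (findings above the bar or sensitive code changed without security review)"
fi
```

A Jenkins, Bamboo or TeamCity step that runs this script and propagates its exit status is enough to fail the build. Keeping the bar in one variable (`MAX_HIGH`) lets a team start with a lenient value and ratchet it down release by release, which is the "start small" of the summary slide in concrete form.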
![Page 23: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/23.jpg)
Continuous Deployment
Pipeline stages shown on the slide: Develop, Code Commit, Source Control, Build Trigger, Unit Tests, Deploy to Test Env, Publish to release repository, Deploy to Production, Report & Notify.
![Page 24: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/24.jpg)
Security within Continuous Deployment
Pipeline stages shown on the slide, now with two security stages: Develop, SCA Test (pre-commit, per Step 3), Code Commit, Source Control, Build Trigger, Tests, Automatic security test (in the build, per Step 4), Deploy to Test Env, Publish to release repository, Deploy to Production, Report & Notify.
![Page 25: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/25.jpg)
Step 5: Use Old Tools Wisely
![Page 26: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/26.jpg)
Step 5: Use Old Tools Wisely
• Periodic pen testing
• WAF on main functions
• Code review for security-sensitive code portions.
![Page 27: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/27.jpg)
Summary
![Page 28: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/28.jpg)
Summary
• DevOps is happening. Right Now.
– During the time of this talk, Amazon has released 75 features and bug fixes.
• Security should not be compromised.
• Don’t be overwhelmed. Start small.
![Page 29: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/29.jpg)
The 3 Takeaways
1. Plan from the ground up
2. Engage with your developers
3. Integrate security into the automatic build process.
![Page 30: DevOps and Security: It's Happening. Right Now.](https://reader034.fdocuments.us/reader034/viewer/2022050719/58a1ab911a28ab625d8ba556/html5/thumbnails/30.jpg)
Questions?