Infrastructure Saturday - Level Up to DevSecOps

Preventing Devoops with DevSecOps
Kieran Jacobsen, Technical Lead – Infrastructure & Security

Transcript of Infrastructure Saturday - Level Up to DevSecOps

Page 1: Infrastructure Saturday - Level Up to DevSecOps

Preventing Devoops with DevSecOps

Kieran Jacobsen

Technical Lead – Infrastructure & Security

Page 2: Infrastructure Saturday - Level Up to DevSecOps

2016 was a big year…

Copyright ©2017 by Readify Limited

Page 3: Infrastructure Saturday - Level Up to DevSecOps

2017 is getting off to a bad start…

Page 4: Infrastructure Saturday - Level Up to DevSecOps

Before DevOps

Page 5: Infrastructure Saturday - Level Up to DevSecOps

DevOps

Page 6: Infrastructure Saturday - Level Up to DevSecOps

But Where Is Security?

Page 7: Infrastructure Saturday - Level Up to DevSecOps

DevSecOps

Clear Communication Pathways
Streamlined Communication
Security As Code
Training
Integrate Security into DevOps cycle

Page 8: Infrastructure Saturday - Level Up to DevSecOps

We're in customer service. Our users are our customers. We need to understand them & their needs to do our job well!

Jess Dodson (@girlgerms)

Page 9: Infrastructure Saturday - Level Up to DevSecOps

Communication Pathways

Development Operations

Security

Page 10: Infrastructure Saturday - Level Up to DevSecOps

Hiring Ratio

DEVELOPERS : OPERATIONS : SECURITY

100 : 10 : 1

Page 11: Infrastructure Saturday - Level Up to DevSecOps

Streamlined Communication

NO:
Excel checklists
Word document reports and policy documents
Email attachments

Page 12: Infrastructure Saturday - Level Up to DevSecOps

Streamlined Communication

YES: Backlogs/boards

Page 13: Infrastructure Saturday - Level Up to DevSecOps

Streamlined Communication

YES:
Backlogs/boards
Support ticketing

Page 14: Infrastructure Saturday - Level Up to DevSecOps

Streamlined Communication

YES:
Backlogs/boards
Support ticketing
Markup and Git

Page 15: Infrastructure Saturday - Level Up to DevSecOps

Security As Code

Application Source Code
Azure ARM and AWS CloudFormation
Server Configuration – Chef, Puppet, DSC

Page 16: Infrastructure Saturday - Level Up to DevSecOps

ARM Templates

Page 17: Infrastructure Saturday - Level Up to DevSecOps

PowerShell DSC
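The slide above only carries its title, so here is an added illustration of what "security as code" looks like in PowerShell DSC. It is example code written for this transcript, not taken from the talk or from Readify. It assumes a single Windows Server node named localhost and the built-in PSDesiredStateConfiguration resources; the three settings it enforces (SMBv1 server disabled, Windows Firewall service running, Telnet client absent) are illustrative choices for a baseline, not a list from the presentation.

```powershell
# Added example: a minimal security baseline expressed as a DSC configuration.
# Assumptions: target node is localhost; only built-in PSDesiredStateConfiguration
# resources are used; the settings below are illustrative, not the talk's own list.
Configuration SecurityBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {

        # Disable the SMBv1 server component via its documented registry switch.
        Registry DisableSmb1Server {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }

        # Keep the Windows Firewall service (MpsSvc) enabled and running.
        Service WindowsFirewall {
            Name        = 'MpsSvc'
            StartupType = 'Automatic'
            State       = 'Running'
        }

        # Remove a legacy client that should not be present on a hardened server.
        WindowsFeature RemoveTelnetClient {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }
    }
}

# Compile the configuration into a MOF, apply it, then verify compliance.
# Because the MOF lives in source control, the baseline is reviewable in a pull
# request and re-testable on every run, which is the point of "security as code".
SecurityBaseline -OutputPath '.\SecurityBaseline'
Start-DscConfiguration -Path '.\SecurityBaseline' -Wait -Verbose
Test-DscConfiguration -Path '.\SecurityBaseline' -Detailed
```

Test-DscConfiguration returns a per-resource compliance report; wiring that call into the pipeline's deploy or monitor stage gives the "rescan for vulnerabilities" step later in the deck a concrete, repeatable check for configuration drift.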

Page 18: Infrastructure Saturday - Level Up to DevSecOps

Training

We can’t be experts in Dev, Sec and Ops
We need cross-pollination of skills
Starts at day 0

Page 19: Infrastructure Saturday - Level Up to DevSecOps

Training: Phishing

Chart: Employee Breakdown (Technical, Non-Technical)

Chart: Click Break Down (Technical Victims, Non-Technical Victims, Passed)

Page 20: Infrastructure Saturday - Level Up to DevSecOps

Integrating Security

Page 21: Infrastructure Saturday - Level Up to DevSecOps

Plan

Integrate security into sprint planning and reviews
Consider security user stories early

Page 22: Infrastructure Saturday - Level Up to DevSecOps

Code

Training!
Test-driven development
Use of the correct tools
Pull Requests

Page 23: Infrastructure Saturday - Level Up to DevSecOps

Build

Static code analysis
Dynamic code analysis

Page 24: Infrastructure Saturday - Level Up to DevSecOps

Test

Develop security test cases
Fuzzing
Load testing

Page 25: Infrastructure Saturday - Level Up to DevSecOps

Release & Deploy

Automated scanning upon deployment

Page 26: Infrastructure Saturday - Level Up to DevSecOps

Operate & Monitor

Monitor logs
Rescan for vulnerabilities
Have a structured patch process
Track dependencies

Page 27: Infrastructure Saturday - Level Up to DevSecOps

Summary

Clear Communication Pathways
Streamlined Communication
Security As Code
Training
Integrate Security into DevOps cycle

Page 28: Infrastructure Saturday - Level Up to DevSecOps

Thank You