MAKING THE JUMP FROM DEVOPS TO DEVSECOPS


Page 1:

AD39 DevOps Engineering 11:30 AM

AD39 - Making the Jump from DevOps to DevSecOps

Presented by: Alan Crouch, Coveros

Brought to you by:

888-268-8770 · 904-278-0524 - [email protected] - https://agiledevopswest.techwell.com/

Page 2:

Alan Crouch

Alan Crouch is a Managing Consultant with Coveros, Inc., which helps companies build better applications using agile, DevOps, and security best practices. Alan works with C-level and senior management at private companies and federal agencies to transform and adopt more Agile/DevSecOps practices when building and deploying mission-critical software. He has assessed, designed and implemented multiple custom DevSecOps pipelines utilizing Cloud technologies for clients such as Symantec, the Departments of Homeland Security and Health and Human Services, Appian and mobile start-ups. Spare time finds Alan traveling the globe and creating adventures for his son and daughter. Follow Alan on Twitter @coveros_alan.

Page 3:

MAKING THE JUMP FROM DEVOPS TO DEVSECOPS

Alan Crouch @RealAlanCrouch

Page 4:

HELLO! I’m Alan Crouch. I am here at Agile + DevOps West because I’m passionate about building software efficiently and securely.

You can find me at @RealAlanCrouch

Page 5:

MY BACKGROUND

▪ Education: Graduated from JMU with a Master’s in Secure Software Development
▪ Lazy Dev: Developer for mission-critical systems
▪ InfoSec: Ran a CISO Office
▪ Agile/DevOps: Started doing work in the Agile/DevOps space
▪ DevSecOps: DevSecOps Advocate

Page 6:

“DevOps is a set of software development practices that combine software development (DEV) and operations (OPS) to shorten the SDLC while delivering frequently to meet business objectives.” - Wikipedia

Page 7:

HOW DOES THIS TRANSLATE?

▪ “We just do the same thing faster!”
▪ “Where can we buy this DevOps thing?”
▪ “We need to create a DevOps team!”
▪ “We just need to make the Devs AWS Admins!”
▪ “We need to create a DevOps manual all our teams must follow!”

Page 8:

WHAT I TYPICALLY SEE:

(Diagram: Development, Operations and Test / QA as separate groups)

Page 9:

OK, LET’S BE HONEST… 😂

(Diagram: Development, Operations, Test / QA, Security and DevOps as separate groups)

Page 10:

SECURITY IN LEGACY SDLC

▪ Threat Analysis
▪ Static Analysis
▪ Code Review
▪ SAST
▪ DAST
▪ Penetration Testing
▪ Monitoring
▪ Binary Analysis
▪ Network Testing
▪ Governance Audit

Security is focused at the end.

Page 11:

DEVSECOPS: Fulfilling the promise of DevOps

Page 12:

“DevSecOps is a set of software development practices that combines ALL aspects of the software development lifecycle while delivering features, fixes, and updates frequently to meet business objectives.”

Page 13:

3 STEPS TO ACCOMPLISH DEVSECOPS

▪ Part of the Team: The IT Security Office needs to be part of the team.
▪ “Shift Left”: Security testing needs to start earlier in the DevOps Pipeline.
▪ Scalable Security: Infrastructure in support of security testing needs to scale with your team and pipeline.

Page 14:

1. MAKE SECURITY PART OF THE TEAM (Step 1: People)

Page 15:

72% of developers see security as “nags” over delivery partners

2019 Sonatype DevSecOps Survey

Page 16:

CHALLENGES

▪ Security lacks development context
▪ Development lacks security knowledge
▪ Design and implementation drift
▪ Hurt feelings
▪ No shared goals
▪ Uncertainty of true risk profile

Page 17:

THIS IS THE HARDEST PART

▪ Create security champions
▪ Knowledge sharing by working together
▪ Commit to meeting together frequently

Page 18:

CONVINCING SECURITY TO JOIN THE DEVSECOPS JOURNEY

DEVSECOPS IS A SECURITY ENABLER
By leveraging automation and fixing issues sooner, Security can focus on the cooler stuff that they say they want to do.

DEVSECOPS GIVES GREATER CONTEXT
Spending more time with the team allows you to build better confidence in the risk profile and make more informed recommendations.

DEVSECOPS REDUCES EXPOSURE TIME
We can stop focusing on the number of issues and start focusing on how long we’re exposed.

DEVSECOPS PROVIDES BETTER GOVERNANCE
Treating everything as code leads to easier auditability. No questions. Just look at our process in Jenkins!

Page 19:

2. SHIFT SECURITY LEFT (Step 2: Process)

Page 20:

MAKING IT HAPPEN

▪ Automation is your friend
▪ Use quality gates to drive quantitative decision making
▪ Continuously improve your process
▪ Expect development to make changes to accommodate security

Page 21:

TRANSFORMATION IN ACTION

1. Automate what you’re doing right now.
2. Tune what you have to get rid of the noise.
3. Identify new ways to start security testing earlier or faster.
4. Iterate and continuously improve.

Page 22:

VISUALIZING IT

(Diagram only)

Page 23:

VISUALIZING IT

(Diagram only)

Page 24:

TRANSFORMATION IN ACTION

(Pipeline diagram: DEV → STAGE → PROD)

Page 25:

TRANSFORMATION IN ACTION

(Pipeline diagram: DEV → STAGE → PROD)

Page 26:

TRANSFORMATION IN ACTION

(Pipeline diagram: DEV → STAGE → PROD, with Regression, Performance/Load and DAST testing added)

Page 27:

TRANSFORMATION IN ACTION

(Pipeline diagram: DEV → STAGE → PROD, with Regression, Performance/Load, DAST, Smoke, Feature, Deployment and SAST testing)

Page 28:

TRANSFORMATION IN ACTION

(Pipeline diagram: DEV → STAGE → PROD, with Regression, Performance/Load, DAST, Smoke, Feature, Deployment, SAST, Unit, Static Code Analysis and Binary Analysis)

Page 29:

TRANSFORMATION IN ACTION

(Pipeline diagram: DEV → STAGE → PROD, with Regression, Performance/Load, DAST, Network Security, Availability, Smoke, Feature, Deployment, SAST, Infrastructure Security, Security Feature, Unit, Static Code Analysis, Binary Analysis and Threat Analysis)

Page 30:

TRANSFORMATION IN ACTION

(Pipeline diagram: DEV → STAGE → PROD, with Regression, Performance/Load, DAST, Network Security, Availability, Penetration, Chaos, Smoke, Feature, Deployment, SAST, Infrastructure Security, Security Feature, Proxy DAST, IAST, Unit, Static Code Analysis, Binary Analysis and Threat Analysis)

Page 31:

TRANSFORMATION IN ACTION

(Pipeline diagram: DEV → STAGE → PROD, with Regression, Performance/Load, DAST, Network Security, Availability, Penetration, Chaos, Smoke, Feature, Deployment, SAST, Infrastructure Security, Security Feature, Proxy DAST, IAST, Unit, Static Code Analysis, Binary Analysis, Threat Analysis, Monitoring, Threat Modeling, Code Review and Secure Coding)

Page 32:

PRO TIPS

When considering what tests to select: be choosy. Don’t try to force tests that don’t make sense for your application or business.

Understand the two different types of quality gates. Decide whether your gate is just for information gathering (qualitative decision) or blocking (quantitative decision).

A bug is a bug is a bug. Treat all defects the same. Log security defects just like any other bugs, track them, prioritize them, and fix them.

Page 33:

WHAT MAKES UP A GOOD PIPELINE

1. Code Review
2. Continuous Integration with Unit Tests and Static Code Analysis
3. Automated Deployment and Configuration Management
4. Quality Gate #1: Smoke tests & Static App Sec Testing
5. Quality Gate #2: Integration tests & Performance/Load Testing
6. Quality Gate #3: Regression tests & Dynamic App Sec Testing
7. Continuous Monitoring
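The three quality gates above, combined with the two gate types from the Pro Tips slide (information gathering versus blocking) and the exposure-time metric from the "Convincing Security" slide, as an added Python illustration that is not code from the deck or from Coveros: gates 1 and 2 only report, gate 3 blocks on high or critical DAST findings. The gate names, severity scale, finding records and dates are all constructed assumptions.

```python
"""Quality-gate evaluator for the three-gate pipeline above (added illustration, not
code from the deck). "inform" gates only report; "block" gates fail the build."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed scale

@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    source: str                      # pipeline stage that produced it
    found_on: date
    fixed_on: Optional[date] = None  # None = still open, exposure still running

@dataclass(frozen=True)
class Gate:
    name: str
    sources: Tuple[str, ...]   # stages whose findings this gate judges
    mode: str                  # "inform" (qualitative) or "block" (quantitative)
    block_at: str = "high"     # lowest severity that fails a blocking gate

    def evaluate(self, findings: List[Finding]) -> Dict:
        open_here = [f for f in findings if f.source in self.sources and f.fixed_on is None]
        blocking = [f.id for f in open_here if self.mode == "block"
                    and SEVERITY_RANK[f.severity] >= SEVERITY_RANK[self.block_at]]
        return {"gate": self.name, "open": len(open_here),
                "passed": not blocking, "blocking_ids": blocking}

PIPELINE = [  # gates 1 and 2 gather information; gate 3 blocks on high/critical DAST findings
    Gate("gate1-smoke-sast", ("smoke", "sast"), "inform"),
    Gate("gate2-integration-perf", ("integration", "perf"), "inform"),
    Gate("gate3-regression-dast", ("regression", "dast"), "block"),
]
TODAY = date(2019, 6, 10)  # constructed "now" for the exposure calculation
SAMPLE_FINDINGS = [        # constructed findings, not real scanner output
    Finding("SAST-101", "high", "sast", date(2019, 6, 1)),
    Finding("SAST-102", "low", "sast", date(2019, 6, 1), fixed_on=date(2019, 6, 3)),
    Finding("DAST-7", "critical", "dast", date(2019, 6, 4)),
    Finding("DAST-8", "medium", "dast", date(2019, 6, 4)),
]

def exposure_days(findings: List[Finding], today: date) -> Dict[str, int]:
    """Days each finding has been open: the metric the deck prefers over raw counts."""
    return {f.id: ((f.fixed_on or today) - f.found_on).days for f in findings}

def run_pipeline(findings: List[Finding]) -> Tuple[List[Dict], bool]:
    """Run every gate; the build passes only when no blocking gate fails."""
    results = [g.evaluate(findings) for g in PIPELINE]
    return results, all(r["passed"] for r in results)
```

With the sample data the informational gate 1 still reports its open high-severity SAST finding without failing the build, while gate 3 fails on the critical DAST finding and the medium one is reported but not blocking.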

Page 34:

3. MAKE SECURITY SCALABLE (Step 3: Technology)

Page 35:

91% of mature DevSecOps teams utilize containers for scalability

82% of mature DevSecOps teams utilize automation to integrate security

78% of mature DevSecOps teams have complete auditability of changes

2019 Sonatype DevSecOps Survey

Page 36:

SECURITY NEEDS DEVELOPMENT HELP

▪ Publish artifacts, reports, and metrics for every release
▪ Scale testing infrastructure by using containers
▪ Select tools that decentralize security from one unicorn to the entire team
▪ Develop mechanisms to make security everyone’s responsibility

Page 37:

TOOLS & TECH

DevOps – Creating value, more frequently

DevSecOps – Creating Trust & Confidence

Page 38:

(Image-only slide)

Page 39:

COMMON PITFALLS

▪ Avoid one-size-fits-all approaches
▪ Don’t focus on your traditional metrics
▪ Security defects should be more like a security “recall”
▪ You can’t get past training

Page 40:

“DevSecOps is fundamentally about providing certainty to security by working collaboratively to deliver valuable software.” - Alan Crouch

Page 41:

THANKS!

You can find me at: @[email protected]

Any questions?

Join me on the TechWell Hub: hub.techwell.com

Page 42:

CREDITS

Special thanks to all the people who helped make this presentation possible:

▪ Presentation template by SlidesCarnival
▪ Techwell & Agile DevOps West
▪ You!