Transcript of: MAKING THE JUMP FROM DEVOPS TO DEVSECOPS
AD39 DevOps Engineering, 11:30 AM
AD39 - Making the Jump from DevOps to DevSecOps
Presented by: Alan Crouch, Coveros
Brought to you by: 888-268-8770 · 904-278-0524 · [email protected] · https://agiledevopswest.techwell.com/
Alan Crouch is a Managing Consultant with Coveros, Inc., which helps companies build better applications using agile, DevOps, and security best practices. Alan works with C-level and senior management at private companies and federal agencies to transform and adopt more Agile/DevSecOps practices when building and deploying mission-critical software. He has assessed, designed, and implemented multiple custom DevSecOps pipelines utilizing cloud technologies for clients such as Symantec, the Departments of Homeland Security and Health and Human Services, Appian, and mobile start-ups. Spare time finds Alan traveling the globe and creating adventures for his son and daughter. Follow Alan on Twitter @coveros_alan.
MAKING THE JUMP FROM DEVOPS TO DEVSECOPS
Alan Crouch, @RealAlanCrouch
HELLO! I’m Alan Crouch. I am here at Agile + DevOps West because I’m passionate about building software efficiently and securely.
You can find me at @RealAlanCrouch
MY BACKGROUND
▪ Education: Graduated from JMU with a Master’s in Secure Software Development
▪ Lazy Dev: Developer for mission-critical systems
▪ InfoSec: Ran a CISO Office
▪ Agile/DevOps: Started doing work in the Agile/DevOps space
▪ DevSecOps: DevSecOps Advocate
“DevOps is a set of software development practices that combine software development (DEV) and operations (OPS) to shorten the SDLC while delivering frequently to meet business objectives.” - Wikipedia
HOW DOES THIS TRANSLATE?
▪ “We just do the same thing faster!”
▪ “Where can we buy this DevOps thing?”
▪ “We need to create a DevOps team!”
▪ “We just need to make the Devs AWS Admins!”
▪ “We need to create a DevOps manual all our teams must follow!”
WHAT I TYPICALLY SEE:
[Diagram: Development, Operations, and Test / QA as separate boxes]
OK, LET’S BE HONEST… 😂
[Diagram: Development, Operations, Test / QA, Security, and DevOps as separate boxes]
SECURITY IN LEGACY SDLC
▪ Threat Analysis
▪ Static Analysis
▪ Code Review
▪ SAST
▪ DAST
▪ Penetration Testing
▪ Monitoring
▪ Binary Analysis
▪ Network Testing
▪ Governance Audit
Security is focused at the end.
DEVSECOPS: Fulfilling the promise of DevOps
“DevSecOps is a set of software development practices that combines ALL aspects of the software development lifecycle while delivering features, fixes, and updates frequently to meet business objectives.”
3 STEPS TO ACCOMPLISH DEVSECOPS
▪ Part of the Team: The IT Security Office needs to be part of the team.
▪ “Shift Left”: Security testing needs to start earlier in the DevOps pipeline.
▪ Scalable Security: Infrastructure in support of security testing needs to scale with your team and pipeline.
1. MAKE SECURITY PART OF THE TEAM (Step 1: People)
72% of developers see security as “nags” rather than as delivery partners (2019 Sonatype DevSecOps Survey)
CHALLENGES
▪ Security lacks development context
▪ Development lacks security knowledge
▪ Design and implementation drift
▪ Hurt feelings
▪ No shared goals
▪ Uncertainty of true risk profile
THIS IS THE HARDEST PART
▪ Create security champions
▪ Knowledge sharing by working together
▪ Commit to meeting together frequently
CONVINCING SECURITY TO JOIN THE DEVSECOPS JOURNEY
DEVSECOPS IS A SECURITY ENABLER: By leveraging automation and fixing issues sooner, Security can focus on the cooler stuff that they say they want to do.
DEVSECOPS GIVES GREATER CONTEXT: Spending more time with the team allows you to build better confidence in the risk profile and make more informed recommendations.
DEVSECOPS REDUCES EXPOSURE TIME: We can stop focusing on the number of issues and start focusing on how long we’re exposed.
DEVSECOPS PROVIDES BETTER GOVERNANCE: Treating everything as code leads to easier auditability. No questions. Just look at our process in Jenkins!
2. SHIFT SECURITY LEFT (Step 2: Process)
MAKING IT HAPPEN
▪ Automation is your friend
▪ Use quality gates to drive quantitative decision making
▪ Continuously improve your process
▪ Expect development to make changes to accommodate security
TRANSFORMATION IN ACTION
1. Automate what you’re doing right now.
2. Tune what you have to get rid of the noise.
3. Identify new ways to start security testing earlier or faster.
4. Iterate and continuously improve.
VISUALIZING IT
[Diagram slides; no text extracted]
TRANSFORMATION IN ACTION
[Diagram built up over successive slides: a DEV → STAGE → PROD pipeline to which test and security activities are added in this order]
1. Regression, Performance/Load, DAST
2. Smoke, Feature, Deployment, SAST
3. Unit, Static Code Analysis, Binary Analysis
4. Network Security, Availability, Infrastructure Security, Security Feature, Threat Analysis
5. Penetration, Chaos, Proxy DAST, IAST
6. Monitoring, Threat Modeling, Code Review, Secure Coding
PRO TIPS
▪ When considering what tests to select: Be choosy. Don’t try to force tests that don’t make sense for your application or business.
▪ Understand the two different types of quality gates. Decide whether your gate is just for information gathering (qualitative decision) or blocking (quantitative decision).
▪ A bug is a bug is a bug. Treat all defects the same. Log security defects just like any other bugs, track them, prioritize them, and fix them.
WHAT MAKES UP A GOOD PIPELINE
1. Code Review
2. Continuous Integration with Unit Tests and Static Code Analysis
3. Automated Deployment and Configuration Management
4. Quality Gate #1: Smoke tests & Static App Sec Testing
5. Quality Gate #2: Integration tests & Performance/Load Testing
6. Quality Gate #3: Regression tests & Dynamic App Sec Testing
7. Continuous Monitoring
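The two gate types from the pro tips and the numbered quality gates of this pipeline, as an added example that is not from the talk or from Coveros: a small Python evaluator that turns scanner output into an auditable pass/fail record, where an informational gate only records findings and a blocking gate fails the build on a numeric threshold. The gate names, thresholds, and the one-JSON-finding-per-line format are assumptions, and the scanner output is constructed.

```python
import json
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Gate:
    name: str
    blocking: bool          # False: information gathering only, never fails the build
    max_allowed: dict = field(default_factory=dict)  # severity -> tolerated count

# Constructed sample scanner output, one JSON finding per line (not real tool output).
SAST_OUTPUT = """\
{"severity": "high", "rule": "sql-injection", "file": "app/db.py"}
{"severity": "medium", "rule": "weak-hash", "file": "app/auth.py"}
{"severity": "low", "rule": "debug-enabled", "file": "app/config.py"}
"""

def count_by_severity(raw: str) -> dict:
    """Reduce per-finding lines to the numbers a quantitative gate decides on."""
    counts = {}
    for line in raw.splitlines():
        if line.strip():
            sev = json.loads(line)["severity"]
            counts[sev] = counts.get(sev, 0) + 1
    return counts

def evaluate(gate: Gate, counts: dict) -> dict:
    """Return an audit record for one gate; only a blocking gate can fail the build."""
    violations = {sev: counts.get(sev, 0) for sev, limit in gate.max_allowed.items()
                  if gate.blocking and counts.get(sev, 0) > limit}
    return {"gate": gate.name, "blocking": gate.blocking, "counts": counts,
            "violations": violations, "passed": not violations}

def run_gates(gates: list, raw: str) -> list:
    """Evaluate gates in pipeline order; stop at the first blocking failure."""
    counts = count_by_severity(raw)
    records = []
    for gate in gates:
        records.append(evaluate(gate, counts))
        if not records[-1]["passed"]:
            break
    return records

# Hypothetical policy: SAST runs informationally while rules are tuned, then blocks.
PIPELINE = [
    Gate("Gate #1: Smoke & SAST (informational)", blocking=False),
    Gate("Gate #1: Smoke & SAST (blocking)", blocking=True, max_allowed={"high": 0, "medium": 3}),
]

if __name__ == "__main__":
    for record in run_gates(PIPELINE, SAST_OUTPUT):
        print(json.dumps(record))  # one audit line per gate, ready to archive
```

Each record is a self-describing audit line, so archiving it from the build gives the "just look at our process" evidence the talk asks for.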
3. MAKE SECURITY SCALABLE (Step 3: Technology)
91% of mature DevSecOps teams utilize containers for scalability
82% of mature DevSecOps teams utilize automation to integrate security
78% of mature DevSecOps teams have complete auditability of changes
Source: 2019 Sonatype DevSecOps Survey
SECURITY NEEDS DEVELOPMENT HELP
▪ Publish artifacts, reports, and metrics for every release
▪ Scale testing infrastructure by using containers
▪ Select tools that decentralize security from one unicorn to the entire team
▪ Develop mechanisms to make security everyone’s responsibility
TOOLS & TECH
[Diagram slide; no text extracted]
DevOps – Creating value, more frequently
DevSecOps – Creating Trust & Confidence
COMMON PITFALLS
▪ Avoid one-size-fits-all approaches
▪ Don’t focus on your traditional metrics
▪ Security defects should be more like a security “recall”
▪ You can’t get past training
“DevSecOps is fundamentally about providing certainty to security by working collaboratively to deliver valuable software.” - Alan Crouch
THANKS!
You can find me at: @[email protected]
Any questions?
Join me on the TechWell Hub: hub.techwell.com
CREDITS
Special thanks to all the people who helped make this presentation possible:
▪ Presentation template by SlidesCarnival
▪ TechWell & Agile DevOps West
▪ You!