Securing DevOps
DevOn Summit, 14 March 2019, Utrecht, Netherlands
Marudhamaran Gunasekaran
Senior Security Consultant
DevOn
About the Presenter
Security Consultant / Compliance Manager @ DevOn, Bangalore
OWASP ZAP (Zed Attack Proxy) Contributor and Evangelist
Certified:
Lead Auditor ISO 27001
EC-Council Certified Security Analyst (Certified Ethical Hacker)
DevSecOps Engineering Trainer from DevOps Institute
Scrum Master, Product Owner, Agile Coach
Bounty awards in Microsoft Cloud Services and Technology services
https://vimeo.com/gmaran23
https://twitter.com/gmaran23
https://slideshare.net/gmaran23
https://www.linkedin.com/in/marudhamaran-gunasekaran
Marudhamaran Gunasekaran
Agenda
• Traditional ways of managing security
• Security Myths
• Network Security vs Software Security
• Challenges with automation
• Introducing DevSecOps
• DevSecOps Playbook
• Five pragmatic tips for DevSecOps
Traditional Software Development
Traditional Software Development
• Development Organization
  • Translate business requirements to software requirements
  • Plan next versions and releases
  • Develop and maintain various versions of the software
• IT Organization
  • Maintain and provision IT infrastructure
  • Monitor network and systems for stability
  • Manage access to build and release configuration and servers
  • Install required software and frameworks needed by Software Development Teams
Where’s Security?
Traditional Software Development – Security?
Microsoft’s Security Development Life Cycle
https://www.microsoft.com/en-us/sdl
The Evolution and Revolution
Agile Software Development: "Our highest priority is to satisfy the customer through early and continuous delivery of valuable software."
DevOps: "Today, DevOps is an understood set of practices and cultural values that has been proven to help organizations of all sizes improve their software release cycles, software quality, security, and ability to get rapid feedback on product development."
The Evolution and Revolution - flipside
• Cloud based products and Hybrid IT Organizations
• Rise of shadow IT
SECURITY MYTHS
What the PII?
Do you
process?
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf
First name? Last name?
GDPR
• Last year (March 2018): GDPR was still coming into effect
• This year: 59,000+ reported breaches, 59 fines imposed
https://www.helpnetsecurity.com/2019/02/07/gdpr-numbers-january-2019/
More reported breaches
https://www.helpnetsecurity.com/2019/02/07/gdpr-numbers-january-2019/
Dev’s Security Responsibilities
Ops’ Security Responsibilities
Network Security
Patch management, Network segregation, System level security, Software and Hardware Asset management, …
Software Security is about defensive programming
When Dev Teams or Ops Teams handle security?
https://twitter.com/i/moments/1018794418428628992
Developer Trust and Security - Conundrum
• Agile Principle - TRUST: trust team members?
• Does a developer get RDP/SSH access to production because we trust them?
Security Bug vs Security flaw?
Technical errors vs Logical flaws
Infrastructure as Code, Virtualization & Containers → More automation can be good
Knock knock, who’s there?
• DevSecOps
• SecDevOps
• DevOpsSec
• SecDevSecOpsSec
• DevTestOps
• BizDevOps
• < Shift Left
DevSecOps
• Everyone is responsible for security
https://2017.appsec.eu/presos/DevSecOps/The%20DevSecOps%20Playbook%20from%20a%20Practitioner%E2%80%99s%20Perspective%20-%20Shannon%20Lietz%20-%20OWASP_AppSec-Eu_2017.pdf
DevSecOps - Principles
• Shift left
• Measurable Outcomes
• Scaling through Automation
• More Cooperation – Everyone is responsible for security
• Security as Code
Shifting Left
• What kind of security practices could be done early in software development?
• Security/Privacy by Design
• Security by Default
Measurable Outcomes
• Do we have an increase in delivery cycles?
• How many repeatable security errors?
• How many vulnerabilities detected in Pen Tests?
Sensible Automation
• Security code scans that scan only the new code (the delta)
• Security scans that respect (suppress known) false positives
• Security scans that run faster and on demand
• Custom security scripts to regression-test business logic and authorization errors
• Security scans that scan for 'known bad' libraries and components
• Security tooling of the new age
Security is everyone’s responsibility
• Developer training on security
• Engineering teams’ representatives to attend security conferences
• Security Awareness programs for Product Owners, IT Managers
• Ops (or DevOps) and Security teams collaborate during initial release planning
Security as Code
• Compliance as Code
• Policy as Code
https://2017.appsec.eu/presos/DevSecOps/The%20DevSecOps%20Playbook%20from%20a%20Practitioner%E2%80%99s%20Perspective%20-%20Shannon%20Lietz%20-%20OWASP_AppSec-Eu_2017.pdf
DevOOPS
https://www.theregister.co.uk/2017/11/16/dji_private_keys_left_github/
https://gizmodo.com/uber-got-hacked-because-it-left-its-security-key-out-in-1689138254
DevOOPS
https://www.bleepingcomputer.com/news/security/admin-accounts-with-no-passwords-at-the-heart-of-recent-mongodb-ransom-attacks/
DevOOPS
https://www.theregister.co.uk/2017/10/06/ccleaner_megahack_timeline/
https://2017.appsec.eu/presos/DevSecOps/The%20DevSecOps%20Playbook%20from%20a%20Practitioner%E2%80%99s%20Perspective%20-%20Shannon%20Lietz%20-%20OWASP_AppSec-Eu_2017.pdf
Continuous Software Security Platform
• Continuous Security at SDLC and Delivery *
• Practice and Knowledge Assessment *
• Hack Yourself First Training *
• Coach the Coders to Secure on the job *
• Secure Code Review *
• Penetration Testing *
• Environment Scans *
• Real Time reporting *
• Automation and Tuning *
People / Practices / Tools
DevSecOps
Software Security Focus Areas
Continuous Software Security Maturity Model
Downloadable at https://devon.nl/CSSMM
Disclaimer
• What is often perceived as the weakest link in security?
Top 5 Tips for Securing the DevOps trend
Security focus early in the software development process
Sensible automation
Security Education and Awareness
Sensible Metrics
Operational Awareness with Incident Response
Example Metrics
• Security Review Comments:
  • Per Pull Request
  • Per Sprint
• Security Defects:
  • Per Release
  • Per Build
  • Per Component
• Repeating Security Occurrences:
  • Per Team
  • By Component
• Developer Security Knowledge:
  • Scored 75% and above
  • Not taken training yet
Example Security as Code
• Compliance as Code: Test if SSH 3 or 2 is available
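An added example of the compliance-as-code idea, not code from the slides: a small test that parses an sshd_config and reports which SSH protocol versions the daemon offers, plus two further hardening controls. The config text is a constructed sample, and the controls are a generic baseline chosen here (real tooling such as InSpec expresses the same checks declaratively).

```python
"""Compliance-as-code check over an sshd_config (constructed sample).

Assumptions (not from the slides): the three controls below are a generic
hardening baseline picked for illustration; sshd uses the first occurrence
of a keyword, and OpenSSH defaults to protocol 2 when 'Protocol' is absent.
"""
from typing import Dict, List

# Constructed sample sshd_config: offers protocols 2 and 1, allows root login.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample for illustration)
Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective keyword -> value map (first occurrence wins, as in sshd)."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value; ignore
        key, value = parts[0].lower(), parts[1].strip()
        effective.setdefault(key, value)
    return effective


def offered_protocols(config: Dict[str, str]) -> List[int]:
    """Protocol versions sshd would offer; OpenSSH defaults to 2 when unset."""
    raw = config.get("protocol", "2")
    return [int(v) for v in raw.split(",") if v.strip().isdigit()]


def check_compliance(text: str) -> List[str]:
    """Return the list of failed controls; an empty list means compliant."""
    cfg = parse_sshd_config(text)
    failures: List[str] = []
    if 1 in offered_protocols(cfg):
        failures.append("ssh-protocol-1-offered")
    if cfg.get("permitrootlogin", "prohibit-password").lower() == "yes":
        failures.append("root-login-permitted")
    if cfg.get("passwordauthentication", "yes").lower() == "yes":
        failures.append("password-authentication-enabled")
    return failures


if __name__ == "__main__":
    for control in check_compliance(SAMPLE_SSHD_CONFIG):
        print("FAIL", control)
```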
Example Security as Code
• Policy as Code: Fail or Warn a build when a security bug is found
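An added example of the policy-as-code gate, not code from the slides: a script that reads a scanner report and decides whether the build fails, warns, or passes. The report is a constructed sample whose shape loosely mirrors a ZAP JSON alert list (site -> alerts -> riskcode), and the thresholds (High fails, Medium warns) are illustrative assumptions.

```python
"""Policy-as-code build gate over a security scan report (constructed sample).

Assumptions (not from the slides): the report layout loosely mirrors a ZAP
JSON report but is invented here; the policy thresholds are illustrative.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample report: one High, one Medium and one Low alert.
SAMPLE_REPORT = json.dumps({
    "site": [{
        "alerts": [
            {"name": "SQL Injection", "riskcode": "3", "instances": 2},
            {"name": "X-Content-Type-Options Header Missing", "riskcode": "1", "instances": 7},
            {"name": "Cookie Without Secure Flag", "riskcode": "2", "instances": 1},
        ]
    }]
})

RISK_NAMES = {"0": "informational", "1": "low", "2": "medium", "3": "high"}
ORDER = ["informational", "low", "medium", "high"]  # ascending severity

# Policy: High fails the build, Medium warns, anything lower is only logged.
POLICY = {"fail_at": "high", "warn_at": "medium"}


def load_alerts(report_json: str) -> List[Dict]:
    """Flatten all alerts from every site in the report."""
    data = json.loads(report_json)
    return [a for site in data.get("site", []) for a in site.get("alerts", [])]


def evaluate(report_json: str, policy: Dict[str, str] = POLICY) -> Tuple[str, List[str]]:
    """Return ("fail" | "warn" | "pass", log lines) according to the policy."""
    fail_idx = ORDER.index(policy["fail_at"])
    warn_idx = ORDER.index(policy["warn_at"])
    verdict, messages = "pass", []
    for alert in load_alerts(report_json):
        level = RISK_NAMES.get(str(alert.get("riskcode")), "informational")
        idx = ORDER.index(level)
        messages.append(f"{level.upper():13s} {alert['name']} ({alert.get('instances', 0)} instances)")
        if idx >= fail_idx:
            verdict = "fail"            # a single High is enough to fail
        elif idx >= warn_idx and verdict != "fail":
            verdict = "warn"            # Medium warns unless something already failed
    return verdict, messages


def exit_code(verdict: str) -> int:
    """Only a failing verdict breaks the build; warnings are reported but allowed."""
    return 1 if verdict == "fail" else 0


if __name__ == "__main__":
    verdict, lines = evaluate(SAMPLE_REPORT)
    print("\n".join(lines))
    print("verdict:", verdict)
    raise SystemExit(exit_code(verdict))
```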
DevSecOps Engineer Course
A sixteen (16) hour certification-based course that provides a practical understanding of DevSecOps.