DevSecOps Bootcamp
BUILDING RUGGED SOFTWARE
YEAR ONE / WEEK ONE / LESSON ONE
1 Copyright © DevSecOps Foundation 2015-2016
What’s Happening in the World?
• DEVOPS
• PUBLIC CLOUD
• AGILE
• SCRUM
• LEAN
• LOW-CODE
• NO-CODE
• NO OPS
• …
[Link]
A History Lesson – Google Trends Research
• Several years after the Agile Manifesto, [Link] was registered in 2004
• Google searches for “DevOps” started to rise in 2010
• Major influences:
• Saving your Infrastructure from DevOps / Chicago Tribune
• DevOps: A Culture Shift, Not a Technology / Information Week
• DevOps: A Sharder’s Tale from Etsy
• [Link] articles
• [Link] was registered in 2010
• As of 2013, DevSecOps is on the map…
Who’s doing Enterprise DevOps?
…
What’s the business benefit?
Business strategy is achieved with the
collaboration of all departments and
providers in service to the customer who
requires better, faster, cheaper, secure
products and services.
What Hinders Secure Innovation?
1. Manual processes & meeting culture
2. Point in time assessments
3. Friction for friction’s sake
4. Contextual misunderstandings
5. Decisions being made outside of value creation
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)
...
Say What??!!
[Link]
The Need for Change
• Innovation is a competitive advantage
• Cloud has leveled the playing field
• Demand for Customer centric product development
• Continuous delivery of features and changes
• New generation of workers desire collaboration
• Speed and scale are necessary to handle demand
• Integration over invention to speed up results
• Security breaches are on the rise
• People desire to work with greater autonomy...
• Continuous Learning... How can I do better? & better? [Link]
Culture Hacking
Traditional: Security is Security’s Responsibility
DevSecOps: Security is Everyone’s Responsibility
The Art of DevSecOps
DevSecOps =
• Security Engineering: Experiment, Automate, Test
• Security Operations: Hunt, Detect, Contain
• Compliance Operations: Respond, Manage, Train
• Security Science: Learn, Measure, Forecast
The Secure Software Supply Chain
• Gating processes are not Deming-like
• Hard to avoid business catastrophes by applying one-size-fits-all strategies
• Security is a design constraint
• A security defect is more like a security “recall”
• Decisions made by engineering teams
Faster security feedback loop across the supply chain:
• design: How do I secure my app? (The most costly mistakes happen during design.)
• build: What component is secure enough? (Typical gates for security checks & balances sit here.)
• deploy: How do I secure secrets for the app? (Typical gates for security checks & balances sit here too.)
• operate: Is my app getting attacked? How? (Mistakes and drift often happen after the design and build phases, resulting in weaknesses and potentially exploits.)
From a Traditional Supply Chain…
When will you solve my problem?!! Can we discuss my feedback?
Did we pass the 98 point inspection?
Thanks to Henrik Kniberg
To a Customer Centric Supply Chain
Better than walking, for sure… but not by much... / Can this be motorized to go faster and for longer trips? / When can I bring my kids with me? Does it come in Red? / Awesome!
Security must shift left with a Science Mindset like all other Ops…
Thanks to Henrik Kniberg
Shifting Security to the Left means built-in
Security is a Design Constraint
Security is and has always been a Design Constraint…
• Everyone knows Maslow…
• If you can remember 5 things, remember these ->
“Apps & data are as safe as where you put it, what’s in it, how you inspect it, who talks to it, and how it’s protected…”
But Please No Checklists & Save the Trees!!
deforestation: [Link]
Security Governance Transparency via Continuous Improvement
[Link]
Security as Code / Everything as Code
• Paper-resident policies do not stand up to constant cloud evolution and lessons learned.
• Translation from paper to code and back can lead to serious mistakes.
• Traditional security policies do not 1:1 translate to Full Stack deployments.
Data Center: LOCK YOUR DOORS • BADGE IN • AUTHORIZED PERSONNEL ONLY • BACKGROUND CHECKS
EVERYTHING AS CODE
Cloud Provider / Network: CHOOSE STRONG PASSWORDS • USE MFA • ROTATE API CREDENTIALS • CROSS-ACCOUNT ACCESS
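What the cloud-provider wall-chart rules look like once they are written as code rather than paper, as an added example that is not code from the DevSecOps Foundation deck. Each rule (USE MFA, ROTATE API CREDENTIALS, CROSS-ACCOUNT ACCESS) becomes a function that returns findings, so the policy can run on every change instead of at a point-in-time assessment. The inventory, user names, key ids, account ids and field names are constructed assumptions loosely modelled on an AWS IAM credential report and on role trust policies; nothing here calls a cloud API.

```python
"""Security policy as code.

Added example, not DevSecOps Foundation code. The "cloud provider" wall-chart
rules (USE MFA, ROTATE API CREDENTIALS, CROSS-ACCOUNT ACCESS) are written as
executable checks over a constructed inventory. Field names are assumptions
loosely modelled on an AWS IAM credential report and on role trust policies;
no cloud API is called.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)        # policy: rotate API credentials at least every 90 days
TRUSTED_ACCOUNTS = {"111111111111"}     # policy: cross-account access only from accounts we own
NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)   # fixed clock so the results are reproducible

# Constructed sample inventory (user names, key ids and account ids are made up).
USERS = [
    {"user": "alice", "password_enabled": True, "mfa_active": True,
     "access_keys": [{"id": "KEY-ALICE-1", "created": NOW - timedelta(days=10)}]},
    {"user": "bob", "password_enabled": True, "mfa_active": False,
     "access_keys": [{"id": "KEY-BOB-1", "created": NOW - timedelta(days=200)}]},
    # service account: no console password, so the MFA rule does not apply,
    # but its key is still subject to rotation
    {"user": "deploy-bot", "password_enabled": False, "mfa_active": False,
     "access_keys": [{"id": "KEY-DEPLOY-1", "created": NOW - timedelta(days=95)}]},
]
ROLES = [
    {"role": "ci-deployer", "trusted_principals": ["arn:aws:iam::111111111111:root"]},
    {"role": "legacy-admin", "trusted_principals": ["arn:aws:iam::999999999999:root",
                                                    "arn:aws:iam::111111111111:role/ops"]},
]


def check_mfa(users):
    """USE MFA: every identity with a console password must have MFA active."""
    return [f"{u['user']}: console password enabled without MFA"
            for u in users if u["password_enabled"] and not u["mfa_active"]]


def check_key_rotation(users, now=NOW, max_age=MAX_KEY_AGE):
    """ROTATE API CREDENTIALS: no access key may be older than max_age."""
    findings = []
    for u in users:
        for key in u["access_keys"]:
            age = now - key["created"]
            if age > max_age:
                findings.append(f"{u['user']}: key {key['id']} is {age.days} days old "
                                f"(limit {max_age.days})")
    return findings


def account_of(principal_arn):
    """The account id is the fifth colon-separated field of an ARN."""
    return principal_arn.split(":")[4]


def check_cross_account(roles, trusted=TRUSTED_ACCOUNTS):
    """CROSS-ACCOUNT ACCESS: roles may only trust principals in accounts we know."""
    return [f"{r['role']}: trusts principal in unknown account {account_of(arn)}"
            for r in roles for arn in r["trusted_principals"]
            if account_of(arn) not in trusted]


def evaluate(users=USERS, roles=ROLES):
    """Run every policy; an empty finding list means that policy passes."""
    return {
        "use_mfa": check_mfa(users),
        "rotate_api_credentials": check_key_rotation(users),
        "cross_account_access": check_cross_account(roles),
    }


if __name__ == "__main__":
    for policy, findings in evaluate().items():
        print(f"[{'PASS' if not findings else 'FAIL'}] {policy}")
        for finding in findings:
            print("    ", finding)
```

Because the policy is a function of the inventory, the same checks can run in CI against the planned state and in operations against the live account; the thresholds (key age, trusted accounts) are data, so tightening a policy is a reviewed commit rather than a new paper document.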
Example of Continuous Delivery + Security
DevOps Code - Creating Value & Availability
Source Code -> CI Server -> Test & Scan -> Artifacts -> Deploy -> Monitoring
DevSecOps Code - Creating Trust & Confidence
Continuous Feedback
THE FEEDBACK HIGHWAY: PRODUCT and SCRUM TEAM
THE INTEL HIGHWAY: SECURITY TEAM and SECURITY COMMUNITY
Both run through the SECURITY TESTING & DATA PLATFORM
Continuous Security Engineering & Science
Cloud accounts (EC2, CloudTrail) -> S3 ingestion -> Glacier, security tools & data -> insights, threat intel, security science -> security feedback loop, continuous response
Monitor & Inspect Everything
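Two detections of the kind the security feedback loop in the figure runs over ingested CloudTrail records, as an added example that is not part of the original deck: a security group opened to the whole internet (the SECURITY GROUPS finding on the next slide) and a service-account key used from outside the network it is expected on (API KEY EXPOSURE). The records, user names, key ids, group id and CI network range are constructed; the record layout follows CloudTrail's JSON format but is trimmed to the fields the rules read.

```python
"""Detection over CloudTrail-style records.

Added example, not DevSecOps Foundation code. Two rules a security feedback
loop can run over ingested CloudTrail events: a security group opened to the
whole internet, and a service-account key used from outside its expected
network. Records, key ids, group id and the CI network are constructed; the
record shape follows CloudTrail's JSON layout.
"""
import ipaddress
import json

# Assumption: CI runners live in this range (TEST-NET-3, RFC 5737).
KNOWN_CI_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumption: long-lived keys that must only ever be used from the CI network.
SERVICE_KEYS = {"AKIAEXAMPLEDEPLOY": "deploy-bot"}

# Constructed sample records, trimmed to the fields the rules use.
SAMPLE_EVENTS = json.loads("""
[
 {"eventID": "evt-1", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}},
 {"eventID": "evt-2", "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "bob", "accessKeyId": "AKIAEXAMPLEBOB"},
  "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventID": "evt-3", "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "bob", "accessKeyId": "AKIAEXAMPLEBOB"},
  "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
 {"eventID": "evt-4", "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLEDEPLOY"}},
 {"eventID": "evt-5", "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLEDEPLOY"}}
]
""")


def world_open_ingress(event):
    """SECURITY GROUPS: flag any ingress rule whose CIDR is 0.0.0.0/0 or ::/0."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = event.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
        # a prefix length of 0 matches every address in that family
        if any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
            return (f"{params.get('groupId')} opened {perm['ipProtocol']}/"
                    f"{perm['fromPort']}-{perm['toPort']} to the world by "
                    f"{event.get('userIdentity', {}).get('userName')} from {event['sourceIPAddress']}")
    return None


def key_used_off_network(event, known=KNOWN_CI_NETWORKS, service_keys=SERVICE_KEYS):
    """API KEY EXPOSURE: a service key seen from outside its expected network."""
    key = event.get("userIdentity", {}).get("accessKeyId")
    if key not in service_keys:
        return None
    try:
        source = ipaddress.ip_address(event["sourceIPAddress"])
    except ValueError:
        return None   # calls made on your behalf by an AWS service carry a DNS name here
    if any(source in net for net in known):
        return None
    return f"key {key} ({service_keys[key]}) used from {source}, outside the CI network"


RULES = (world_open_ingress, key_used_off_network)


def detect(events, rules=RULES):
    """Return (rule name, eventID, message) for every record that trips a rule."""
    alerts = []
    for event in events:
        for rule in rules:
            message = rule(event)
            if message:
                alerts.append((rule.__name__, event["eventID"], message))
    return alerts


if __name__ == "__main__":
    for rule, event_id, message in detect(SAMPLE_EVENTS):
        print(f"{rule:22} {event_id}: {message}")
```

Each rule is a pure function of one record, which keeps it testable in the same pipeline as application code; the ingestion side (S3 delivery, Glacier retention) only has to hand `detect` a list of parsed records, and the alert tuple carries the eventID so the response step can pull the full record back out of the archive.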
Red Team, Security Operations & Science
API KEY EXPOSURE -> 8 HRS
DEFAULT CONFIGS -> 24 HRS
SECURITY GROUPS -> 24 HRS
ESCALATION OF PRIVS -> 5 D
KNOWN VULN -> 8 HRS
Security Decision Support
This Could Be Your Mean Time to Resolution…
MTTR
Days… 6 months
Get Involved and Join the Community
• [Link]
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• [Link]
• Compliance at Velocity