Automate Early... But Securely!

Presentation transcript:

DevSecOps Use Case: Automate Early... But Securely!

About Me: serban.bejan@euro-testing.com, Information Security Consultant, Bucharest, Romania. 169 X Calea Floreasca, Cube Center Building, Ground Floor, Sector 1. www.euro-testing.com

Outline

DevOps + Security = DevSecOps. "The purpose and intent of DevSecOps, is to build on the mindset that 'everyone is responsible for security' with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required." (Shannon Lietz)

SecDevOps / DevSecOps / DevOpsSec

Security shifting to the left: cost to remediate. The slide's chart plots the cost of fixing a defect against the lifecycle phase in which it is found (Requirements, Design/Architecture, Coding, Testing, Deployments/Maintenance), with the later phases marked at 7X, 15X and 30X.
Found in production: somebody builds insecure software; IT deploys the insecure software; we are breached, or pay to have someone tell us our code is bad; we convince and pay the developer to fix it.
Found in QA: somebody builds insecure software; QA finds vulnerabilities in the software; we convince and pay the developer to fix it, thereby delaying the release.

Security shifting to the left across Application Development and IT Operations (Design, Code, Test/Integration & Staging, Production): Static Code Analysis (SAST) during design and coding, Dynamic Testing (DAST) during test, integration and staging, Runtime Protection (RASP) in production. Shift Left.

Integration landscape, grouped as Secure Development, Security Testing, Continuous Monitoring and Protection, and Communication/ChatOps:
Code repositories & apps: GitHub, Bitbucket
Requirements & issues: ALM Octane, JIRA, Bugzilla
Build servers: Jenkins, Bamboo, VSTS/TFS
Build tools: Maven, Ant, Make, Gradle
IDEs: Eclipse, Visual Studio, IntelliJ / Android Studio
Open Source (component analysis): Sonatype, Blackduck, Fortify
Configuration automation: Puppet, Chef, Ansible
Containers: Vagrant, Docker, Kubernetes
Cloud: Azure, AWS
Security: Vuln Mgmt, SIEM, WAFs
Communication/ChatOps

Integrating security in DevOps. Pipeline stages: Plan, Code, Review, Build, Test (Dev side); Release, Deploy, Operate, Monitor (Ops side). Security activities placed along the Dev side: threat modeling and risk assessment, SAST, secure code review, SCA, DAST, fuzzing, PenTest.
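The slide lists where SAST, SCA and DAST sit in the pipeline but not what "integrating" them looks like once their results come back. The block below is an added example, not code from the presentation or from any of the tools named on it: a security gate that runs after the Build and Test stages, merges the findings the scanners produced, and decides whether the build may continue to Release. Findings, rule ids, policy values and the date are all constructed sample data; the severity threshold and the time-limited risk acceptances are design choices assumed here, not anything the slide prescribes.

```python
"""
CI security gate: merge SAST/SCA/DAST findings and block the build when the
policy says so. Sample findings and policy below are constructed, not real
scanner output.
"""
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    tool: str       # stage that produced it: "sast", "sca" or "dast"
    rule: str       # tool-specific rule or advisory id (constructed placeholder)
    severity: str   # low / medium / high / critical
    location: str   # file:line, package@version, or URL under test


@dataclass
class GatePolicy:
    fail_at: str = "high"        # block at this severity or above
    max_findings: int = 50       # an unusually noisy scan is itself a failure signal
    # accepted risks: rule id -> expiry date; an expired acceptance no longer applies
    exceptions: dict = field(default_factory=dict)


@dataclass
class GateResult:
    passed: bool
    blocking: list   # findings that stop the build
    waived: list     # findings covered by a still-valid acceptance
    reasons: list    # human-readable explanation for the pipeline log


def evaluate_gate(findings, policy, today):
    """Return a GateResult; the build passes only when `reasons` is empty."""
    threshold = SEVERITY_RANK[policy.fail_at]
    blocking, waived = [], []
    for f in findings:
        if SEVERITY_RANK.get(f.severity.lower(), 0) < threshold:
            continue  # below the gate threshold: reported, but not blocking
        expiry = policy.exceptions.get(f.rule)
        if expiry is not None and expiry >= today:
            waived.append(f)  # risk accepted and acceptance has not expired
        else:
            blocking.append(f)
    reasons = []
    if blocking:
        reasons.append(f"{len(blocking)} finding(s) at or above '{policy.fail_at}'")
    if len(findings) > policy.max_findings:
        reasons.append(f"{len(findings)} findings exceed the limit of {policy.max_findings}")
    return GateResult(passed=not reasons, blocking=blocking, waived=waived, reasons=reasons)


# Constructed sample input: one normalized finding per pipeline stage.
SAMPLE_FINDINGS = [
    Finding("sast", "SAST-SQLI-001", "high", "app/db.py:42"),
    Finding("sca", "SCA-DEP-001", "critical", "somelib@1.2.3"),
    Finding("dast", "DAST-XSS-001", "medium", "https://staging.example.test/search"),
    Finding("sast", "SAST-HARDCODED-002", "high", "app/config.py:7"),
]
TODAY = date(2018, 3, 1)  # constructed "build date" for the expiry check
SAMPLE_POLICY = GatePolicy(
    fail_at="high",
    exceptions={
        "SCA-DEP-001": date(2030, 1, 1),        # still valid on TODAY: waived
        "SAST-HARDCODED-002": date(2017, 6, 1),  # expired on TODAY: blocks again
    },
)


def run_sample():
    return evaluate_gate(SAMPLE_FINDINGS, SAMPLE_POLICY, TODAY)


if __name__ == "__main__":
    result = run_sample()
    print("PASS" if result.passed else "FAIL", "; ".join(result.reasons))
    for f in result.blocking:
        print(f"  block  {f.tool:4} {f.severity:8} {f.rule} at {f.location}")
    for f in result.waived:
        print(f"  waived {f.tool:4} {f.severity:8} {f.rule} at {f.location}")
```

The gate deliberately treats an expired risk acceptance as if it never existed, so a deferred fix resurfaces instead of silently staying waived; the medium-severity DAST finding is kept in the report but does not stop the build under a "high" threshold.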

Use Case

Measuring Success: deployment frequency; lead time; detection of threats, security defects, and flaws; mean time to repair; mean time to recovery.
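The slide names the metrics but not how they are derived from pipeline data. The block below is an added example, not from the presentation: it computes deployment frequency, lead time, mean time to repair a detected vulnerability (split by the stage that found it, which is what the "days to fix" comparison later in the deck turns on) and mean time to recovery from incidents, over a small set of constructed event records. The record layout and the seven-day window are assumptions made for the example.

```python
"""
DevSecOps success metrics from constructed pipeline events (not real data).
Each record is a pair of ISO-8601 timestamps; times are in hours.
"""
from datetime import datetime
from statistics import mean

# Constructed sample records.
DEPLOYS = [  # (commit time, deploy time) for each production deployment
    ("2018-03-01T09:00", "2018-03-01T15:00"),
    ("2018-03-02T10:00", "2018-03-03T10:00"),
    ("2018-03-05T08:00", "2018-03-05T12:00"),
    ("2018-03-06T08:00", "2018-03-06T20:00"),
]
VULN_FIXES = [  # (detected, fixed, stage that detected it)
    ("2018-03-01T15:00", "2018-03-03T15:00", "sast"),
    ("2018-03-02T12:00", "2018-03-08T12:00", "dast"),
    ("2018-03-04T09:00", "2018-03-05T09:00", "sast"),
]
INCIDENTS = [  # (service degraded, service recovered)
    ("2018-03-03T02:00", "2018-03-03T05:00"),
    ("2018-03-07T22:00", "2018-03-08T01:00"),
]
WINDOW_DAYS = 7  # reporting window the sample records fall into


def hours_between(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def deployment_frequency(deploys=DEPLOYS, window_days=WINDOW_DAYS):
    """Deployments per day over the window."""
    return len(deploys) / window_days


def lead_time_hours(deploys=DEPLOYS):
    """Mean hours from commit to running in production."""
    return mean(hours_between(c, d) for c, d in deploys)


def mean_time_to_repair_hours(fixes=VULN_FIXES, source=None):
    """Mean hours from vulnerability detection to fix; optionally per detection stage."""
    spans = [hours_between(found, fixed) for found, fixed, stage in fixes
             if source is None or stage == source]
    return mean(spans) if spans else None


def mean_time_to_recovery_hours(incidents=INCIDENTS):
    """Mean hours from service degradation to recovery."""
    return mean(hours_between(s, e) for s, e in incidents)


if __name__ == "__main__":
    print(f"deploys/day:            {deployment_frequency():.2f}")
    print(f"lead time (h):          {lead_time_hours():.1f}")
    print(f"MTTR all (h):           {mean_time_to_repair_hours():.1f}")
    print(f"MTTR sast-found (h):    {mean_time_to_repair_hours(source='sast'):.1f}")
    print(f"MTTR dast-found (h):    {mean_time_to_repair_hours(source='dast'):.1f}")
    print(f"time to recovery (h):   {mean_time_to_recovery_hours():.1f}")
```

Splitting mean time to repair by detecting stage is what makes the metric actionable: if DAST-found issues take several times longer to close than SAST-found ones, the remediation bottleneck is late detection rather than the fix itself.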

Benefits of DevSecOps. Technical benefits: continuous software delivery; less complex problems to fix; faster resolution of issues when they arise; a secure environment. Business benefits: faster delivery of features; more stable operating environments; more time available to add value (rather than waste it on fixes/maintenance); no breaches / better image.

Main takeaways (Non-DevSecOps vs DevSecOps): 92 days to fix a vulnerability; 113 days when found using dynamic analysis in production; 51 days when found using static analysis.

THANK YOU