JOINED AT THE HIP: DEVSECOPS AND CLOUD-BASED ASSETS
Ron Ingram, R2 Technology Solutions
October 24, 2018, @Tech at the Gap
DEVOPS vs. DEVSECOPS
DevOps:
- A collaborative environment between the Development, Testing, and Operations teams to achieve continuous delivery
- Commonly understood as a combination of processes and tools that facilitate ongoing collaboration between the software engineering and infrastructure teams
- These, in turn, automate the rapid and reliable delivery of applications and services across the organization
DevSecOps:
- Integration of the security component into the DevOps process: embeds security controls and processes into the DevOps workflow
- Focuses on the security issues of DevOps automation itself (e.g. configuration management, software composition analysis)
SECURITY BENEFITS OF DEVSECOPS
- Automatic code security: DevSecOps reduces the risk of introducing security flaws through human error by automating tests, and gives greater coverage, consistency and predictable processes. Issues can be tracked and fixed as soon as they appear during development.
- Continuous security: with automation tools, organizations create a continuous, closed-loop process for testing and reporting, so that security concerns are surfaced immediately and tracked to resolution rather than discovered late.
- Leveraging security resources: DevSecOps automates most of the standard security tasks that require less hands-on time, such as event monitoring, account management, code security checks and vulnerability assessments. This lets security professionals focus on threat remediation and on eliminating strategic risk.
HOW DOES DEVSECOPS WORK?
- Provides DevOps teams with security knowledge and practices
- Brings application development knowledge and processes into the Security team, so both teams can collaborate efficiently
- Closer collaboration between the Development, Security and Operations teams ensures that vulnerabilities are identified, and security threats minimized, at the earliest stages
Major components include:
- Code analysis: rapid identification of vulnerabilities as code is delivered
- Change management: lets users submit changes quickly and efficiently while determining whether the impact of each change is positive or negative
- Compliance monitoring: stay compliant with regulations and be prepared for audits at any time
- Threat investigation: each code update can bring new potential threats; identify them as early as possible and respond immediately
- Vulnerability assessment: analysis of newly disclosed vulnerabilities and the response to them
- Training: involve software and IT engineers in security-related training and equip them with guidelines for their routine tasks
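The closed-loop "test, report, track" cycle from the previous two slides is easiest to see as a pipeline gate. The following is an added example written for this page, not code from the deck or from R2 Technology Solutions: it takes findings from the code-analysis, composition-analysis and image-scan stages, applies a severity threshold, honours time-boxed risk acceptances (so an accepted risk is revisited instead of forgotten), and returns a verdict plus a report for the pipeline. The findings, acceptances, identifiers and the `Finding`/`Acceptance` schema are all constructed for the example; real scanners emit their own JSON or SARIF and need a small adapter to this shape.

```python
"""Added example (not from the original deck): a DevSecOps pipeline
security gate. Scanner output is reduced to Finding objects, a policy
threshold is applied, and time-boxed risk acceptances are honoured.
All sample data below is CONSTRUCTED (hypothetical ids and locations,
not real CVEs)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
DECK_DATE = date(2018, 10, 24)  # "today" for the worked run below


@dataclass(frozen=True)
class Finding:
    tool: str        # pipeline stage that produced it (sast, sca, image, ...)
    id: str          # stable identifier so an acceptance can reference it
    severity: str
    location: str


@dataclass(frozen=True)
class Acceptance:
    finding_id: str
    justification: str
    expires: date    # accepted risk is revisited; it is never silently permanent


# Constructed sample input: four findings from three pipeline stages.
SAMPLE_FINDINGS = [
    Finding("sast", "sast-0001", "HIGH", "app/db.py:42 (string-built SQL query)"),
    Finding("sca", "sca-0002", "CRITICAL", "requirements.txt (outdated parser library)"),
    Finding("image", "img-0003", "HIGH", "base image OS package"),
    Finding("sast", "sast-0004", "LOW", "app/util.py:7 (verbose debug logging)"),
]
# Constructed acceptances: one still valid, one that has lapsed.
SAMPLE_ACCEPTANCES = [
    Acceptance("sca-0002", "vulnerable function not reachable; upgrade ticketed", date(2018, 12, 31)),
    Acceptance("img-0003", "waiting on vendor base-image rebuild", date(2018, 9, 30)),
]


def evaluate(findings: List[Finding], acceptances: List[Acceptance],
             today: date, fail_at: str = "HIGH") -> Dict[str, object]:
    """Classify findings against the policy; the build is blocked if any
    finding at or above `fail_at` lacks an unexpired acceptance."""
    threshold = SEVERITY_RANK[fail_at]
    active = {a.finding_id for a in acceptances if a.expires >= today}
    lapsed = {a.finding_id for a in acceptances if a.expires < today}
    blocking, accepted, expired, below = [], [], [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            below.append(f)          # reported for visibility, does not block
        elif f.id in active:
            accepted.append(f)       # consciously accepted, with an expiry date
        else:
            if f.id in lapsed:
                expired.append(f)    # surface lapsed acceptances explicitly
            blocking.append(f)
    return {"pass": not blocking, "blocking": blocking, "accepted": accepted,
            "expired_acceptances": expired, "below_threshold": below}


def render_report(result: Dict[str, object]) -> str:
    """Plain-text report the pipeline can publish next to the build log."""
    lines = [f"security gate: {'PASS' if result['pass'] else 'FAIL'}"]
    for f in result["blocking"]:
        lines.append(f"  BLOCK    {f.severity:<8} {f.tool}/{f.id}  {f.location}")
    for f in result["expired_acceptances"]:
        lines.append(f"           (risk acceptance for {f.id} has expired: renew or fix)")
    for f in result["accepted"]:
        lines.append(f"  ACCEPTED {f.severity:<8} {f.tool}/{f.id}  (time-boxed)")
    lines.append(f"  {len(result['below_threshold'])} finding(s) below threshold, reported only")
    return "\n".join(lines)


if __name__ == "__main__":
    verdict = evaluate(SAMPLE_FINDINGS, SAMPLE_ACCEPTANCES, today=DECK_DATE)
    print(render_report(verdict))
    raise SystemExit(0 if verdict["pass"] else 1)
```

With the sample data and a HIGH threshold the gate fails: the SQL finding has no acceptance, and the image finding's acceptance expired in September, so both block while the CRITICAL dependency finding is allowed through under its still-valid, dated acceptance. Raising the threshold to CRITICAL lets the same build pass, which is the knob a team turns deliberately, not by editing findings out of the report.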
DEVSECOPS IN THE CLOUD
CLOUD PLATFORMS FOR DEVSECOPS: AWS & AZURE
AWS & AZURE CLOUD PLATFORMS: SECURITY COMPARISON
CONTAINER SECURITY: WHAT IS IT & WHY BOTHER?
- OS virtualization has become increasingly popular thanks to advances in ease of use and a strong focus on developer agility as a key benefit
- OS virtualization technologies are primarily focused on providing a portable, reusable, and automatable way to package and run applications; the terms application container, or simply container, refer to such technologies
- Containers let teams run applications, with their code, configuration and dependencies, in resource-isolated processes
- Advantages: reduced environmental dependencies, support for microservices, and horizontal scalability
CONTAINER SECURITY: WHAT IS IT & WHY BOTHER?
- However, organizations have little transparency into containers, because many of these software components arrive only as part of packaged services. This opacity limits the enterprise's ability to audit them and potentially exposes it to additional risk from digital threats
- Organizations must treat the security of their containers as a whole: security measures must extend to the build, deployment, and runtime environments
- This is particularly important given the ongoing evolution of DevOps systems and the growing adoption of integration-platform-as-a-service (iPaaS) container packages from cloud vendors
CONTAINER SECURITY MEASURES
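One build-stage measure of the kind the container slides call for is to lint the Dockerfile before the image is built, so a weak image never reaches deployment or runtime. The following is an added example written for this page, not code from the deck or from any vendor: it parses a Dockerfile, tracks the effective user across multi-stage builds, and flags an unpinned base image, a final stage that runs as root, secrets baked into `ENV`/`ARG`, and `ADD` from a remote URL. The rule ids DF001 to DF004, the sample Dockerfiles and the placeholder digest are all constructed for the example.

```python
"""Added example (not from the original deck): a build-stage Dockerfile
lint for container hardening. Rules and ids are our own, encoding common
guidance: pin the base image, do not run as root, keep secrets out of
ENV/ARG, do not ADD unverified remote content. Samples are CONSTRUCTED."""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (rule id, severity, message)

# Variable names that suggest a credential is being written into an image layer.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64  # constructed placeholder, not a real digest


def parse_dockerfile(text: str) -> List[Tuple[str, str]]:
    """Split a Dockerfile into (INSTRUCTION, arguments) pairs, dropping blank
    lines and comments and joining backslash line continuations."""
    pairs, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        pending += line
        head, _, rest = pending.partition(" ")
        pairs.append((head.upper(), rest.strip()))
        pending = ""
    return pairs


def lint_dockerfile(text: str) -> List[Finding]:
    findings: List[Finding] = []
    stage_names = set()   # earlier stages ("FROM x AS builder") a later FROM may reference
    user, saw_from = "root", False
    for instr, args in parse_dockerfile(text):
        if instr == "FROM":
            saw_from, user = True, "root"   # each stage starts as root until USER says otherwise
            parts = args.split()
            image = parts[0]
            if len(parts) >= 3 and parts[1].upper() == "AS":
                stage_names.add(parts[2])
            if image == "scratch" or image in stage_names or "@sha256:" in image:
                continue  # nothing to pin, a stage reference, or already digest-pinned
            name = image.split("/")[-1]       # drop registry/namespace (registry may carry ':port')
            tag = name.split(":", 1)[1] if ":" in name else None
            if tag is None or tag == "latest":
                findings.append(("DF001", "HIGH", f"FROM {image}: base image not pinned; use a specific tag (and digest)"))
        elif instr == "USER":
            user = args.split()[0]
        elif instr in ("ENV", "ARG"):
            for key in (tok.split("=", 1)[0] for tok in args.split()):
                if SECRET_NAME.search(key):
                    findings.append(("DF003", "HIGH", f"{instr} {key}: secret persisted in image layers/metadata"))
        elif instr == "ADD":
            if any(s.startswith(("http://", "https://")) for s in args.split()[:-1]):
                findings.append(("DF004", "MEDIUM", "ADD from URL: unverified remote content; use COPY or RUN with a checksum"))
    if saw_from and user.split(":")[0] in ("root", "0"):
        findings.append(("DF002", "HIGH", f"final stage runs as {user}; set a non-root USER"))
    return findings


# Constructed sample: the weak image, as commonly written.
WEAK_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=hunter2
ADD https://example.invalid/app.tar.gz /opt/
RUN pip install -r /opt/requirements.txt
CMD ["python", "/opt/app.py"]
"""

# Constructed sample: the hardened form. DB credentials are injected at
# runtime from a secret store instead of being baked into the image.
HARDENED_DOCKERFILE = f"""\
FROM python:3.7-slim@{PLACEHOLDER_DIGEST}
RUN groupadd -r app && useradd -r -g app app
WORKDIR /app
COPY --chown=app:app . /app
RUN pip install --no-cache-dir -r requirements.txt
USER app
CMD ["python", "app.py"]
"""

# Constructed sample: multi-stage build whose final stage is FROM scratch.
MULTISTAGE_DOCKERFILE = f"""\
FROM golang:1.11@{PLACEHOLDER_DIGEST} AS builder
COPY . /src
RUN cd /src && CGO_ENABLED=0 go build -o /out/app .

FROM scratch
COPY --from=builder /out/app /app
USER 65534:65534
ENTRYPOINT ["/app"]
"""

if __name__ == "__main__":
    for label, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, lint_dockerfile(df) or "clean")
```

The weak sample trips all four rules; the hardened and multi-stage samples pass. Note that the linter resets the effective user at every `FROM`, because a `USER` in a builder stage does not carry into the final stage, which is exactly where a root-running image slips through an inattentive review.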
SECURITY TOOLS FOR DEVSECOPS PIPELINE
Image: https://dso-studio.teachera.io/tools/
DEVSECOPS: CONTINUOUS SECURITY & COMPLIANCE FOR CLOUD
- With DevSecOps in the cloud, security becomes an essential part of the development process itself instead of an afterthought
- DevSecOps is an objective where security checks and controls are applied automatically and transparently throughout the development and delivery of cloud-enabled services
- Simply implementing or relying on standard security tools and processes won't work: secure service delivery starts in development, and the most effective DevSecOps programs start at the earliest points in the development process and follow the workload throughout its life cycle
Q&A
Ron Ingram, R2 Technology Solutions
ringram@r2techsolutions.net