Dev-Sec-Ops Jose Alvarez DevSecOps Engineer & Evangelist

Presentation transcript:

Dev-Sec-Ops
Jose Alvarez, DevSecOps Engineer & Evangelist
Security As Code, Beyond the Pipeline

What is DevOps?
● Methodologies: CI/CD, telemetry, system of records
● Technologies: Jenkins, Ansible, Chef, Kubernetes
● Shared Responsibility
● Shared Ownership

DevOps Shifts Left
● Increased Speed
● Increased Agility
● Increased Quality
● Saves Time
● Reduces Costly Re-work

DevOps Fundamentals (The 3 Ways)
● Principles of Downstream Flow
● Principles of Continuous Feedback
● Principles of Continuous Learning & Experimentation

The First Way: Principles of Downstream Work Flows
● Optimally, Work Should Flow Downstream Only
● Known Defects Should Not Be Passed Downstream
● Continuously Search for Ways to Increase Workflow Tempos

The Second Way: The Principle of Continuous Feedback
● Establish and Maintain Continuous Feedback Loops Upstream
● Shorten the Feedback Loop (making it faster)
● Continuously Amplify the Feedback Loop (look for ever weaker failure signals to monitor and alert on)

The Third Way: The Principles of Continuous Learning & Experimentation
● Kaizen (Continuous Improvement through Learning)
● Learn from Failures and Successes
● Practice and Experiment Continuously until Mastery is Achieved

Dev-Ops Advantages
● Flexibility
● Resilience
● Automation
● Increased Visibility
● Increased Deployment and Delivery Frequency

What is Dev-Sec-Ops?
● Dev-Ops is Evolving
● Confidentiality
● Integrity
● Availability

Security Defined?
Security is a process and mindset.
● Security is a Process, not a tool or set of tools
● Security is based on principles & skills, PPTs
● Security is the application of Strategy, Operations, Tools and Tactics
● Security is the practice of ensuring Confidentiality, Integrity and Availability (CIA)
● Security is based on Risk Management

DevSecOps Defined?
DevSecOps can be best defined as Building Security into DevOps Tools and Practices, but its scope is larger than that and also includes the following:
● Culture As A Strategy
● Tools and Tactics
● Relationship building
● Capabilities development
● CI/CD Automation and Beyond

DevSecOps Culture Defined?
DevSecOps Culture can best be defined by the following:
● As a Strategy to Achieve Technical and Security Objectives
● As Security Practices that must be integrated within the relevant Technical Contexts of the organization
● Think of the DevSecOps culture as something that must be continuously shared and learned over time as a capability
● Think of the DevSecOps Culture as the Evolutionary adaptation of Security into the DevOps Culture

Strategy, Operations & Tactics Defined?
Strategy, Operations and Tactics are interdependent.
● Strategy is the methods and science governing large-scale processes and employing resources to meet objectives and achieve high-level goals.
● Operations are the logistical resources and processes that seek to enable and orchestrate tactical successes by mapping Strategic goals, logistics and resources onto tactical objectives.
● Tactics are the actual decisions regarding the exact means and tooling used in the field to gain and maintain objectives. Tactics determine which resources and tools should be used, as well as how they will be used, for specific short-range goals.

What Problem Does DevSecOps Solve?
DevSecOps addresses the following issues:
● The Security Team's inability to keep pace with DevOps Teams
● Lack of Security Requirements for infrastructure & Web applications
● Centralized Inventory Management of Infrastructure and Software components
● Automated deployment capability of secure, low-risk infrastructure & software to production environments
● Overcoming Security Entropy

Can Security Teams Go Agile?
Security Teams can learn to become Agile!
● By learning to use DevOps Automated Configuration Management Tools like Jenkins, TeamCity, Octopus, Travis, CodeShip...
● By finding ways to add automated security checks, tests, and gates into existing toolsets and frameworks without introducing unnecessary delays, costs, or downtime
● By using tools that don't require you to be a software engineer to use and maintain

What Automation Tools Can We Use?
● Ansible
● Jenkins
● Puppet
● Chef
● TeamCity
● SaltStack
● Travis
● Octopus

What Kind of Security Tools Can We Use?
● Arachni
● Nmap
● Nikto
● SonarQube
● Snyk
● OWASP Dependency-Check
● ELK / HELK / Splunk
● Maltego
● Kali Linux
● Metasploit
● Threat Dragon
● DevSkim
● Puma Scan
● Git-Secrets
● Mocha
● Ansible
● ServerSpec
● ZAP
● SQLNinja
● Gauntlt
● OpenSCAP
● OpenVAS

What Kind of Issues To Expect Going DevSecOps?
● Security build steps slow down the deployment frequency
● Too many false positives
● Security Team doesn't know how to do automation
● DevOps Teams have different goals
● Security Team is unable to find the time to solve the issues they find
● Security Teams don't understand the SDLC
● DevOps Teams don't understand security
● DevOps Teams don't understand risk management
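The two slides above ask for automated security gates that do not introduce unnecessary delays, and then list false positives and blocked deployments as the issues that follow. The script below is an added example, not code from the deck or from any tool it names: a CI gate that reads a scanner report (a constructed JSON report in the id/severity/component shape many SAST and dependency scanners can export), fails the build only at or above a chosen severity, and lets triaged false positives through an allowlist whose entries carry a justification and an expiry date, so accepted risk stays visible instead of becoming permanent. The report, the allowlist and the severity labels are all assumptions for the example.

```python
"""Added example: a CI security gate over a scanner report (not from the deck)."""
import json
from datetime import date

# Severity order used by the policy (assumption: the scanner uses these labels).
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report, not the output of any real tool run.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "DEP-0001", "severity": "CRITICAL", "component": "libfoo-1.2.3",
         "rule": "known-vulnerable-dependency"},
        {"id": "SAST-0042", "severity": "HIGH", "component": "app/auth.py",
         "rule": "hardcoded-credential"},
        {"id": "SAST-0077", "severity": "HIGH", "component": "app/util.py",
         "rule": "weak-random"},
        {"id": "SAST-0101", "severity": "LOW", "component": "app/log.py",
         "rule": "log-injection"},
    ]
})

# Constructed triage allowlist: finding id -> justification and expiry date.
# An expired entry must NOT suppress the finding; triage has to be renewed.
SAMPLE_ALLOWLIST = {
    "SAST-0042": {"reason": "test fixture credential, never used in prod",
                  "expires": "2099-01-01"},
    "SAST-0077": {"reason": "non-security use of random()",
                  "expires": "2000-01-01"},  # expired on purpose
}


def parse_report(report_json):
    """Return the findings from a report string, rejecting unknown severities."""
    findings = json.loads(report_json).get("findings", [])
    for f in findings:
        if f.get("severity") not in SEVERITY_RANK:
            raise ValueError(f"unknown severity in finding {f.get('id')}")
    return findings


def is_suppressed(finding, allowlist, today):
    """A finding is suppressed only by an allowlist entry that has not expired."""
    entry = allowlist.get(finding["id"])
    if entry is None:
        return False
    return date.fromisoformat(entry["expires"]) > today


def evaluate_gate(report_json, allowlist, fail_at="HIGH", today=None):
    """Return (passed, blocking_ids, suppressed_ids).

    Findings below the fail_at severity are reported but never block, so a
    noisy low-severity rule cannot stall the pipeline by itself.
    """
    today = today or date.today()
    threshold = SEVERITY_RANK[fail_at]
    blocking, suppressed = [], []
    for f in parse_report(report_json):
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue  # below the gate threshold: visible in the report only
        if is_suppressed(f, allowlist, today):
            suppressed.append(f["id"])
        else:
            blocking.append(f["id"])
    return (len(blocking) == 0, blocking, suppressed)


def main():
    """CLI-style entry point: non-zero exit code fails the CI stage."""
    passed, blocking, suppressed = evaluate_gate(SAMPLE_REPORT, SAMPLE_ALLOWLIST)
    print(f"gate passed={passed} blocking={blocking} suppressed={suppressed}")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Wiring this into a Jenkins or TeamCity stage is a single step that runs the script and honours its exit code; the allowlist file lives in the repository next to the code so that every suppression is reviewed like any other change.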

DevSecOps Pipeline
PRE-COMMIT
● Tools & Tactics: IDE-SAST, Threat Modeling, Security Requirements
CONTINUOUS INTEGRATION
● Tools & Tactics: SAST on Commit, Hardening, Security Unit Tests
CONTINUOUS DELIVERY
● Tools & Tactics: DAST, RASP, IAST, IaC Compliance
PRODUCTION
● Tools & Tactics: Config Tests, Secrets Management, Cloud Sec, Threat Intel, Continuous Monitoring, Continuous Scanning, Red Team
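The earliest stage of the pipeline is the developer's own commit, and the tools slide lists Git-Secrets for exactly that point. The script below is an added example, not code from the deck or from Git-Secrets: a pre-commit style check that scans the text of files about to be committed for two signals, known credential formats matched by regex and long high-entropy tokens that look like generated keys, and returns each hit with file, line and rule so a hook can block the commit before the secret ever reaches the repository. The patterns, the entropy threshold, the `# pragma: allowlist secret` marker and the sample files are all assumptions constructed for the example (the AWS key shown is the documented example value, not a real credential).

```python
"""Added example: a pre-commit style secrets check (not from the deck)."""
import math
import re
from collections import Counter

# Constructed detection rules (assumption: modelled on common credential formats).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "assignment-of-secret": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?[^\s'\"]{8,}"),
}
# Candidate tokens for the entropy check: long runs of base64/url-safe chars.
ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; random keys sit well above this
ALLOW_MARKER = "# pragma: allowlist secret"  # assumed in-line triage marker

# Constructed sample files standing in for the staged contents of a commit.
SAMPLE_FILES = {
    "app/config.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "Correct-Horse-Battery-9"\n'
        'TEST_TOKEN = "not-a-real-token"  # pragma: allowlist secret\n'
    ),
    "deploy/vars.yml": (
        'region: eu-west-1\n'
        'aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n'
        'session_blob: Zq8xK2mV7pL4nR9tB3wY6cH1jF5gD0sA\n'
    ),
    "README.md": "Run `make test` before pushing.\n",
}


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s (s non-empty)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return findings for one file: dicts with file, line and matched rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue  # explicitly triaged by the developer, reviewed in the diff
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append({"file": path, "line": lineno, "rule": rule})
        # Entropy rule fires at most once per line to keep the report readable.
        for token in ENTROPY_TOKEN.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append({"file": path, "line": lineno,
                                 "rule": "high-entropy-token"})
                break
    return findings


def scan_files(files):
    """Scan a mapping of path -> text and return all findings in file order."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for h in hits:
        print(f"{h['file']}:{h['line']}: {h['rule']}")
    # A git hook would read staged content instead and exit 1 when hits is non-empty.
    raise SystemExit(1 if hits else 0)
```

The regex rules catch the formats you already know about; the entropy rule is what catches the opaque blob pasted into a YAML file. Both produce false positives on occasion, which is why the example includes a marker for deliberate exceptions: the same triage-not-silence approach that a CI gate needs.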

Q & A QUESTIONS AND ANSWERS