Automate Early... But Securely!

Presentation on theme: "Automate Early... But Securely!"— Presentation transcript:

1 Automate Early... But Securely!
DevSecOps Use Case: Automate Early... But Securely!

2 About Me
Serban Bejan (serban.bejan@euro-testing.com), Information Security Consultant
Bucharest, Romania: 169 X Calea Floreasca, Cube Center Building, Ground Floor, Sector 1

3 Outline

5 DevOps + Security = DevSecOps
"The purpose and intent of DevSecOps is to build on the mindset that 'everyone is responsible for security' with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required." (Shannon Lietz)

6 SecDevOps / DevSecOps / DevOpsSec

7 Security shifting to the left
[Chart: Cost to Remediate across the lifecycle phases Requirements, Design/Architecture, Coding, Testing, Deployments/Maintenance, with cost multipliers of 7X, 15X and 30X shown on the chart.]
Scenario without early testing: somebody builds insecure software; IT deploys the insecure software; we are breached, or pay to have someone tell us our code is bad; we convince and pay the developer to fix it.
Scenario with testing before release: somebody builds insecure software; QA finds vulnerabilities in the software; we convince and pay the developer to fix it, thereby delaying the release.

8 Application Development
Security shifting to the left (Shift Left)
[Diagram: Application Development stages Design, Code, Test, Integration & Staging, and IT Operations stage Production, with the security controls Static Code Analysis (SAST), Dynamic Testing (DAST) and Runtime Protection (RASP) placed along the pipeline.]

9 Communication/ChatOps
Integration points across the toolchain:
Code repositories & apps: GitHub, Bitbucket
Requirements & issues: ALM Octane, JIRA, Bugzilla
Build servers: Jenkins, Bamboo, VSTS/TFS
Build tools: Maven, Ant, Make, Gradle
IDEs: Eclipse, Visual Studio, IntelliJ / Android Studio
Open Source (software composition): Sonatype, Blackduck, Fortify
Configuration automation: Puppet, Chef, Ansible
Containers: Vagrant, Docker, Kubernetes
Cloud: Azure, AWS
Security: Vuln Mgmt, SIEM, WAFs
Cross-cutting themes: Communication/ChatOps, Continuous Monitoring and Protection, Secure Development, Security Testing

10 Integrating security in DevOps
Pipeline stages: Plan, Code, Review, Build, Test, Release, Deploy, Operate, Monitor
Dev-side security activities: threat modeling, risk assessment, secure code review, SAST, SCA
Ops-side security activities: DAST, fuzzing, pentest

11 Use Case

12 Measuring Success
Deployment frequency; lead time; detection of threats, security defects, and flaws; mean time to repair; mean time to recovery

13 Benefits of DevSecOps
Technical Benefits: continuous software delivery; less complex problems to fix; faster resolution of issues when they arise; secure environment
Business Benefits: faster delivery of features; more stable operating environments; more time available to add value (rather than waste it with fixes/maintenance); no breaches / better image

14 Main takeaways
[Chart comparing Non-DevSecOps and DevSecOps time to fix a vulnerability; values shown: 92 days to fix a vulnerability, 113 days (using dynamic analysis in production), 51 days (using static analysis).]

15 THANK YOU
