Published by Brooke McKenzie. Modified over 5 years ago.
1
Dev-Sec-Ops
Jose Alvarez, DevSecOps Engineer & Evangelist
Security As Code, Beyond the Pipeline
2
What is DevOps?
● Methodologies: CI/CD, telemetry, system of records
● Technologies: Jenkins, Ansible, Chef, Kubernetes
● Shared Responsibility
● Shared Ownership
3
DevOps Shifts Left
● Increased Speed
● Increased Agility
● Increased Quality
● Saves Time
● Reduces Costly Re-work
4
DevOps Fundamentals (The 3 Ways)
● Principles of Downstream Flow
● Principles of Continuous Feedback
● Principles of Continuous Learning & Experimentation
5
The First Way: Principles of Downstream Work Flows
● Optimally, work should flow downstream only
● Known defects should not be passed downstream
● Continuously search for ways to increase workflow tempo
6
The Second Way: The Principle of Continuous Feedback
● Establish and maintain continuous feedback loops upstream
● Shorten the feedback loop (make it faster)
● Continuously amplify the feedback loop (look for ever weaker failure signals to monitor and alert on)
7
The Third Way: The Principles of Continuous Learning & Experimentation
● Kaizen (continuous improvement through learning)
● Learn from failures and successes
● Practice and experiment continuously until mastery is achieved
8
Dev-Ops Advantages
● Flexibility
● Resilience
● Automation
● Increased Visibility
● Increased Deployment and Delivery Frequency
9
What is Dev-Sec-Ops?
Dev-Ops is evolving to cover Confidentiality, Integrity and Availability.
10
Security Defined? Security is a process and a mindset.
● Security is a process, not a tool or set of tools
● Security is based on principles & skills, PPTs
● Security is the application of Strategy, Operations, Tools and Tactics
● Security is the practice of ensuring Confidentiality, Integrity and Availability (CIA)
● Security is based on Risk Management
11
DevSecOps Defined? DevSecOps can best be defined as building security into DevOps tools and practices, but its scope is larger than that and also includes the following:
● Culture as a Strategy
● Tools and Tactics
● Relationship building
● Capabilities development
● CI/CD Automation and Beyond
12
DevSecOps Culture Defined?
DevSecOps culture can best be defined by the following:
● As a strategy to achieve technical and security objectives
● As security practices that must be integrated within the relevant technical contexts of the organization
● Think of the DevSecOps culture as something that must be continuously shared and learned over time as a capability
● Think of the DevSecOps culture as the evolutionary adaptation of security into the DevOps culture
13
Strategy, Operations & Tactics Defined?
Strategy, Operations and Tactics are interdependent.
● Strategy is the methods and science governing large-scale processes and employing resources to meet objectives and achieve high-level goals
● Operations are the logistical resources and processes that seek to enable and orchestrate tactical successes by mapping strategic goals, logistics and resources to support tactical objectives
● Tactics can be defined as the actual decisions regarding the exact means and tooling used in the field to gain and maintain objectives. Tactics determine which resources and tools should be used as well as how they will be used for specific short-range goals
14
What Problem Does DevSecOps Solve?
DevSecOps solves the following issues:
● The security team's inability to keep pace with DevOps teams
● Lack of security requirements for infrastructure & web applications
● Centralized inventory management of infrastructure and software components
● Automated deployment capability of secure, low-risk infrastructure & software to production environments
● Overcoming security entropy
15
Can Security Teams Go Agile?
Security teams can learn to become agile!
● By learning to use DevOps automated configuration management tools like Jenkins, TeamCity, Octopus, Travis, CodeShip...
● By finding ways to add automated security checks, tests, and gates into existing toolsets and frameworks without introducing unnecessary delays, costs and/or downtime
● By using tools that don't require you to be a software engineer to use and maintain
16
Automation Tools We Can Use
Ansible, Jenkins, Puppet, Chef, TeamCity, SaltStack, Travis, Octopus
17
What Kind of Security Tools Can We Use?
Arachni, Nmap, Nikto, SonarQube, Snyk, OWASP Dependency-Check, ELK/HELK/Splunk, Maltego, Kali Linux, Metasploit, Threat Dragon, DevSkim, Puma Scan, git-secrets, Mocha, Ansible, ServerSpec, ZAP, SQLNinja, Gauntlt, OpenSCAP, OpenVAS
18
What Kind of Issues to Expect Going DevSecOps?
● Security build steps slow down the deployment frequency
● Too many false positives
● Security team doesn't know how to do automation
● DevOps teams have different goals
● Security team is unable to find the time to solve the issues they find
● Security teams don't understand the SDLC
● DevOps teams don't understand security
● DevOps teams don't understand risk management
19
DevSecOps Pipeline (diagram): four stages, each with its own tools & tactics
● PRE-COMMIT tools & tactics: IDE-SAST, threat modeling, security requirements
● CONTINUOUS INTEGRATION tools & tactics: SAST on commit, hardening, security unit tests
● CONTINUOUS DELIVERY tools & tactics: DAST, RASP, IAST, IaC compliance
● PRODUCTION tools & tactics: config tests, secrets management, cloud sec, threat intel
● Spanning the whole pipeline: continuous monitoring, continuous scanning, red team
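As an added example (not from the presentation), a Jenkins declarative pipeline that wires the stages of the pipeline slide to gates built from tools the deck names (git-secrets, OWASP Dependency-Check, Mocha, ZAP, ServerSpec), the kind of automated check slide 15 asks security teams to add without slowing delivery. The staging URL, project name, CVSS threshold, test tag and spec path are assumptions.

```groovy
// Added example, not from the presentation. Assumes git-secrets,
// dependency-check, zap-baseline.py and rspec/serverspec are on the agent.
pipeline {
    agent any
    environment {
        STAGING_URL = 'https://staging.example.invalid'  // placeholder target, assumed
        FAIL_CVSS   = '7.0'                              // gate threshold, assumed
    }
    stages {
        stage('Pre-commit: secrets scan') {
            // Catches committed credentials early; git-secrets exits non-zero
            // on a match, which fails the build before anything is deployed.
            steps { sh 'git secrets --register-aws && git secrets --scan -r .' }
        }
        stage('CI: dependency check (SAST on commit)') {
            steps {
                // --failOnCVSS turns the report into a hard gate: any finding
                // at or above the threshold fails the stage instead of being
                // left for someone to read later.
                sh "dependency-check --project app --scan . --format JSON --out dc-report --failOnCVSS ${FAIL_CVSS}"
                archiveArtifacts artifacts: 'dc-report/**', allowEmptyArchive: true
            }
        }
        stage('CI: security unit tests') {
            // Assumption: the Mocha suite tags security cases with "security".
            steps { sh 'npm test -- --grep security' }
        }
        stage('CD: DAST against staging') {
            // ZAP baseline is a passive scan of our own staging deployment;
            // it returns non-zero on FAIL (and on WARN unless -I is given).
            steps { sh "zap-baseline.py -t ${STAGING_URL} -r zap-report.html -m 5" }
        }
        stage('Production: config tests') {
            // ServerSpec hardening checks; spec path is an assumption.
            steps { sh 'rspec spec/' }
        }
    }
    post {
        always { archiveArtifacts artifacts: '*-report*', allowEmptyArchive: true }
    }
}
```

Each stage fails fast on its own findings, so a defect is stopped at the earliest stage that can see it rather than being passed downstream.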
20
Q & A: Questions and Answers