AD39 DevOps Engineering 11:30 AM
AD39 - Making the Jump from DevOps to DevSecOps
Presented by: Alan Crouch, Coveros
Brought to you by: 888-268-8770 / 904-278-0524 - info@techwell.com - https://agiledevopswest.techwell.com/
Alan Crouch
Alan Crouch is a Managing Consultant with Coveros, Inc., which helps companies build better applications using agile, DevOps, and security best practices. Alan works with C-level and senior management at private companies and federal agencies to transform and adopt more Agile/DevSecOps practices when building and deploying mission-critical software. He has assessed, designed and implemented multiple custom DevSecOps pipelines utilizing Cloud technologies for clients such as Symantec, Departments of Homeland Security, Health and Human Services, Appian and mobile start-ups. Spare time finds Alan traveling the globe and creating adventures for his son and daughter. Follow Alan on Twitter @coveros_alan.
MAKING THE JUMP FROM DEVOPS TO DEVSECOPS Alan Crouch @RealAlanCrouch
HELLO! I’m Alan Crouch. I am here at Agile + DevOps West because I’m passionate about building software efficiently and securely. You can find me at @RealAlanCrouch
MY BACKGROUND
EDUCATION: Graduated from JMU with a Master’s in Secure Software Development
LAZY DEV: Developer for mission-critical systems
INFOSEC: Ran a CISO Office
AGILE/DEVOPS: Started doing work in the Agile/DevOps space
DEVSECOPS: DevSecOps Advocate
“DevOps is a set of software development practices that combine software development (DEV) and operations (OPS) to shorten the SDLC while delivering frequently to meet business objectives.” - Wikipedia
HOW DOES THIS TRANSLATE? ▪ “We just do the same thing faster!” ▪ “Where can we buy this DevOps thing?” ▪ “We need to create a DevOps team!” ▪ “We just need to make the Devs AWS Admins!” ▪ “We need to create a DevOps manual all our teams must follow!”
WHAT I TYPICALLY SEE: (diagram of separate groups: Test / QA, Development, Operations)
OK, LET’S BE HONEST… 😃 (diagram of separate groups: Security, Operations, Development, DevOps, Test / QA)
SECURITY IN LEGACY SDLC: Governance, Audit, Network Testing, Static Analysis, Binary Analysis, Code Review, Threat Analysis, Monitoring, Penetration Testing, DAST, SAST. Security is focused at the end.
DEVSECOPS Fulfilling the promise of DevOps
“DevSecOps is a set of software development practices that combines ALL aspects of the software development lifecycle while delivering features, fixes, and updates frequently to meet business objectives.”
3 STEPS TO ACCOMPLISH DEVSECOPS
Part of the Team: The IT Security Office needs to be part of the team.
“Shift Left”: Security testing needs to start earlier in the DevOps Pipeline.
Scalable Security: Infrastructure in support of security testing needs to scale with your team and pipeline.
1. MAKE SECURITY PART OF THE TEAM Step 1: People
72% Of developers see security as “nags” over delivery partners (2019 Sonatype DevSecOps Survey)
CHALLENGES ▪ Security lacks development context ▪ Development lacks security knowledge ▪ Design and implementation drift ▪ Hurt feelings ▪ No shared goals ▪ Uncertainty of true risk profile
THIS IS THE HARDEST PART ▪ Create security champions ▪ Knowledge sharing by working together ▪ Commit to meeting together frequently
CONVINCING SECURITY TO JOIN THE DEVSECOPS JOURNEY
DEVSECOPS REDUCES EXPOSURE TIME: We can stop focusing on the number of issues and start focusing on how long we’re exposed.
DEVSECOPS IS A SECURITY ENABLER: By leveraging automation and fixing issues sooner, Security can focus on the cooler stuff that they say they want to do.
DEVSECOPS GIVES GREATER CONTEXT: Spending more time with the team allows you to build better confidence in the risk profile and make more informed recommendations.
DEVSECOPS PROVIDES BETTER GOVERNANCE: Treating everything as code leads to easier auditability. No questions. Just look at our process in Jenkins!
2. SHIFT SECURITY LEFT Step 2: Process
MAKING IT HAPPEN ▪ Automation is your friend ▪ Use quality gates to drive quantitative decision making ▪ Continuously improve your process ▪ Expect development to make changes to accommodate security
TRANSFORMATION IN ACTION 1. Automate what you’re doing right now. 2. Tune what you have to get rid of the noise. 3. Identify new ways to start security testing earlier or faster. 4. Iterate and continuously improve.
VISUALIZING IT / TRANSFORMATION IN ACTION (a series of pipeline diagram slides with three columns, DEV, STAGE and PROD, to which tests are added one slide at a time)
Labels added per slide:
- Regression, Performance/Load, DAST
- Smoke, Feature, Deployment, SAST
- Unit, Static Code Analysis, Binary Analysis
- Threat Analysis, Network Security, Infrastructure Security, Availability, Security Feature
- Penetration, Proxy DAST, Chaos, IAST
- Threat Modeling, Monitoring, Code Review, Secure Coding
PRO TIPS
When considering what tests to select: Be choosey. Don’t try to force tests that don’t make sense for your application or business.
Understand the two different types of quality gates. Decide whether your gate is just for information gathering (qualitative decision) or blocking (quantitative decision).
A bug is a bug is a bug. Treat all defects the same. Log security defects just like any other bugs, track them, prioritize them, and fix them.
WHAT MAKES UP A GOOD PIPELINE
Code Review
1. Continuous Integration with Unit Tests and Static Code Analysis
2. Automated Deployment and Configuration Management
3. Quality Gate #1: Smoke tests & Static App Sec Testing
4. Quality Gate #2: Integration tests & Performance/Load Testing
5. Quality Gate #3: Regression tests & Dynamic App Sec Testing
6. Continuous Monitoring
7.
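As an added illustration (not code from the talk or from Coveros) of the two gate types on the Pro Tips slide and of the quality gates in the pipeline list above, this Python evaluator applies a blocking gate (quantitative decision) and an informational gate (qualitative decision) to a constructed list of SAST/DAST findings, and turns every finding into an ordinary defect ticket; the gate names, thresholds and findings are all assumptions made for the example.

```python
from dataclasses import dataclass
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Finding:
    tool: str       # constructed label, e.g. "sast" or "dast"
    rule: str
    severity: str
    location: str

@dataclass
class Gate:
    name: str
    blocking: bool  # False: information gathering only (qualitative decision)
    max_by_severity: dict  # severity -> maximum count tolerated

def count_by_severity(findings):
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts

def evaluate_gate(gate, findings):
    # Informational gates report violations; only blocking gates fail the stage.
    counts = count_by_severity(findings)
    violations = [f"{sev}: {counts[sev]} > {limit}"
                  for sev, limit in gate.max_by_severity.items()
                  if counts[sev] > limit]
    passed = not violations if gate.blocking else True
    return {"gate": gate.name, "passed": passed,
            "counts": counts, "violations": violations}

def to_defect_tickets(findings):
    # A bug is a bug: every finding becomes a trackable, prioritised ticket.
    return [{"title": f"[{f.tool.upper()}] {f.rule} at {f.location}",
             "priority": SEVERITY_RANK[f.severity]} for f in findings]

# Constructed sample scan output; not produced by any real tool.
SAMPLE_FINDINGS = [
    Finding("sast", "hardcoded-credential", "high", "src/db.py:42"),
    Finding("sast", "weak-hash-md5", "medium", "src/auth.py:17"),
    Finding("dast", "missing-csp-header", "low", "https://stage.example/login"),
]
# Gate #1 blocks on any high/critical SAST finding (quantitative decision);
# gate #3 only records DAST results until the team has tuned out the noise.
GATE_1_SAST = Gate("Quality Gate #1: SAST", True, {"critical": 0, "high": 0})
GATE_3_DAST = Gate("Quality Gate #3: DAST", False, {"critical": 0, "high": 0})
def run_gates():
    return [evaluate_gate(g, [f for f in SAMPLE_FINDINGS if f.tool == t])
            for g, t in ((GATE_1_SAST, "sast"), (GATE_3_DAST, "dast"))]
```

Flipping `blocking` on the DAST gate once its noise is tuned out is the "iterate and continuously improve" step from the Transformation in Action slide.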
3. MAKE SECURITY SCALABLE Step 3: Technology
91% Of mature DevSecOps teams utilize containers for scalability. 78% Of mature DevSecOps teams utilize automation to integrate security. 82% Of mature DevSecOps teams have complete auditability of changes. (2019 Sonatype DevSecOps Survey)
SECURITY NEEDS DEVELOPMENT HELP ▪ Publish artifacts, reports, and metrics for every release ▪ Scale testing infrastructure by using containers ▪ Select tools that decentralize security from one unicorn to the entire team ▪ Develop mechanisms to make security everyone’s responsibility
TOOLS & TECH: DevOps – Creating value, more frequently. DevSecOps – Creating Trust & Confidence.