TOMAS HONZAK, CISM
CHIEF INFORMATION SECURITY OFFICER
GOODDATA CORPORATION

DEVSECOPS
TOMAS HONZAK / DEVSECOPS 2

IMAGINE YOU HAVE A NICE AGILE COMPANY …

AND YOU RUN DEVOPS …

BUT THEN, SUDDENLY …

WHAT SHALL YOU DO?

“PANIC?”

OF COURSE NOT … YOU CAN GET CONSULTANTS!

BUT HOW WILL IT END UP?

▸ Release Plan
▸ Change Control Board Approval
▸ Release Manager Approval
▸ Documented Meeting Minutes
▸ Project Manager

AND WE STILL DID NOT ADD ANY “REAL” SECURITY …

▸ Dynamic code analysis
▸ Secure Code Review

IF ONLY THERE WAS A BETTER WAY…

KEY DEVSECOPS PRINCIPLES

▸ Embrace the cultural and practical changes
  ▸ Integrate security in the whole lifecycle, from requirements, design and analysis to testing, deployment and operations
▸ Automate your critical processes
  ▸ Automation helps prevent errors and omissions and provides reliable assurance both for you and your auditors
▸ Empower your teams
  ▸ Like all things Agile, the teams must know what they are doing
ADDING THE “SEC” INTO DEVOPS PART 1 - DEVSEC

Pipeline stages, in the order they appear on the slide:

▸ JIRA # TO COMMIT MESSAGE
▸ “COMPLIANCE CHECK”
▸ SAST
▸ SIGN THE PACKAGE
▸ BURP SUITE / OWASP ZAP
▸ VERIFY THE SIGNATURE
▸ APPLY CONFIGURATION AS A CODE

SECURE AND AUTOMATED
LOGGED / ALERTED / REVIEWED
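The "sign the package" and "verify the signature" stages above, as an added example that is not part of the talk and not GoodData's pipeline code. A real pipeline would sign with an asymmetric key (GPG or similar) held only by the CI signer; a keyed HMAC-SHA256 over the artifact digest stands in here so the block runs on the standard library alone. The package bytes, version string and key are constructed sample values.

```python
"""Sign a build artifact at the end of CI, verify it before deployment.

Added example (not from the talk). HMAC-SHA256 with a CI-held key is used as a
stand-in for the asymmetric signing a production pipeline would use.
"""
import hashlib
import hmac
import json

# Assumption: this key exists only on the CI signer and the deploy verifier, never in the repo.
SIGNING_KEY = b"constructed-ci-signing-key-do-not-use"


def artifact_digest(package: bytes) -> str:
    """Hex SHA-256 of the package bytes."""
    return hashlib.sha256(package).hexdigest()


def _canonical(payload: dict) -> bytes:
    """Stable serialisation so signer and verifier MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_package(package: bytes, version: str, key: bytes = SIGNING_KEY) -> dict:
    """Detached signature document binding the digest to the release version.

    Binding the version prevents a signature made for one release from being
    replayed over the same bytes labelled as a different version.
    """
    payload = {"version": version, "sha256": artifact_digest(package)}
    mac = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {**payload, "signature": mac}


def verify_package(package: bytes, sig_doc: dict, key: bytes = SIGNING_KEY) -> bool:
    """Deploy-side gate: recompute digest and MAC, compare in constant time."""
    payload = {"version": sig_doc["version"], "sha256": artifact_digest(package)}
    if payload["sha256"] != sig_doc["sha256"]:
        return False  # bytes on disk are not the bytes that were signed
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig_doc["signature"])


# Constructed sample artifact and a copy modified after signing.
PACKAGE = b"#!/bin/sh\necho 'app v1.4.2'\n"
TAMPERED = b"#!/bin/sh\necho 'app v1.4.2'\necho 'line added after signing'\n"

if __name__ == "__main__":
    sig = sign_package(PACKAGE, "1.4.2")
    print("signature document:", sig)
    print("clean package verifies:", verify_package(PACKAGE, sig))
    print("modified package verifies:", verify_package(TAMPERED, sig))
    print("relabelled version verifies:", verify_package(PACKAGE, {**sig, "version": "1.4.3"}))
```

The verifier fails closed on any of three conditions: the digest no longer matches the bytes, the version label was changed, or the key differs; the deploy stage should refuse to apply the package on any `False`.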


DEVSEC SUMMARY

▸ Move security as much to the left as possible
▸ Enhance your CI/CD pipeline with security testing tools
  ▸ Static Code Analysis (SonarQube)
  ▸ Lightweight penetration testing (Burp / OWASP ZAP)
▸ Enforce change control, approvals and SoD by gating (Zuul)
  ▸ “JIRA ticket = approval, peer review = SoD”
▸ Secure the environment and log everything
  ▸ (traceability and accountability)
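The gating rule "JIRA ticket = approval, peer review = SoD" from this summary, together with the "JIRA # to commit message" and "compliance check" stages of the previous slide, as an added example. This is not code from the talk and not Zuul's own gating logic; it models the checks such a gate enforces before a change is allowed to merge. The ticket key pattern, the ticket-tracker snapshot and the change records are constructed sample data; a real gate would query the JIRA API.

```python
"""Pre-merge gate: ticket reference = approval, peer review = segregation of duties.

Added example (not from the talk, not Zuul code). Three rules, all reported:
  1. the commit message references a ticket key,
  2. every referenced ticket is in an approved state,
  3. at least one approving reviewer is someone other than the author.
"""
import re
from dataclasses import dataclass, field

TICKET_RE = re.compile(r"\b([A-Z][A-Z0-9]+-\d+)\b")  # assumed JIRA-style key, e.g. SEC-101
# Constructed snapshot of the ticket tracker.
TICKETS = {"SEC-101": "Approved", "SEC-102": "In Review", "APP-7": "Approved"}
APPROVED_STATES = {"Approved", "Ready for Release"}


@dataclass
class Change:
    author: str
    message: str
    approvals: list = field(default_factory=list)  # reviewers who approved the change


def ticket_keys(message: str) -> list:
    """All ticket keys mentioned in a commit message."""
    return TICKET_RE.findall(message)


def gate(change: Change, tickets: dict = TICKETS) -> tuple:
    """Return (allowed, reasons); every failed rule is listed, not just the first."""
    reasons = []
    keys = ticket_keys(change.message)
    if not keys:
        reasons.append("commit message has no ticket reference")
    else:
        missing = [k for k in keys if k not in tickets]
        unapproved = [k for k in keys if k in tickets and tickets[k] not in APPROVED_STATES]
        if missing:
            reasons.append(f"unknown ticket(s): {', '.join(missing)}")
        if unapproved:
            reasons.append(f"ticket(s) not approved: {', '.join(unapproved)}")
    # SoD: the author's own approval never counts.
    peers = [r for r in change.approvals if r != change.author]
    if not peers:
        reasons.append("no approving reviewer other than the author (SoD)")
    return (not reasons, reasons)


# Constructed changes, one per rule outcome.
SAMPLE_CHANGES = [
    Change("alice", "SEC-101 rotate API keys on deploy", ["bob"]),
    Change("alice", "SEC-101 rotate API keys on deploy", ["alice"]),  # self-approved
    Change("bob", "fix typo in README", ["carol"]),                   # no ticket
    Change("carol", "SEC-102 add audit log", ["bob"]),                # ticket not approved
    Change("dave", "OPS-999 tweak", ["alice"]),                       # unknown ticket
]

if __name__ == "__main__":
    for ch in SAMPLE_CHANGES:
        ok, why = gate(ch)
        print(f"{'MERGE' if ok else 'BLOCK'} {ch.author} {ch.message!r} {why}")
```

Because the gate runs in CI rather than in a meeting, its verdict and reasons are written to the pipeline log automatically, which is the traceability and accountability record the last bullet asks for.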


ADDING THE “SEC” INTO DEVOPS PART 2 - SECOPS

Flow, in the order it builds on the slide:

▸ APPLICATION LOGS
▸ LOGGED
▸ ALERTED
▸ ESCALATED
▸ REVIEWED AND RESOLVED
▸ FEEDBACK

SECOPS SUMMARY

▸ Security Built-in on all levels
  ▸ Not only “DevSec”, but also non-functional requirements — secrets management, logging, encryption, …
▸ Images / Containers / Infrastructure / Network Hardening
  ▸ No unnecessary SW, no default passwords, firewalls in deny-all mode, monitored bastion hosts in DMZ with session logging and strong authentication/authorization …
▸ Configuration management, automated compliance
  ▸ Orchestrated CM, anything-as-a-code (including fw rules, access control etc.), code reviews + alerts
▸ Automated threat intelligence, scans, detection, alerting and response
  ▸ Vulnerability scans, HIDS/NIDS, log monitoring and analysis, SIEM, …
▸ Combination of Operations and Security in the same on-call team
  ▸ Not everyone can be a top-class security expert — keep these in a virtual CSIRT, not in Ops
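The previous slide's flow (application logs, logged, alerted, escalated, reviewed and resolved, feedback) and this summary's "log monitoring and analysis, alerting and response" with escalation to a virtual CSIRT, as one added example that is not from the talk. One detection rule runs over constructed application log lines, opens alerts, escalates any alert the on-call team did not acknowledge inside an SLA, and feeds the reviewer's verdict back into the rule's allow-list so the same false positive is not raised twice. The log format, the threshold, the window and the SLA are assumptions, not values from the deck.

```python
"""Application logs -> logged -> alerted -> escalated -> reviewed and resolved -> feedback.

Added example (not from the talk). Log format, thresholds and SLA are assumed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed log format: "<ISO time> <level> auth user=<u> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z INFO auth user=alice src=10.0.0.5 result=ok
2024-03-01T10:00:05Z WARN auth user=admin src=198.51.100.7 result=fail
2024-03-01T10:00:06Z WARN auth user=admin src=198.51.100.7 result=fail
2024-03-01T10:00:07Z WARN auth user=root src=198.51.100.7 result=fail
2024-03-01T10:00:08Z WARN auth user=admin src=198.51.100.7 result=fail
2024-03-01T10:00:09Z WARN auth user=admin src=198.51.100.7 result=fail
2024-03-01T10:00:30Z WARN auth user=bob src=10.0.0.9 result=fail
2024-03-01T10:00:31Z WARN auth user=bob src=10.0.0.9 result=fail
2024-03-01T10:00:32Z WARN auth user=bob src=10.0.0.9 result=fail
2024-03-01T10:00:33Z WARN auth user=bob src=10.0.0.9 result=fail
2024-03-01T10:00:34Z WARN auth user=bob src=10.0.0.9 result=fail
2024-03-01T10:09:00Z INFO auth user=bob src=10.0.0.9 result=ok
""".splitlines()

FAIL_THRESHOLD = 5                      # failures from one source ...
WINDOW = timedelta(minutes=1)           # ... inside this sliding window open an alert
ESCALATION_SLA = timedelta(minutes=15)  # unacknowledged alerts go to the virtual CSIRT after this


@dataclass
class Alert:
    rule: str
    src: str
    opened: datetime
    status: str = "open"  # open -> acknowledged -> resolved, or open -> escalated -> resolved
    verdict: str = ""
    notes: list = field(default_factory=list)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse(line: str) -> Optional[dict]:
    """Structured event, or None for lines that stay in the raw log store but match no rule."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = parse_ts(event["ts"])
    return event


def detect_bruteforce(lines: list, allowlist=frozenset()) -> list:
    """Sliding window: FAIL_THRESHOLD failures from one src inside WINDOW -> one alert per src."""
    fails = defaultdict(list)
    alerts = {}
    for e in filter(None, map(parse, lines)):
        if e["result"] != "fail" or e["src"] in allowlist:
            continue
        recent = fails[e["src"]]
        recent.append(e["ts"])
        while recent and e["ts"] - recent[0] > WINDOW:
            recent.pop(0)
        if len(recent) >= FAIL_THRESHOLD and e["src"] not in alerts:
            alerts[e["src"]] = Alert("auth-bruteforce", e["src"], e["ts"])
    return list(alerts.values())


def escalate_stale(alerts: list, now: datetime) -> list:
    """Alerts still 'open' past the SLA are escalated; returns the escalated ones."""
    for a in alerts:
        if a.status == "open" and now - a.opened > ESCALATION_SLA:
            a.status = "escalated"
    return [a for a in alerts if a.status == "escalated"]


def resolve(alert: Alert, verdict: str, note: str, allowlist=frozenset()):
    """Reviewer closes the alert; a false-positive verdict feeds back into the rule's allow-list."""
    alert.status, alert.verdict = "resolved", verdict
    alert.notes.append(note)
    return allowlist | {alert.src} if verdict == "false_positive" else allowlist


if __name__ == "__main__":
    alerts = detect_bruteforce(SAMPLE_LOGS)
    print("alerted:", [(a.src, a.opened.isoformat()) for a in alerts])
    alerts[0].status = "acknowledged"  # on-call picked this one up inside the SLA
    escalated = escalate_stale(alerts, parse_ts("2024-03-01T10:20:00Z"))
    print("escalated:", [a.src for a in escalated])
    # Review verdict: 10.0.0.9 is the internal vulnerability scanner, not an attacker.
    allow = resolve(alerts[1], "false_positive", "internal scanner, allow-listed")
    print("after feedback:", [a.src for a in detect_bruteforce(SAMPLE_LOGS, allow)])
```

The allow-list returned by `resolve` is the feedback loop: it is a rule change that should itself be committed and reviewed like any other "anything-as-a-code" artifact, so the tuning is traceable rather than living in someone's head.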
OH, AND BY THE WAY … WERE YOU WORRIED ABOUT

SECURE BY (DESIGN) DEVSECOPS
OK, WE DID THAT ALL. ARE WE 100 % SECURE NOW?

Of course not :) :(, but you decreased the risks a lot:

▸ Increased prevention and detection capabilities
▸ Faster response, no handover between Security and Ops
▸ Faster recovery thanks to automation and *-as-a-code
▸ Cultural change, better communication and straightforward feedback

THANKS FOR YOUR ATTENTION!

ANY QUESTIONS?

Tomas Honzak
tomas@honzak.cz