
DevSecOps Bootcamp

BUILDING RUGGED SOFTWARE

YEAR ONE / WEEK ONE / LESSON ONE

Copyright © DevSecOps Foundation 2015-2016


What’s Happening in the World?

• DEVOPS
• PUBLIC CLOUD
• AGILE
• SCRUM
• LEAN
• LOW-CODE
• NO-CODE
• NO OPS
• …
https://www.google.com/trends/



A History Lesson – Google Trends Research

• Several years after the Agile Manifesto, DevOps.com was registered in 2004
• Google searches for “DevOps” started to rise in 2010
• Major influences:
  • Saving your Infrastructure from DevOps / Chicago Tribune
  • DevOps: A Culture Shift, Not a Technology / Information Week
  • DevOps: A Sharder’s Tale from Etsy
  • DevOps.com articles
• RuggedSoftware.org was registered in 2010
• As of 2013, DevSecOps is on the map…



Who’s doing Enterprise DevOps?


What’s the business benefit?

Business strategy is achieved with the collaboration of all departments and providers in service to the customer, who requires better, faster, cheaper, secure products and services.



What Hinders Secure Innovation?

1. Manual processes & meeting culture
2. Point in time assessments
3. Friction for friction’s sake
4. Contextual misunderstandings
5. Decisions being made outside of value creation
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)
…
Say What??!!

http://donsmaps.com/images22/mutta1200.jpg



The Need for Change
• Innovation is a competitive advantage
• Cloud has leveled the playing field
• Demand for Customer centric product development
• Continuous delivery of features and changes
• New generation of workers desire collaboration
• Speed and scale are necessary to handle demand
• Integration over invention to speed up results
• Security breaches are on the rise
• People desire to work with greater autonomy...
• Continuous Learning... How can I do better? & better?

Image: commons.wikimedia.org



Culture Hacking

Traditional Security → Security is Everyone’s Responsibility (DEVSECOPS)
The Art of DevSecOps

DevSecOps is made up of four practices:

• Security Engineering: Experiment, Automate, Test
• Security Operations: Hunt, Detect, Contain
• Compliance Operations: Respond, Manage, Train
• Security Science: Learn, Measure, Forecast



The Secure Software Supply Chain
• Gating processes are not Deming-like
• Hard to avoid business catastrophes by applying one-size-fits-all strategies
• Security is a design constraint
• Security defects are more like a security “recall”
• Decisions made by engineering teams

Faster security feedback loop (design → build → deploy → operate):

• design: “How do I secure my app?” The most costly mistakes happen during design.
• build: “What component is secure enough?” Typical gates for security checks & balances sit here.
• deploy: “How do I secure secrets for the app?”
• operate: “Is my app getting attacked? How?” Mistakes and drift often happen after the design and build phases, resulting in weaknesses and potentially exploits.



From a Traditional Supply Chain…

Customer captions along the way: “When will you solve my problem?!!” / “Can we discuss my feedback?” / “Did we pass the 98 point inspection?”

Thanks to Henrik Kniberg



To a Customer Centric Supply Chain

Customer captions along the way: “Better than walking, for sure… but not by much...” / “Can this be motorized to go faster and for longer trips?” / “When can I bring my kids with me? Does it come in Red?” / “Awesome!”

Security must shift left with a Science Mindset like all other Ops…

Thanks to Henrik Kniberg



Shifting Security to the Left means built-in

Faster security feedback loop: the same design → build → deploy → operate view as on the Secure Software Supply Chain slide (“How do I secure my app?” / “What component is secure enough?” / “How do I secure secrets for the app?” / “Is my app getting attacked? How?”), with the most costly mistakes made during design, typical security gates at build, and mistakes and drift after design and build resulting in weaknesses and potentially exploits.

Security is a Design Constraint



Security is and has always been a Design Constraint…

• Everyone knows Maslow…
• If you can remember 5 things, remember these ->

“Apps & data are as safe as where you put it, what’s in it, how you inspect it, who talks to it, and how it’s protected…”



But Please No Checklists & Save the Trees!!



deforestation: https://www.flickr.com/photos/foreignoffice/3509228297
Security Governance Transparency via Continuous Improvement

https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf

Security as Code / Everything as Code

• Paper-resident policies do not stand up to constant cloud evolution and lessons learned.
• Translation from paper to code and back can lead to serious mistakes.
• Traditional security policies do not 1:1 translate to Full Stack deployments.

Data Center policies: LOCK YOUR DOORS / BADGE IN / AUTHORIZED PERSONNEL ONLY / BACKGROUND CHECKS

Cloud Provider and Network policies: CHOOSE STRONG PASSWORDS / USE MFA / ROTATE API CREDENTIALS / CROSS-ACCOUNT ACCESS

EVERYTHING AS CODE


Example of Continuous Delivery + Security

DevOps Code – Creating Value & Availability

Source Code → CI Server → Test & Scan → Artifacts → Deploy → Monitoring

DevSecOps Code – Creating Trust & Confidence
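To make “Security as Code” concrete, here is an added example (not from the deck or the DevSecOps Foundation) that encodes three of the Cloud Provider / Network policy lines from the previous slide (USE MFA, ROTATE API CREDENTIALS, CROSS-ACCOUNT ACCESS) as executable checks, and exposes a gate that the “Test & Scan” stage of the pipeline above could call. The inventory, the 90-day rotation interval, the approved partner account and the fixed evaluation date are all constructed assumptions.

```python
"""Policy-as-code example (added illustration, not the deck's own code).
Three written cloud policies are turned into checks that run over an
identity inventory; the inventory below is constructed, not a real account."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy parameters (hypothetical values, not taken from the deck).
MAX_KEY_AGE = timedelta(days=90)                # rotation interval for API keys
APPROVED_EXTERNAL_ACCOUNTS = {"111111111111"}  # partner accounts allowed cross-account access
AS_OF = date(2016, 3, 1)                        # fixed "today" so results are deterministic

# Constructed inventory shaped like what an identity API would return.
SAMPLE_INVENTORY = [
    {"user": "alice", "mfa_enabled": True,
     "keys": [{"id": "key-alice-1", "created": date(2016, 1, 5)}],
     "trusted_accounts": []},
    {"user": "bob", "mfa_enabled": False,
     "keys": [{"id": "key-bob-1", "created": date(2015, 3, 1)}],
     "trusted_accounts": ["999999999999"]},
    {"user": "ci-bot", "mfa_enabled": True,
     "keys": [{"id": "key-ci-1", "created": date(2016, 2, 20)}],
     "trusted_accounts": ["111111111111"]},
]


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str      # which written policy line the check implements
    detail: str


def check_mfa(account):
    """USE MFA: every identity must have MFA enabled."""
    if account["mfa_enabled"]:
        return []
    return [Finding(account["user"], "use-mfa", "MFA is not enabled")]


def check_key_rotation(account, as_of=AS_OF, max_age=MAX_KEY_AGE):
    """ROTATE API CREDENTIALS: flag keys older than the rotation interval."""
    findings = []
    for key in account["keys"]:
        age = as_of - key["created"]
        if age > max_age:
            findings.append(Finding(
                account["user"], "rotate-api-credentials",
                f"key {key['id']} is {age.days} days old (limit {max_age.days})"))
    return findings


def check_cross_account(account, approved=APPROVED_EXTERNAL_ACCOUNTS):
    """CROSS-ACCOUNT ACCESS: only approved external accounts may be trusted."""
    return [Finding(account["user"], "cross-account-access",
                    f"trusts unapproved account {ext}")
            for ext in account["trusted_accounts"] if ext not in approved]


CHECKS = (check_mfa, check_key_rotation, check_cross_account)


def evaluate(inventory):
    """Run every policy check over every account; the list is the audit evidence."""
    return [f for account in inventory for check in CHECKS for f in check(account)]


def pipeline_gate(inventory):
    """What a CI 'Test & Scan' stage would call: fail the build on any violation."""
    findings = evaluate(inventory)
    return len(findings) == 0, findings


if __name__ == "__main__":
    passed, findings = pipeline_gate(SAMPLE_INVENTORY)
    for f in findings:
        print(f"[{f.rule}] {f.user}: {f.detail}")
    print("gate:", "PASS" if passed else "FAIL")
```

Each check names the policy line it implements, so the findings list doubles as the evidence an auditor would otherwise read off a paper checklist; swapping the constructed inventory for a real identity API response is the only change needed to run it for real.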



Continuous Feedback

THE FEEDBACK HIGHWAY: Product ↔ Scrum Team

THE INTEL HIGHWAY: Security Team ↔ Security Community

SECURITY TESTING & DATA PLATFORM



Continuous Security Engineering & Science

Cloud accounts (EC2, CloudTrail, S3, Glacier) → ingestion → security science (security tools & data, threat intel) → insights

security feedback loop / continuous response

Monitor & Inspect Everything


Red Team, Security Operations & Science

API KEY EXPOSURE -> 8 HRS
DEFAULT CONFIGS -> 24 HRS
SECURITY GROUPS -> 24 HRS
ESCALATION OF PRIVS -> 5 D
KNOWN VULN -> 8 HRS



Security Decision Support



This Could Be Your Mean Time to Resolution…

MTTR

Days… 6 months



Get Involved and Join the Community

• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity

