DevOps Is Automation, DevSecOps Is People

DevSecOps Questions and Answers

1. Security + DevOps
2. Security becomes an integral part of the process
3. Shift from Traditional to Continuous Security
4. How to apply security controls
5. Continuous testing
6. Automated testing
7. AppSec Pipeline

1. Incorporating Security into DevOps
2. Tools and Frameworks
3. Critical Role
4. Building the case

By 2018, 90 percent of infrastructure and operations organizations attempting to use DevOps without
specifically addressing their cultural foundation will fail.

Regardless of the software development and lifecycle management approach, security needs to be built
into the software, not bolted on after the fact.

DevOps was pioneered by smaller, lean-thinking, “born on the web” companies.

DevOps = Development + Operations

• Practices
• Tools
• Deliver at high velocity
• Evolve and improve
• Speed = better served customers
• Compete more effectively

Infrastructure as Code: Defining and managing system configuration through code that can be
versioned and tested in advance, to increase the speed of building systems and offer efficiencies
at scale.

Continuous Delivery: Using Continuous Integration and test automation to build pipelines from
DEVELOPMENT to TEST and then to PRODUCTION.

Continuous Monitoring and Measurement: Creating a feedback loop from production back to engineering,
collecting metrics, and making them visible to everyone to understand how the system is actually used,
and using this data to learn and improve.

Continuous Integration / Continuous Delivery


Decreased time to market

Decreased cost of deployment

Improved mean time between deployments

Improved quality

CD is as much a cultural shift as it is a technical one. The biggest shift is from separate teams dealing
with the writing, testing, and deployment of software to a single team that is responsible for the successful
deployment of quality software - albeit one staffed by people who have specialized skills and are tasked
with specific responsibilities.

1. DevOps defined
2. Reason for embracing DevOps
3. Evolution of SDLC
4. Involve security sooner

Paradigm Shifts
1. Transform role of security
2. Give more responsibility to developer
3. Engage security and quality teams both early and often

How to Develop a Security Strategy within DevOps

1. Culture
2. Processes
3. Technologies

Adapting Security for Success

Security

Focus on minimizing enterprise risk

Deliver more secure code at DevOps speed

Activities & controls must change to allow for adaptation

Controls that require adaptation:

• Static analysis
• Dynamic scanning
• Security code reviews
• Feedback

Other critical security activities:

• Developer training
• Threat modeling
• Penetration testing

Shifting to the left

The only way to build security into the software is to introduce security practices as early as
possible

Design -> Coding -> Testing -> Security

Design -> Security -> Coding -> Testing

Security -> Design -> Coding -> Testing

SAST and DAST


1. Develop
2. Build & Test
3. Static Analysis
4. Check in
5. Build (CI)
6. Static Analysis & Unit Test (CI)
7. Deploy to QA/Stage (CD)
8. Dynamic Analysis & Regression Testing (CD)

With every check-in:

• Triggers compilation process
• Runs unit tests
• Runs quality tests
• Runs static analysis tools

The Security Professional’s Role

Embedding Security SMEs Into Development and Operations

• Difficult to scale
• Limited Resources
• Dev and Ops given for security

Training

• Principles
• Practices
• Tools
• Avoid unsafe practices
• Security becomes frame of mind

Building the Case

• 2014 – 16% DevOps teams
• 2017 – 27% DevOps teams
• 2018 – 29% DevOps teams

High performers spent 50% less time remediating security issues

Involve security and quality teams in the development process early and often.

When we say “shifting security to the left” we mean: To introduce security practices as early as possible

When shifting from a DevOps to DevSecOps workflow, a company must always embed a SME from
security into the development and operation teams. (False)

Here we explore the benefits to the organization that occur when security, development and operations
work together; learn the importance of assembling a team of advocates and champions to bridge the gap
between development and security; and discover how successful transformation and cultural change lead
to positive results.

• Analyze the benefits to the organization that occur when security, development and operations
work together.
• Assemble a team of advocates and champions to bridge the gap between development and
security.
• Create positive results towards business goals through successful transformation and cultural
change.

Changing the Culture – A How-To Dev – Sec – Ops

• Team of advocates & champions
• Positive results
• Business goals
• Successful transformation
• Cultural change

Joining Security with DevOps

• Development
• Security
• Operations

Traditional Security:
Operational and Engineering must yield to risk aversion & protective measures.
Security maintained veto power.
Yet DevOps and Business needed freedom to drive business forward.

Cultural Challenges
Frictions
Resistance

Adapting to a New Way

Dev – Sec – Ops

Communication is the key

• Learn from leaders
• Teamwork
• Collaboration

• Daily Touchpoints
• Wikis, Blogs & Portal
• Messaging App
• Lunch & Learn

Opportunities to Communicate
Velocity vs Quality Tradeoff

DevSecOps

• Succeed together
• Fail together

Changing behaviors & culture is fundamental to success

By 2018, 90 percent of infrastructure and operations organizations attempting to use DevOps without
specifically addressing their cultural foundation will fail.

Security considerations are always at odds with those of Development and Operations. (False)

Ease of communication is essential in building a DevSecOps culture. Which of the following can
encourage better and more frequent communication between various groups?

• Establishing daily touchpoints
• Blogs
• Wikis
• Messaging apps for mobile devices
• Info sharing sessions such as lunch & learns

A Five-Step Approach: Gartner’s 5-Step Approach

1. Gap Analysis
2. Gain Consensus
3. Small Focused Pilot
4. Incremental Deploy With Feedback Loops
5. Continual Improvements Over Time

Benefits of Culture Change

Results of Culture Change

• Greater satisfaction
• Higher performance
• Increased throughput
• Better outcomes
• Higher financial performance

Engaging Advocates and Champions

Security champions:

• Act as voice of security
• Decide when to engage security team
• Participate in code reviews
• Participate in threat modeling exercises
• Help with QA, testing
• Assist in triaging security bugs

For Security Champions:

• Application security skills not a key requirement
• Skills can be gained through training
• Developers can be good candidates

Achieving Business Goals

Cultural changes come in the form of integrating teams that historically have been disparate around a
single vision. Technical changes come with automating as much of the development, deployment and
operational environment as possible to more rapidly deliver high-quality and highly secure code.

Transformation & Cultural Change

Tremendous value and benefit

• Better retention of talent
• Ability to better respond to change
• Increased efficiency
• Savings from reduction of manual processes
• Reduction of software fixes late in lifecycle

Place the steps of Gartner’s 5-Step Approach to Cultural Challenge in the correct order:

1. Gap Analysis
2. Gain Consensus
3. Small Focused Pilot
4. Incremental Deploy With Feedback Loops
5. Continual Improvements Over Time

Culture of Collaboration and Contribution

• Teams must understand and accept that everyone has something to offer
• Everyone is responsible for security
• Goal = safely distributing security decisions

Measurements: Team Communication, Collaboration, Reporting, Significant Changes to Existing
Workflows & Processes

• Multiple teams
• Various technologies
• Various languages
• Code repositories
• Open source code libraries
• Sophisticated practice for CI/CD

• Threat modeling
• Attack surface evaluation
• Static & dynamic analysis
• Penetration testing
• Fuzz testing

Five Principles for Securing DevOps Continuous Integration / Continuous Delivery

• Automate Security In
• Integrate to Fail Quickly
• No False Alarms
• Build Security Champions
• Keep Operational Visibility

Automated invocation Security testing Comprehensive API


1. Initiate
2. Control
3. Return Results
4. Productized support

Integrating Security CI/CD pipeline Application Security

• Testing happens with every release
• NOT entirely up to developer
• NOT a last step in the process

FAILED SECURITY TEST

• Train developers in secure coding
• A force multiplier
• Reduce culture conflict
• Embed app security knowledge into team

Application Security continues

Closed loop feedback

Security Incidents

Integrating Security into DevOps

DEV-SEC-OPS

1. Team of advocates & champions


2. Positive results
3. Business goals
4. Successful transformation
5. Cultural change

DevSecOps Culture Change

1 Cultural Challenge

2 Frictions

3 Resistances

Security must be communicated: 1) as a core value 2) as a critical enabler

• Learn from leaders
• Teamwork
• Collaboration
• Knowledge Transfer

Asking questions – Finding ways to compromise – Considering alternatives

Gartner’s 5-Step Approach To Cultural Challenges

1. Gap Analysis
2. Gain Consensus
3. Small, Focused Pilot
4. Incremental Deploy with Feedback Loops
5. Continual Improvements Over Time.

DevOps

Automation

• Required to scale
• Establishes consistency
• Enables confident iteration

Dev[Sec]Ops

People

• Working with them
• Working for them
• Building for them.

Actual Problem Ignored

Users are stupid

Devs are lazy

Vuln equals risk.

CAN YOU TALK LIKE A HACKER?

Shared Vocabulary Communication, Empathy, Threats


Communication: Listen – Acknowledge – Repeat back

Empathy – Broaden understanding, Reconsider viewpoints, Improve solutions

Threats – Ambiguity, Erasure, Essentializing

Here we discuss influencing a shift from traditional security to continuous security, applying sets
of security controls in the application and infrastructure layers of the DevOps Pipeline and how
AppSec Pipelines can be applied to an application security program utilizing the principles of
DevOps and Lean.

• Influence a shift from traditional Security to Continuous Security
• Apply sets of security controls in the application and infrastructure layers of the DevOps Pipeline
while testing them continuously, in an automated manner.
• Discover how AppSec Pipelines take the principles of DevOps and Lean and apply that to an
application security program.

Implementing a Successful DevSecOps Program

Shifting to Fast-Paced Environments

Training -> Requirements -> Design -> Development -> Testing -> Operation -> Response

DevOps practitioners believe the SDL model doesn’t fit the bill for fast-paced environments.

DevOps Pipelines

Development Teams

• Develop
• Test
• Release

Cloud Services

• Deploy and host
• Private clouds
• Public clouds

Continuous Integration

• Routinely integrating code changes
• Testing changes
• Code integrated daily

Continuous Delivery

Building software that can be released -- Cloud environment

Continuous Deployment

Cloud Environments

Cloud Environments play a central role in DevOps

Cost reduction, rapid elasticity, flexibility

Infrastructure as code (IaC)

Knowledge Check

Continuous Integration: Routinely integrating code changes into a repository and testing changes.

Continuous Delivery: Building software that can be released to a cloud environment at any time.

Continuous Deployment: Every change that passes all stages of the production pipeline is released to
customers. Fully automated.

Cloud Environment: Enable cost reduction of operating infrastructure, rapid elasticity, flexibility.

Moving Faster – But at What Cost?


Continuous Security

1. Plan
2. Code
3. Build
4. Test
5. Release
6. Deploy
7. Operate
8. Monitor
Application Security:

Infrastructure Security
Pipeline Security

Testing Continuously
Test Driven Security (TDS)¹, a term coined by Mozilla, is an approach similar to Test Driven Development
(TDD), which recommends that developers write tests that represent the desired behavior first, then write
the code that implements the tests.
TDS proposes the following:
• The list of security controls should be established between the Security, Development and IT
Operations teams.
• The Security teams must clearly state and document what is expected from the application. They are
responsible for organizing a Rapid Risk Assessment (RRA)² with appropriate stakeholders when the
project is initiated to capture any potential business and technical risks. They also need to write, in
conjunction with the Development teams, the security tests that represent the desired behavior of the
application. Finally, they are responsible for establishing the tools to be used in the AppSec Pipeline, with
help from IT Ops, that will test the software being developed for security vulnerabilities at different
stages of the DevOps Pipeline.
• The Development teams implement the controls that have been tested by Security and address any
vulnerabilities identified in the AppSec Pipeline.
• The IT Operations teams write the code/templates that build the infrastructure. They are also
responsible for setting up the DevOps and AppSec Pipelines and ensuring the corresponding tools are
properly installed and security hardened to prevent any hacks/data breaches.

1. Source: Test Driven Security (TDS):
https://freecontent.manning.com/where-security-meets-devops-test-driven-security/
2. Rapid Risk Assessment (RRA):
https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html

AppSec Pipeline 1) Intake Process 2) Test 3) Triage 4) Deliver


Integrating DevOps and AppSec

AppSec Pipeline Consistent process

Application Security Team


Which of the following choices are security controls in the application and infrastructure layers of a DevOps
pipeline? 1) Application Security 2) Infrastructure Security 3) Pipeline Security are the application and
infrastructure layers of a DevOps pipeline.

Put the four steps of an AppSec Pipeline in consecutive order: 1) Intake Process 2) Triage 3) Test 4)
Deliver

The test-driven security test will initially fail. True; it is expected that the TDS tests will initially fail. Once the
controls are implemented, the TDS tests will pass.
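The fail-first behaviour of Test Driven Security described above, as an added example that is not part of the original notes or Mozilla's material. The chosen controls (HSTS, CSP, nosniff, cookie flags), the two handlers and `run_security_tests` are assumptions made for illustration.

```python
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, List[Tuple[str, str]]]  # (status, [(header, value), ...])

ONE_YEAR = 31536000  # seconds


def _hsts_ok(value: str) -> bool:
    # HSTS must pin HTTPS for at least one year.
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.lower() == "max-age" and arg.isdigit():
            return int(arg) >= ONE_YEAR
    return False


def _csp_ok(value: str) -> bool:
    # A default-src must be set and inline script must not be re-enabled.
    return "default-src" in value and "'unsafe-inline'" not in value


# Assumed control list, agreed between Security, Development and IT Operations.
HEADER_CONTROLS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
}
COOKIE_FLAGS = ("secure", "httponly")


def run_security_tests(handler: Callable[[], Response]) -> List[str]:
    """Return the names of the agreed controls the response does not satisfy."""
    _status, headers = handler()
    seen: Dict[str, str] = {}
    cookies: List[str] = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            seen[name.lower()] = value
    failures = [
        name for name, check in HEADER_CONTROLS.items()
        if name not in seen or not check(seen[name])
    ]
    for cookie in cookies:
        cookie_name = cookie.split("=", 1)[0].strip()
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        failures += [f"cookie:{cookie_name}:{f}" for f in COOKIE_FLAGS if f not in flags]
    return failures


def handler_before() -> Response:
    # Constructed endpoint as first written: functional, no controls yet.
    return 200, [("Content-Type", "text/html"),
                 ("Set-Cookie", "session=abc123; Path=/")]


def handler_after() -> Response:
    # Same endpoint after Development implemented the agreed controls.
    return 200, [
        ("Content-Type", "text/html"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Content-Security-Policy", "default-src 'self'"),
        ("X-Content-Type-Options", "nosniff"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ]


if __name__ == "__main__":
    print("before controls:", run_security_tests(handler_before))
    print("after controls: ", run_security_tests(handler_after))
```

In a pipeline the same test set runs on every check-in, so a control that is later removed shows up as a failing test again.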

Monitoring and Key Performance Indicators

The value of a logging pipeline, importance of getting incident management right, utilizing KPIs to
measure performance.

• Discover the value of using a logging pipeline to analyze usage and security incidents in real time.
• Analyze the importance of getting incident management right.
• Construct KPIs to measure the performance of a DevSecOps program.

DevSecOps – Integrating Security into DevOps


https://www.csoonline.com/article/3132078/security/devopssec-secdevops-devsecops-whats-in-a-name.html

The importance of Automation and Continuous Monitoring

• Automation
• Metrics
• Continuous Monitoring
• Insight into the types of traffic
• Application-level security metrics
• Patterns of malicious activity
• Stored in logs

The Logging Pipeline

• Analyze usage
• Analyze security incidents
• DevOps teams may not know how to identify security breaches, hacking attempts
• Log Management tool
• Reading & parsing logs
• Distinguishing unauthorized activity

Elements of a Logging Pipeline

Collect > Stream > Analyze > Store > Access

Collect: Log events are recorded from various components of the infrastructure.
Stream: Log records are captured and routed to the corresponding layer.
Analyze: Log records are inspected in order to detect anomalies and raise alerts.
Store: Log records are stored in short & long-term storage facilities.
Access: Log administrative console to access and review logs/alerts.

Incident Management
1. Preparation: Incident response, Creating documentation, Building tools
2. Detection & Analysis: Analyzes symptoms, Decides next steps
3. Containment, Eradication & Recovery: Tries to contain incident, Recover, Restore data,
processes
4. Post-Incident Activity: Review incident. Two goals: 1) Reduce probability of recurrence 2)
Improve incident handling procedures.

Managing Security Incidents

Detection & Analysis : Incident Handling Process

Blended Approach to Detection: Static, Synthetic, APM, Logging, Beware of alert fatigue
Business-focused Metrics: Mature DevSecOps teams, Business core metrics, Detect application health,
Expanded view, Additional inputs: social media, news feed
Data-driven Investigations: Mature DevSecOps teams, Clean observation, Testable hypotheses, Clear
success criteria, Iterative approach

Containment, Eradication & Recovery

Actionable Alerts: Alerts require action, Delivery to appropriate person, Permission and ability to act
ChatOps for Communication: Common, Time-indexed, Searchable record of incidents, Useful records
Runbooks for Remediation: Best runbooks explain: Metrics and alerts, Application or system roles,
Identify upstream and downstream dependencies, Identify an escalation point or Subject Matter Expert,
Enumerate known failure states or symptoms
Adopt Infrastructure as Code (IaC): Rebuilding a system or environment, Quick easy configuration

Post Incident Activity:


Keep Post-Mortems Actionable
Lose track of Ideas, Lose time to implement, Lose focus

Analysis phase is worthless if little or no action is taken


Lessons learned must be reflected in Incident Management Runbook

Key Performance Indicators (KPI)

• Metrics
• Language of cooperation
• Spoken in numbers
• Metrics for DevSecOps
• Choose the right metrics – Business needs, Compliance requirements

TERMS:
Availability: Amount of uptime/downtime in a given time period in accordance with the service-level
agreement (SLA).
Change Failure: Percentage of production deployments that failed.
Change Lead Time: Time between a code commit and production deployment of that code.
Change Volume: Number of user stories deployed in a given time frame.
Customer Issue Resolution Time: Mean time to resolve a customer-reported issue.
Customer Issue Volume: Number of issues reported by customers in a given time period.
Defect Burn Rate: Amount of time to fix vulnerabilities in an application.
Defect Density: The number of bugs identified divided by the codebase of an application.
Deployment Frequency: Number of deployments to production in a given time frame.
Logging Availability: Amount of uptime/downtime of the logging pipeline in a given time period.
Mean Time Between Failures (MTBF): The amount of time that elapses between one failure and the next.
Mathematically, this is the sum of MTTF and MTTR, the total time required for a device to fail and that
failure to be repaired.
Mean Time to Failure (MTTF): Time that a system is online between outages or failures.
Mean Time to Recovery (MTTR): Time between a failed production deployment to full restoration of
production operations.
Number of False Positives: The number of mistakenly flagged vulnerabilities for an application.
Number of Functional/Acceptance Tests: Number of automated functional or acceptance tests for an
application.
Number of Passed/Failed Security Tests: Number of automated security tests for an application.
Number of Unit/Integration Tests: Number of automated unit or integration tests for an application.
Security Benchmark Deviation: Deviation between security benchmarks applied to an image and
security benchmarks on an instantiated image.
Security Controls: Number of technical security controls partially or fully in place.
Test Coverage: Percentage of code that is covered by automated tests.
Time to Patch: Time between identification of a vulnerability in the platform or application and successful
production deployment of a patch.
Time to Value: Time between a feature request (user story creation) and realization of business value
from that feature.

Vulnerability Patching Frequency: How often vulnerability patches are regularly deployed to production.
Vulnerability Patching Lead Time: Time between discovery of a new vulnerability (i.e., its publication) and
patching in production.
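A worked calculation of several of the KPIs defined above (Change Failure, Change Lead Time, MTTR, MTTF and MTBF as their sum), added here as an illustration and not part of the original notes. The deployment records, field names and `pipeline_kpis` are constructed for the example, and it assumes every failure is a failed production deployment that keeps the service down until it is restored.

```python
from datetime import datetime
from typing import Dict, List, Optional

FMT = "%Y-%m-%d %H:%M"

# Constructed sample: one record per production deployment. "restored" is set
# only for a failed deployment and marks full restoration of production.
WINDOW_START = "2024-03-01 00:00"
DEPLOYMENTS = [
    {"commit": "2024-03-01 09:00", "deployed": "2024-03-01 13:00", "restored": None},
    {"commit": "2024-03-03 12:00", "deployed": "2024-03-04 00:00", "restored": "2024-03-04 02:00"},
    {"commit": "2024-03-05 10:00", "deployed": "2024-03-05 16:00", "restored": None},
    {"commit": "2024-03-07 16:00", "deployed": "2024-03-08 02:00", "restored": "2024-03-08 06:00"},
    {"commit": "2024-03-09 08:00", "deployed": "2024-03-09 16:00", "restored": None},
]


def _hours(start: str, end: str) -> float:
    delta = datetime.strptime(end, FMT) - datetime.strptime(start, FMT)
    return delta.total_seconds() / 3600


def _mean(values: List[float]) -> Optional[float]:
    return sum(values) / len(values) if values else None


def pipeline_kpis(window_start: str,
                  deployments: List[Dict[str, Optional[str]]]) -> Dict[str, Optional[float]]:
    """Compute KPIs (in hours or percent) from a deployment log."""
    if not deployments:
        raise ValueError("no deployments recorded in the window")
    ordered = sorted(deployments, key=lambda d: datetime.strptime(d["deployed"], FMT))

    uptimes: List[float] = []   # online time before each failure (feeds MTTF)
    repairs: List[float] = []   # failed deployment -> restoration (feeds MTTR)
    online_since = window_start
    for dep in ordered:
        if dep["restored"] is None:
            continue  # successful deployment, service stays up
        uptimes.append(_hours(online_since, dep["deployed"]))
        repairs.append(_hours(dep["deployed"], dep["restored"]))
        online_since = dep["restored"]

    mttf, mttr = _mean(uptimes), _mean(repairs)
    return {
        "change_failure_pct": 100 * len(repairs) / len(ordered),
        "change_lead_time_h": _mean([_hours(d["commit"], d["deployed"]) for d in ordered]),
        "mttr_h": mttr,
        "mttf_h": mttf,
        # MTBF is the sum of MTTF and MTTR; undefined when nothing failed.
        "mtbf_h": None if mttf is None else mttf + mttr,
    }


if __name__ == "__main__":
    for name, value in pipeline_kpis(WINDOW_START, DEPLOYMENTS).items():
        print(f"{name}: {value}")
```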

Scoring Security Testing

How to manage false positives in the DevSecOps pipeline

Score security testing
Assign security thresholds
• Low security threshold
• Development phase
• 70% most tests
• 100% critical tests
Raise threshold to 100% before going into production
• Adjust thresholds depending on pipeline
• And which products/tests are being used.
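One way to express the scoring thresholds above as a pipeline gate, added here as an example and not part of the original notes. The stage names, `CheckResult`, `evaluate_gate` and the sample report are constructed, and counting a failure that has been triaged as a false positive as a pass is an assumption of this sketch.

```python
from dataclasses import dataclass
from typing import Dict, List

# Required pass rate (percent) per stage, using the figures from the notes:
# 70% of most tests and 100% of critical tests in development, 100% of
# everything before going into production.
THRESHOLDS = {
    "development": {"critical": 100, "other": 70},
    "production": {"critical": 100, "other": 100},
}


@dataclass(frozen=True)
class CheckResult:
    name: str
    critical: bool
    passed: bool
    false_positive: bool = False  # assumption: failure triaged as a mistaken finding


def evaluate_gate(stage: str, results: List[CheckResult]) -> Dict[str, object]:
    """Decide whether a build may proceed at the given pipeline stage."""
    if stage not in THRESHOLDS:
        raise ValueError(f"unknown stage: {stage}")
    if not results:
        # Fail closed: an empty report usually means the scanners did not run.
        return {"allowed": False, "blocked_by": ["no-results"], "rates": {}}

    rates: Dict[str, tuple] = {}
    blocked_by: List[str] = []
    for group in ("critical", "other"):
        members = [r for r in results if r.critical == (group == "critical")]
        ok = sum(1 for r in members if r.passed or r.false_positive)
        rates[group] = (ok, len(members))
        # Integer comparison avoids float rounding exactly at the threshold.
        if members and ok * 100 < THRESHOLDS[stage][group] * len(members):
            blocked_by.append(group)
    return {"allowed": not blocked_by, "blocked_by": blocked_by, "rates": rates}


# Constructed sample report: 2 critical tests and 10 others, of which
# 7 pass, 1 fails but is a triaged false positive, and 2 genuinely fail.
SAMPLE = (
    [CheckResult("authz-bypass", True, True), CheckResult("sql-injection", True, True)]
    + [CheckResult(f"style-rule-{i}", False, True) for i in range(7)]
    + [CheckResult("weak-hash", False, False, false_positive=True)]
    + [CheckResult("verbose-errors", False, False),
       CheckResult("missing-header", False, False)]
)

if __name__ == "__main__":
    for stage in ("development", "production"):
        print(stage, evaluate_gate(stage, SAMPLE))
```

The same report passes the development gate at 80% and is blocked at the production gate, which is the behaviour the raised threshold is meant to produce.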

Result of Culture Change

1. Greater satisfaction
2. Higher Performance
3. Increased throughput
4. Better outcomes
5. Higher financial performance

Security Champions:

• Act as voice of security
• Decide when to engage security team
• Participate in code review
• Help with QA, testing
• Assist in triaging security bugs
• Application Security skills are not a key requirement
• Skills can be gained through training
• Developers can be good candidates

Culture changes come in the form of integrating teams that historically have been disparate around a
single vision. Technical changes come with automating as much of the development, deployment, and
operational environment as possible to more rapidly deliver high-quality and highly secure code.

Successful Transformation & Cultural Change

Tremendous value and benefit

1) Better retention of talent 2) Ability to better respond to change 3) Increased efficiency 4) Savings
from reduction of manual processes 5) Reduction of software fixes late in life cycle.

For a successful DevSecOps program:

1) Influence the shift to Continuous Security
2) Apply security and test continuously
3) Use AppSec Pipelines, using principles of DevOps and Lean

Training: Core training
Requirements: Analyze security and privacy risk; Define quality gates
Design: Threat modeling; Attack surface
Development: Specify tools; Enforce banned function; Static analysis
Testing: Dynamic and fuzz testing; Verify threat models/attack surface
Operation: Response plan; Final security review; Release activity
Response: Response execution

Security Architecture and Design Review, Security Code Review, Security Testing

The Security Architecture and Design Review

The security teams look at: 1) Product requirements 2) Early designs 3) Add security based on threat
models 4) Architecture is reviewed 5) Security controls proposed.

Can the product withstand a simulated attack? 1) Manual testing 2) Automated tools

DevOps practitioners believe the SDL Model doesn’t fit the bill for fast-paced environments.

Development Teams: Develop, Test, Release
Cloud Services: Deploy and host, Private clouds, Public cloud

Continuous Integration

• Routinely integrating code changes
• Testing changes
• Code integrated daily

Continuous Delivery

Build Software that can be released - Cloud environment

Continuous introgression software

Cloud Environments play a central role in DevOps

Cost reduction, rapid elasticity, flexibility

Infrastructure as code (IaC)


Open Web Application Security Project (OWASP)

Top 10 most common risks

• OWASP Application Security Verification Standard
• Basis for testing
• Requirement for secure development

Cloud Security Alliance (CSA) CSA Security Guidance for Critical Areas of Focus in Cloud Computing

Industry-wide standards Practical, actionable roadmap

Treacherous 12 Cloud Computing Top Threats Fore adopting the cloud paradigm

https://www.oreilly.com/ideas/9-tips-for-a-more-secure-continuous-delivery-pipeline

• Test Driven Security (TDS)
• Similar to Test Driven Development (TDD)
• Write tests that represent desired behavior
• Then write code that implements the test
• Test will fail and that is expected
• Implement controls to pass TDS test
• Security teams
• Help Developers and IT Operation teams
• Implement controls
Monitoring and Key Performance Indicator


1. Metrics
2. Continuous Monitoring
3. Insight into the types of traffic
4. Application-level security metrics
5. Patterns of malicious activity
6. Stored logs

Logging pipeline

1) Analyze usage
2) Analyze security incidents

Log management tools: Reading & parsing logs, Distinguishing unauthorized activity


1. Microsoft SDL: https://blogs.technet.microsoft.com/voy/2013/06/10/security-series-2-howto-bake-security-in-products-and-services-sdl/
2. STRIDE: https://en.wikipedia.org/wiki/STRIDE_(security)
3. Waterfall Model: https://en.wikipedia.org/wiki/Waterfall_model
4. Test Driven Security (TDS): https://freecontent.manning.com/where-security-meets-devops-test-driven-security/
5. Rapid Risk Assessment (RRA): https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html
6. OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
7. OWASP ASVS: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
8. 9 tips for a more secure continuous delivery pipeline: https://www.oreilly.com/ideas/9-tips-for-a-more-secure-continuous-delivery-pipeline
9. CSA Treacherous 12: https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf
10. CSA Security Guidance for Critical Areas of Focus in Cloud Computing: https://cloudsecurityalliance.org/download/security-guidance-v4/
11. Continuous Delivery vs Continuous Deployment: https://www.atlassian.com/continuous-delivery/ci-vs-ci-vs-cd0
12. OWASP AppSec Pipeline: https://www.owasp.org/index.php/OWASP_AppSec_Pipeline

1) Intake Process: Customer requests an application security service: DAST, SAST, manual assessment
2) Triage: Determination made for applying requested services
3) Test: The heart of the pipeline, where AppSec tools feed results into a repository and check for false
positives
4) Deliver: Results are distributed to appropriate parties. Defects are tracked. Metrics
summarized.

AppSec Pipeline = DevOps + Lean

Application Security

Iterative improvement

Ability to grow in functionality over time

Greatest pain point

Work on reusable path

Elements of a Logging Pipeline

Collect: Log events are recorded from various components of the infrastructure
Stream: Log records are captured and routed to the corresponding layer
Analyze: Log records are inspected in order to detect anomalies and raise alerts
Store: Log records are stored in short & long-term storage facilities
Access: Log administrative console to access and review logs/alerts

Preparation: Incident response, Creating documentation, Building tools
Detection & Analysis: Analyzes symptoms, Decides next steps
Containment, Eradication & Recovery: Tries to contain incident, Recover, Restore data, process
Post-incident Activity: Review incident. Two goals: 1. Reduce probability of recurrences 2. Improve handling procedures

Blended Approach to Detection: Static, Synthetic, APM, Logging, Beware of alert fatigue
Business-focused Metrics: Mature DevSecOps teams, Business core metrics, Detect application health, Expanded view, Additional inputs: social media, news feed
Data-driven Investigations: Mature DevSecOps teams, Clean observation, Testable hypotheses, Clear success criteria, Iterative approach

Actionable Alerts: Alerts require actions, Delivery to appropriate person, Permission and ability to act

ChatOps for Communication
Runbooks for Remediation
Adopt Infrastructure as Code (IaC)

Post-Incident Activity

Keep Post-Mortems Actionable



Lose track of ideas

Lose time to implement

Lose focus

The analysis phase is worthless if little or no action is taken

Lessons learned must be reflected in Incident Management Runbook

Metrics

Language of cooperation

Spoken in numbers

Metrics for DevSecOps

Choose the right metrics

Business needs

Compliance requirements

Code stays secure
But process is agile

Low security threshold
Development phase
70% most tests
100% critical tests

Raise threshold to 100% before going into production

Adjust threshold depending on pipeline
And which products/tests are being used

Into pipeline

When we say “shifting security to the left” we mean:

Question 1 options:

To introduce security practices as early as possible

To move security from a conservative to liberal perspective

To leverage frameworks and libraries

To introduce security practices later in development



A widely-accepted principle of security among practitioners is that security is a shared responsibility
among many stakeholders

Question 2 options:

True

False


Agile and DevOps are one and the same.

Question 3 options:

True

False


Which of the following describes the percentage of production deployments that failed?

Question 4 options:

Change volume

Change failure

Test coverage

Defect Burn Rate

Availability

The amount of uptime/downtime of the logging pipeline in a given time period is called:

Question 5 options:

Change Lead Time



Mean Time Between Failures (MTBF)

Logging Availability

Security Benchmark Deviation


Which of the following is an effective enabler of DevOps because it focuses on small teams continually
delivering high quality code to customers.

Question 6 options:

Waterfall

Agile

Structured development methodologies

Service-oriented architecture

Routinely integrating code change into a repository and testing the changes is called:

Question 7 options:

Continuous integration

Continuous delivery

Continuous deployment

Cloud environment

Agile and DevOps each has its own set of objectives and methods of achieving its goals.

Question 8 options:

True

False

Building software that can be released to a cloud environment at any time is called:

Question 9 options:

Continuous integration

Continuous delivery

Continuous deployment

Cloud environment


The duties of a security champion include which of the following:

Question 10 options:

Acting as the voice of security

Deciding when to engage the security team

Organizing code reviews

Helping with Quality Assurance

Question 11 (1 point)

The test-driven security tests will initially fail.

True

False

Which of the following is the latest approach to driving DevOps?

Question 12 options:

Embracing structured development methodologies since software became larger and more
complex

Embracing service-oriented architecture to overcome the interoperability and reusability challenges

Embracing the waterfall model to meeting the needs of evolving business requirements

Removing much of the latency that has existed for years around software development through
automation.

Question 13 (1 point)


True or False: A continuous-delivery tool chain can be an attack target itself.

Question 13 options:

True

False

The time between a feature request and the realization of business value from that feature is called:

Question 14 options:

Deployment Frequency

Mean Time to Recovery (MTTR)

Customer Issue Volume

Time to Value


Which of the following choices are security controls in the application and infrastructure layers of a
DevOps pipeline? Choose three:

Question 15 options:

Application Security

CSA Security

TSA Security

Infrastructure Security

Pipeline Security

Test-driven Security

Securing a continuous delivery pipeline may involve which of the following? Select all that apply:

Question 16 options:

Strong access control across the entire toolchain and access audits

Hardening various systems

Protecting credentials, keys, and other secrets

Protecting (i.e. digitally signing) binaries and other build artifacts against tamper, etc.

Creating a culture conducive to successful DevOps practices requires which of the following? Select all
that apply:

Question 17 options:

Security awareness

Training

Abandoning software threat modeling

Avoiding application penetration testing

DevOps teams rely on a variety of tools to help them deploy code faster. Which of the following types of
tools are used by DevOps teams for that purpose? Select all that apply:

Question 18 options:

Continuous integration tools to ensure that every code change results in a new product build

Configuration management tools to define the server infrastructure as code

Software application threat modeling tools to identify threats to the software

Automated test tools to verify code quality and provide quick feedback

A successful implementation of DevSecOps will require which of the following? Select all that apply

Question 19 options:

Elimination of silos

Promotion of collaboration and teamwork

Cross-training teams so that vulnerabilities can be identified early

All the above

DevOps allows an organization to increase its ability to deliver applications and services at high velocity.

Question 20 options:

True

False

What are the five principles for securing DevOps? Select all five principles:

Question 21 options:

Automate security in

Integrate to fail quickly

Thoroughly test each patch

Measure twice, cut once

No false alarms

Build security champions

Keep operational viability


Which of the following is true about security champions? Select all that apply:

Question 22 options:

They must be able to code

They may help make decisions about when to engage the security team

They may act as the voice of security for a given product or team

They may assist in the triage of security bugs for their team or area

Which of the following is a correct statement in the context of a successful DevSecOps implementation?
Select all that apply:

Question 23 options:

Extensive additional automation may be required

Establishing a culture of openness and collaboration is a requisite

Adopting DevSecOps always results in reduced development costs for a software project

Investments in culture change will enhance communication and collaboration between
development, security, and operations, which in turn, could positively impact other areas such as
processes


Below are the four steps of an AppSec pipeline. Which one shows the steps in the correct order?

Question 24 options:

Triage, Intake Process, Deliver, Test



Test, Intake Process, Triage, Deliver

Intake Process, Triage, Deliver, Test

Intake Process, Triage, Test, Deliver

Which KPI measures the amount of time between identification of a vulnerability in the platform or
application and successful production deployment of a patch?

Question 25 options:

Vulnerability Patching Frequency

Vulnerability Patching Lead Time

Time to Patch

Mean Time to Failure (MTTF)

Customer Issue Resolution Time

Which of the following enables cost reduction of operating infrastructure, rapid elasticity, and flexibility?

Question 26 options:

Continuous integration

Continuous delivery

Continuous deployment

Cloud environment

Which KPI measures the number of automated security tests for an application?

Question 27 options:

Security Controls

Customer Issue Volume



Number of Passed/Failed Security Tests

Defect Density

Number of False Positives

Cloud environments play a central role in DevOps by enabling which of the following? Select all that
apply:

Question 28 options:

Communication tools

Cost reduction of operating infrastructure

Rapid elasticity

Flexibility

Automated archiving

Which KPI reveals the company’s ability to react faster to threats?

Question 29 options:

Mean time to failure

Time to value

Defect density

Vulnerability patching lead time

, Company K had adopted Infrastructure as Code, which


IaC calls for managing and provisioning resources through which of the following?

Question 30 options:

Machine-readable definition files



Physical hardware configuration

Interactive configuration tools

Quiz

Question 1

When shifting from a DevOps to DevSecOps workflow, a company must always embed a SME from
security into the development and operations teams.

Question 1 options:

True

False

Question 2

Ease of communication is essential in building a DevSecOps culture. Which of the following can
encourage better and more frequent communication between various groups? Select all that apply:

Question 2 options:

Establishing daily touchpoints

Wikis

Finger pointing

Name calling

Blogs

Messaging apps for mobile devices

Managers who are uncomfortable with change

Info sharing sessions such as lunch & learns

Question 3

DevSecOps attempts to bridge the gap between ________ and _________.

Question 3 options:

Security and Agility

Speed and Agility

Integration and Delivery

Theory and Application

Question 4

Why would an organization choose to move from a traditional SDLC structure to a DevOps structure?
Select all that apply.

Question 4 options:

Because regulations and privacy laws are forcing them to change their SDLC.

Because DevOps places more emphasis on software security than traditional SDLC.

Because they need to deliver high-quality software updates more frequently.

Because they need to deliver updates more reliably, in a cost-effective manner.

I wouldn’t advise the change. They should stick with traditional SDLC.

Question 5

Which of the following KPIs communicates to management how a DevSecOps workflow results in higher
customer satisfaction?

Question 5 options:

Change failure

Test coverage

Customer issue resolution time

Logging availability

Question 6

The Benefits of a successful implementation of DevOps include which of the following:

Question 6 options:

Streamlining of processes

Accelerated pace of interactions between the Development and Operations teams

Increased level of automation

All the above

Question 7


Agile and DevOps each has its own set of objectives and methods of achieving its goals.

Question 7 options:

True

False

Question 8


Which of the following KPIs could indicate an overall increase in the speed of the software development
life cycle?

Question 8 options:

Deployment frequency

Change failure

Security benchmark deviation

Question 9


What would be the primary reason for an organization to transition from DevOps to DevSecOps at this
point?

Question 9 options:

To bring the development team up to speed with the latest on application security

To teach software developers how to think like attackers

To bridge the gap between DevOps and security

To drive further automation across the environment

Question 10

Place the steps of Gartner’s 5-Step Approach to Cultural Challenges in the correct order:

Question 10 options:

Continual Improvements Over Time

Small, Focused Pilot

Gain Consensus

Incremental Deploy with Feedback Loops

Gap Analysis

Question 11

The amount of uptime/downtime of the logging pipeline in a given time period is called:

Question 11 options:

Change Lead Time

Mean Time Between Failures (MTBF)

Logging Availability

Security Benchmark Deviation

Question 12

Agile and DevOps are one and the same.

Question 12 options:

True

False

Question 13

Which of the following is an effective enabler of DevOps because it focuses on small teams continually
delivering high quality code to customers.

Question 13 options:

Waterfall

Agile

Structured development methodologies

Service-oriented architecture

Question 14

Which of the following basic KPIs expresses ROI to management?

Question 14 options:

Number of false positives

Security benchmark deviation

Availability

Time to patch

Question 15


When we say “shifting security to the left” we mean:

Question 15 options:

To introduce security practices as early as possible

To move security from a conservative to liberal perspective

To leverage frameworks and libraries

To introduce security practices later in development

Question 16

A widely-accepted principle of security among practitioners is that security is a shared responsibility
among many stakeholders

Question 16 options:

True

False

Question 17

The test-driven security tests will initially fail.

Question 17 options:

True

False

Question 18

Building software that can be released to a cloud environment at any time is called:

Question 18 options:

Continuous integration

Continuous delivery

Continuous deployment

Cloud environment

Question 19

Security considerations are always at odds with those of Development and Operations.

Question 19 options:

True

False

Question 20

The duties of a security champion include which of the following:

Question 20 options:

Acting as the voice of security

Deciding when to engage the security team

Organizing code reviews

Helping with Quality Assurance


Question 21

Which of the following describes the percentage of production deployments that failed?

Question 21 options:

Change volume

Change failure

Test coverage

Defect Burn Rate

Availability

Question 22

Routinely integrating code change into a repository and testing the changes is called:

Question 22 options:

Continuous integration

Continuous delivery

Continuous deployment

Cloud environment

Question 23

True or False: A continuous-delivery tool chain can be an attack target itself.

Question 23 options:

True

False

Question 24

Securing a continuous delivery pipeline may involve which of the following? Select all that apply:

Question 24 options:

Strong access control across the entire toolchain and access audits

Hardening various systems

Protecting credentials, keys, and other secrets

Protecting (i.e. digitally signing) binaries and other build artifacts against tamper, etc.

Question 25 (1 point)


Which KPI measures the amount of time between identification of a vulnerability in the platform or
application and successful production deployment of a patch?

Question 25 options:

Vulnerability Patching Frequency

Vulnerability Patching Lead Time

Time to Patch

Mean Time to Failure (MTTF)

Customer Issue Resolution Time

Question 26

Which KPI measures the number of automated security tests for an application?

Question 26 options:

Security Controls

Customer Issue Volume

Number of Passed/Failed Security Tests



Defect Density

Number of False Positives

Question 27

Which KPI reveals the company’s ability to react faster to threats?

Question 27 options:

Mean time to failure

Time to value

Defect density

Vulnerability patching lead time

Question 28

Below are the four steps of an AppSec pipeline. Which one shows the steps in the correct order?

Question 28 options:

Triage, Intake Process, Deliver, Test

Test, Intake Process, Triage, Deliver

Intake Process, Triage, Deliver, Test

Intake Process, Triage, Test, Deliver

Question 29


DevOps teams rely on a variety of tools to help them deploy code faster. Which of the following types of
tools are used by DevOps teams for that purpose? Select all that apply:

Question 29 options:

Continuous integration tools to ensure that every code change results in a new product build

Configuration management tools to define the server infrastructure as code

Software application threat modeling tools to identify threats to the software

Automated test tools to verify code quality and provide quick feedback

Question 30

Which of the following enables cost reduction of operating infrastructure, rapid elasticity, and flexibility?

Question 30 options:

Continuous integration

Continuous delivery

Continuous deployment

Cloud environment
