DevSecOps: Integrating Security Into DevOps! {Business Security}
Download as PPTX, PDF2 likes5,526 views
The document discusses the integration of security practices into DevOps, highlighting the need for security professionals to be involved from the design phase to maintain both speed and security. It outlines three key security behaviors: threat modeling, code review, and red teaming, which help identify and resolve vulnerabilities early in development. Additionally, it emphasizes the principles of 'security as code' and 'infrastructure as code' to enhance security in the DevOps pipeline.
DevSecOps: Integrating Security Into DevOps! {Business Security}
- 1. DEV OPS SEC Integrating Security Into DevOps
- 2. Implementing DevOps is known for: Boosting efficiency Cutting costs Helping businesses flourish better
- 3. Security has not been the easiest to set up around a DevOps implementation. Security professionals need to have a crystal clear understanding as to how their practices can be applied in the development and production stages. They need time. The ever-increasing demand for lightning pace delivery of software using DevOps and agile strategies, with technologies like containers and public cloud, has caused a rift between the software production teams and the security teams who, instead, need time.
- 4. Putting security at the end often fails because many issues can be resolved at an initial level if security experts were involved right from the design phase. So the perfect solution is to have security practices integrated throughout the entire software delivery cycle.
- 6. The key benefit of DevOps is speed and continuous delivery. But, with secure DevOps, teams often suffer from the notion that there’s a tradeoff between security and speed. However, that is not the scenario always.
- 7. Prudent use of Security automation allows the teams to maintain both security and speed. The automated security testing makes the security consistent and less vulnerable to human errors. Shifting of the security practices left towards the design phase is a major advantage. It is a big achievement to catch the security loophole at the design or the development phase of a new feature. This is what DevSecOps tooling strategies aim at.
- 9. People often avoid documentation and it is highly possible to change the security skeleton of the DevOps team without even going for a single line of documentation. Though it is hard to imagine, it is possible through instilling security behaviors. The 3 security behaviors to focus on: ● Threat modeling ● Code review ● Red teaming
- 10. Threat Modeling Threat modeling involves considering the various security impact of every design decision and you need to start thinking like attackers, hackers or infiltrators to your own system to search for the loopholes.
- 11. Threat Modeling You need to verify and select the design that will protect the integrity of the customer data. In a majority of the cases, DevOps teams view the design form agile perspective, leaving behind the security concerns. However, Threat Modeling ensures to embed security directly into the practices and design decisions.
- 12. Code Review The code review security behavior revolves around finding security concerns and flaws in the code. This security behavior ensures to figure out the errors in the code that may prove to be fatal if it reaches the production. The DevOps teams use stringent infrastructure and make sure that code review is mandatory with each check-in to the main line.
- 13. Red Teaming The last security behavior, red teaming involves attacking your code with the same level of ferocity as potential attackers would do when it reaches production. This helps in revealing the flaws using rigorous testing, fixing them and pushing it to production quickly.
- 15. The aim at establishing secure DevOps lies on two major principles: ● Security as code ● Infrastructure as a code
- 16. The security as code involves building security into the existing tools in the DevOps pipeline. It includes usage of static analysis tools to validate portions of code that has been modified rather than scanning the entire codebase.
- 17. On the other hand, Infrastructure as code defines the various DevOps tools to set up and update the infrastructure components. A few examples include Ansible, Puppet, etc. The system administrators no longer fix the issues on a system. With the IaC if your system lacks or faces an issue it is completely disintegrated and a new one is generated to fill in the gap.
- 18. Official Blog Link - http://www.algoworks.com/blog/devsecop s-integrating-security-into-devops/ Mail us at: [email protected] Contact us at: +1-877-284-1028