SlideShare a Scribd company logo

DevSecOps : an Introduction

Download as PPTX, PDF
P
Prashanth B. P.

DevSecOps is a cultural change that incorporates security practices into software development through people, processes, and technologies. It aims to address security without slowing delivery by establishing secure-by-design approaches, automating security tools and processes, and promoting collaboration between developers, security engineers, and operations teams. As software and connected devices continue proliferating, application security must be a central focus of the development lifecycle through a DevSecOps methodology.

Technology
1 of 18
Downloaded 28 times
1
2
Most read
3
4
Most read
5
6
7
8
9
10
11
12
13
14
15
Most read
16
17
18
z DevSecOps Prashanth Bharathi Prakash
z Its an evolution..
z The Facts • 159,700 total cyber incidents • 7 billion records exposed in first 3 Qtr • $5 billion financial impact • 93% of breaches could have been prevented *Online Trust Alliance report 2018
z How we manage software security? Source: “Managing Application Security”, Security Compass, 2017.
z Challenges of Secure Software Development  Legacy Software  Writing Secure code is hard  Lack of security skills  Emphasis on speed  Lack of risk focus, audits and controls points  Unsupervised collaboration  Wrong automated tools  Best practices are insufficient!  Vulnerabilities in development pipeline
z So we do last minute security..
z Lets define DevSecOps  Do we need Security? Obviously! → DevSecOps  Do we need order in configuration? Sure! → DevSecConfOps  And do we need to automate? Ideally yes. → DevSecConfAutoOps  Resilient? This is so important! → DevSecConfAutoResOps  Backups! We forgot about backups! → DevSecConfAutoResBackOps  Monitoring :-) → DevSecConfAutoResBackMonOp  Should I stop here? No → DevSecConfAutoResBackMonNoOp  Pigeons ate my breakfast while I was entertaining you → DevSecConfAutoResBackMonNoPigeonsAteMyBreakfastWhileIwasEntertaining YouOps
z Security becomes paramount in the new world of connected devices and must be addressed without breaking the rapid delivery, continuous feedback model!
z The Guiding Principles  Security is everybody’s business!  Start with the 3 Ps:  People  Process  Platform  Establish a process to enable people to succeed in using platform to develop secure applications  Build on existing people, process and tools
z The Guiding Principles Adopt Secure-by-Design rather than Secure-by-Test approach Enable development teams to create secure applications Automate as much as possible Reuse existing technology as much as possible Heavy collaboration between all stakeholders
z People  Invest in training on security skills!  Make learning a fun exercise!  Collaborate heavily (Dev Sec Ops)  Secure Design Decisions  Secure Environment Configuration  Secure Deployment planning  Secure code review
z Platforms  Automate environment creation and provisioning  Maintain parity between environments: dev, QA and production  Automated infrastructure testing  Be Open-Source aware!
z Process  Build on existing risk assessment processes / policies  Check the awareness of security policies in dev & ops teams  Create new processes only to improve existing ones Change is a journey.. Not a sprint !!
z How to bring-in Operations Monitor Key KPIs No. of applications threat modelled / scanned for vulnerabilities No. of applications reviewed by Architects No. of security requirements implemented % of open source libraries analysed Total number of critical and high vulnerabilities Number of penetration test vulnerabilities detected …. Monitor, Feedback, Remediate and Improve
z DevSecOps In Action Source Control Code Review Build Code Quality Deploy Testing A/B TestDesign Secure Coding Cloud-based hosting and access to application services through Cloud Platform Release Code Analysis (SonarQube, Coverity and Black Duck) Threat Modeling (Microsoft Threat Modeller, Secure Tree) Secure Coding Practices (Source Code Warrior, in- house trainings) Static Application Security Scanning (Fortify, Veracode, Coverity) Dynamic App Security Scanner (Fortify, IBM AppScan, Chekmarx, Veracode) DevSecOps Enabling tools Integrated Development Environment (Eclipse, X-code) Source Code Repository (Git / Gerrit) Continuous Integration (Jenkins) Deploy (Chef, Docker, Kubernetes) Test (Selenium, Grid, Cucumber) DevOps Enabling tools
z Reference Services for DevSecOps  Governance  Maturity Assessment  Process Engineering  Secure-By-Design  Security Training Curriculum  Threat Modeling  Code scanning Tool Integration  SAST, DAST, OSCA  Penetration Testing  DevSecOps Operationalization  Monitoring and Operations  SEIM Integration  Infrastructure Security
z Summary  DevSecOps is cultural change encompassing people, processes and technologies.  There is no “one-size fits-all“ scenario.  New technologies and ubiquitous access across devices / platforms makes application security the central focal point in software development. DevSecOps is the new mantra in S/W Dev Methodology
z For more information  SEI –Carnegie Mellon University  DevOps Blog: https://insights.sei.cmu.edu/devops  Webinar : https://www.sei.cmu.edu/publications/webinars/index.cfm  Podcast : https://www.sei.cmu.edu/publications/podcasts/index.cfm  DevSecOps: http://www.devsecops.org  Rugged Software: https://www.ruggedsoftware.org

More Related Content

PDF
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
PPTX
DevSecOps
Joel Divekar
 
PDF
DevSecOps Basics with Azure Pipelines
Abdul_Mujeeb
 
PPTX
DevOps to DevSecOps Journey..
Siddharth Joshi
 
PDF
DevSecOps in Baby Steps
Priyanka Aash
 
PDF
DevSecOps | DevOps Sec
Rubal Jain
 
PPTX
ABN AMRO DevSecOps Journey
Derek E. Weeks
 
PDF
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
DevSecOps
Joel Divekar
 
DevSecOps Basics with Azure Pipelines
Abdul_Mujeeb
 
DevOps to DevSecOps Journey..
Siddharth Joshi
 
DevSecOps in Baby Steps
Priyanka Aash
 
DevSecOps | DevOps Sec
Rubal Jain
 
ABN AMRO DevSecOps Journey
Derek E. Weeks
 
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 

What's hot (20)

PDF
The State of DevSecOps
DevOps Indonesia
 
PDF
The What, Why, and How of DevSecOps
Cprime
 
PPTX
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PDF
Introduction to DevSecOps
Setu Parimi
 
PDF
2019 DevSecOps Reference Architectures
Sonatype
 
PDF
DevSecOps and the CI/CD Pipeline
James Wickett
 
PDF
DevSecOps Implementation Journey
DevOps Indonesia
 
PDF
Security Process in DevSecOps
Opsta
 
PDF
DevSecOps What Why and How
NotSoSecure Global Services
 
PDF
Demystifying DevSecOps
Archana Joshi
 
PPTX
DEVSECOPS.pptx
MohammadSaif904342
 
PDF
DevSecOps, The Good, Bad, and Ugly
4ndersonLin
 
PPTX
DevSecOps reference architectures 2018
Sonatype
 
PDF
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
PDF
Practical DevSecOps - Arief Karfianto
idsecconf
 
PDF
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
PDF
Shift Left Security
BATbern
 
PPTX
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
Mohamed Nizzad
 
PPTX
DevSecOps Training Bootcamp - A Practical DevSecOps Course
Tonex
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
The State of DevSecOps
DevOps Indonesia
 
The What, Why, and How of DevSecOps
Cprime
 
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Introduction to DevSecOps
Setu Parimi
 
2019 DevSecOps Reference Architectures
Sonatype
 
DevSecOps and the CI/CD Pipeline
James Wickett
 
DevSecOps Implementation Journey
DevOps Indonesia
 
Security Process in DevSecOps
Opsta
 
DevSecOps What Why and How
NotSoSecure Global Services
 
Demystifying DevSecOps
Archana Joshi
 
DEVSECOPS.pptx
MohammadSaif904342
 
DevSecOps, The Good, Bad, and Ugly
4ndersonLin
 
DevSecOps reference architectures 2018
Sonatype
 
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
Practical DevSecOps - Arief Karfianto
idsecconf
 
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
Shift Left Security
BATbern
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
Mohamed Nizzad
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
Tonex
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
Ad

Similar to DevSecOps : an Introduction (20)

PPTX
DevSecOps Best Practices-Safeguarding Your Digital Landscape
stevecooper930744
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
your techdigest
 
PPTX
DevSecOps Powerpoint Presentation for Students
poonawala2303
 
PDF
Scale security for a dollar or less
Mohammed A. Imran
 
PDF
From DevOps to DevSecOps: Evolution of Secure Software Development
ScalaCode
 
PPTX
The DevSecOps Advantage: A Comprehensive Guide
Dev Software
 
PDF
Complete DevSecOps handbook_ Key differences, tools, benefits & best practice...
mohitd6
 
PPTX
Devsec ops
VipinYadav257
 
PDF
How To Implement DevSecOps In Your Existing DevOps Workflow
Enov8
 
PDF
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24
 
PPTX
Secure DevOps - Evolution or Revolution?
Security Innovation
 
PPTX
Secure DevOPS Implementation Guidance
Tej Luthra
 
PPTX
What is devsecops and what is the characteristics of it
amalsalah25
 
PDF
AppSec How-To: Achieving Security in DevOps
Checkmarx
 
PDF
Understanding DevSecOps.pdf
Ciente
 
PDF
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
PPTX
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
PPTX
DevSecOps OWASP
Priyanka Raghavan
 
PDF
Why Security Engineer Need Shift-Left to DevSecOps?
Najib Radzuan
 
PPTX
DevSecOps: Integrating Security Into DevOps! {Business Security}
Algoworks Inc
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
stevecooper930744
 
The Rise of DevSecOps in CI_CD Workflows.pdf
your techdigest
 
DevSecOps Powerpoint Presentation for Students
poonawala2303
 
Scale security for a dollar or less
Mohammed A. Imran
 
From DevOps to DevSecOps: Evolution of Secure Software Development
ScalaCode
 
The DevSecOps Advantage: A Comprehensive Guide
Dev Software
 
Complete DevSecOps handbook_ Key differences, tools, benefits & best practice...
mohitd6
 
Devsec ops
VipinYadav257
 
How To Implement DevSecOps In Your Existing DevOps Workflow
Enov8
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24
 
Secure DevOps - Evolution or Revolution?
Security Innovation
 
Secure DevOPS Implementation Guidance
Tej Luthra
 
What is devsecops and what is the characteristics of it
amalsalah25
 
AppSec How-To: Achieving Security in DevOps
Checkmarx
 
Understanding DevSecOps.pdf
Ciente
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
DevSecOps OWASP
Priyanka Raghavan
 
Why Security Engineer Need Shift-Left to DevSecOps?
Najib Radzuan
 
DevSecOps: Integrating Security Into DevOps! {Business Security}
Algoworks Inc
 
Ad

Recently uploaded (20)

PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
August Patch Tuesday
Ivanti
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
August Patch Tuesday
Ivanti
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 

DevSecOps : an Introduction

  • 3. z The Facts • 159,700 total cyber incidents • 7 billion records exposed in first 3 Qtr • $5 billion financial impact • 93% of breaches could have been prevented *Online Trust Alliance report 2018
  • 4. z How we manage software security? Source: “Managing Application Security”, Security Compass, 2017.
  • 5. z Challenges of Secure Software Development  Legacy Software  Writing Secure code is hard  Lack of security skills  Emphasis on speed  Lack of risk focus, audits and controls points  Unsupervised collaboration  Wrong automated tools  Best practices are insufficient!  Vulnerabilities in development pipeline
  • 6. z So we do last minute security..
  • 7. z Lets define DevSecOps  Do we need Security? Obviously! → DevSecOps  Do we need order in configuration? Sure! → DevSecConfOps  And do we need to automate? Ideally yes. → DevSecConfAutoOps  Resilient? This is so important! → DevSecConfAutoResOps  Backups! We forgot about backups! → DevSecConfAutoResBackOps  Monitoring :-) → DevSecConfAutoResBackMonOp  Should I stop here? No → DevSecConfAutoResBackMonNoOp  Pigeons ate my breakfast while I was entertaining you → DevSecConfAutoResBackMonNoPigeonsAteMyBreakfastWhileIwasEntertaining YouOps
  • 8. z Security becomes paramount in the new world of connected devices and must be addressed without breaking the rapid delivery, continuous feedback model!
  • 9. z The Guiding Principles  Security is everybody’s business!  Start with the 3 Ps:  People  Process  Platform  Establish a process to enable people to succeed in using platform to develop secure applications  Build on existing people, process and tools
  • 10. z The Guiding Principles Adopt Secure-by-Design rather than Secure-by-Test approach Enable development teams to create secure applications Automate as much as possible Reuse existing technology as much as possible Heavy collaboration between all stakeholders
  • 11. z People  Invest in training on security skills!  Make learning a fun exercise!  Collaborate heavily (Dev Sec Ops)  Secure Design Decisions  Secure Environment Configuration  Secure Deployment planning  Secure code review
  • 12. z Platforms  Automate environment creation and provisioning  Maintain parity between environments: dev, QA and production  Automated infrastructure testing  Be Open-Source aware!
  • 13. z Process  Build on existing risk assessment processes / policies  Check the awareness of security policies in dev & ops teams  Create new processes only to improve existing ones Change is a journey.. Not a sprint !!
  • 14. z How to bring-in Operations Monitor Key KPIs No. of applications threat modelled / scanned for vulnerabilities No. of applications reviewed by Architects No. of security requirements implemented % of open source libraries analysed Total number of critical and high vulnerabilities Number of penetration test vulnerabilities detected …. Monitor, Feedback, Remediate and Improve
  • 15. z DevSecOps In Action Source Control Code Review Build Code Quality Deploy Testing A/B TestDesign Secure Coding Cloud-based hosting and access to application services through Cloud Platform Release Code Analysis (SonarQube, Coverity and Black Duck) Threat Modeling (Microsoft Threat Modeller, Secure Tree) Secure Coding Practices (Source Code Warrior, in- house trainings) Static Application Security Scanning (Fortify, Veracode, Coverity) Dynamic App Security Scanner (Fortify, IBM AppScan, Chekmarx, Veracode) DevSecOps Enabling tools Integrated Development Environment (Eclipse, X-code) Source Code Repository (Git / Gerrit) Continuous Integration (Jenkins) Deploy (Chef, Docker, Kubernetes) Test (Selenium, Grid, Cucumber) DevOps Enabling tools
  • 16. z Reference Services for DevSecOps  Governance  Maturity Assessment  Process Engineering  Secure-By-Design  Security Training Curriculum  Threat Modeling  Code scanning Tool Integration  SAST, DAST, OSCA  Penetration Testing  DevSecOps Operationalization  Monitoring and Operations  SEIM Integration  Infrastructure Security
  • 17. z Summary  DevSecOps is cultural change encompassing people, processes and technologies.  There is no “one-size fits-all“ scenario.  New technologies and ubiquitous access across devices / platforms makes application security the central focal point in software development. DevSecOps is the new mantra in S/W Dev Methodology
  • 18. z For more information  SEI –Carnegie Mellon University  DevOps Blog: https://insights.sei.cmu.edu/devops  Webinar : https://www.sei.cmu.edu/publications/webinars/index.cfm  Podcast : https://www.sei.cmu.edu/publications/podcasts/index.cfm  DevSecOps: http://www.devsecops.org  Rugged Software: https://www.ruggedsoftware.org

Editor's Notes

  • #8: Placing Sec between Dev and Ops is the ideal way to show that one doesn't understand anything about sorting apples and oranges.
  • #17: DevSecOps Operationalization Monitoring and Operations SEIM Integration Infrastructure Security