DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
Download as PPTX, PDF0 likes269 views
The document presents a guide on securing DevOps processes using DevSecOps principles, emphasizing the integration of security through various automated tools and practices. It outlines the importance of DevSecOps in the fast-paced delivery of software and the need for security to be integrated as a default. The guide also introduces a maturity model (DSOMM) to help teams progressively implement security measures in their DevOps pipelines.
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
- 1. PAGE 1 DEVOPS INDONESIA DevOps Community in Indonesia Jakarta, 17 Maret 2021 How to Secure Process in DevOps with OpenSource (DevSecOps Beginners Guide) Andre Kurniawan & Alan Adi Prasetyo
- 2. PAGE 2 DEVOPS INDONESIA Page 2 About me Nama : Andre Kurniawan General Manager – i3 Experience in Cloud, DevOps,and Security with over 12 years Implement more than 50 Project Open Source with high complexity Contribute Asian Games 2018 1. Red Hat Certified Architect ( RHCA) 2. Red Hat Certified Instructor and Examiner (RHCI and RHCX ) 3. DevSecOps Certified Professional 4. Microsoft Certified Professional ( Azure ) 5. MikroTik Trainer ( MCT ) 6. IBM Storwize Family Technical Solutions V4 7. Scrum Fundamental Certified ( SFC ) General Manager – i3 www.i-3.co.id
- 3. PAGE 3 DEVOPS INDONESIA Page 3 About me Nama : Alan Adi Prasetyo Team Leader RnD – i3 Linux Geek, Kubernetes and Openshift Enthusiast - RHCA - COA - DevOps - Researcher 1. Red Hat Certified Architect ( RHCA) 2. Red Hat Certified Instructor (RHCI) 3. DevOps Foundation Certified 4. Alibaba Cloud Associate ( ACA ) 5. Certified Openstack Administrator (COA) 6. Scrum Fundamental Certified ( SFC ) Team Leader RnD – i3 www.i-3.co.id
- 4. PAGE 4 DEVOPS INDONESIA What is DevSecOps? Effort to strive for “Secure by Default” ● Integrate Security via tools ● Create Security as Code culture ● Implement automatic process security
- 5. PAGE 5 DEVOPS INDONESIA How important is it really? • Agile took us from months to days to deliver software • DevOps took us from months to minutes to deploy software • More applications are mission critical • Now security has become the bottleneck
- 6. PAGE 6 DEVOPS INDONESIA How important is it really? The Real impact of hacks & breaches
- 7. PAGE 7 DEVOPS INDONESIA The Evolution of Security Tools
- 8. PAGE 8 DEVOPS INDONESIA Generic Case Study
- 9. PAGE 9 DEVOPS INDONESIA DevSecOps DEVSECOPS is not Pentesters You build it, you run it You build it, you secure it
- 11. PAGE 11 DEVOPS INDONESIA Phase about DevSecOps • Secret Scanning • Software Composition Analysis (SCA) • Static Analysis Security Testing (SAST) • Dynamic Analysis Security Testing (DAST) • Security in Infrastructure as Code • RunTime Application Self-Protection (RASP) • Vulnerability Management (VA) • Alert and Monitoring in Security For Starter in DevSecOps
- 12. PAGE 12 DEVOPS INDONESIA Secret Scanning • Sensitive information such as the access keys, access tokens, SSH keys etc • Work on pure Regex-based approach for filtering sensitive data Tools : 1. detect-secrets 2. Truffle Hog
- 13. PAGE 13 DEVOPS INDONESIA Software Composition Analysis • Software Composition Analysis (SCA) is an application security methodology for managing open source components. • Discover all related components, their supporting libraries, and their direct and indirect dependencies Tools : 1. Snyk ( All ) 2. find-sec-bugs ( Java ) 3. retireJS ( Javascript / NodeJS ) 4. bundler-audit ( Ruby ) 5. Bandit , safety( Python )
- 14. PAGE 14 DEVOPS INDONESIA Software Composition Analysis Tools : Snyk Tools : Depedency-Check
- 15. PAGE 15 DEVOPS INDONESIA Static Analysis Security Testing • White-box security testing using automated tools • Useful for weeding out low-hanging fruits like SQL Injection, Cross-Site Scripting, insecure libraries etc • Needs manual oversight for managing false- positives Tools : Sonarqube
- 16. PAGE 16 DEVOPS INDONESIA Static Analysis Security Testing “ Secure your code “
- 17. PAGE 17 DEVOPS INDONESIA Dynamic Analysis Security Testing • Black/Grey-box security testing using automated tools • DAST will help in picking out deployment specific issues • Results from DAST and SAST can be compared to weed out false-positives Tools : nmap, nikto, sqlmap, metasploit, Nessus, zap, w3af, wapiti, sslyze, dirb, hydra, burpsuite, etc “ We can use tools pentest but must support cmd and export file “
- 18. PAGE 18 DEVOPS INDONESIA Dynamic Analysis Security Testing
- 19. PAGE 19 DEVOPS INDONESIA Security in Infrastructure Code • Infrastructure as a code allows you to document and version control the infra • It also allows you to perform audit on the infrastructure • Environment is as secure as the base image container • Hardening your server with automation (Compliance as Code) Tools : Infrastructure Code Image Scanning Hardening ansible inspec clair anchore dockscan openscap
- 20. PAGE 20 DEVOPS INDONESIA Security in Infrastructure Code
- 21. PAGE 21 DEVOPS INDONESIA Vulnerability Management • A central dashboard is required to normalize the data • Vulnerability Management System can then be integrated to bug tracking systems Tools : 1. defect dojo 2. archery
- 24. PAGE 24 DEVOPS INDONESIA Alert and Monitoring Security Monitoring is needed for two end goals • Understand if our security controls are effective • What and where we need to improve Tools : 1. grafana 2. elk 3. WAF 4. Dynatrace 5. Aqua Security 6. Imperva “Detect, Mitigation ,and Maintain Continuous Security”
- 25. PAGE 25 DEVOPS INDONESIA Alert and Monitoring Security https://github.com/defenxor/dsiem
- 27. PAGE 27 DEVOPS INDONESIA Inject Security in Process DevOps
- 30. PAGE 30 DEVOPS INDONESIA How we start to DevSecOps Choose with DevSecOps Maturity Model (DSOMM)
- 31. PAGE 31 DEVOPS INDONESIA How we start to DevSecOps Choose with DevSecOps Maturity Model (DSOMM)
- 32. PAGE 32 DEVOPS INDONESIA DSOMM Model • Static Depth: How deep is static code analysis ? • Dynamic Depth: How deep are dynamic scans executed ? • Intensity: How intense are the majority of the executed attacks ? • Consolidation: How complete is the process of handling findings ? https://dsomm.timo-pagel.de/
- 33. PAGE 33 DEVOPS INDONESIA DSOMM Model Try to Implement Maturity 1 and 2
- 34. PAGE 34 DEVOPS INDONESIA Level 1 • Never fail a build. There are false positives. Ensure tools are fit for the pipeline • Ensure team training through champions programs and partnership. • Start small, rollout SCA, then token scanning then … • Your process should provide immediate feedback • Consolidating - Super helpful but not yet a necessity
- 35. PAGE 35 DEVOPS INDONESIA Level 2 1. Now that some scans are being run in pipeline, incrementally improve 2. Include minor tweaks to static scans 3. Minor tweaks to DAST - Target worrisome areas 4. Run your scans more often 5. Store the results somewhere central for your review. 6. Meet regularly with and support your champions
- 36. 36 Strategy implement DEVSECOPS A leading open source influencer to create a flexible and agile IT environment in Indonesia.
- 37. PAGE 37 DEVOPS INDONESIA Strategy DevSecOps 1. Implement DevSecOps Maturity Level 1 and 2 2. Use DevSecOps Security Controls Design 3. Start from small. (SCA, SAST, DAST, and Vulnerability Management) 4. Ensure team training through champions programs
- 38. Inject Security in Process DevOps
- 39. PAGE 39 DEVOPS INDONESIA Demonstration Demo Flow DevSecOps