Introduction to DevSecOps OWASP Ahmedabad
Download as PPTX, PDF0 likes129 views
The document provides an overview of DevSecOps, emphasizing the integration of development, operations, and security throughout the software development life cycle. It highlights the benefits of automation, continuous integration, and the need for security awareness among development teams to address challenges faced in agile development. Best practices are presented for incorporating security into the CI/CD pipeline to enhance software quality and prevent critical vulnerabilities.
Introduction to DevSecOps OWASP Ahmedabad
- 2. Introduction to DevSecOps Kunwar Atul (@kunwaratulhax0r)
- 3. root@whoami • Kunwar Atul • Yet another Appsec and DevSecOps Guy • Break – Fix – Repeat • Part time Bug Hunter • Synack Red Team Member • OWASP MASVS Hindi Contributor (Ongoing Project) • DevSecOps University Contributor • I Love Knowing What’s Going On (emerging vulns, tools, PoC), CTFs, Offensive Security Work, Cricket, and no compromise with food and coffee. • Social media- kunwaratulhax0r
- 4. What is DevOps • DevOps is a software development method that highlights collaboration and open communication between teams basically it reduce the gap between teams.
- 5. What is DevOps • DevOps is all about Process. • DevOps is about Connections. • DevOps is about Tools. • DevOps is about Automating Everything. • Continuous Software Delivery.
- 6. DevOps Goals • Automated Provisioning • No Downtime Deployments • Monitoring • Automated Builds and Testing
- 7. What Happens in DevOps Automate everything using tools Continuous Development Continuous Integration Continuous Testing Continuous Deployment Continuous Monitoring
- 8. Finally • Great Customer Satisfaction • Increased Productivity
- 9. Planning Phase • In the planning phase all the details related to current build will be logged in the JIRA and Yutrack.
- 10. Development Phase • For Source Code Management we have GIT and SVN. These tools will help us in maintaining the code.
- 11. Build Phase • They help you package your code into executable files which can then be produced into the testing environment.
- 12. Testing Phase • For continuous testing we will use Robotic Process Automation and some other reusability code.
- 13. Release Phase • For the release phase, automate tools like bamboo are used in the releasing a build.
- 14. Deployment Phase • After the code is tested and ready it will be deployed into production or the non-developer machine at this stage.
- 15. Operation Phase • In the operation phase everything will be monitored by using Security Incident and Event Management (SIEM Tools) for security alerts and misbehavior of application.
- 16. Monitor Phase • In the monitoring phase, continuous feedbacks will be taken from customers and will be monitoring them.
- 18. Challenges Without DevSecOps • With the fast pace of development in the Agile world, there is a lack of focus on security during the development process. • The quality of the solution is often compromised from a security standpoint while focusing on feature deliverables during the Agile development lifecycle. • Further, it costs the organization's reputation when critical vulnerabilities are found in shipped solution(s). • Customer sensitive data is compromised due to lack of security testing focus. • A lot of manual effort in order to perform security testing can lead to a delay in uncovering critical vulnerabilities and, further, may result in either delaying the deliverables or shipping them with unknown vulnerabilities.
- 19. What is DevSecOps Development SecurityOperations DevSecOps is a software development concept or mindset that aims at unifying development, operations, and security as a single process in SDLC.
- 20. What is DevSecOps • Security of the CI/CD Pipeline • Automated IAM roles, Jenkins server hardening, etc. • Security in the CI/CD Pipeline • Automated security tests, code analysis etc. • Security Automation • Automated Incident Response Remediation, forensics etc.
- 22. • DevOps = Efficiencies that speed up this lifecycle. • DevSecOps = Validate building blocks without slowing lifecycle.
- 23. DevSecOps: How Important is it? • Agile took us from months to days to deliver software. • DevOps took us from months to minutes to deploy software. • More applications are mission critical. • Now security has become the bottleneck.
- 24. DevSecOps makes everyone responsible for Security, because Security is not one-person job.
- 25. People: What type of Skills are Required? 9 2.5 2.5 2.5 2.5 9 2.5 9 2.5 0 2 4 6 8 10 12 14 16 Developer Sysadmin Security Engineer Skills Chart Dev Sec Ops
- 27. The Main Course • Vulnerability Scans and Assessments • Threat Modelling • Secure Code Reviews (Static Code Analysis) • Penetration Testing Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
- 28. The Gravy • Educating developers on Secure Coding • Practices with workshops, talk, lessons • Secure Coding Standards • Responsible Disclosures • Secure Code Library and other reference materials, creating custom tools Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
- 29. The Dessert • Bug Bounty Programs • CTF’s • Red Team Exercises Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
- 32. Best Practices for DevSecOps • Train development teams to develop secure code. • Track security issues the same as software issues. • If infrastructure is now code, then security should be code. • Integrate security controls in the software pipeline. • Automate security test in the build process. • Detect known vulnerabilities during the pipeline. • Monitor security in the production for known states • Inject failure to ensure security is hardend.
- 34. Q/A
- 35. Thank You Reach me: @kunwaratulhax0r