Security Process in DevSecOps

Security Process
in
Jirayut Nimsaeng (Dear)
CEO & Founder, Opsta (Thailand) Co.,Ltd.
TechTalkThai Conference: Enterprise Cybersecurity 2021
October 5, 2021 https://bit.ly/opsta-ttt-sec-in-devops

Security Process in DevSecOps
#whoami
Jirayut Nimsaeng (Dear)
Jirayut has been involved in DevSecOps, Container, Cloud
Technology and Open Source for over 10 years. He has experienced
and succeeded in transforming several companies to deliver greater
values and be more agile.
● He is Founder and CEO of Opsta (Thailand) Co.,Ltd.
● He is Cloud/DevSecOps Transformation Consultant and
Solution Architecture
● He is the first Certified Kubernetes Security Specialist
(CKS) and Certified Kubernetes Administrator (CKA) in
Thailand

Agenda
● Automation Security
● Precommit Stage
● Acceptance Stage
● Production Stage
● Wrap Up

Security
Process in
Automation Security

DevOps Flow
Infrastructure
Support
Tools
VCS
Artifacts
CI CD
Dev
Test
Prod
Monitoring
Load Testing
Automation &
Infrastructure as Code
Developer
Operation
& SRE
Communication
Security
Security

DevSecOps Flow
Infrastructure
Support
Tools
VCS
Artifacts
CI CD
Dev
Test
Prod
Monitoring
Load Testing
Automation &
Developer
Operation
& SRE
Security
Communication
Security Shift Left with Automation

Automation Security
Infrastructure
Support
Tools
VCS
Artifacts
CI CD
Dev
Test
Prod
Monitoring
Load Testing
Automation &
Developer
Operation
& SRE
Security
Automation Security
Communication

Security Automation in every steps
Secure Coding
SAST
SCA
Vulnerability Assessment
Penetration Testing
IAST
Compliance
Validation
Threat
Intelligence
Secret Manager
DAST
Binary Analysis
Threat
Modelling
SOC
SOAR

Automation Security Tools
Code Build Secret
Test Release Runtime Monitor
Multi-purpose Commercial

Security Stages on DevOps Flow
Code Build Secret
Test Release Runtime Monitor
Precommit Stage Acceptance Stage Production Stage

Security
Process in
Automation Security:
Precommit Stage

Secure Coding
Secure coding is the practice of writing software that's protected
from vulnerabilities. Some examples below refer from OWASP Secure
Coding Practices
● Input Validation
● Authentication and Password Management
● Session Management
● Access Control
● Cryptographic Practices
● Error Handling and Logging
● Communication Security
● and much more...

SAST (Static Application Security Testing)
SAST is a testing methodology that analyzes source code to ﬁnd
security vulnerabilities. SAST scans an application before the code is
compiled. It’s also known as white box testing.

SAST (Static Application Security Testing)

SCA (Software Composition Analysis)
SCA scans source code to inventory all open-source components to
eliminate vulnerabilities those listed in the National Vulnerability Database
(NVD) and compatibility issues with open-source licenses.

SCA (Software Composition Analysis)

Security
Process in
Acceptance Stage

Software Security Testing (1)
Software security testing is the process of assessing and testing a system to
discover security risks and vulnerabilities of the system and its data.
● Penetration Testing - The system undergoes analysis and attack from
simulated malicious attackers.
● Fuzz Testing - is a brute-force reliability testing technique wherein you
create and inject random data into a ﬁle or API in order to intentionally
cause errors and then see what happens

Software Security Testing (2)
● Vulnerability Assessment - The system is scanned and analyzed for
security issues.
● DAST (Dynamic Application Security Testing) tools automate security
tests for a variety of real-world threats. DAST is a black-box testing method
to identify vulnerabilities in their applications from an external
perspective to better simulate threats most easily accessed by hackers
outside their organization

VA Scan and DAST

IAST (Interactive Application Security Testing)
IAST instruments applications by deploying agents and sensors in
running applications and continuously analyzing all application
interactions initiated by manual tests, automated tests, or a combination of
both to identify vulnerabilities in real time

IAST (Interactive Application Security Testing)

Infrastructure as Code (IaC) Security
IaC Security test and monitor your infrastructure as code such as
Ansible, Terraform modules and Kubernetes YAML, JSON, and Helm charts
to detect conﬁguration issues that could open your deployments to attack
and malicious behavior.

Kubernetes Security
● Kubernetes Certiﬁcates
● Secret
● Network Policy
● Namespace
● Quota
● TLS Ingress Endpoint
● Secure Node Metadata
● CIS Benchmark
● Verify Platform Binary
● Harden Docker Image
● Image Policy Webhook
● Immutability
● RBAC
● Secure Service Account
● Secure API Endpoint
● Admission Controller
● Node Restriction
● Runtime Sandbox
● Non-Root Container
● Security Context
● Pod Security Policy
● Open Policy Agent
● Auditing

Container Image Security
Container security software is used to secure multiple components
of containerized applications or ﬁles, along with their infrastructure and
connected networks. Testing capabilities will assist in developing security
policies, discover zero-day vulnerabilities, and simulate attacks from
common threat sources.

Container Image Security

Signed Container Image

Secrets Management
Secrets management refers to the tools and methods for managing
digital authentication credentials (secrets), including passwords, keys, APIs,
and tokens for use in applications, services, privileged accounts and other
sensitive parts of the IT ecosystem.

Privileged Access Management (PAM)
PAM software allows companies to secure their privileged credentials
in a centralized, secure vault (a password safe). Additionally, these
solutions control who has access to, and therefore who can use, the
privileged credentials based on access policies (including user permissions
and speciﬁc timeframes), often recording or logging user activity while
using the credentials.

Privileged Access Management (PAM)

Security
Process in
Production Stage

Automation Security Baseline
Automation Security Baseline build standard hardening steps into
your recipes instead of using scripts or manual checklists. This includes
minimizing the attack surface by removing all packages that aren’t needed
and that have known problems; and changing default conﬁgurations to be
safe.

Automation Security Baseline Tools

Cloud Security Automation
● Monitoring - it is necessary that you monitor the workflow of all the
tasks in your infrastructure.
● Evaluation - give you insights into which tasks can be automated like
repetitive tasks, resource provisioning, deployments, creating security
rules, etc.
● In-depth analysis - analyze the collected information in depth by
differentiating it on the basis of severity as high, medium or low risk.
● Reporting - The automation processes should be configured to
generate the reports to present the overview of the changes before or
after.
● Remediations - implement remediation and improve overall security
posture.

RASP (Run-time Application Security Protection)
RASP works inside the application. It’s plugged into an application or
its runtime environment and can control application execution. RASP lets
an app run continuous security checks on itself and respond to live
attacks by terminating an attacker’s session and alerting defenders to the
attack.

WAF (Web Application Firewall)
WAF or Web Application Firewall helps protect web applications by
filtering and monitoring HTTP traffic between a web application and the
Internet. It typically protects web applications from attacks such as
cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection,
among others. A WAF is a protocol layer 7 defense (in the OSI model)

Security monitoring, sometimes referred to as "security information
monitoring (SIM)" or "security event monitoring (SEM)," involves
collecting and analysing information to detect suspicious behavior or
unauthorised system changes on your network, deﬁning which types of
behavior should trigger alerts, and taking action on alerts as needed.
Security Monitoring

Security
Process in
Wrap Up

Automation Security
Agile
Focus
DevOps
Focus on Automation
Security in every steps
with Automation
Code Build Integrate Test Release Conﬁgure Monitor
Plan Deploy

More questions?
jirayut@opsta.co.th
Jirayut Nimsaeng
CEO & Founder
Opsta (Thailand)
086-069-4042
Facebook

Security Process in DevSecOps

More Related Content

What's hot (20)

Similar to Security Process in DevSecOps (20)

More from Opsta (20)

Recently uploaded (20)

Security Process in DevSecOps