Benefits of DevSecOps
Download as PPTX, PDF1 like1,030 views
The document outlines the benefits of integrating security into DevOps, termed DevSecOps, highlighting essential shifts, such as early security involvement and enhanced collaboration among development teams. Key advantages include rapid feedback on security, reduced vulnerabilities, and improved operational efficiency, while also addressing constraints such as skill shortages and the need for new tools. The emphasis is on creating a security-centric culture through automation, agile methodologies, and proactive risk management.
Benefits of DevSecOps
- 1. Demonstrating Benefits of DevSecOps for Secure Code and Operations Finto Thomas Event : 8th Dec 2020 - GISEC 2020 - Dubai
- 2. Finto Thomas Cybersecurity Architect and Strategist • 15 Years in IT and Information Security domains across multiple industries • Presently at Alef Education and Leading Information Security function • Previously worked at IBM and Wipro, across multiple geo locations • Key Certifications: CISSP, SABSA, TOGAF, CISM, SANS-GSTRT Connect with me @FintoNT LinkedIn Disclaimer : The views expressed in these slides are my own. They do not represent the position of my current and past employers @FintoNT 2#GISEC 2020
- 3. Topics Covered • Embedding Security into DevOps • Benefits and Constraints • Key Takeaways #GISEC 2020 @FintoNT 3
- 4. Before we get in to DevSecOps – Let us see how DevOps works #GISEC 2020 @FintoNT 4 Developer Source Code Repository Build CI/CD Server QA Staging Production & Monitor ✗ Instant Feedback
- 5. DevOps + Security = DevSecOps #GISEC 2020 @FintoNT 5 ✓ Start End Build ✓ Artifactory Deploy ✓ Staging Setup ✓ Staging Deploy ✓ Production Deploy ✓ UAT ✓ Start End Build ✓ Artifactory Deploy ✓ Staging Setup ✓ Staging Deploy Production Deploy ✓ UAT ✓ SCA ✓ SAST ✓ DAST ✓ Infrastructure Vul Scan ✓ Production Setup ✓ Production Setup ✓ Compliance Check ✓ Production Approval ✓ Production Approval ✓✗ Instant Feedback SCA – 600 Alerts SAST – 1000 Alerts (false positive included) DAST – 5 Alerts DevOps DevSecOps
- 6. DevOps Pipeline #GISEC 2020 @FintoNT 6 Plan Code Build Test Release Deploy Operate Monitor Design Sprint define Use Case Prioritization Stakeholders Code Development Source Code Management Review & Merging Continues Integration Build Status Packaging Artifact Repository Pre deployment Staging Provisioning Infrastructure Orchestration Configuration Management Performance Monitoring Application Monitoring Alerting Continues Test Feedback UAT
- 7. DevSecOps Phases mapped to type of security tools #GISEC 2020 @FintoNT 7 Plan Code Build Test Release Deploy Operate Monitor IDE Plugin Pre Commit hooks Secrets Management SAST SCA Feedback on business Risk DevSecOps - CI CD Pipeline Threat Modeling Security Use Case Prioritization Regulations Policies Container Security System Hardening DAST Compliance Web Application Firewall Vulnerability Management PAM
- 8. Security function benefits from DevSecOps #GISEC 2020 @FintoNT 8 Rapid Business value delivery Rapid user feedback Scalable and Auto SizingFast to Market, Market Edge 1. Shift Left – Security is baked-in in early stages 2. Products have inbuilt security controls – Robust , Secure products to market 3. Less vulnerable product – Build test will fail automatically while developer “commit” (save) the code 4. Security is everyone's responsibility – Better collaboration among the whole app development chain 5. High Returns on security Investment – Early detection and remediation save effort and time
- 9. Developers benefits from DevSecOps #GISEC 2020 @FintoNT 9 Rapid Business value delivery Rapid user feedback Scalable and Auto SizingFast to Market, Market Edge 1. Instant feedback - Developers getting faster feed back on security tests and use cases (~5 mints) 2. No more surprises from Security reports – Security is a part of pipeline and transparent to all 3. Better Security awareness and collaboration – One Team + One agenda + One delivery
- 10. Operational benefits from DevSecOps #GISEC 2020 @FintoNT 10 Rapid Business value delivery Rapid user feedback Scalable and Auto SizingFast to Market, Market Edge 1. Early detection and prevention systems – Security threats and Incidents can be identified early stages of pipeline 2. Easy to fix production issues– Isolate it with out production impact 3. Expectations are more clear and simple – Compliance , Hardening etc are established in early stages as “user stories” 4. Automation reduces Ops team effort from security maintenance – repeatable remediation steps can be automated
- 11. Key constraints #GISEC 2020 @FintoNT 11 1. Asset/Service Inventory, tracking and billing – Orphan and testing containers and systems 2. Identity and Access Management - Hardcoded and decentralized credentials 3. High Cost of Enterprise Tools & limitations – Language specific , Cloud licensing need attention 4. Skill shortage on DevSecOps – Market adoption still in early stages 5. Adoption of new mindset and tools – Definition of perimeter changes and it is no more traditional
- 12. DevSecOps = #GISEC 2020 @FintoNT 12 New Culture + New Skills + Automation People ProcessTools Scalable Culture Innovation Skills Speed Automation Success DevSecOps
- 13. Methodologies and Culture #GISEC 2020 @FintoNT 13 1. Embrace Developers with right tools and advises, find Security tools that Developers will actually use 2. Security needs to adopt Agile – Sprint models and process that’s fit for new environments. Automation is key. 3. Identify and eliminate the Risk early as possible in the workflow with relevant prioritizations and trade-offs
- 14. Peoples and Skills #GISEC 2020 @FintoNT 14 Zero Trust 3. Collaborate on Problem solving, avoid blame game 1. Build Personal Trust and break silos 2. Encourage Security mindsets and Security champions with relevant trainings and incentive programs
- 15. Tools and Technologies #GISEC 2020 @FintoNT 15 3. Traditional Security tools often do not work with new environment 2. Traditional Security solutions are logically valuable, but need to adopt with new environment 1. Adopt new programable tools, which Developers really use, Security team role is advisory and enablers
- 16. Maturity Assessment #GISEC 2020 @FintoNT 16 https://www.slideshare.net/derweeksglobal/abn-amro-devsecops-journey 1. OWASP 2. ABN AMRO Model (level 5) https://owasp.org/www-project-devsecops-maturity-model/
- 17. Key Takeaways Technology and Tools Process and Methodologies People and Skills #GISEC 2020 @FintoNT 17 DevSecOps = New Culture + New Skills + Automation Bake in Security into DevOps flow, do not try to bolt security later Security control must be programable and automated wherever possible Keep an eye on simpler and better programable options Use tools and methods that developer team actually use Adopt Agile and lean methods Involve security as early as possible in the workflow and best to do at design & planning phase Fix by priorities, do not attempt to fix it all DevSecOps feedback process must be smooth and governed Metric and KPI needs to relevant and easy to generate Build personal relations and trust Break silos; do not isolate Identify and nurture “security champions” in each team Focus on problem and solution; Do not blame the person or team Conduct short and repeatable training sessions and training videos
- 18. External Documents referred • https://www.blackhat.com/docs/us-17/thursday/us-17-Lackey-Practical%20Tips-for-Defending-Web-Applications-in-the-Age- of-DevOps.pdf • https://dzone.com/articles/effective-devsecops • https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Shrivastava-DevSecOps.pdf • https://www.sonatype.com/hubfs/2018%20State%20of%20the%20Software%20Supply%20Chain%20Report.pdf • https://www.veracode.com/state-of-software-security-report#snap__subnav_51096 • https://docs.aws.amazon.com/whitepapers/latest/introduction-devops-aws/two-pizza-teams.html • https://www.infoq.com/presentations/devsecops-2019/ • https://owasp.org/www-project-devsecops-maturity-model/ #GISEC 2020 @FintoNT 18
- 19. #GISEC 2020 @FintoNT 19