SlideShare a Scribd company logo

DevOps

Download as PPTX, PDF
Jeremiah Tillman, profile picture
Jeremiah Tillman

The document discusses DevSecOps, which combines DevOps and network security. It outlines the stages of a DevSecOps pipeline including continuous integration, delivery, and deployment. It presents a DevSecOps manifesto advocating for open collaboration, security as a service, exploit testing, and compliance as operations. The document also provides examples of integrating security practices at different stages of the software development lifecycle and approaches for legacy versus new applications.

Technology
Related topics:
Network Security โ€ข Information Security
1 of 8
Download to read offline
1
2
3
4
5
6
7
8
DevOps + Network Security = DevSecOps By Jeremiah Tillman
A Well Rounded DevOps Team QA Testing Operatio Develop
Continuous Integration (CI) ๏‚šMerging the development branches together (master branch) ๏‚šMust successfully pass a series of tests
Continuous Delivery (CD) ๏‚šDeploying small changes more often ๏‚šAutomated delivery of updates
Deployment Pipeline Stages Build & Automate CI Test Automation Deploy Automation Components Visibility Feedback Continuously Deploy
DevSecOps Manifesto ๏‚š Leaning in over Always Saying โ€œNoโ€ ๏‚š Data & Security Science over Fear, Uncertainty and Doubt ๏‚š Open Contribution & Collaboration over Security-Only Requirements ๏‚š Consumable Security Services with APIs over Mandated Security Controls & Paperwork ๏‚š Business Driven Security Scores over Rubber Stamp Security ๏‚š Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities ๏‚š 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident ๏‚š Shared Threat Intelligence over Keeping Info to Ourselves ๏‚š Compliance Operations over Clipboards & Checklists
DevSecOps Integration ๏‚š 1. Prior to code being committed ๏‚š SAST that be run locally or integrated into an IDE ๏‚š 2. During CI ๏‚š Security checks can be issued via the jobs server ๏‚š Unit testing, abuse cases, SAST, and software component analysis (supply chain hygiene) ๏‚š 3. After a successful build ๏‚š Automatically and securely configure and provision servers ๏‚š Configuration management, DAST, security smoke tests ๏‚š 4. Post deployment ๏‚š Automated runtime asserts and compliance checks ๏‚š Automated correction ๏‚š Production monitoring/feedback
Greenfield vs. Legacy ๏‚š Greenfield Environment /Applications ๏‚š Do it right from the start! ๏‚š Legacy Applications ๏‚š Start with vulnerability & risk assessment ๏‚š Apply patches to remediate all vulnerabilities that donโ€™t require major design changes ๏‚š Integrate automated security testing in future releases when possible ๏‚š Rebuilding / Sunsetting ๏‚š Consider breaking out individual components one at a time, where possible, instead of a hard cutover ๏‚š New system should be following secure architecture principles and integrate security throughout the SDLC

More Related Content

PPTX
Chefdevseccon2015
sc0ttruss
ย 
PDF
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Stefan Streichsbier
ย 
PDF
Enterprise Security APIs
Adam Migus
ย 
PDF
A Successful SAST Tool Implementation
Checkmarx
ย 
PDF
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
ย 
PDF
Devops security-An Insight into Secure-SDLC
Suman Sourav
ย 
PDF
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
ย 
PDF
From Gates to Guardrails: Alternate Approaches to Product Security
Jason Chan
ย 
Chefdevseccon2015
sc0ttruss
ย 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Stefan Streichsbier
ย 
Enterprise Security APIs
Adam Migus
ย 
A Successful SAST Tool Implementation
Checkmarx
ย 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
ย 
Devops security-An Insight into Secure-SDLC
Suman Sourav
ย 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
ย 
From Gates to Guardrails: Alternate Approaches to Product Security
Jason Chan
ย 

What's hot (20)

PPTX
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
WhiteSource
ย 
PDF
A Secure DevOps Journey
Veracode
ย 
PDF
Evident io Continuous Compliance - Mar 2017
Sebastian Taphanel CISSP-ISSEP
ย 
PDF
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
WhiteSource
ย 
PDF
Developing a Rugged Dev Ops Approach to Cloud Security (Updated)
Sebastian Taphanel CISSP-ISSEP
ย 
PPTX
Automating Open Source Security: A SANS Review of WhiteSource
WhiteSource
ย 
PPTX
Open Source Libraries - Managing Risk in Cloud
Suman Sourav
ย 
PPTX
DevSecOps outline
Nickleus Jimenez
ย 
PDF
DevSecOps, The Good, Bad, and Ugly
4ndersonLin
ย 
PPTX
Splitting The Check On Compliance and Security
New Relic
ย 
PPTX
Secure Software Development Life Cycle
Maurice Dawson
ย 
PDF
The Challenges of Scaling DevSecOps
WhiteSource
ย 
PDF
Dev week cloud world conf2021
Archana Joshi
ย 
PPTX
Whatโ€™s making way for secure sdlc
Avancercorp
ย 
PPTX
Introduction to DevSecOps
abhimanyubhogwan
ย 
PDF
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
WhiteSource
ย 
PPTX
A journey from dev ops to devsecops
Veritis Group, Inc
ย 
PDF
OSB130 Patch Management Best Practices
Ivanti
ย 
PPTX
Turning security into code by Jeff Williams
DevSecCon
ย 
PDF
PIACERE - DevSecOps Automated
PIACERE
ย 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
WhiteSource
ย 
A Secure DevOps Journey
Veracode
ย 
Evident io Continuous Compliance - Mar 2017
Sebastian Taphanel CISSP-ISSEP
ย 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
WhiteSource
ย 
Developing a Rugged Dev Ops Approach to Cloud Security (Updated)
Sebastian Taphanel CISSP-ISSEP
ย 
Automating Open Source Security: A SANS Review of WhiteSource
WhiteSource
ย 
Open Source Libraries - Managing Risk in Cloud
Suman Sourav
ย 
DevSecOps outline
Nickleus Jimenez
ย 
DevSecOps, The Good, Bad, and Ugly
4ndersonLin
ย 
Splitting The Check On Compliance and Security
New Relic
ย 
Secure Software Development Life Cycle
Maurice Dawson
ย 
The Challenges of Scaling DevSecOps
WhiteSource
ย 
Dev week cloud world conf2021
Archana Joshi
ย 
Whatโ€™s making way for secure sdlc
Avancercorp
ย 
Introduction to DevSecOps
abhimanyubhogwan
ย 
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
WhiteSource
ย 
A journey from dev ops to devsecops
Veritis Group, Inc
ย 
OSB130 Patch Management Best Practices
Ivanti
ย 
Turning security into code by Jeff Williams
DevSecCon
ย 
PIACERE - DevSecOps Automated
PIACERE
ย 
Ad

Similar to DevOps (20)

PDF
DevSecOps as a Service_ Secure Your Software Pipeline Without Slowing It Down...
Devseccops.ai
ย 
PDF
Scale security for a dollar or less
Mohammed A. Imran
ย 
PPTX
The DevSecOps Advantage: A Comprehensive Guide
Dev Software
ย 
ODP
Making security-agile matt-tesauro
Matt Tesauro
ย 
PPTX
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
ย 
PDF
AppSec in an Agile World
David Lindner
ย 
PPTX
Securing the continuous integration
Irene Michlin
ย 
ODP
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
ย 
PDF
The Challenge of Integrating Security Solutions with CI.pdf
Savinder Puri
ย 
PDF
From DevOps to DevSecOps: Evolution of Secure Software Development
ScalaCode
ย 
PPTX
DevSecOps : an Introduction
Prashanth B. P.
ย 
PDF
Strengthen and Scale Security for a dollar or less
Mohammed A. Imran
ย 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
your techdigest
ย 
PPTX
ะ”ะผะธั‚ั€ะพ ะขะตั€ะตั‰ะตะฝะบะพ, "How to secure your application with Secure SDLC"
Sigma Software
ย 
PPTX
DevSecOps: Security and Compliance at the Speed of Continuous Delivery
Dag Rowe
ย 
PDF
DevSecOps Basics with Azure Pipelines
Abdul_Mujeeb
ย 
PDF
Top 20 DevSecOps Interview Questions and Answers
priyanshamadhwal2
ย 
PDF
Top 20 DevSecOps Interview Questions.pdf
infosec train
ย 
PDF
๐“๐จ๐ฉ ๐Ÿ๐ŸŽ ๐ƒ๐ž๐ฏ๐’๐ž๐œ๐Ž๐ฉ๐ฌ ๐ˆ๐ง๐ญ๐ž๐ซ๐ฏ๐ข๐ž๐ฐ ๐๐ฎ๐ž๐ฌ๐ญ๐ข๐จ๐ง๐ฌ
InfosecTrain
ย 
PDF
Are You Ready to Ace Your DevSecOps Interview?
Azpirantz Technologies
ย 
DevSecOps as a Service_ Secure Your Software Pipeline Without Slowing It Down...
Devseccops.ai
ย 
Scale security for a dollar or less
Mohammed A. Imran
ย 
The DevSecOps Advantage: A Comprehensive Guide
Dev Software
ย 
Making security-agile matt-tesauro
Matt Tesauro
ย 
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
ย 
AppSec in an Agile World
David Lindner
ย 
Securing the continuous integration
Irene Michlin
ย 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
ย 
The Challenge of Integrating Security Solutions with CI.pdf
Savinder Puri
ย 
From DevOps to DevSecOps: Evolution of Secure Software Development
ScalaCode
ย 
DevSecOps : an Introduction
Prashanth B. P.
ย 
Strengthen and Scale Security for a dollar or less
Mohammed A. Imran
ย 
The Rise of DevSecOps in CI_CD Workflows.pdf
your techdigest
ย 
ะ”ะผะธั‚ั€ะพ ะขะตั€ะตั‰ะตะฝะบะพ, "How to secure your application with Secure SDLC"
Sigma Software
ย 
DevSecOps: Security and Compliance at the Speed of Continuous Delivery
Dag Rowe
ย 
DevSecOps Basics with Azure Pipelines
Abdul_Mujeeb
ย 
Top 20 DevSecOps Interview Questions and Answers
priyanshamadhwal2
ย 
Top 20 DevSecOps Interview Questions.pdf
infosec train
ย 
๐“๐จ๐ฉ ๐Ÿ๐ŸŽ ๐ƒ๐ž๐ฏ๐’๐ž๐œ๐Ž๐ฉ๐ฌ ๐ˆ๐ง๐ญ๐ž๐ซ๐ฏ๐ข๐ž๐ฐ ๐๐ฎ๐ž๐ฌ๐ญ๐ข๐จ๐ง๐ฌ
InfosecTrain
ย 
Are You Ready to Ace Your DevSecOps Interview?
Azpirantz Technologies
ย 
Ad

Recently uploaded (20)

PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
ย 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
ย 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
ย 
PPT
Teaching material agriculture food technology
LiaRayya
ย 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
ย 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
ย 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
ย 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
ย 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
ย 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
ย 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
ย 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
ย 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
ย 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
ย 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
ย 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
ย 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
ย 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
ย 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
ย 
PDF
Approach and Philosophy of On baking technology
30anthuong17
ย 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
ย 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
ย 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
ย 
Teaching material agriculture food technology
LiaRayya
ย 
MYSQL Presentation for SQL database connectivity
Swati270511
ย 
Machine learning based COVID-19 study performance prediction
IAESIJAI
ย 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
ย 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
ย 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
ย 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
ย 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
ย 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
ย 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
ย 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
ย 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
ย 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
ย 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
ย 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
ย 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
ย 
Approach and Philosophy of On baking technology
30anthuong17
ย 

DevOps

  • 2. A Well Rounded DevOps Team QA Testing Operatio Develop
  • 3. Continuous Integration (CI) ๏‚šMerging the development branches together (master branch) ๏‚šMust successfully pass a series of tests
  • 4. Continuous Delivery (CD) ๏‚šDeploying small changes more often ๏‚šAutomated delivery of updates
  • 5. Deployment Pipeline Stages Build & Automate CI Test Automation Deploy Automation Components Visibility Feedback Continuously Deploy
  • 6. DevSecOps Manifesto ๏‚š Leaning in over Always Saying โ€œNoโ€ ๏‚š Data & Security Science over Fear, Uncertainty and Doubt ๏‚š Open Contribution & Collaboration over Security-Only Requirements ๏‚š Consumable Security Services with APIs over Mandated Security Controls & Paperwork ๏‚š Business Driven Security Scores over Rubber Stamp Security ๏‚š Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities ๏‚š 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident ๏‚š Shared Threat Intelligence over Keeping Info to Ourselves ๏‚š Compliance Operations over Clipboards & Checklists
  • 7. DevSecOps Integration ๏‚š 1. Prior to code being committed ๏‚š SAST that be run locally or integrated into an IDE ๏‚š 2. During CI ๏‚š Security checks can be issued via the jobs server ๏‚š Unit testing, abuse cases, SAST, and software component analysis (supply chain hygiene) ๏‚š 3. After a successful build ๏‚š Automatically and securely configure and provision servers ๏‚š Configuration management, DAST, security smoke tests ๏‚š 4. Post deployment ๏‚š Automated runtime asserts and compliance checks ๏‚š Automated correction ๏‚š Production monitoring/feedback
  • 8. Greenfield vs. Legacy ๏‚š Greenfield Environment /Applications ๏‚š Do it right from the start! ๏‚š Legacy Applications ๏‚š Start with vulnerability & risk assessment ๏‚š Apply patches to remediate all vulnerabilities that donโ€™t require major design changes ๏‚š Integrate automated security testing in future releases when possible ๏‚š Rebuilding / Sunsetting ๏‚š Consider breaking out individual components one at a time, where possible, instead of a hard cutover ๏‚š New system should be following secure architecture principles and integrate security throughout the SDLC