DevSecOps: A New Hope for Security in CI/CD
4 likes717 views
The document discusses the importance of integrating security into the CI/CD process, emphasizing a shift in mindset towards shared responsibility among developers and operations. It highlights the benefits of DevSecOps, including increased deployment frequency and reduced incident impact. Key recommendations include adopting automated scanning, targeted testing, and leveraging the right tools while fostering a proactive security culture.
![import re
re.search('([Dd]ev[Ss]ec|[Ss]ec[Dd]ev|[Rr]uggeds[Dd]ev)[Oo]ps')
Automated Speed Scale People
8](https://image.slidesharecdn.com/devsecops-a-new-hope-for-security-in-cicd-180425135345/85/DevSecOps-A-New-Hope-for-Security-in-CI-CD-8-320.jpg)
DevSecOps: A New Hope for Security in CI/CD
- 1. DevSecOpsDevSecOps A New Hope for Security in CI/CDA New Hope for Security in CI/CD Featuring Franklin Mosley Senior Application Security Engineer PagerDuty 1
- 2. “Fear is the path to the dark side…fear“Fear is the path to the dark side…fear leads to anger…anger leads to hate…hateleads to anger…anger leads to hate…hate leads to suffering.”leads to suffering.” 2
- 3. ThenThen 3
- 4. NowNow 4
- 5. 5
- 6. ““I find your lack of securityI find your lack of security disturbing.disturbing.”” 6
- 7. 21% of all data breach incidents occur from attacks on web applications Source: Verizon Data Breach Investigations Report - http://www.verizonenterprise.com/verizon-insights-lab/dbir/tool/pattern/web-applications 7
- 8. import re re.search('([Dd]ev[Ss]ec|[Ss]ec[Dd]ev|[Rr]uggeds[Dd]ev)[Oo]ps') Automated Speed Scale People 8
- 9. How do we get there?How do we get there? 9
- 10. Change the security mindsetChange the security mindset 10
- 11. Change the security mindsetChange the security mindset Security: Stop being the organization of "No" Security: Walk in a developer's shoes Developer: 48%* know security is important Shift left and integrate throughout the SDLC * Source: Sonatype "2018 DevSecOps Community Survey" - https://www.sonatype.com/2018survey 11
- 13. Change the security mindsetChange the security mindset Security: Stop being the organization of "No" Security: Walk in a developer's shoes Developer: 48%* know security is important Shift left and integrate throughout the SDLC * Source: Sonatype "2018 DevSecOps Community Survey" - https://www.sonatype.com/2018survey 13
- 14. Who's responsible for security?Who's responsible for security? SecurityDevelopers Operations 14
- 15. You code it. You own it.You code it. You own it. 45% increase in number of changes deployed to production 25% reduction in major incidents that impact customers 50% reduction in Mean Time To Resolution (MTTR) of major incidents Less silo-based knowledge centers Source: PagerDuty "Owning Your Code is Better" - https://www.pagerduty.com/blog/developers-own-code/ 15
- 16. ““Do. Or do not. There is no try.Do. Or do not. There is no try.”” 16
- 17. 17
- 18. Application ScanningApplication Scanning Long scan timesLong scan times False PositivesFalse Positives Did not scaleDid not scale 100% coverage?100% coverage? 18
- 19. “I assure you, Lord Vader.“I assure you, Lord Vader. My men are working asMy men are working as fast as they can.”fast as they can.” 19
- 20. Application ScanningApplication Scanning Targeted testingTargeted testing Integrate with Q/AIntegrate with Q/A ScaleScale 20
- 21. 21
- 22. 22
- 23. 23
- 24. Make it easy to do the rightMake it easy to do the right thingthing 24
- 25. 25
- 26. Source Code ScanningSource Code Scanning Use the right tool for the jobUse the right tool for the job Full scansFull scans 26
- 27. Source Code ScanningSource Code Scanning Incremental scansIncremental scans Use the right tool for the jobUse the right tool for the job 27
- 28. 28
- 29. Container/AMI ValidationContainer/AMI Validation Early in the pipelineEarly in the pipeline Learn to use the toolsLearn to use the tools Golden imagesGolden images 29
- 30. 30
- 31. Security OperationsSecurity Operations Be Reactive and ResponsiveBe Reactive and Responsive Learn normal from abnormal behaviorLearn normal from abnormal behavior Act on it!Act on it! 31
- 32. TL;DRTL;DR Security is a shared responsibilitySecurity is a shared responsibility Change the security mindsetChange the security mindset Owning the code is betterOwning the code is better Be FrictionlessBe Frictionless 32
- 33. “You must“You must unlearnunlearn what youwhat you havehave learned.”learned.” 33
- 34. Thank You!Thank You! Franklin MosleyFranklin Mosley @fpmosley3 /in/franklinmosley 34