DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
Download as PPTX, PDF4 likes426 views
1) The document discusses the challenges of implementing application security in a DevOps environment, noting that while many organizations are adopting DevOps, few are integrating security testing during development. 2) It presents the DevSecOps approach which incorporates security capabilities and practices into DevOps technologies, processes, and culture through principles of collaboration, continuous improvement, automation, and security as code. 3) Key aspects of DevSecOps discussed include threat modeling, static and dynamic application security testing integrated into the development pipeline, container security, analytics dashboards for visualizing security metrics and risks, and maturity models for prioritizing applications based on risk assessments.
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
- 1. DevSecOpsIndonesia Pain & Pleasure of doing AppSec in DevOps Suman Sourav
- 2. ABOUT ME • 14+ Years of experience in Application Security • Certified Secure Software Lifecycle Professional (CSSLP) • Co-Leader of DevSecOps Singapore & Indonesia • Community Ambassador – DevOps Institute • Full time student – learning from people around me DevSecOpsIndonesia
- 3. DevSecOpsIndonesia Application Security-Non Functional Requirements ? Security Team Application Security DevOps Team DevOps Tools
- 4. DevSecOpsIndonesia I am not kidding-No Offense ! Confluence JIRA BitBucket Bamboo Artifactory Jenkins (master) Jenkins (slave) SonarQube Selenium Grids Web Archive Containerized (Docker image) Dev (Docker) App Server Early scans during CI to ensure code quality and coverage Parallel execution of test cases Current Recommended Orchestrated SIT, UAT, Prod TDD/BDD
- 5. DevSecOpsIndonesia This is same across all industries Development Operations QA Customer Centric Immediate Results Automation Scale Agile 90%of surveyed organizations are implementing or piloting DevOps and 99%Agree DevOps is an opportunity to improve application security but only 20%Are doing application security testing during development SecOps SecOps Needs to Shift Left
- 6. DevSecOpsIndonesia Moving From To Waterfall Agile & DevOps Physical or Virtual Server Cloud & Containers Scalable InstrumentedMonolithic or N-Tier APIs & Micro services Architecture Deployment Development Process Ideally Continuous Changing Landscape
- 7. DevSecOpsIndonesia Reference: Cloud Security Alliance : Security Guidance for Early Adopters of the Internet of Things – April 2015 API is evolving fast
- 8. DevSecOpsIndonesia Defensive security in era of DevOps Organization fails to map the security threats to the risk management process • faster release cycles • automated security testing • tons of security results • silo culture Threat Modeling Attack Surface areas Risk Analysis
- 9. DevSecOpsIndonesia DevOps Approach • People Collaboration Training • Process Continuous Improvement Continuous Testing • Technology Self Service Automation
- 10. DevSecOps Approach 3S Principles TECHNOLOGY Security Capabilities DEVSECOPS • Incorporate security capabilities in DevOps collaborative technologies. • Deploy security solutions to support; security scanning, code quality, reporting and data dissemination capabilities. • Institutionalize security through standardization and documented business processes. • Implement and prioritize project methods and roadmaps in alignment with development & security goals. • Tie rules of engagement to corporate security mission, vision and strategy. • Provide clear goals, metrics and KPI’s aligned with security strategy • Establish training and incentive programs to modify or encourage security-driven decisions. • Align user needs and security skills with compliance needs. DevSecOpsIndonesia
- 11. DevSecOpsIndonesia Secure Engineering Development Practice DEVELOPMENT BUILD AND DEPLOY STAGINGREQUIREMENTS External Repositories Common Components DESIGN Repository DAST/SecurityQAThreat Modeling SAST VS/PT/IAST/ Fuzzing Components Monitoring Monitoring SCM Tools PRODUCTION SAST : Static Application Security Testing DAST : Dynamic Application Security Testing IAST : Interactive Application Security Testing VS : Vulnerability scanning PT : Penetration Testing
- 12. DevSecOpsIndonesia Does this make sense ? Confluence JIRA BitBucket Bamboo Artifactory Jenkins (master) Jenkins (slave) Web Archive Containerized (Docker image) Dev (Docker) App Server SonarQube Selenium Grids Parallel execution of test cases Orchestrated SIT, UAT, Prod TDD/BDD Current Recommended Security SAST Security Requirements Early scans during CI to ensure code quality and coverage Early SAST and SCA scans to discovers security issues Container Security Regulatory Security requirements Container Security Scanning and Monitoring
- 13. DevSecOpsIndonesia Evaluate | security controls, integration and adoption Expose | threats, risks and scores Encapsulate | what , when where and why Efficient | decision making and investment Data analytics in security Contextual decision making Seamless design to execution Predictive Analysis Real time collaboration
- 14. DevSecOpsIndonesia Building analytics database 0 2 4 6 8 10 SAST DAST SecurityQA VS/Fuzzing IAST Analytics DB SIEM Security metrics template TM
- 15. DevSecOpsIndonesia Master Branch1 Compile Test Publish Deploy Build GitHub Build Tools Deploy Env Open Source Libraries DevSecOps Orchestration Platform • Sec Requirements • Design Review • Threat Modelling • Security Unit Tests • SAST • SCA • DAST • IAST • VA • Security as Code • RASP • NG WAF Security As a service Vulnerability Normalization & Analytics Feedback Loop
- 16. DevSecOpsIndonesia OWASP DevSecOps Maturity Model Reference : https://docs.google.com/presentation/d/1rrbyXqxy3LXAJNPFrVH99mj_BNaJKymMsXZItYArWEM/edit#slide=id.g1560ae0085_5_74
- 17. Continuous Security Testing Reference: https://docs.google.com/presentation/d/1dAewXIHgBEKHKwBPpM5N_G2eM6PRpduoGJrp6R6pNUI/edit#slide=id.p
- 18. DevSecOpsIndonesia All the app will be analyzed for RA levels based on their Risk Assessment Score Risk Assessment DevOps SMM3 SMM2 SMM1 RA2RA1 METRICS Baseline RequirementsBaseline RequirementsBaseline Requirements Additional Requirements Additional Requirements Architecture Risk Analysis Application ThreatModeling SCORESCORE Automated scanning SCORE Risk Assessment SECURITY MATURITY SCORE MATURITY RA3 Architecture Risk Analysis • All the app will go through the baseline assessment as per current assessment process • Automated assessment will be done based on Maturity Requirements • Architecture Risk Analysis will be required for RA 2 & RA 1 Apps • Applicartion Threatmodeling will be done only for RA 1 Apps • Security Maturity Score will be calculated after each assessment Setting up priorities
- 19. DevSecOpsIndonesia We can eliminate and minimize the threats if we change our engineering development practice ○ Incorporate security as culture ○ Investment in the right directions ○ Innovate the processes that suits our organization Are we ready for change ?
- 20. DevSecOpsIndonesia Connecting Teams Connecting Insight Connecting Outcomes Connecting Delivery Welcome to the Era of Connection. Are you ready? Bid data analytics can change the state of security in an organization and can offer valuable insights into business risks far beyond IT technologies are available to take a look in much more detail around machine-generated data and user-generated data to understand what is happening inside of an organization
- 21. DevSecOpsIndonesia “The challenge for security in DevOps is not the technology but the people”