SlideShare a Scribd company logo

Security and Data Breach

DevOps Indonesia, profile picture
DevOps Indonesia

This document discusses security and data breaches. It begins by defining a data breach and providing statistics on the number of identities exposed in breaches in recent years. It then covers common tactics used in breaches like hacking and credential theft from previous breaches. Specific examples of recent high-profile breaches through formjacking and on the British Airways website are examined. The document concludes by discussing DevSecOps principles for shifting security left in the development process so it is everyone's responsibility.

Technology
Related topics:
Information Security
1 of 25
Downloaded 11 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
PAGE1 DEVOPS INDONESIA PAGE 1 Bobby Limitra Solutions Engineer, F5 Jakarta, 10 Juni 2020 Security and Data Breach
Security and Data Breach What & How it Happened? How to Mitigate? Bobby Limitra Solutions Engineer, F5 Networks
“Data Breach is a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so”
Source: Verizon 2020 DBIR
| ©2019 F5​5 CONFIDENTIAL Data Breach: What Tactics are Utilized? Verizon 2020 DBIR
| ©2019 F5​6 CONFIDENTIAL Top Hacking Varieties & Vectors in Breaches
Data Breaches In the last 8 years more than 7.1 billion identities have been exposed in data breaches 70 MILLION accounts 427 MILLION accounts 150 MILLION accounts 3 BILLION accounts 117 MILLION accounts 1. Symantec Internet Security Threat Report, April 2017 2. https://www.entrepreneur.com/article/246902# Nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more. 3 out of 4
| ©2019 F5​8 https://haveibeenpwned.com
USERNAME Credit Card Data USERNAME Intellectual Property USERNAME Healthcare Data USERNAME Passport Data USERNAME Financial Data USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME Credentials from Previous Breaches
• Educate employees / customers and boost security awareness • Bot detection & prevention • Design your login form so that it is impossible for the attacker’s bot to recognize the fields • Use multifactor authentication • Monitor for failed authentication attempt
• Formjacking uses code injected by an attacker to siphon payment card information from an online form and deliver it to the attacker • The recent rise of formjacking indicates that any organization that accepts payment card information over the web is going to have their shopping cart targeted, regardless of sector
Confidential / / Part of F5 Formjacking / Magecart https://cdn.appdynamics.com/adrum/adrum-latest.js https://cdn.gladly.com/assets/chat-sdk/fece5b8abfb/main.js https://cdn.krxd.net/ctjs/controltag.js https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/md5.js https://connect.facebook.net/en_US/fbevents.js https://d1fc8wv8zag5ca.cloudfront.net/2.10.2/sp.js https://d2wy8f7a9ursnm.cloudfront.net/bugsnag-2.min.js https://fullstory.com/s/fs.js https://js.stripe.com/v2/ https://s.btstatic.com/tag.js https://secure.flyr.io/v3/js/flyr.js https://tag.bounceexchange.com/1907/i.js https://uwhfgjlv.micpn.com/p/js/1.js https://vt.myvisualiq.net/2/tDogjioRT72xXtfNK23F7A%3D%3D/vt-77.js Typical Add Payment page loads JS from a dozen sources
Confidential / / Part of F5 Magecart on British Airways (facing US$230M fine) SOURCE: https://www.riskiq.com/blog/labs/magecart-british-airways-breach/ Compromised file: https://www.britishairways.com/cms/global/scripts/lib/modernizr-2.6.2.min.js
• Injection Detection • Inventory • Patching • Scanning • Change Control • Multi-Factor Authentication (MFA) • Web Application Firewall (WAF) • Server Tools (e.g: CSP, SRI) • Monitor (for newly registered domains and certificates of your brand)
Security and Data Breach
• DevOps adoption is increasing, but Security typically remain afterthoughts. • Security has largely been divorced from software development. Security in DevOps ?
| ©2019 F5​17 Cultural shift In a DevOps mentality, security is everybody’s RESPONSIBILITY. FROM TO A shift away from security is the TRAFFIC COP / GATEKEEPER mentality.
| ©2018 F5 NETWORKS​18 Collaborative Model Development Operations Security • Avoid security at the end • Greater collaboration with security “in the room” at the beginning. • Move to a risk based model rather than being a traffic cop. • Collaboration brings understanding. • Understanding shapes how we react.
| ©2018 F5 NETWORKS​19 The DevSecOps way Business Requirement New Code ProductionTesting Security SHIFT LEFT Risk based security as part of normal business. Develop initial sprint with security in mind Deploy to production with regular security reviews Test security in an automated way Shifting left refers to moving security earlier in the development process. This means that security becomes everyone’s responsibility. It also denotes a move to a risk based approach as opposed to a traffic cop approach. It is not just about the speed, but also the safety The earlier that security requirements can be addressed in the Software Development Lifecycle, the lower the cost and impact.
| ©2019 F5​20 Wrap Up: DevSecOps Principles ​Breaking down the silos ​Shifting Left ​Nurturing security champions ​Continuous Testing/Test automation ​Making the secure path the easy path
| ©2019 F5​21 Join us virtually for ASEAN CES 2020! SIGN UP AT: GO.F5.NET/ASEANCES ​Join industry-leading experts in multi-cloud application and gain insights on developing and delivering a modern apps architecture leveraging APIs, DevOps, SRE and Microservices!
| ©2019 F5​22 Connect with us! JOIN IN THE CONVERSATION ON SOCIAL MEDIA CONFIDENTIAL STATE OF APPLICATION SERVICES, 2020 Find us on Facebook @f5asiapacific Add us on LinkedIn F5 Follow us on Twitter @F5_AsiaPacific
Security and Data Breach
PAGE24 DEVOPS INDONESIA Stay Connected @devopsindonesia http://www.devopsindonesia.com @IDDevOps @DevOpsIndonesia @IDDevOps DevOps Indonesia
PAGE25 DEVOPS INDONESIA Alone We are smart, together We are brilliant THANK YOU ! Quote by Steve Anderson

More Related Content

PDF
Digital Transformation in Infrastructure "NetOps in The Era of Modern IT"
DevOps Indonesia
 
PDF
Modern App Architecture - Microservices, API Friendly
DevOps Indonesia
 
PDF
When Automation Keeps Your T-shirt Clean
DevOps Indonesia
 
PDF
Shift Left Security - The What, Why and How
DevOps.com
 
PPTX
Microsoft, Citrix and SCOM: EOL or a New Beginning ?
eG Innovations
 
PPTX
Best Practices for Troubleshooting Slow Citrix Logon and Ensuring Excellent U...
eG Innovations
 
PPTX
Best Practices for Troubleshooting Four Real-world Java Performance Issues
eG Innovations
 
PPTX
How to monitor all aspects of Citrix NetScaler usage and performance within t...
eG Innovations
 
Digital Transformation in Infrastructure "NetOps in The Era of Modern IT"
DevOps Indonesia
 
Modern App Architecture - Microservices, API Friendly
DevOps Indonesia
 
When Automation Keeps Your T-shirt Clean
DevOps Indonesia
 
Shift Left Security - The What, Why and How
DevOps.com
 
Microsoft, Citrix and SCOM: EOL or a New Beginning ?
eG Innovations
 
Best Practices for Troubleshooting Slow Citrix Logon and Ensuring Excellent U...
eG Innovations
 
Best Practices for Troubleshooting Four Real-world Java Performance Issues
eG Innovations
 
How to monitor all aspects of Citrix NetScaler usage and performance within t...
eG Innovations
 

What's hot (20)

PDF
Managing Citrix Digital Business Services Performance - Make your first Impre...
eG Innovations
 
PPT
eG Innovations
janejarvella
 
PDF
Practical operability techniques for teams - Matthew Skelton - Conflux - Cont...
Matthew Skelton
 
PPTX
Delivering Java Applications? Ensure Top Performance Every Time, with Intell...
John Williams
 
PDF
Digital Workspaces and the Customer Experience
eG Innovations
 
PPTX
Citrix troubleshooting 101
eG Innovations
 
PDF
DevOps Indonesia #14 - Building monitoring framework on container infrastructure
DevOps Indonesia
 
PPTX
2018 Citrix Migration Survey - Industry Insights
eG Innovations
 
PPTX
Citrix Cloud Services - Are they right for you ?
eG Innovations
 
PPTX
Citrix Troubleshooting 101
eG Innovations
 
PDF
Measure Customer Value with Self-Service Observability
DevOps.com
 
PDF
The Complete User Experience Monitoring Solution - eG Enterprise v7
eG Innovations
 
DOC
Akant_Kukreja
Akant Kukreja
 
PPTX
Securing Your Infrastructure: Identity Management and Data Protection
Lumension
 
PPTX
How to Get the Fastest Possible Citrix Logon Times?
eG Innovations
 
PPTX
Windows 10 webinar: What’s new for IT pros Windows 10 v 1709
Flexera
 
PPTX
How to Deliver an Exceptional End User Experience in your Citrix Environment
eG Innovations
 
PPTX
eG Enterprise Logon Simulator for Citrix XenApp & XenDesktop
eG Innovations
 
PPTX
How to consolidate Citrix Monitoring in a Single Pane of Glass
eG Innovations
 
PPTX
How to Achieve Great Citrix User Experience
eG Innovations
 
Managing Citrix Digital Business Services Performance - Make your first Impre...
eG Innovations
 
eG Innovations
janejarvella
 
Practical operability techniques for teams - Matthew Skelton - Conflux - Cont...
Matthew Skelton
 
Delivering Java Applications? Ensure Top Performance Every Time, with Intell...
John Williams
 
Digital Workspaces and the Customer Experience
eG Innovations
 
Citrix troubleshooting 101
eG Innovations
 
DevOps Indonesia #14 - Building monitoring framework on container infrastructure
DevOps Indonesia
 
2018 Citrix Migration Survey - Industry Insights
eG Innovations
 
Citrix Cloud Services - Are they right for you ?
eG Innovations
 
Citrix Troubleshooting 101
eG Innovations
 
Measure Customer Value with Self-Service Observability
DevOps.com
 
The Complete User Experience Monitoring Solution - eG Enterprise v7
eG Innovations
 
Akant_Kukreja
Akant Kukreja
 
Securing Your Infrastructure: Identity Management and Data Protection
Lumension
 
How to Get the Fastest Possible Citrix Logon Times?
eG Innovations
 
Windows 10 webinar: What’s new for IT pros Windows 10 v 1709
Flexera
 
How to Deliver an Exceptional End User Experience in your Citrix Environment
eG Innovations
 
eG Enterprise Logon Simulator for Citrix XenApp & XenDesktop
eG Innovations
 
How to consolidate Citrix Monitoring in a Single Pane of Glass
eG Innovations
 
How to Achieve Great Citrix User Experience
eG Innovations
 
Ad

Similar to Security and Data Breach (20)

PDF
Tech Talent Meetup Hacking Security Event Recap
Dominic Vogel
 
PDF
Data Protection - Safeguarding Your Business in the Digital Age.pdf
Entrust Network Services
 
PPTX
Be More Secure than your Competition: MePush Cyber Security for Small Business
Art Ocain
 
PPTX
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
Ulf Mattsson
 
PDF
Why Data Security Should Be a Priority in Your Software Development Strategy?
Mars Devs
 
PPTX
Presentation 10.pptx
mishogelashvili28
 
PDF
The What, Why, and How of DevSecOps
Cprime
 
PDF
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
PPTX
Your security posture may define your company’s future
Home
 
PDF
Introduction to Cybersecurity
Krutarth Vasavada
 
PPTX
Secure Iowa Oct 2016
Larry Slobodzian
 
PDF
Your're Special (But Not That Special)
Sandra (Sandy) Dunn
 
PDF
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Research
 
PPTX
Security and Mobility Co Create Week Jakarta
Stefan Streichsbier
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
PPTX
Solnet dev secops meetup
pbink
 
PDF
The State of Data Security
Razor Technology
 
PDF
The 10 Secret Codes of Security
Karina Elise
 
PPTX
Privacies are Coming
Ernest Staats
 
PPTX
Assessing Your security
Legal Services National Technology Assistance Project (LSNTAP)
 
Tech Talent Meetup Hacking Security Event Recap
Dominic Vogel
 
Data Protection - Safeguarding Your Business in the Digital Age.pdf
Entrust Network Services
 
Be More Secure than your Competition: MePush Cyber Security for Small Business
Art Ocain
 
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
Ulf Mattsson
 
Why Data Security Should Be a Priority in Your Software Development Strategy?
Mars Devs
 
Presentation 10.pptx
mishogelashvili28
 
The What, Why, and How of DevSecOps
Cprime
 
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
Your security posture may define your company’s future
Home
 
Introduction to Cybersecurity
Krutarth Vasavada
 
Secure Iowa Oct 2016
Larry Slobodzian
 
Your're Special (But Not That Special)
Sandra (Sandy) Dunn
 
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Research
 
Security and Mobility Co Create Week Jakarta
Stefan Streichsbier
 
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
Solnet dev secops meetup
pbink
 
The State of Data Security
Razor Technology
 
The 10 Secret Codes of Security
Karina Elise
 
Privacies are Coming
Ernest Staats
 
Assessing Your security
Legal Services National Technology Assistance Project (LSNTAP)
 
Ad

More from DevOps Indonesia (20)

PDF
DevSecOps Implementation Journey
DevOps Indonesia
 
PDF
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
DevOps Indonesia
 
PDF
Securing an NGINX deployment for K8s
DevOps Indonesia
 
PDF
DevOps Indonesia Meetup #52 - announcement
DevOps Indonesia
 
PDF
Dev ops meetup 51 : Securing DevOps Lifecycle - Announcement
DevOps Indonesia
 
PDF
Securing DevOps Lifecycle
DevOps Indonesia
 
PDF
DevOps Meetup 50 : Securing your Application - Announcement
DevOps Indonesia
 
PDF
Secure your Application with Google cloud armor
DevOps Indonesia
 
PDF
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia
DevOps Indonesia
 
PDF
Operate Containers with AWS Copilot
DevOps Indonesia
 
PDF
Continuously Deploy Your CDK Application by Petra novandi barus
DevOps Indonesia
 
PDF
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
DevOps Indonesia
 
PDF
Securing Your Database Dynamic DB Credentials
DevOps Indonesia
 
PDF
DevOps Indonesia (online) meetup 45 - Announcement
DevOps Indonesia
 
PDF
The Death and Rise of Enterprise DevOps
DevOps Indonesia
 
PDF
API Security Webinar - Credential Stuffing
DevOps Indonesia
 
PDF
API Security Webinar - Security Guidelines for Providing and Consuming APIs
DevOps Indonesia
 
PDF
API Security Webinar - Hendra Tanto
DevOps Indonesia
 
PDF
API Security Webinar : Credential Stuffing
DevOps Indonesia
 
PDF
API Security Webinar : Security Guidelines for Providing and Consuming APIs
DevOps Indonesia
 
DevSecOps Implementation Journey
DevOps Indonesia
 
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
DevOps Indonesia
 
Securing an NGINX deployment for K8s
DevOps Indonesia
 
DevOps Indonesia Meetup #52 - announcement
DevOps Indonesia
 
Dev ops meetup 51 : Securing DevOps Lifecycle - Announcement
DevOps Indonesia
 
Securing DevOps Lifecycle
DevOps Indonesia
 
DevOps Meetup 50 : Securing your Application - Announcement
DevOps Indonesia
 
Secure your Application with Google cloud armor
DevOps Indonesia
 
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia
DevOps Indonesia
 
Operate Containers with AWS Copilot
DevOps Indonesia
 
Continuously Deploy Your CDK Application by Petra novandi barus
DevOps Indonesia
 
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
DevOps Indonesia
 
Securing Your Database Dynamic DB Credentials
DevOps Indonesia
 
DevOps Indonesia (online) meetup 45 - Announcement
DevOps Indonesia
 
The Death and Rise of Enterprise DevOps
DevOps Indonesia
 
API Security Webinar - Credential Stuffing
DevOps Indonesia
 
API Security Webinar - Security Guidelines for Providing and Consuming APIs
DevOps Indonesia
 
API Security Webinar - Hendra Tanto
DevOps Indonesia
 
API Security Webinar : Credential Stuffing
DevOps Indonesia
 
API Security Webinar : Security Guidelines for Providing and Consuming APIs
DevOps Indonesia
 

Recently uploaded (20)

PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Cloud computing and distributed systems.
kkkkkhan
 
Encapsulation theory and applications.pdf
gurumoop
 

Security and Data Breach

  • 1. PAGE1 DEVOPS INDONESIA PAGE 1 Bobby Limitra Solutions Engineer, F5 Jakarta, 10 Juni 2020 Security and Data Breach
  • 2. Security and Data Breach What & How it Happened? How to Mitigate? Bobby Limitra Solutions Engineer, F5 Networks
  • 3. “Data Breach is a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so”
  • 5. | ©2019 F5​5 CONFIDENTIAL Data Breach: What Tactics are Utilized? Verizon 2020 DBIR
  • 6. | ©2019 F5​6 CONFIDENTIAL Top Hacking Varieties & Vectors in Breaches
  • 7. Data Breaches In the last 8 years more than 7.1 billion identities have been exposed in data breaches 70 MILLION accounts 427 MILLION accounts 150 MILLION accounts 3 BILLION accounts 117 MILLION accounts 1. Symantec Internet Security Threat Report, April 2017 2. https://www.entrepreneur.com/article/246902# Nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more. 3 out of 4
  • 9. USERNAME Credit Card Data USERNAME Intellectual Property USERNAME Healthcare Data USERNAME Passport Data USERNAME Financial Data USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME Credentials from Previous Breaches
  • 10. • Educate employees / customers and boost security awareness • Bot detection & prevention • Design your login form so that it is impossible for the attacker’s bot to recognize the fields • Use multifactor authentication • Monitor for failed authentication attempt
  • 11. • Formjacking uses code injected by an attacker to siphon payment card information from an online form and deliver it to the attacker • The recent rise of formjacking indicates that any organization that accepts payment card information over the web is going to have their shopping cart targeted, regardless of sector
  • 12. Confidential / / Part of F5 Formjacking / Magecart https://cdn.appdynamics.com/adrum/adrum-latest.js https://cdn.gladly.com/assets/chat-sdk/fece5b8abfb/main.js https://cdn.krxd.net/ctjs/controltag.js https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/md5.js https://connect.facebook.net/en_US/fbevents.js https://d1fc8wv8zag5ca.cloudfront.net/2.10.2/sp.js https://d2wy8f7a9ursnm.cloudfront.net/bugsnag-2.min.js https://fullstory.com/s/fs.js https://js.stripe.com/v2/ https://s.btstatic.com/tag.js https://secure.flyr.io/v3/js/flyr.js https://tag.bounceexchange.com/1907/i.js https://uwhfgjlv.micpn.com/p/js/1.js https://vt.myvisualiq.net/2/tDogjioRT72xXtfNK23F7A%3D%3D/vt-77.js Typical Add Payment page loads JS from a dozen sources
  • 13. Confidential / / Part of F5 Magecart on British Airways (facing US$230M fine) SOURCE: https://www.riskiq.com/blog/labs/magecart-british-airways-breach/ Compromised file: https://www.britishairways.com/cms/global/scripts/lib/modernizr-2.6.2.min.js
  • 14. • Injection Detection • Inventory • Patching • Scanning • Change Control • Multi-Factor Authentication (MFA) • Web Application Firewall (WAF) • Server Tools (e.g: CSP, SRI) • Monitor (for newly registered domains and certificates of your brand)
  • 16. • DevOps adoption is increasing, but Security typically remain afterthoughts. • Security has largely been divorced from software development. Security in DevOps ?
  • 17. | ©2019 F5​17 Cultural shift In a DevOps mentality, security is everybody’s RESPONSIBILITY. FROM TO A shift away from security is the TRAFFIC COP / GATEKEEPER mentality.
  • 18. | ©2018 F5 NETWORKS​18 Collaborative Model Development Operations Security • Avoid security at the end • Greater collaboration with security “in the room” at the beginning. • Move to a risk based model rather than being a traffic cop. • Collaboration brings understanding. • Understanding shapes how we react.
  • 19. | ©2018 F5 NETWORKS​19 The DevSecOps way Business Requirement New Code ProductionTesting Security SHIFT LEFT Risk based security as part of normal business. Develop initial sprint with security in mind Deploy to production with regular security reviews Test security in an automated way Shifting left refers to moving security earlier in the development process. This means that security becomes everyone’s responsibility. It also denotes a move to a risk based approach as opposed to a traffic cop approach. It is not just about the speed, but also the safety The earlier that security requirements can be addressed in the Software Development Lifecycle, the lower the cost and impact.
  • 20. | ©2019 F5​20 Wrap Up: DevSecOps Principles ​Breaking down the silos ​Shifting Left ​Nurturing security champions ​Continuous Testing/Test automation ​Making the secure path the easy path
  • 21. | ©2019 F5​21 Join us virtually for ASEAN CES 2020! SIGN UP AT: GO.F5.NET/ASEANCES ​Join industry-leading experts in multi-cloud application and gain insights on developing and delivering a modern apps architecture leveraging APIs, DevOps, SRE and Microservices!
  • 22. | ©2019 F5​22 Connect with us! JOIN IN THE CONVERSATION ON SOCIAL MEDIA CONFIDENTIAL STATE OF APPLICATION SERVICES, 2020 Find us on Facebook @f5asiapacific Add us on LinkedIn F5 Follow us on Twitter @F5_AsiaPacific
  • 25. PAGE25 DEVOPS INDONESIA Alone We are smart, together We are brilliant THANK YOU ! Quote by Steve Anderson