Security with the Speed of Continuous Delivery
3 likes714 views
The document discusses DevOpsSec, which aims to integrate security practices into continuous delivery workflows. It outlines the key stages of development, testing, deployment and monitoring and how security can be "shifted left" to each stage through automation, dashboards and end-to-end traceability across the software development life cycle. The goal is to achieve both security and speed through continuous delivery.
Security with the Speed of Continuous Delivery
- 1. Confidential Security with the Speed of Continuous Delivery
- 2. ‹#› Tapabrata “Topo” Pal Director, Next Generation Infrastructure tapabrata.pal@capitalone.com @TopoPal Past: • PhD in Semiconductor Physics • 20 years of IT experience as Developer, Architect, System Engineer • Experience in Retail, Healthcare and Finance industries
- 5. ‹#›
- 6. ‹#›
- 7. ‹#›
- 8. ‹#›
- 9. ‹#›
- 10. ‹#›
- 11. ‹#› Speed
- 12. ‹#› Speed
- 13. ‹#› Speed
- 14. ‹#› SpeedSpeed is the new currency
- 15. ‹#›
- 16. ‹#›
- 17. ‹#›
- 18. ‹#›
- 19. ‹#›
- 20. ‹#›
- 21. ‹#› Development • Architecture • Design • Code • Test
- 22. ‹#› Business • Requirements • Feature Request • Roadmap Development • Architecture • Design • Code • Test
- 23. ‹#› Business • Requirements • Feature Request • Roadmap Development • Architecture • Design • Code • Test Operations • Infrastructure • Platforms • Environment • Deployment • Incident Mgmt • Change & Release Mgmt.
- 24. ‹#› Business • Requirements • Feature Request • Roadmap Development • Architecture • Design • Code • Test Operations • Infrastructure • Platforms • Environment • Deployment • Incident Mgmt • Change & Release Mgmt. Information Security Application Security Security Testing Information Security Infrastructure Security
- 25. ‹#› Business • Requirements • Feature Request • Roadmap Development • Architecture • Design • Code • Test Operations • Infrastructure • Platforms • Environment • Deployment • Incident Mgmt • Change & Release Mgmt. Information Security Application Security Security Testing Information Security Infrastructure Security DevOpsSec
- 26. ‹#›
- 27. ‹#› Shift Left
- 30. ‹#›
- 37. ‹#›
- 38. ‹#› Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control Agile PM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration
- 39. ‹#› Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control Agile PM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration Automated/Continuous Deployment Plan Monitor Verify Deploy Continuous Deployment
- 40. ‹#› Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control Agile PM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration Automated/Continuous Deployment Plan Monitor Verify Deploy Continuous Deployment Test Mgmt Test Data Mgmt D evelop Promote Verify Execute Service Test UI Test Device Test Perf Test Security Test Continuous Testing Service Virtualization Acceptance Test
- 41. ‹#› Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control Agile PM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration Automated/Continuous Deployment Plan Monitor Verify Deploy Continuous Deployment Test Mgmt Test Data Mgmt D evelop Promote Verify Execute Service Test UI Test Device Test Perf Test Security Test Continuous Testing Service Virtualization Acceptance Test
- 42. ‹#› Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control Agile PM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration Automated/Continuous Deployment Plan Monitor Verify Deploy Continuous Deployment Test Mgmt Test Data Mgmt D evelop Promote Verify Execute Service Test UI Test Device Test Perf Test Security Test Continuous Testing Service Virtualization Acceptance Test Infrastructure and Environment
- 43. ‹#› Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control Agile PM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration Automated/Continuous Deployment Plan Monitor Verify Deploy Continuous Deployment Test Mgmt Test Data Mgmt D evelop Promote Verify Execute Service Test UI Test Device Test Perf Test Security Test Continuous Testing Service Virtualization Acceptance Test Infrastructure and Environment Dashboard/Feedback End to End Traceability, Real time status of Code, Build, Deploy, Test, Application and Environment Health
- 44. ‹#› Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control Agile PM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration Automated/Continuous Deployment Plan Monitor Verify Deploy Continuous Deployment Test Mgmt Test Data Mgmt D evelop Promote Verify Execute Service Test UI Test Device Test Perf Test Security Test Continuous Testing Service Virtualization Acceptance Test Infrastructure and Environment Dashboard/Feedback End to End Traceability, Real time status of Code, Build, Deploy, Test, Application and Environment Health
- 45. ‹#› Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control Agile PM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration Automated/Continuous Deployment Plan Monitor Verify Deploy Continuous Deployment Test Mgmt Test Data Mgmt D evelop Promote Verify Execute Service Test UI Test Device Test Perf Test Security Test Continuous Testing Service Virtualization Acceptance Test Infrastructure and Environment Dashboard/Feedback End to End Traceability, Real time status of Code, Build, Deploy, Test, Application and Environment Health
- 46. ‹#› Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control Agile PM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration Automated/Continuous Deployment Plan Monitor Verify Deploy Continuous Deployment Test Mgmt Test Data Mgmt D evelop Promote Verify Execute Service Test UI Test Device Test Perf Test Security Test Continuous Testing Service Virtualization Acceptance Test Infrastructure and Environment Dashboard/Feedback End to End Traceability, Real time status of Code, Build, Deploy, Test, Application and Environment Health
- 47. ‹#› Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control Agile PM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration Automated/Continuous Deployment Plan Monitor Verify Deploy Continuous Deployment Test Mgmt Test Data Mgmt D evelop Promote Verify Execute Service Test UI Test Device Test Perf Test Security Test Continuous Testing Service Virtualization Acceptance Test Infrastructure and Environment Dashboard/Feedback End to End Traceability, Real time status of Code, Build, Deploy, Test, Application and Environment Health
- 48. ‹#› Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control Agile PM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration Automated/Continuous Deployment Plan Monitor Verify Deploy Continuous Deployment Test Mgmt Test Data Mgmt D evelop Promote Verify Execute Service Test UI Test Device Test Perf Test Security Test Continuous Testing Service Virtualization Acceptance Test Infrastructure and Environment Dashboard/Feedback End to End Traceability, Real time status of Code, Build, Deploy, Test, Application and Environment Health
- 49. ‹#› Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control Agile PM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration Automated/Continuous Deployment Plan Monitor Verify Deploy Continuous Deployment Test Mgmt Test Data Mgmt D evelop Promote Verify Execute Service Test UI Test Device Test Perf Test Security Test Continuous Testing Service Virtualization Acceptance Test Infrastructure and Environment Dashboard/Feedback End to End Traceability, Real time status of Code, Build, Deploy, Test, Application and Environment Health
- 50. ‹#› Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control Agile PM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration Automated/Continuous Deployment Plan Monitor Verify Deploy Continuous Deployment Test Mgmt Test Data Mgmt D evelop Promote Verify Execute Service Test UI Test Device Test Perf Test Security Test Continuous Testing Service Virtualization Acceptance Test Infrastructure and Environment Dashboard/Feedback End to End Traceability, Real time status of Code, Build, Deploy, Test, Application and Environment Health
- 51. ‹#› Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control Agile PM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration Automated/Continuous Deployment Plan Monitor Verify Deploy Continuous Deployment Test Mgmt Test Data Mgmt D evelop Promote Verify Execute Service Test UI Test Device Test Perf Test Security Test Continuous Testing Service Virtualization Acceptance Test Infrastructure and Environment Dashboard/Feedback End to End Traceability, Real time status of Code, Build, Deploy, Test, Application and Environment Health
- 52. ‹#› Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control Agile PM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration Automated/Continuous Deployment Plan Monitor Verify Deploy Continuous Deployment Test Mgmt Test Data Mgmt D evelop Promote Verify Execute Service Test UI Test Device Test Perf Test Security Test Continuous Testing Service Virtualization Acceptance Test Infrastructure and Environment Dashboard/Feedback End to End Traceability, Real time status of Code, Build, Deploy, Test, Application and Environment Health
- 53. ‹#› Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control Agile PM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration Automated/Continuous Deployment Plan Monitor Verify Deploy Continuous Deployment Test Mgmt Test Data Mgmt D evelop Promote Verify Execute Service Test UI Test Device Test Perf Test Security Test Continuous Testing Service Virtualization Acceptance Test Infrastructure and Environment Dashboard/Feedback End to End Traceability, Real time status of Code, Build, Deploy, Test, Application and Environment Health
- 54. ‹#› Delivery Pipeline: Automated, Continuous, Compliant Code Build Release MonitorDeploy + Test Execution
- 55. ‹#› Delivery Pipeline: Automated, Continuous, Compliant Code Build Release MonitorDeploy + Test Execution App Test Infra
- 56. ‹#› Delivery Pipeline: Automated, Continuous, Compliant Code Build Release MonitorDeploy + Test Execution App Test Infra DEV INT QA PERF PROD DEV INT SEC QA SEC PERF PROD DEV INT QA SEC PERF PROD
- 57. ‹#› Delivery Pipeline: Automated, Continuous, Compliant Code Build Release MonitorDeploy + Test Execution App Test Infra DEV INT QA PERF PROD DEV INT SEC QA SEC PERF PROD DEV INT QA SEC PERF PROD Infra App
- 58. ‹#› Delivery Pipeline: Automated, Continuous, Compliant Code Build Release MonitorDeploy + Test Execution App Test Infra DEV INT QA PERF PROD DEV INT SEC QA SEC PERF PROD DEV INT QA SEC PERF PROD Infra App Flow
- 59. ‹#› Delivery Pipeline: Automated, Continuous, Compliant Code Build Release MonitorDeploy + Test Execution App Test Infra DEV INT QA PERF PROD DEV INT SEC QA SEC PERF PROD DEV INT QA SEC PERF PROD Infra App Flow Feedback
- 60. ‹#› Delivery Pipeline: Automated, Continuous, Compliant Code Build Release MonitorDeploy + Test Execution App Test Infra DEV INT QA PERF PROD DEV INT SEC QA SEC PERF PROD DEV INT QA SEC PERF PROD Infra App Flow Feedback Automated Audit and Security Controls at every step
- 68. ‹#› Build
- 69. ‹#› Build
- 70. ‹#› Build
- 71. ‹#› Build
- 72. ‹#› Build
- 73. ‹#› Build
- 74. ‹#› Deploy + Test Execution
- 75. ‹#› Deploy + Test Execution
- 76. ‹#› Deploy + Test Execution
- 77. ‹#› Deploy + Test Execution
- 78. ‹#›
- 79. ‹#›
- 80. ‹#›
- 82. ‹#› Collaborate Early • Setup your IDE with security Plugin(s) • Setup Nexus CLM + Jenkins Integration • Write Security ATDD Test Cases • Setup Fortify Scanning Job • Setup WebInspect scab job • Fix security defects
- 83. ‹#›
- 84. ‹#›
- 85. ‹#›
- 86. ‹#›