Adopting a security attitude in DevOps via DevOpsSec

Post on 15-Jan-2017


@TopoPal

Tapabrata “Topo” Pal, Engineering Fellow

Product Manager, Shared Continuous Delivery Tools Platform; Community Manager, Hygieia Open Source DevOps Dashboard

tapabrata.pal@capitalone.com @TopoPal

Past:

• PhD in Semiconductor Physics

• 20 years of IT experience as Developer, Architect, System Engineer

• Experience in Retail, Healthcare and Finance industries

• 70 million accounts

• One of the largest Digital Banks

• ~20 years old

Different DNA

• Build our own software

• Build on public cloud

• MicroServices

• Open Source

• DevOpsSec and Continuous Delivery

http://www.devopsdays.org


Deliver High Quality Working Software Faster

• No security flaws

• No legal flaws

• Minimum defects

• All levels of testing done

• Code reviewed and source controlled

• Testing of application, configuration, scripts etc.

• Across LOBs, Shared Services and 3rd Parties

• Tested end-to-end

• All dependencies are satisfied

• How fast? ASAP?

http://www.netuba.org/

https://en.wikipedia.org/wiki/Oil_refinery

https://commons.wikimedia.org/wiki/File:US_Navy_060906-N-8257O-026_Damage_Controlman_1st_Class_Petty_Officer_Derrick_Harney_assists_his_students_in_repairing_a_broken_pipeline_during_the_hands_on_patch_training_portion_of_the_Damage_Control_Wet_Trainer.jpg

A delivery pipeline without a security attitude is NOT a pipeline

Business

• Requirements

• Feature Request

• Roadmap

Development

• Architecture

• Design

• Code

• Test

Operations

• Infrastructure

• Platforms

• Environment

• Deployment

• Incident Mgmt

• Change & Release Mgmt.

Information Security

• Application Security

• Security Testing

• Information Security

• Infrastructure Security

DevOpsSec

Three Pillars of DevOpsSec

• Shift Left

• Automate Everything

• Dashboard Everything

[Diagram: end-to-end delivery pipeline]

• Tooling: IDE, Source Control, Agile PM Tools, Defect Management, CI Tool, Code Quality Check, Unit/Integration Test, Binary Repository, Test Mgmt, Test Data Mgmt, Service Virtualization

• Continuous Integration: Request, Plan; Develop, Unit Test; Automated Build; Code Analysis; Automated Tests; Report Results

• Continuous Deployment (Automated/Continuous Deployment): Plan, Deploy, Verify, Monitor

• Continuous Testing: Develop, Promote, Verify, Execute; Service Test, UI Test, Device Test, Perf Test, Security Test, Acceptance Test

• Infrastructure and Environment

• Dashboard/Feedback: End to End Traceability, Real time status of Code, Build, Deploy, Test, Application and Environment Health

Delivery Pipeline: Automated, Continuous, Compliant

[Diagram: stages Code → Build → Deploy + Test Execution → Release → Monitor, with App, Test and Infra lanes promoted through the DEV, INT, QA, SEC, PERF and PROD environments; Flow runs forward through the stages, Feedback runs back]

Automated Audit and Security Controls at every step

Code

Application Code

Test Code

Infrastructure Code

• IDE Security Plugins

• Secure Coding Practices

• Security BDD

• Open Source Bill of Material

Security during Coding

Build

• Bill of Materials

• Static Code Analysis

• Static Security Analysis

• Security BDD

Security during Building

Deploy + Test Execution

Security Testing

• Application Security Testing

• Penetration Testing

• Data Security Testing

• Configuration Security Testing

Security Shift-Left

Security Rapid Feedback

Any Questions?