Adopting a security attitude in DevOps via DevOpsSec
Uploaded by tapabrata-pal
Transcript of Adopting a security attitude in DevOps via DevOpsSec
![Page 1: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/1.jpg)
Adopting a security attitude in DevOps via DevOpsSec
![Page 2: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/2.jpg)
@TopoPal
Tapabrata “Topo” Pal, Engineering Fellow
Product Manager, Shared Continuous Delivery Tools Platform; Community Manager, Hygieia Open Source DevOps Dashboard
[email protected] @TopoPal
Past:
• PhD in Semiconductor Physics
• 20 years of IT experience as Developer, Architect, System Engineer
• Experience in Retail, Healthcare and Finance industries
![Page 3: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/3.jpg)
• 70 million accounts
• One of the largest Digital Banks
• ~ 20 years old
![Page 4: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/4.jpg)
Different DNA
• Build our own software
• Build on public cloud
• MicroServices
• Open Source
• DevOpsSec and Continuous Delivery
![Page 6: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/6.jpg)
Deliver High Quality Working Software Faster
![Page 7: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/7.jpg)
Deliver High Quality Working Software Faster
• No security flaws
• No legal flaws
• Minimum defects
• All levels of testing done
• Code reviewed and source controlled
• Testing of application, configuration, scripts etc.
• Across LOBs, Shared Services and 3rd Parties
• Tested end-to-end
• All dependencies are satisfied
• How fast? ASAP?
![Page 8: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/8.jpg)
http://www.netuba.org/
![Page 10: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/10.jpg)
https://commons.wikimedia.org/wiki/File:US_Navy_060906-N-8257O-026_Damage_Controlman_1st_Class_Petty_Officer_Derrick_Harney_assists_his_students_in_repairing_a_broken_pipeline_during_the_hands_on_patch_training_portion_of_the_Damage_Control_Wet_Trainer.jpg
![Page 11: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/11.jpg)
A delivery pipeline without security attitude is NOT a pipeline
![Page 12: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/12.jpg)
![Page 13: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/13.jpg)
![Page 14: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/14.jpg)
Business • Requirements • Feature Request • Roadmap
Development • Architecture • Design • Code • Test
Operations • Infrastructure • Platforms • Environment • Deployment • Incident Mgmt • Change & Release Mgmt.
Information Security • Application Security • Security Testing • Information Security • Infrastructure Security
DevOpsSec
![Page 15: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/15.jpg)
Three Pillars of DevOpsSec
• Shift Left
• Automate Everything
• Dashboard Everything
![Page 16: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/16.jpg)
Pipeline diagram (labels recovered from the slide):
• Tooling: IDE, Source Control, Agile PM Tools, Defect Management, CI Tool, Binary Repository, Code Quality Check, Unit/Integration Test, Test Mgmt, Test Data Mgmt, Service Virtualization, Infrastructure and Environment
• Flow: Request, Plan → Develop, Unit Test → Continuous Integration (Automated Build, Code Analysis, Automated Tests, Report Results) → Continuous Deployment (Plan, Deploy, Verify, Monitor) → Continuous Testing (Develop, Execute, Verify, Promote)
• Test types: Service Test, UI Test, Device Test, Perf Test, Security Test, Acceptance Test
• Dashboard/Feedback: End to End Traceability, Real time status of Code, Build, Deploy, Test, Application and Environment Health
![Page 17: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/17.jpg)
![Page 18: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/18.jpg)
Delivery Pipeline: Automated, Continuous, Compliant
Pipeline diagram (labels recovered from the slide):
• Stages: Code → Build → Deploy + Test Execution → Release → Monitor
• Lanes: App, Test, Infra
• Environments: DEV, INT, QA, SEC, PERF, PROD
• Flow forward through the stages, Feedback back to them
• Automated Audit and Security Controls at every step
![Page 19: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/19.jpg)
Security during Coding
Code: Application Code, Test Code, Infrastructure Code
• IDE Security Plugins
• Secure Coding Practices
• Security BDD
• Open Source Bill of Material
![Page 20: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/20.jpg)
Security during Building
Build
• Bill of Materials
• Static Code Analysis
• Static Security Analysis
• Security BDD
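The coding and building slides both list a bill of materials as a security control. The following is an added example, not code from the talk or from the speaker's organisation, of what such a control looks like as an automated build gate: it parses a pinned dependency manifest, emits a bill of materials the pipeline can archive, and fails the build when a component is on a deny list or is not pinned to an exact version. The manifest format (pip-requirements style), the policy, and every package name and version in the sample are constructed for illustration.

```python
"""Added example (not from the talk): a build-stage gate that derives a
bill of materials (BOM) from a pinned dependency manifest and fails the
build when policy is violated. The manifest format (pip-requirements style),
the policy and the sample data are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample manifest; the package names and versions are illustrative.
SAMPLE_MANIFEST = """\
# application dependencies
requests==2.31.0
flask==2.3.2
pyyaml>=5.4              # range specifier: not reproducible, policy violation
leftpad-clone==0.1.0     # hypothetical package on the organisation's deny list
"""


@dataclass(frozen=True)
class Component:
    name: str
    version: Optional[str]  # None when not pinned with '=='


@dataclass(frozen=True)
class Policy:
    denied: FrozenSet[str]          # package names the organisation forbids
    require_pinned: bool = True     # every component must resolve to one version


# name, optional comparison operator, optional version; comments are stripped before matching
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s]*)$")


def parse_manifest(text: str) -> List[Component]:
    """Turn manifest lines into components; unparseable lines fail loudly."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = _REQ_RE.match(line)
        if not match:
            raise ValueError(f"unparseable requirement: {raw!r}")
        name, op, version = match.group(1).lower(), match.group(2), match.group(3)
        components.append(Component(name, version if op == "==" and version else None))
    return components


def build_bom(components: List[Component]) -> List[Dict[str, str]]:
    """Sorted, serialisable BOM that the pipeline can archive with the build."""
    return [{"name": c.name, "version": c.version or "unpinned"}
            for c in sorted(components, key=lambda c: c.name)]


def evaluate(components: List[Component], policy: Policy) -> List[str]:
    """One finding per policy violation, in manifest order."""
    findings = []
    for c in components:
        if c.name in policy.denied:
            findings.append(f"{c.name}: denied by policy")
        if policy.require_pinned and c.version is None:
            findings.append(f"{c.name}: not pinned to an exact version")
    return findings


def gate(manifest_text: str, policy: Policy) -> Tuple[bool, List[Dict[str, str]], List[str]]:
    """Returns (build may proceed, BOM, findings)."""
    components = parse_manifest(manifest_text)
    findings = evaluate(components, policy)
    return (not findings, build_bom(components), findings)


if __name__ == "__main__":
    ok, bom, findings = gate(SAMPLE_MANIFEST, Policy(denied=frozenset({"leftpad-clone"})))
    for entry in bom:
        print(f"BOM  {entry['name']} {entry['version']}")
    for finding in findings:
        print(f"FAIL {finding}")
    print("build gate:", "pass" if ok else "fail")
```

The BOM is produced even when the gate fails, so the dashboard can show what the build would have shipped; in a real pipeline the deny list would be fed from the organisation's vulnerability and licence data rather than a literal in the script.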
![Page 21: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/21.jpg)
Security Testing (Deploy + Test Execution)
• Application Security Testing
• Penetration Testing
• Data Security Testing
• Configuration Security Testing
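Configuration security testing is the item on this slide that is easiest to automate in the deploy stage, and the earlier pipeline slide places security controls at every environment. The following is an added example, not code from the talk or from the speaker's organisation, of a configuration test that runs before promotion: it checks a service's deployment configuration for weak settings, reports findings in every environment, and blocks promotion only from a chosen environment onward, so early lanes get rapid feedback without stopping the flow. The configuration shape, the rules, the weak and corrected sample values, and the environment at which findings become blocking are all constructed; only the environment names come from the slides.

```python
"""Added example (not from the talk): a deploy-stage configuration security
test that runs against a service's deployment configuration before promotion.
The config shape, the rules and the sample values are constructed; the
environment names mirror the talk's DEV/INT/QA/SEC/PERF/PROD lanes."""
import json
from typing import Any, Dict, List

# Constructed weak configuration for a hypothetical service.
WEAK_CONFIG = json.dumps({
    "service": "payments-api",
    "debug": True,
    "tls": {"enabled": False, "min_version": "1.0"},
    "cors": {"allowed_origins": ["*"]},
    "admin_password": "changeme",
    "session_timeout_minutes": 1440,
})

# The same service with each weak setting corrected.
SAFE_CONFIG = json.dumps({
    "service": "payments-api",
    "debug": False,
    "tls": {"enabled": True, "min_version": "1.2"},
    "cors": {"allowed_origins": ["https://app.example.test"]},
    "admin_password_ref": "vault:payments/admin",  # a reference, not the credential itself
    "session_timeout_minutes": 30,
})

# Pipeline order; findings only block promotion from BLOCKING_FROM onward,
# so early environments still get feedback without stopping the flow.
ENVIRONMENTS = ["DEV", "INT", "QA", "SEC", "PERF", "PROD"]
BLOCKING_FROM = "SEC"


def check_config(cfg: Dict[str, Any]) -> List[str]:
    """Return one finding per weak setting; an empty list means clean."""
    findings = []
    if cfg.get("debug") is True:
        findings.append("debug mode enabled")
    tls = cfg.get("tls", {})
    if not tls.get("enabled", False):
        findings.append("TLS disabled")
    elif tls.get("min_version") in ("1.0", "1.1"):
        findings.append(f"TLS minimum version {tls['min_version']} is obsolete")
    if "*" in cfg.get("cors", {}).get("allowed_origins", []):
        findings.append("CORS allows any origin")
    for key, value in cfg.items():
        # literal credentials in config: keys ending in password/secret/token with a string value
        if key.endswith(("password", "secret", "token")) and isinstance(value, str) and value:
            findings.append(f"credential '{key}' stored in configuration")
    if cfg.get("session_timeout_minutes", 0) > 60:
        findings.append("session timeout exceeds 60 minutes")
    return findings


def verdict(config_text: str, environment: str) -> Dict[str, Any]:
    """Evaluate a config for one environment and decide whether promotion may proceed."""
    if environment not in ENVIRONMENTS:
        raise ValueError(f"unknown environment: {environment}")
    findings = check_config(json.loads(config_text))
    blocking = ENVIRONMENTS.index(environment) >= ENVIRONMENTS.index(BLOCKING_FROM)
    return {
        "environment": environment,
        "findings": findings,
        "blocking": blocking,
        "promote": not (findings and blocking),
    }


if __name__ == "__main__":
    for env in ("DEV", "PROD"):
        for label, text in (("weak", WEAK_CONFIG), ("safe", SAFE_CONFIG)):
            result = verdict(text, env)
            print(f"{env:4} {label}: promote={result['promote']} findings={result['findings']}")
```

Keeping the rules in code next to the service means the same check runs identically in every lane, which is what makes the result reportable on the dashboard rather than a one-off review finding.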
![Page 22: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/22.jpg)
Security Shift-Left
![Page 23: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/23.jpg)
Security Rapid Feedback
![Page 24: Adopting a security attitude in DevOps via DevOpsSec](https://reader031.fdocuments.net/reader031/viewer/2022022202/587b24ab1a28ab736c8b74e5/html5/thumbnails/24.jpg)
Any Question?