Security and DevOps:A Dummies Guide
Jock Forrester
The Standard Bank of South Africa Ltd.
* Opinions and reflections expressed are my own and not that of my employer.
What to expect?
• A tale of our journey into Agile, DevOps and taking security along…
• The key outcome: security in DevOps is LESS about technology and process and MORE a people thing.
• Caveat: this will probably leave you with more questions than answers, though hopefully a path will start to outline itself for you.
• Waterfall
• Agile
• Puppet & Chef
• Chop Chop
• Phoenix Project
• STB (Security Testing Bus)
Recap: Waterfall
[Diagram: the waterfall phases Analysis, Design, Build, Test and Deploy, with "Level of Confidence" as the axis label. A Risk Assessment sits early in the cycle and a Penetration Test (2-3 weeks) sits before deployment. 18 months later, feature enhancements arrive as repeated "Code Change and Deploy" steps into Production, each followed by another 2-3 week Penetration Test.]
Agile
• Rebecca Parsons:
• “Agile is not an excuse to be stupid!”
Security
Puppet and Chef
Chop Chop
• How long to deploy Internet Banking and its app server, web server, middle tier, firewall rules, operating system and virtual machines?
Continuous Integration
[Diagram: pipeline stages]
• Server Loads Build
• Infrastructure Provisioned / Configured
• Operating System Built
• Application Server Deployed
• Software Build Deployed
Recognise?
Phoenix Project
• If you are in IT, deal with it, use it or hate it - read this book.
Security Testing Bus
• Leverage automatable tools
• Exploit velocity to fix
• Go down the stack
• Feedback loop
• Shift left
Security Testing Bus
[Diagram: components on the bus]
• Security Code Review
• Application Scan
• Security Test Engine
• Build Compliance Scan
• Vulnerability Scan
• Penetration Test
Automation
[Diagram: the automated pipeline and the indicative run time of each security step]
• Feature request / Backlog item → Create Story → Security Test Cases
• Build Code → Automated Security Code Review (60 Min to 5 Days ^) → Execute Security Test Cases (1 Min – 30 Min *)
• Deploy Code → Execute Security Test Cases (1 Min – 30 Min *) → Application Scan (5 Min – 5 Hours ~)
• Infrastructure Requirements → Build Standards (eg: Operating System) → Build Infrastructure → Build Compliance Scan (10 Min) → Vulnerability Scan (10 Min)
• Production Assurance → Execute Security Test Cases (1 Min – 30 Min *)
^ Incremental vs full code base being scanned
* Dependent on number of test cases
~ Dependent on size of application
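The automated bus above, as an added example that is not part of the deck or of the bank's tooling: a small Python model of three of its stages run as gates over a constructed build, stopping at the first failing stage so feedback reaches the story quickly. The checks, the build standard values and the sample build are hypothetical stand-ins for real tools.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Build:
    """Constructed stand-in for one build going down the bus."""
    source: str            # application code for the automated code review
    os_config: dict        # settings of the built operating system
    test_results: dict = field(default_factory=dict)  # security test case -> passed?

# Hypothetical build standard the compliance scan checks against (constructed values).
BUILD_STANDARD = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}

def automated_security_code_review(build):
    """Toy stand-in for a code-review tool: flag hard-coded credentials in the source."""
    secret = re.compile(r"""(password|secret)\s*=\s*['"]""", re.IGNORECASE)
    return [f"hard-coded credential on line {n}"
            for n, line in enumerate(build.source.splitlines(), 1) if secret.search(line)]

def execute_security_test_cases(build):
    """Security test cases written with the story; each failed case is a finding."""
    return [f"test case failed: {name}" for name, ok in build.test_results.items() if not ok]

def build_compliance_scan(build):
    """Compare the built OS against the build standard, one finding per deviation."""
    return [f"{key} is {build.os_config.get(key)!r}, standard requires {want!r}"
            for key, want in BUILD_STANDARD.items() if build.os_config.get(key) != want]

# Stages in the order the deck runs them for a code build, with its indicative run times.
STAGES = [("Automated Security Code Review", automated_security_code_review, "60 min to 5 days"),
          ("Execute Security Test Cases", execute_security_test_cases, "1 min to 30 min"),
          ("Build Compliance Scan", build_compliance_scan, "10 min")]

def run_bus(build, fail_fast=True):
    """Run the stages as gates. With fail_fast the first failing stage stops the bus,
    so the team gets feedback on the story at once rather than after the slowest step."""
    report = {"passed": True, "findings": {}}
    for name, check, _runtime in STAGES:
        findings = check(build)
        if findings:
            report["passed"] = False
            report["findings"][name] = findings
            if fail_fast:
                report["stopped_at"] = name
                break
    return report

# Constructed sample build: clean source, compliant OS, one failing security test case.
SAMPLE = Build(source="user = 'svc_app'\nconnect(user)\n", os_config=dict(BUILD_STANDARD),
               test_results={"session cookie is HttpOnly": True, "rate limit on login": False})
```

Calling `run_bus(SAMPLE)` stops at the test-case stage and names the failed case; `run_bus(build, fail_fast=False)` collects every stage's findings for a full report.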
Notables:
• It is about people
• It is all about velocity
• It is about a fresh start
• It is about starting small
• It is about being prepared
• It is about learning with the team
• It is about leveraging the tools you have
• It is not about perfection
Go Automate!
• Thank you