From DevOps to DevSecOps: 2 Dimensions of Security for DevOps

DevOpstoDevSecOps:TwoDimensionsofSecurityinaDevOpsEnterprise

SanjeevSharmaCTO,DevOpsTechnicalSalesandAdoptionIBMDistinguishedEngineer@sd_architect

#WhoAmI

• 20+ Years in Software Development and Delivery

• IBM’s Client-facing CTO for DevOps

• Author: DevOps For Dummies -http://ibm.co/devopsfordummies

• Write DevOps and Cloud Adoption Blog: http://bit.ly/sdarchitect

DevOpsOverview

DevOps:Origins

DevOpsapproach:ApplyLeanprinciplesacceleratefeedbackand

improvetimetovalue

People

Process

Line-of-business

Customer

1. Get ideas into production fast2. Get people to use it3. Get feedback

Continuously Improve:I. Application DeliveredII. Environment DeployedIII. Application and Environment Delivery Process

DeliveringaBusinessCapability:Multi-SpeedIT

Development SCM Build PackageRepo

Deploy

Deploy Test Stage Production Application N

Application C

Application B

Application A

EnterpriseRelease

Agile/InnovationEdgeRapidDeliveryforInnovation•Agile•Antifragile •Experimentation•NewandInnovative•HybridCloud•PaaS

IndustrializedCoreDeliveratregularcadence•Waterfall->Agile•Stability•Predictability•LeanDeliverypipeline•CoreandLegacy

HybridInfrastructure– Physical,Cloud•IaaS/PaaS

BusinessCapability

SecurityandtheApplicationDelivery

Pipeline

Three(Two)DimensionsofSecurity

1. Secure the Perimeter2. Secure the Delivery Pipeline3. Secure the Deliverable

http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/

1. SecurethePerimeter

9OutofScopeforthissession

2. SecuretheDeliveryPipeline

SecureEngineering PatchManagementSecureBuildandDeploy

AvailabilityandBusinessContinuitySeparationofDuties

SecurityEvaluationandLearning

Development SCM BuildPackage

Repo Deploy Testing Staging Production FeedbackPlanning Manage

3. SecuretheDeliverable

Application

MiddlewareConfig

Middleware

OSConfig

HardwareFull

Policies

Secure:• Code• Scripts• Packages• Components• Configurations• Content• Policies• Roles

RisksandVulnerabilities- DeliveryPipelineandDeliverables

1. Vulnerabilities related to the supply chain2. Insider attacks3. Errors and mistakes in the development project4. Weaknesses in the design, code, and integration5. API Economy and Security

http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/

Vulnerabilitiesrelatedtothesupplychain

ExternalSupplierA

ExternalSupplierB

InternalSupplierA

InternalSupplierB

Insiderattacks

Errorsandmistakesinthedevelopmentproject

1 per min 1 per min

4 per min 1 per min

4 per min 4 per min

• Reduced Batch size• Continuous Validation:

– Continuous Security Testing– Testing small batches in

every Sprint

• Antifragile Systems– Servers are ‘cattle’ not

‘pets’

– MTBF vs MTTR

Weaknessesinthedesign,code,andintegration

16http://www-03.ibm.com/security/secure-engineering/

TheAPIeconomyandsecurity

17https://developer.ibm.com/architecture/gallery/APImanagement

TheAPIeconomyandsecurity:Implementation

18https://developer.ibm.com/architecture/gallery/APImanagement

1. API Key management2. API provider/consumer Identity Management3. API Access control4. API Usage management/throttling5. API Security Incident Monitoring6. API Logging and audit trail

DevOpsReferenceArchitecture

Adoptinga(Secure)DevOpsArchitecture

https://developer.ibm.com/architecture/devOps

SolutionArchitecture:DevOpsMulti-SpeedIT

https://developer.ibm.com/architecture/gallery/devOpsMultiSpeed

StartHere:ValueStreamMapping

for IdentifyingandAddressingbottlenecks

MappingyourDeliveryPipeline

Idea/Feature/Bug Fix/Enhancement

Production

Development Build QA SIT UAT Prod

PMORequirements/

Analyst

Developer

CustomersLine of Business

BuildEngineer

QA Team Integration Tester User/Tester Operations

Artifact Repository

Deployment Engineer

Release Management

Code Repository

Deploy

Get Feedback

Infrastructure as Code/Cloud Patterns

Feedback

Customer or Customer Surrogate

Metrics - Reporting/Dashboarding

Artifacts

DevOpsInnovationWorkshop

Reviewthecurrentstate1. Businessgoals,ITgoals,current

initiatives2. DevOps3. Requirements4. Environments5. Repositories6. Roles/Organization7. Metrics8. Security

PrioritizechallengestoberesolvedCreateafirstpassatanimprovementroadmap

Thewhiteboard

Questions?

From DevOps to DevSecOps: 2 Dimensions of Security for DevOps

Software

IBM Migrating from Cloud Foundry Field Guide...Incorporate security (DevSecOps), product management (BizDevOps), and infrastructure agility (GitOps) into your DevOps adoption to meet

Continuous Application Security at Scale with IAST and RASP -- Transforming DevOps into DevSecOps

WHITE PER Improving federal IT modernization outcomes with ...€¦ · approaches, such as DevOps, DevSecOps, and Agile. • Cloud-native environments rely heavily on automation,

A DevSecOps Guide - Bitpipe... A DevSecOps Guide • 3 DevSecOps: Making It Happen After understanding the value of a DevOps mindset, making the cultural shift and reaping the benefits,

EMBRACING DEVSECOPS WITH EMBEDDED APPLICATION … · •Cloud Enthusiast, DevOps and Cybersecurity Imposter •Animal Shelter Volunteer (Cat Snuggler) ... APPSEC STATE OF THE PRACTICE:

A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration

DevSecOps Overview - NYS Forum Home · 11/14/2018 · DevSecOps Overview November 14, 2018 ... 3 Benefits of DevSecOps 4 How to Implement DevSecOps 5 Summary / Questions. Security

WHY IS SOFTWARE SECURITY IMPORTANT? · DEVSECOPS – BUZZWORD OR NECESSITY? DevSecOps is a concept which connects traditional DevOps and Security engineers. It accepts the fact that

DevOps - NERCOMP€¦ · Agenda 9:00 Intro 9:20 DevOps on a Shoestring 10:20 Break 10:30 High Availability DevOps 11:30 DevSecOps 12:30 Lunch 1:30 Kubernetes vs Docker Swarm 2:30

MAKING THE JUMP FROM DEVOPS TO DEVSECOPS · DEVSECOPS PROVIDES BETTER GOVERNANCE Treating everything as code leads to easier auditability. No questions. Just look at our process in

DevSecOps - The big picture v1 - Meetupfiles.meetup.com/19432258/DevSecOps - The big picture_v1.0.pdf · the DevOps picture. In other words, when you hear "DevOps" today, you should

DevSecOps – Agility with Security€¦ · 6 DevSecOps – Agility with Security Figure 1 - "DevOps Done Well" - Murray Goldschmidt The need to identify issues and resolve them quickly

DEVSECOPS: Coding DevSecOps journey

Learn how ZolonTech bridges the gap between DevOps and Security DevSecOps Whit… · With the evolution of DevOps, automation of developing, testing and deploying the code has become

DevSecOps: Injecting Security into DevOps - c4i.gmu.edu · ‘Fast & agile’ phases • DevSecOps concepts integrate well with enterprise objectives to incorporate: • Cost savings

MAKING THE JUMP FROM DEVOPS TO DEVSECOPS€¦ · DEVSECOPS IS A SECURITY ENABLER By leveraging automation and fixing issues sooner, Security can focus on the cooler stuff that they

DevSecOps – Security at the speed of Developmenttechworld.event.idg.se/wp-content/uploads/sites/15/... · Source: Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed

DevSecOps Fundamentals

Humanising DevSecOps

Secure DevOps before DevSecOps · 2019-11-05 · DevOps offers a world of possibilities to automate security checks to find vulnerabilities earlier, before they are deployed and when