
Security and DevOps - ISACA Presentations/Jock...


Security and DevOps: A Dummies Guide

Jock Forrester

The Standard Bank of South Africa Ltd.

* Opinions and reflections expressed are my own and not that of my employer.


What to expect?

• A tale of our journey into Agile, DevOps and taking security along…

• The key outcome: Security in DevOps is LESS technology and process, rather it is MORE a people thing.

• Caveat: This will probably end up leaving you with more questions than answers, though hopefully a path will start to outline itself for you.

Roadmap for the talk (from the slide diagram):

• Waterfall

• Agile

• Puppet & Chef

• Chop Chop

• Phoenix Project

• STB


Recap: Waterfall

(Diagram, described from the surviving labels.) The waterfall phases run Analysis → Design → Build → Test → Deploy. A Risk Assessment (2-3 weeks) and a Penetration Test (2-3 weeks) are the points at which a "Level of Confidence" is established. 18 months later, feature enhancements go through repeated "Code Change and Deploy" steps into Production, each followed by a further Penetration Test (2-3 weeks) and a new "Level of Confidence" marker.


Agile

• Rebecca Parsons: “Agile is not an excuse to be stupid!”


Security

Puppet and Chef

Chop Chop

• How long to deploy Internet Banking and its app server, web server, middle tier, firewall rules, operating system and virtual machines?

Pipeline (from the slide diagram): Continuous Integration Server Loads Build → Infrastructure Provisioned / Configured → Operating System Built → Application Server Deployed → Software Build Deployed


Recognise?


Phoenix Project

• If you are in IT, deal with IT, use IT or hate IT, read this book.


Security Testing Bus

• Leverage automatable tools

• Exploit velocity to fix

• Go down the stack

• Feedback loop

• Shift left

Components on the Security Testing Bus (from the slide diagram): Security Code Review, Application Scan, Security Test Engine, Build Compliance Scan, Vulnerability Scan, Penetration Test.


Automation

Application stream (from the slide diagram):

• Feature request / Backlog item → Create Story → Security Test Cases

• Build Code → Automated Security Code Review (60 Min to 5 Days ^) → Execute Security Test Cases (1 Min – 30 Min *)

• Deploy Code → Execute Security Test Cases (1 Min – 30 Min *) → Application Scan (5 Min – 5 Hours ~)

Infrastructure stream:

• Infrastructure Requirements → Build Standards (eg: Operating System) → Build Infrastructure → Build Compliance Scan (10 Min) → Vulnerability Scan (10 Min)

Production Assurance:

• Execute Security Test Cases (1 Min – 30 Min *)

^ Incremental vs full code base being scanned

* Dependant on number of test cases

~ Dependant on size of application

Each stage in the diagram carries its own "Level of Confidence" marker.
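The Security Testing Bus and Automation slides name the stages but not how a pipeline turns their output into a decision the team can act on. The following is an added example, not code from the presentation or from Standard Bank: a small security gate that takes findings from the slide's stages (Automated Security Code Review, Build Compliance Scan, Vulnerability Scan), applies a per-stage blocking threshold, and chooses an incremental or full code review scope, which is what the slide's ^ footnote (60 minutes versus 5 days) turns on. The finding format, the policy values, the `full_scan_threshold` parameter and the sample findings are all constructed for illustration.

```python
"""Security gate for a DevOps pipeline (added example, not the presentation's code).

Stage names follow the "Automation" slide; the Finding format, the GatePolicy
thresholds and SAMPLE_FINDINGS below are constructed for illustration.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    stage: str      # pipeline stage that produced it (names from the slide)
    severity: str   # low / medium / high / critical
    rule: str       # scanner rule identifier (constructed)
    location: str   # file or host where it was found (constructed)


@dataclass
class GatePolicy:
    # Minimum severity that blocks the pipeline, per stage. A stage absent
    # from the mapping is advisory only: it reports but never blocks.
    block_at: dict = field(default_factory=dict)
    # Above this many changed files the code review runs over the full code
    # base instead of the changed files only (the slide's "incremental vs full").
    full_scan_threshold: int = 50


def select_scan_scope(changed_files, policy):
    """Return ("incremental", files) or ("full", None) for the code review stage."""
    if len(changed_files) > policy.full_scan_threshold:
        return "full", None
    return "incremental", sorted(changed_files)


def evaluate_gate(findings, policy):
    """Split findings into blocking and advisory and return (verdict, blocking, advisory).

    A finding blocks when its stage has a threshold and its severity is at or
    above that threshold; everything else is fed back to the team without
    stopping the deploy (the "feedback loop" on the Security Testing Bus slide).
    """
    blocking, advisory = [], []
    for f in findings:
        threshold = policy.block_at.get(f.stage)
        if threshold and SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]:
            blocking.append(f)
        else:
            advisory.append(f)
    return ("FAIL" if blocking else "PASS"), blocking, advisory


def feedback_report(verdict, blocking, advisory):
    """Render the gate decision as the lines a build log or chat bot would show."""
    lines = [f"security gate: {verdict}"]
    for f in blocking:
        lines.append(f"  BLOCK  [{f.stage}] {f.severity} {f.rule} at {f.location}")
    for f in advisory:
        lines.append(f"  advise [{f.stage}] {f.severity} {f.rule} at {f.location}")
    return "\n".join(lines)


# Constructed policy: code review and build compliance block on high or worse,
# the vulnerability scan only on critical.
POLICY = GatePolicy(
    block_at={
        "Automated Security Code Review": "high",
        "Build Compliance Scan": "high",
        "Vulnerability Scan": "critical",
    },
    full_scan_threshold=50,
)

# Constructed findings, as three stages of one pipeline run might report them.
SAMPLE_FINDINGS = [
    Finding("Automated Security Code Review", "high", "sql-string-concat", "src/accounts.py:42"),
    Finding("Build Compliance Scan", "medium", "ssh-permit-root-login", "host: app-01"),
    Finding("Vulnerability Scan", "low", "server-banner-disclosure", "host: web-01"),
]


def run_pipeline(changed_files, findings, policy):
    """One pipeline run: choose review scope, then gate on the findings."""
    scope, files = select_scan_scope(changed_files, policy)
    verdict, blocking, advisory = evaluate_gate(findings, policy)
    return {"scope": scope, "files": files, "verdict": verdict,
            "report": feedback_report(verdict, blocking, advisory)}


if __name__ == "__main__":
    result = run_pipeline(["src/accounts.py", "src/login.py"], SAMPLE_FINDINGS, POLICY)
    print(f"code review scope: {result['scope']} {result['files']}")
    print(result["report"])
```

The thresholds are deliberately per stage: the slide's point about velocity is that a gate which blocks on every low finding from a 5-hour application scan stops being run, while one that blocks only where fixing is cheap and fast (code review on a small change) keeps the feedback loop short.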


Notables:

• It is about people

• It is all about velocity

• It is about a fresh start

• It is about starting small

• It is about being prepared

• It is about learning with the team

• It is about leveraging the tools you have

• It is not about perfection


Go Automate!

• Thank you
