Preventing Devoops with DevSecOps
Kieran Jacobsen
Technical Lead – Infrastructure & Security
Copyright ©2017 by Readify Limited
2016 was a big year…
2017 is getting off to a bad start…
Before DevOps
DevOps
But Where Is Security?
DevSecOps
› Clear Communication Pathways
› Streamlined Communication
› Security As Code
› Training
› Integrate security into DevOps cycle
Communication Pathways
[Diagram: Development, Operations and Security connected to one another]
Streamlined Communication
NO:
› Excel checklists
› Word document reports
› Email Attachments
YES:
› Backlogs/boards
› Support ticketing
› Markup and Git
Security As Code
› Application Source Code
› Azure ARM and AWS Cloud Formation
› Server Configuration – Chef, Puppet, DSC
ARM Templates
PowerShell DSC
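As an added illustration of "Security As Code" with DSC (example code, not from the talk), the configuration below declares a small set of Windows hardening settings so they can be reviewed in a pull request and re-applied if a server drifts; the node name and the particular settings chosen are assumptions, and the resources used are the built-in ones from the PSDesiredStateConfiguration module.

```powershell
# Added example: a Windows server security baseline expressed as PowerShell DSC.
# Every setting lives in source control and is enforced by the Local Configuration Manager.
Configuration SecurityBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'SERVER01' {   # placeholder node name (assumption)

        # SMBv1 is a legacy protocol with a long history of weaknesses; turn it off on the server side.
        Registry DisableSmb1 {
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }

        # Require SMB signing so file-share traffic cannot be silently tampered with.
        Registry RequireSmbSigning {
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'RequireSecuritySignature'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }

        # The Telnet client sends credentials in cleartext and has no place on a server.
        WindowsFeature RemoveTelnetClient {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }

        # Remote Registry is rarely needed; keep it stopped and disabled to shrink the attack surface.
        Service DisableRemoteRegistry {
            Name        = 'RemoteRegistry'
            StartupType = 'Disabled'
            State       = 'Stopped'
        }
    }
}

# Compile the configuration into a MOF document under .\SecurityBaseline
SecurityBaseline -OutputPath .\SecurityBaseline

# Audit only: report whether the node matches the baseline without changing anything.
Test-DscConfiguration -Path .\SecurityBaseline -Verbose

# Enforce the baseline and wait for the run to finish.
Start-DscConfiguration -Path .\SecurityBaseline -Wait -Verbose
```

Running Test-DscConfiguration on a schedule gives the same drift report the "Rescan for vulnerabilities" step later in the deck asks for, and the Git history of the configuration doubles as the change record.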
Training
› We can’t be experts in Dev, Sec and Ops
› We need cross pollination of skills
› Starts at day 0
› Hands on training for senior developers
Training: Phishing
[Charts: employee breakdown (technical vs. non-technical); click breakdown (technical victims, non-technical victims, passed)]
Integrating Security
Plan
› Integrate security into sprint planning and reviews
› Consider security user stories early
Code
› Training!
› Test driven development
› Use of the correct tools
› Pull Requests
Build
› Static code analysis
› Dynamic code analysis
Test
› Develop security test cases
› Fuzzing
› Load testing
Release & Deploy
› Automated scanning upon deployment
Operate & Monitor
› Monitor logs
› Rescan for vulnerabilities
› Track dependencies
Thank You