Introduction to DevSecOps OWASP Ahmedabad
Download as pptx, pdf0 likes124 views
Here I have shared a basic introduction about DevOps and DevSecOps. What approach a organization should follow, benefits of CI/CD Pipelines etc.
More Related Content
What's hot (20)
Similar to Introduction to DevSecOps OWASP Ahmedabad (20)
More from kunwaratul hax0r (6)
Recently uploaded (20)
Introduction to DevSecOps OWASP Ahmedabad
- 2. Introduction to DevSecOps Kunwar Atul (@kunwaratulhax0r)
- 3. root@whoami • Kunwar Atul • Yet another Appsec and DevSecOps Guy • Break – Fix – Repeat • Part time Bug Hunter • Synack Red Team Member • OWASP MASVS Hindi Contributor (Ongoing Project) • DevSecOps University Contributor • I Love Knowing What’s Going On (emerging vulns, tools, PoC), CTFs, Offensive Security Work, Cricket, and no compromise with food and coffee. • Social media- kunwaratulhax0r
- 4. What is DevOps • DevOps is a software development method that highlights collaboration and open communication between teams basically it reduce the gap between teams.
- 5. What is DevOps • DevOps is all about Process. • DevOps is about Connections. • DevOps is about Tools. • DevOps is about Automating Everything. • Continuous Software Delivery.
- 6. DevOps Goals • Automated Provisioning • No Downtime Deployments • Monitoring • Automated Builds and Testing
- 7. What Happens in DevOps Automate everything using tools Continuous Development Continuous Integration Continuous Testing Continuous Deployment Continuous Monitoring
- 8. Finally • Great Customer Satisfaction • Increased Productivity
- 9. Planning Phase • In the planning phase all the details related to current build will be logged in the JIRA and Yutrack.
- 10. Development Phase • For Source Code Management we have GIT and SVN. These tools will help us in maintaining the code.
- 11. Build Phase • They help you package your code into executable files which can then be produced into the testing environment.
- 12. Testing Phase • For continuous testing we will use Robotic Process Automation and some other reusability code.
- 13. Release Phase • For the release phase, automate tools like bamboo are used in the releasing a build.
- 14. Deployment Phase • After the code is tested and ready it will be deployed into production or the non-developer machine at this stage.
- 15. Operation Phase • In the operation phase everything will be monitored by using Security Incident and Event Management (SIEM Tools) for security alerts and misbehavior of application.
- 16. Monitor Phase • In the monitoring phase, continuous feedbacks will be taken from customers and will be monitoring them.
- 18. Challenges Without DevSecOps • With the fast pace of development in the Agile world, there is a lack of focus on security during the development process. • The quality of the solution is often compromised from a security standpoint while focusing on feature deliverables during the Agile development lifecycle. • Further, it costs the organization's reputation when critical vulnerabilities are found in shipped solution(s). • Customer sensitive data is compromised due to lack of security testing focus. • A lot of manual effort in order to perform security testing can lead to a delay in uncovering critical vulnerabilities and, further, may result in either delaying the deliverables or shipping them with unknown vulnerabilities.
- 19. What is DevSecOps Development SecurityOperations DevSecOps is a software development concept or mindset that aims at unifying development, operations, and security as a single process in SDLC.
- 20. What is DevSecOps • Security of the CI/CD Pipeline • Automated IAM roles, Jenkins server hardening, etc. • Security in the CI/CD Pipeline • Automated security tests, code analysis etc. • Security Automation • Automated Incident Response Remediation, forensics etc.
- 22. • DevOps = Efficiencies that speed up this lifecycle. • DevSecOps = Validate building blocks without slowing lifecycle.
- 23. DevSecOps: How Important is it? • Agile took us from months to days to deliver software. • DevOps took us from months to minutes to deploy software. • More applications are mission critical. • Now security has become the bottleneck.
- 24. DevSecOps makes everyone responsible for Security, because Security is not one-person job.
- 25. People: What type of Skills are Required? 9 2.5 2.5 2.5 2.5 9 2.5 9 2.5 0 2 4 6 8 10 12 14 16 Developer Sysadmin Security Engineer Skills Chart Dev Sec Ops
- 27. The Main Course • Vulnerability Scans and Assessments • Threat Modelling • Secure Code Reviews (Static Code Analysis) • Penetration Testing Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
- 28. The Gravy • Educating developers on Secure Coding • Practices with workshops, talk, lessons • Secure Coding Standards • Responsible Disclosures • Secure Code Library and other reference materials, creating custom tools Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
- 29. The Dessert • Bug Bounty Programs • CTF’s • Red Team Exercises Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
- 32. Best Practices for DevSecOps • Train development teams to develop secure code. • Track security issues the same as software issues. • If infrastructure is now code, then security should be code. • Integrate security controls in the software pipeline. • Automate security test in the build process. • Detect known vulnerabilities during the pipeline. • Monitor security in the production for known states • Inject failure to ensure security is hardend.
- 34. Q/A
- 35. Thank You Reach me: @kunwaratulhax0r