Strengthen and Scale security using DevSecOps
@secfigo | www.teachera.io | secfigo@gmail.com
OWASP Indonesia Meetup
Mohammed A. Imran
Senior Security Engineer

# whoami
Author, speaker and community leader.
Speaker/trainer at Blackhat, AppSec EU, PyCon, All Day DevOps, DevSecCon London, DevSecCon Singapore, Nullcon, etc.
Organizer of the DevSecOps track at OSS 2018.
Project leader for the OWASP DevSecOps Studio, DevSlop, Integra and Awesome-Fuzzing projects.
Organised around 100 monthly security meetings and about 50 workshops.
SCJP, OSCP, OSCE, AWS-CP, AWS-CSA, AWS-SS
1. Agile and DevOps

Long, long time ago
Trivia: how is this related to Singapore?
Traditional SDLC
Requirements: gather requirements from the client/customer
Design: design the software according to the requirements
Implementation: implement the design agreed upon
Deploy: deploy the software to production
Maintain: maintain the software in production

Business requirements on one side, development teams on the other, and a wall of uncertainty between them.
Enter the change: Agile
Everything changed after Agile: much shorter development cycles and faster deploys to production. The speed with which changes are being made is beyond the reach of security (and operations).

Then Agile happened: developers on one side, operations on the other, and a wall of confusion between them.
DevOps
"DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality." - Bass, Weber and Zhu, DevOps: A Software Architect's Perspective

DevOps sits at the intersection of Development (Software Engineering), Operations and Quality Assurance.
DevOps Cycle
A. Plan & Create: plan and implement the code using source code management (SCM)
B. Verify: test and verify that the code does what the business wants
C. Package: package the code in a deployable artefact and test it in a staging environment
D. Release: release the artefact as production ready after change/release approvals
E. Configure: configure the application/stack using configuration management
F. Monitor: monitor the application for its performance, security and compliance
DevOps Security
Wall of compliance

Traditional Secure SDLC
Security is outnumbered!
Dev : Ops : Security = 100 : 10 : 1
Recall the definition: DevOps reduces the time between committing a change and placing it into normal production "while ensuring high quality" (Bass, Weber and Zhu). Security is part of quality, so by definition security is part of DevOps.

DevSecOps
DevSecOps adds Security to the same picture: Development (Software Engineering), Security, Operations and Quality Assurance.
DevSecOps Benefits
Flexibility: With ever-changing technology, businesses have to be flexible and fast to deliver value to their customers, otherwise they risk losing the business.
Reliability: Customers need more reliable and available systems. DevOps reduces failure rates and provides faster feedback.
Resilience: DevOps helps organisations design and implement resilient systems.
Automation: Automation helps reduce the complexity of modern systems and can scale as needed.
Speed: Speed is a competitive advantage, and DevOps helps to go to market faster.
How to DevSecOps?
Core Values of DevOps (CAMS)
Culture: DevOps is about breaking down barriers between teams; without culture, the other practices fail.
Automation: Often mistaken for DevOps itself, but a very important aspect of the initiative.
Measurement: Measuring activities in CI/CD helps teams make informed decisions.
Sharing: Sharing tools, best practices etc. among teams and across the organization builds the confidence needed for collaboration.

Build bridges, not walls!
Build guard rails, not gates!
Embed security early and often.

Conway's Law
"Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure."
2. Continuous Integration/Deployment
CI/CD
Stages: PLAN > CODE > BUILD > TEST > RELEASE > DEPLOY > OPERATE
Supporting components: Requirements, Code Repository, CI Server, Integration Testing, Artefact Repository, CD Orchestration, Monitoring

Typical activities per stage:
PLAN: Functional requirements; Non-functional requirements; Design
CODE: Code; Branching; Third-party components; Hooks
BUILD: Compile; Basic tests; Lint (analyze); Package; Security
TEST: Integration; Performance; Security; Test on staging
RELEASE: Release; Schedule
DEPLOY: Configuration; Inventory; Infrastructure
OPERATE: Metrics; Monitoring; Alerting

The practices layered on the same pipeline, each spanning progressively more of it: Agile Development, Continuous Integration, Continuous Delivery, Continuous Deployment, DevOps/DevSecOps.
3. Scale security with DevOps
DevSecOps Implementation
So far we have looked at the principles and ideas behind DevSecOps, but how do we start implementing it? The techniques below can be used to implement a full-blown security pipeline.

Everything as Code (EaC): compliance as code and hardening via configuration management systems
Secure by Default: use secure-by-default frameworks and services
Shift Security Left: use the CI/CD pipeline to embed security
Self Service: give developers and operations visibility into security activities
Security Champions: encourage security champions to pick up security tasks
Use Maturity Models: use DevSecOps maturity models to improve further
1. Shift Security Left
Use the CI/CD pipeline to embed security early on. The typical security activities below are mapped, roughly, onto the same pipeline stages as the typical DevOps activities above:

PLAN: Threat Modelling; ASVS (OWASP Application Security Verification Standard)
CODE: Git secrets (pre-commit); Dependency Scanning
BUILD: Dependency Scanning; Code Analysis (SAST); Security Unit Tests; Docker security testing; Git secrets scanning
TEST: Component scanning; ZAP testing (baseline); Container Scanning; ModSecurity CRS; Docker/Third Party; SSL scanning; Nikto/dirbuster; WPScan/JoomScan; ZAP + Selenium + Python
DEPLOY: Docker Benchmark; System Hardening; Application Hardening; Compliance as code
OPERATE: SOC with ELK; Verify Controls
2. Self Service
Gives developers and operations visibility into security activities
3. Everything as Code (EaC)
Compliance as code and hardening via configuration management systems
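What "compliance as code" looks like in practice, as an added example for this deck (not code from the slides, from InSpec or from OWASP DevSecOps Studio): a hardening policy expressed as data, evaluated against a host's sshd_config the same way an InSpec profile would be, with the result gating a deploy. The control ids, the policy values and the sshd_config text are constructed for illustration.

```python
"""Compliance as code: evaluate a hardening policy against an sshd_config.

Added example; the policy, the control ids (ssh-01 ...) and the sshd_config
text below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample of a host that was only partially hardened.  The second
# PermitRootLogin line is deliberate: sshd keeps the FIRST value it sees.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 6
UsePAM yes
PermitRootLogin no
"""

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Control:
    control_id: str   # hypothetical identifier, stable across runs
    directive: str    # sshd_config keyword
    expected: str     # required value
    check: str        # "eq": must equal expected; "max": integer <= expected
    severity: str     # low | medium | high


# The policy is data, so it lives in git next to the Ansible role that
# enforces it and is reviewed like any other change.
POLICY = (
    Control("ssh-01", "PermitRootLogin", "no", "eq", "high"),
    Control("ssh-02", "PasswordAuthentication", "no", "eq", "high"),
    Control("ssh-03", "X11Forwarding", "no", "eq", "medium"),
    Control("ssh-04", "MaxAuthTries", "4", "max", "low"),
    Control("ssh-05", "UsePAM", "yes", "eq", "medium"),
)


def parse_sshd_config(text: str) -> dict:
    """Map lowercased directive -> value, dropping comments and blank lines.
    The first occurrence of a keyword wins, matching sshd's own semantics."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives.setdefault(parts[0].lower(), parts[1].strip())
    return directives


def _passes(control: Control, actual) -> bool:
    if actual is None:           # a missing directive never satisfies a control
        return False
    if control.check == "eq":
        return actual.lower() == control.expected.lower()
    if control.check == "max":
        return actual.isdigit() and int(actual) <= int(control.expected)
    raise ValueError(f"unknown check type {control.check!r}")


def evaluate(policy, config_text: str) -> list:
    """Run every control and return one result dict per control."""
    directives = parse_sshd_config(config_text)
    results = []
    for c in policy:
        actual = directives.get(c.directive.lower())
        results.append({
            "id": c.control_id, "directive": c.directive,
            "expected": c.expected, "actual": actual,
            "severity": c.severity, "passed": _passes(c, actual),
        })
    return results


def failing(results, min_severity: str = "medium") -> list:
    """Failed controls at or above min_severity; this is what gates a deploy."""
    floor = SEVERITY_RANK[min_severity]
    return [r for r in results
            if not r["passed"] and SEVERITY_RANK[r["severity"]] >= floor]


def exit_code(results) -> int:
    """Non-zero only for high-severity failures, as a CI job would use it."""
    return 1 if failing(results, "high") else 0


if __name__ == "__main__":
    res = evaluate(POLICY, SAMPLE_SSHD_CONFIG)
    for r in res:
        status = "PASS" if r["passed"] else "FAIL"
        print(f"{status} {r['id']} {r['directive']}={r['actual']!r} "
              f"(want {r['expected']}, {r['severity']})")
    raise SystemExit(exit_code(res))
```

Against the sample, ssh-01, ssh-03 and ssh-04 fail and only ssh-01 is severe enough to block. The point is that the expected state is versioned data, so a failed control is a diff against a reviewed baseline rather than an auditor's opinion.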
4. Secure by default
Use secure by default frameworks and services
4. DevSecOps Maturity Model

DevSecOps Maturity Model (DSOMM)
Static Depth: How deep is the static code analysis?
Dynamic Depth: How deep are the dynamic scans executed?
Intensity: How intense are the majority of the executed attacks?
Consolidation: How complete is the process of handling findings?
Source: https://www.slideshare.net/cschneider4711/hackpra-2015-security-devops-free-pentesters-time-to-focus-on-highhanging-fruits
Security Tools in CI/CD
1. Anything that takes more than 10 minutes (and that is optimistic) isn't fit for CI/CD.
2. SAST/DAST without custom rules/tweaks is of little benefit down the line.
3. Create separate jobs for each tool so that failures are easy to debug later.
4. Roll out tools in phases.
5. Fail builds when critical/high severity issues are found, but only after devs/ops have had enough time to learn and get used to the security tools.
6. Link a wiki page from the scan output for anyone who needs answers.
7. Tools that provide APIs are huge wins, but make sure you at least have a CLI.
8. Check whether your tools do incremental/baseline scans.
9. Some ability to control scope and false positives locally is nice (see Brakeman, ZAP and Dependency-Check).
10. When in doubt, ask developers/QA for help.
11. Everything as Code (EaC): auditable, measurable and secure.
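Points 5, 6, 8 and 9 above translate into a small build gate that sits between the scanner and the CI job's exit code. The following is an added example (not code from the slides or from Bandit) for the SAST tool used in the demo: it reads Bandit's JSON report, drops findings listed in a reviewed baseline file, blocks only at or above a severity/confidence threshold, and points each blocking finding at a wiki page. The report, the baseline file and the wiki URL are constructed samples; the test ids and severities are the ones Bandit assigns to those checks.

```python
"""CI gate for a Bandit JSON report (added example).

Bandit is run as `bandit -r . -f json -o bandit.json`; the report's "results"
list carries test_id, issue_severity, issue_confidence, filename, line_number
and issue_text.  The report, baseline and wiki URL below are constructed.
"""
import json

LEVEL = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
WIKI = "https://wiki.example.internal/appsec/bandit/"   # hypothetical

# Constructed Bandit output, trimmed to the fields the gate needs.
SAMPLE_REPORT = json.dumps({"results": [
    {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "filename": "app/run.py", "line_number": 12,
     "issue_text": "subprocess call with shell=True identified, security issue."},
    {"test_id": "B105", "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "filename": "app/settings.py", "line_number": 3,
     "issue_text": "Possible hardcoded password: 'changeme'"},
    {"test_id": "B301", "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
     "filename": "app/cache.py", "line_number": 40,
     "issue_text": "Pickle and modules that wrap it can be unsafe when used to "
                   "deserialize untrusted data."},
    {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "filename": "tools/legacy.py", "line_number": 88,
     "issue_text": "subprocess call with shell=True identified, security issue."},
]})

# Baseline of accepted findings, kept in the repo and reviewed like code.
# Each entry carries a reason so the suppression can be re-examined later.
SAMPLE_BASELINE = json.dumps([
    {"test_id": "B602", "filename": "tools/legacy.py", "line_number": 88,
     "reason": "command string is a constant; scheduled for removal"},
])


def _key(finding: dict) -> tuple:
    return (finding["test_id"], finding["filename"], finding["line_number"])


def load_findings(report_json: str) -> list:
    return json.loads(report_json)["results"]


def apply_baseline(findings: list, baseline_json: str) -> tuple:
    """Split findings into (kept, suppressed) using the baseline's keys."""
    accepted = {_key(b) for b in json.loads(baseline_json)}
    kept = [f for f in findings if _key(f) not in accepted]
    suppressed = [f for f in findings if _key(f) in accepted]
    return kept, suppressed


def blocking(findings: list, min_severity="HIGH", min_confidence="MEDIUM") -> list:
    """Findings that should fail the build.  The confidence floor keeps
    low-confidence noise from eroding developers' trust in the tool."""
    return [f for f in findings
            if LEVEL[f["issue_severity"]] >= LEVEL[min_severity]
            and LEVEL[f["issue_confidence"]] >= LEVEL[min_confidence]]


def describe(finding: dict) -> str:
    """One line per finding, ending with the wiki link for its test id."""
    return (f"{finding['filename']}:{finding['line_number']} "
            f"[{finding['test_id']} {finding['issue_severity']}/"
            f"{finding['issue_confidence']}] {finding['issue_text']} "
            f"-> {WIKI}{finding['test_id']}")


def gate(report_json: str, baseline_json: str = "[]",
         min_severity="HIGH", min_confidence="MEDIUM") -> dict:
    """Return the gate decision together with the evidence behind it."""
    kept, suppressed = apply_baseline(load_findings(report_json), baseline_json)
    block = blocking(kept, min_severity, min_confidence)
    return {"exit_code": 1 if block else 0,
            "blocking": [describe(f) for f in block],
            "suppressed": len(suppressed),
            "warnings": len(kept) - len(block)}


if __name__ == "__main__":
    decision = gate(SAMPLE_REPORT, SAMPLE_BASELINE)
    for line in decision["blocking"]:
        print("BLOCK", line)
    print(f"{decision['warnings']} non-blocking, "
          f"{decision['suppressed']} suppressed by baseline")
    raise SystemExit(decision["exit_code"])
```

On the sample this blocks on the one un-baselined shell=True call, reports the pickle and hardcoded-password findings as warnings, and suppresses the legacy finding. Bandit itself accepts `-b baseline.json` and `-l`/`-i` threshold flags; a separate gate like this is worth having when you want one policy and one output format across several scanners, and a recorded reason next to every suppression.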
Let's see a DevSecOps pipeline in action
DEMO
OWASP DevSecOps Studio
https://github.com/teacheraio/DevSecOps-Studio/
DevSecOps Studio is a virtual environment to learn and teach DevSecOps concepts. It's easy to get started with and is mostly automated.
It takes a lot of effort to set up a DevSecOps environment for training/demos, and more often than not it is error prone when done manually.
DevSecOps Studio Benefits
A. Easy to set up: takes only a few minutes to set up and start using, with just one command.
B. Reproducible: the aim of this project is to set up a reproducible DevSecOps lab environment for learning and testing different tools.
C. Free and Open Source Software: this project is free and open software to help more people learn about DevSecOps.
Our Setup for On-Premise (GitLab CI)
Developer(s) push code to the git repo (GitLab) > GitLab CI/CD triggers the build > the runner runs tests > deploys to the production server

Our Setup for On-Premise (Jenkins)
Developer(s) push code to the git repo (GitLab) > Jenkins CI/CD triggers the build > a Jenkins slave runs tests > deploys to the production server
Python security tools
Security test | Tool
SAST | Bandit
DAST | ZAP Baseline
Hardening | Ansible
Compliance | InSpec
Git Secrets | TruffleHog
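The git-secrets row is the one tool on the table that runs before code ever reaches the CI server, so it is worth seeing what it actually does. The following is an added example, written for this page and not code from TruffleHog or from the slides: it scans only the added lines of a git diff with two detectors, a known-format pattern (an AWS access key id) and the Shannon-entropy test that the original truffleHog script applied to long base64/hex tokens (more than 4.5 bits per character for base64-alphabet tokens, more than 3.0 for hex). The diff is constructed; the key values are the public placeholder credentials from AWS documentation and the SHA-256 of the empty string, so nothing in it is live. The allowlist parameter is the "control false positives locally" knob from the CI tooling list.

```python
"""Secret detection on a git diff, TruffleHog-style (added example).

Runs a known-format pattern and a Shannon-entropy check over the '+' lines
of a unified diff.  The diff below is constructed; the credentials in it are
the public AWS documentation placeholders.
"""
import math
import re

SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,6 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+GREETING = "hello world, nothing secret here"
"""

PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
CANDIDATE = re.compile(r"[A-Za-z0-9+/=]{20,}")   # long base64-alphabet words
HEX = re.compile(r"[0-9a-fA-F]+")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
BASE64_THRESHOLD, HEX_THRESHOLD = 4.5, 3.0      # original truffleHog values


def shannon_entropy(s: str) -> float:
    """Bits per character, from the token's own symbol frequencies."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n)
                for c in (s.count(ch) for ch in set(s)))


def added_lines(diff: str):
    """Yield (new-file line number, text) for each '+' line in the diff."""
    line_no = None
    for raw in diff.splitlines():
        if raw.startswith("diff --git"):
            line_no = None                 # new file: wait for its first hunk
            continue
        m = HUNK.match(raw)
        if m:
            line_no = int(m.group(1))
            continue
        if line_no is None:                # file header, before any hunk
            continue
        if raw.startswith("+"):
            yield line_no, raw[1:]
            line_no += 1
        elif not raw.startswith("-"):      # context lines advance the new file
            line_no += 1


def scan(diff: str, allowlist=frozenset()) -> list:
    """Return findings as dicts; allowlisted tokens are skipped."""
    findings = []
    for line_no, text in added_lines(diff):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                if m.group(0) not in allowlist:
                    findings.append({"line": line_no, "rule": rule,
                                     "token": m.group(0), "entropy": None})
        for token in CANDIDATE.findall(text):
            if token in allowlist or any(f["token"] == token for f in findings):
                continue                   # already reported by a pattern
            ent = shannon_entropy(token)
            if HEX.fullmatch(token) and ent > HEX_THRESHOLD:
                rule = "high-entropy-hex"
            elif not HEX.fullmatch(token) and ent > BASE64_THRESHOLD:
                rule = "high-entropy-base64"
            else:
                continue
            findings.append({"line": line_no, "rule": rule,
                             "token": token, "entropy": round(ent, 2)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_DIFF):
        print(f"line {f['line']}: {f['rule']} {f['token'][:8]}... "
              f"entropy={f['entropy']}")
```

Three findings come back: the access key id on line 2 is caught by the pattern only (its entropy is well under 4.5, which is why format rules matter), the secret key on line 3 by the base64 entropy test, and the SHA-256 on line 4 by the hex test. That last one is the classic false positive of entropy scanners, digests look exactly like secrets, and is what the allowlist (or a per-repo ignore file) exists for.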
Conclusion
In conclusion, we don't need large sums of money to implement DevSecOps. We can use free and open source tools to showcase the benefits and value DevSecOps provides to the organisation. Go on, embed security as part of CI/CD!

Everything as Code (EaC): use configuration management (IaC) to implement security as code
Secure by Default: use secure-by-default frameworks and services
Shift Security Left: use the CI/CD pipeline to embed security early on
Self Service: give developers and operations visibility into security activities/tools
Security Champions: encourage security champions to pick up security tasks
Use Maturity Models: use DevSecOps maturity models to improve further

Thank you!
You folks are awesome.
@secfigo | www.teachera.io | secfigo@gmail.com

Scalefusion
 
How AI Can Improve Media Quality Testing Across Platforms (1).pptx
How AI Can Improve Media Quality Testing Across Platforms (1).pptxHow AI Can Improve Media Quality Testing Across Platforms (1).pptx
How AI Can Improve Media Quality Testing Across Platforms (1).pptx
kalichargn70th171
 
The rise of e-commerce has redefined how retailers operate—and reconciliation...
The rise of e-commerce has redefined how retailers operate—and reconciliation...The rise of e-commerce has redefined how retailers operate—and reconciliation...
The rise of e-commerce has redefined how retailers operate—and reconciliation...
Prachi Desai
 
Rebuilding Cadabra Studio: AI as Our Core Foundation
Rebuilding Cadabra Studio: AI as Our Core FoundationRebuilding Cadabra Studio: AI as Our Core Foundation
Rebuilding Cadabra Studio: AI as Our Core Foundation
Cadabra Studio
 
Software Engineering Process, Notation & Tools Introduction - Part 4
Software Engineering Process, Notation & Tools Introduction - Part 4Software Engineering Process, Notation & Tools Introduction - Part 4
Software Engineering Process, Notation & Tools Introduction - Part 4
Gaurav Sharma
 
Marketo & Dynamics can be Most Excellent to Each Other – The Sequel
Marketo & Dynamics can be Most Excellent to Each Other – The SequelMarketo & Dynamics can be Most Excellent to Each Other – The Sequel
Marketo & Dynamics can be Most Excellent to Each Other – The Sequel
BradBedford3
 
Agile Software Engineering Methodologies
Agile Software Engineering MethodologiesAgile Software Engineering Methodologies
Agile Software Engineering Methodologies
Gaurav Sharma
 
Top 11 Fleet Management Software Providers in 2025 (2).pdf
Top 11 Fleet Management Software Providers in 2025 (2).pdfTop 11 Fleet Management Software Providers in 2025 (2).pdf
Top 11 Fleet Management Software Providers in 2025 (2).pdf
Trackobit
 
Software Engineering Process, Notation & Tools Introduction - Part 3
Software Engineering Process, Notation & Tools Introduction - Part 3Software Engineering Process, Notation & Tools Introduction - Part 3
Software Engineering Process, Notation & Tools Introduction - Part 3
Gaurav Sharma
 
14 Years of Developing nCine - An Open Source 2D Game Framework
14 Years of Developing nCine - An Open Source 2D Game Framework14 Years of Developing nCine - An Open Source 2D Game Framework
14 Years of Developing nCine - An Open Source 2D Game Framework
Angelo Theodorou
 
Boost Student Engagement with Smart Attendance Software for Schools
Boost Student Engagement with Smart Attendance Software for SchoolsBoost Student Engagement with Smart Attendance Software for Schools
Boost Student Engagement with Smart Attendance Software for Schools
Visitu
 
Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...
Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...
Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...
BradBedford3
 
Best Inbound Call Tracking Software for Small Businesses
Best Inbound Call Tracking Software for Small BusinessesBest Inbound Call Tracking Software for Small Businesses
Best Inbound Call Tracking Software for Small Businesses
TheTelephony
 
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Prachi Desai
 
The Future of Open Source Reporting Best Alternatives to Jaspersoft.pdf
The Future of Open Source Reporting Best Alternatives to Jaspersoft.pdfThe Future of Open Source Reporting Best Alternatives to Jaspersoft.pdf
The Future of Open Source Reporting Best Alternatives to Jaspersoft.pdf
Varsha Nayak
 
AI and Deep Learning with NVIDIA Technologies
AI and Deep Learning with NVIDIA TechnologiesAI and Deep Learning with NVIDIA Technologies
AI and Deep Learning with NVIDIA Technologies
SandeepKS52
 
iOS Developer Resume 2025 | Pramod Kumar
iOS Developer Resume 2025 | Pramod KumariOS Developer Resume 2025 | Pramod Kumar
iOS Developer Resume 2025 | Pramod Kumar
Pramod Kumar
 
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
WSO2
 
Artificial Intelligence Applications Across Industries
Artificial Intelligence Applications Across IndustriesArtificial Intelligence Applications Across Industries
Artificial Intelligence Applications Across Industries
SandeepKS52
 
Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...
Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...
Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...
Safe Software
 

Strengthen and Scale Security Using DevSecOps - OWASP Indonesia

  • 10. DevOps Cycle
    - Plan & Create: plan and implement the code using source code management (SCM).
    - Verify: test and verify that the code does what the business wants.
    - Package: package the code in a deployable artifact and test it in a staging environment.
    - Release: release the artefact as production ready after change/release approvals.
    - Configure: configure the application/stack using configuration management.
    - Monitor: monitor the application for its performance, security and compliance.
  • 15. Security is Outnumbered! Dev / Ops / Security: 100 / 10 / 1
  • 16. DevSecOps. “DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality.” - Bass, Weber, and Zhu. By definition, security is part of DevOps. DevSecOps = Development (Software Engineering) + Security (Quality Assurance) + Operations.
  • 17. DevSecOps Benefits
    - Flexibility: with ever-changing technology, businesses have to be flexible and fast to deliver value to their customers; otherwise they risk losing the business.
    - Reliability: customers need more reliable and available systems. DevOps reduces failure rates and provides faster feedback.
    - Resilience: DevOps helps organisations in designing and implementing resilient systems.
    - Automation: automation helps to reduce the complexity of modern systems and can scale as per needs.
    - Speed: speed is a competitive advantage and DevOps helps to go to market faster.
  • 18. How to DevSecOps? Core Values of DevOps (CAMS)
    - Culture: DevOps is about breaking down barriers between teams; without culture the other practices fail.
    - Automation: often mistaken for DevOps itself, but a very important aspect of the initiative.
    - Measurement: measuring activities in CI/CD helps in informed decision making among teams.
    - Sharing: sharing tools, best practices etc. among the teams/organization improves confidence for collaboration.
  • 20. Build guard rails, not gates! Embed security early and often
  • 21. Conway’s Law: “Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure.”
  • 23. CI/CD pipeline: stages, tooling and activities
    - PLAN (Requirements): functional requirements, non-functional requirements, design
    - CODE (Code Repository): code, branching, third-party components, hooks
    - BUILD (CI Server): compile, basic tests, lint (analyze), package, security
    - TEST (Integration Testing): integration, performance, security
    - RELEASE (Artefact Repository): test on staging, release schedule
    - DEPLOY (CD Orchestration): configuration, inventory, infrastructure
    - OPERATE (Monitor): metrics, monitoring, alerting
  • 24. The same pipeline (PLAN, CODE, BUILD, TEST, RELEASE, DEPLOY, OPERATE, backed by Requirements, Code Repository, CI Server, Integration Testing, Artefact Repository, CD Orchestration and Monitor), showing which stages each practice covers: Agile Development, Continuous Integration, Continuous Delivery, Continuous Deployment, DevOps/DevSecOps.
  • 26. DevSecOps Implementation. So far we have looked at the principles and ideas behind DevSecOps, but how do we start implementing DevSecOps? We can use the techniques listed here (discussed in this course) to implement a full-blown security pipeline.
    - Everything as Code (EaC): compliance as code and hardening via configuration management systems.
    - Secure by Default: use secure-by-default frameworks and services.
    - Shift Security Left: use the CI/CD pipeline to embed security.
    - Self Service: gives developers and operations visibility into security activities.
    - Security Champions: encourage security champions to pick up security tasks.
    - Use maturity models: use DevSecOps maturity models to improve further.
  • 27. 1. Shift Security Left: use the CI/CD pipeline to embed security early on.
  • 28. DevOps: Typical Activities (same pipeline as slide 23)
    - PLAN (Requirements): functional requirements, non-functional requirements, design
    - CODE (Code Repository): code, branching, third-party components, hooks
    - BUILD (CI Server): compile, basic tests, lint (analyze), package, security
    - TEST (Integration Testing): integration, performance, security
    - RELEASE (Artefact Repository): test on staging, release schedule
    - DEPLOY (CD Orchestration): configuration, inventory, infrastructure
    - OPERATE (Monitoring): metrics, monitoring, alerting
  • 29. DevOps: Typical Security Activities, laid over the same PLAN to OPERATE pipeline, roughly in pipeline order:
    - Threat Modelling, ASVS
    - Git secrets, Dependency Scanning
    - Dependency Scanning, Code Analysis (SAST), Security Unit Tests, Docker security testing, Git secrets scanning, Component scanning
    - ZAP testing (baseline), Container Scanning, ModSecurity CRS
    - Docker/Third Party SSL scanning, Nikto/dirbuster, WPScan/JoomScan, ZAP + Selenium + Python, Component scanning, Docker Benchmark
    - System Hardening, Application Hardening, Compliance as code
    - SOC with ELK, Verify Controls
  • 30. 2. Self Service: gives developers and operations visibility into security activities.
  • 31. 3. Security as Code (EaC): compliance as code and hardening via configuration management systems.
  • 32. 4. Secure by Default: use secure-by-default frameworks and services.
  • 34. DevSecOps Maturity Model (DSOMM) Source: https://www.slideshare.net/cschneider4711/hackpra-2015-security-devops-free-pentesters-time-to-focus-on-highhanging-fruits
  • 35. DevSecOps Maturity Model (DSOMM)
    - Static Depth: how deep is static code analysis?
    - Dynamic Depth: how deep are dynamic scans executed?
    - Intensity: how intense are the majority of the executed attacks?
    - Consolidation: how complete is the process of handling findings?
    Source: https://www.slideshare.net/cschneider4711/hackpra-2015-security-devops-free-pentesters-time-to-focus-on-highhanging-fruits
  • 36. Security Tools in CI/CD
    1. Anything which takes more than 10 minutes (me being optimistic) isn’t fit for CI/CD.
    2. SAST/DAST without creating custom rules/tweaks is not of huge benefit down the line.
    3. Create separate jobs for easy debugging later.
    4. Roll out tools in phases.
    5. Fail builds when critical/high severity issues are found (after you have given devs/ops enough time to learn and get used to the security tools).
    6. Link the wiki in the scan outputs in case someone needs answers.
    7. Tools which provide APIs are huge wins, but make sure you at least have a CLI.
    8. See if your tool does incremental/baseline scans.
    9. Some ability to control the scope and false positives locally is nice (see brakeman/zap/dependency checker).
    10. When in doubt, ask Developers/QA for help.
    11. Everything as Code (EaC): auditable, measurable and secure.
  • 38. OWASP DevSecOps Studio (https://github.com/teacheraio/DevSecOps-Studio/). DevSecOps Studio is a virtual environment to learn and teach DevSecOps concepts. It's easy to get started and is mostly automatic. It takes a lot of effort to set up a DevSecOps environment for training/demos and, more often than not, it's error-prone when done manually.
  • 39. DevSecOps Studio Benefits
    - Easy to set up: takes only a few minutes to set up and start using, with just one command.
    - Reproducible: the aim of this project is to set up a reproducible DevSecOps lab environment for learning and testing different tools.
    - Free & Open Source Software: this project is free and open software to help more people learn about DevSecOps.
  • 40. Our Setup for On-Premise (GitLab): Developer(s) > GitLab > GitLab CI/CD > Runner > Prod server. Push code to the git repo, which triggers the build; the pipeline runs the tests and deploys to production.
  • 41. Our Setup for On-Premise (Jenkins): Developer(s) > GitLab > Jenkins CI/CD > Jenkins slave > Prod server. Push code to the git repo, which triggers the build; the pipeline runs the tests and deploys to production.
  • 42. Python security tools
    Security Test   Tool
    SAST            Bandit
    DAST            ZAP Baseline
    Hardening       Ansible
    Compliance      Inspec
    Git Secrets     Trufflehog
  • 43. Conclusion. In conclusion, we don't need large sums of money to implement DevSecOps. We can use free and open source tools to showcase the benefits and value DevSecOps provides to the organization(s). Go on, embed security as part of CI/CD.
    - Everything as Code (EaC): use configuration management (IaC) to implement security as code.
    - Secure by Default: use secure-by-default frameworks and services.
    - Shift Security Left: use the CI/CD pipeline to embed security early on.
    - Self Service: give developers and operations visibility into security activities/tools.
    - Security Champions: encourage security champions to pick up security tasks.
    - Use maturity models: use DevSecOps maturity models to improve further.
  • 44. Thank you! You folks are awesome. @secfigo www.teachera.io secfigo@gmail.com