Infrastructure Saturday - Level Up to DevSecOps

Post on 21-Mar-2017



Preventing Devoops with DevSecOps

Kieran Jacobsen

Technical Lead – Infrastructure & Security

2016 was a big year…

Copyright ©2017 by Readify Limited

2017 is getting off to a bad start…


Before DevOps

DevOps

But Where Is Security?

DevSecOps

Clear Communication Pathways
Streamlined Communication
Security As Code
Training
Integrate Security into the DevOps cycle

We're in customer service. Our users are our customers. We need to understand them & their needs to do our job well!

Jess Dodson (@girlgerms)

Communication Pathways

Development

Operations

Security

Hiring Ratio

DEVELOPERS : OPERATIONS : SECURITY

100 : 10 : 1

Streamlined Communication

NO:
Excel checklists
Word document reports and policy documents
Email attachments

Streamlined Communication

YES:
Backlogs/boards
Support ticketing
Markup and Git

Security As Code

Application source code
Azure ARM templates and AWS CloudFormation
Server configuration – Chef, Puppet, DSC

ARM Templates

PowerShell DSC
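Security as code in practice, as an added example that is not from the slides: a PowerShell DSC configuration that expresses part of a Windows Server hardening baseline, so the settings live in source control, go through pull requests and are re-applied (and drift-checked) by the Local Configuration Manager. It assumes Windows Server with WMF 5 and the built-in PSDesiredStateConfiguration resources; the particular settings (removing SMBv1, NTLMv2-only authentication, the firewall service kept running) are an illustrative baseline chosen for this example, not a complete benchmark.

```powershell
# Added example (not from the slides): a partial Windows Server security
# baseline as a DSC configuration. Assumes WMF 5 on Windows Server 2012 R2 / 2016.
Configuration SecurityBaseline {
    param(
        [string[]]$NodeName = 'localhost'
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Remove the SMBv1 protocol feature entirely.
        WindowsFeature Smb1 {
            Name   = 'FS-SMB1'
            Ensure = 'Absent'
        }

        # Also turn SMBv1 off on the server service, so the setting is
        # enforced even where the feature cannot be removed.
        Registry Smb1Server {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }

        # Send NTLMv2 only and refuse LM / NTLMv1 (LmCompatibilityLevel = 5).
        Registry LmCompatibility {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
            ValueName = 'LmCompatibilityLevel'
            ValueType = 'Dword'
            ValueData = '5'
            Ensure    = 'Present'
        }

        # The Windows Firewall service (MpsSvc) must be running and start automatically.
        Service WindowsFirewall {
            Name        = 'MpsSvc'
            StartupType = 'Automatic'
            State       = 'Running'
        }
    }
}

# Compile the configuration to MOF, apply it, then report whether the node
# still matches it (the same call is what a scheduled drift check would run).
SecurityBaseline -OutputPath .\SecurityBaseline
Start-DscConfiguration -Path .\SecurityBaseline -Wait -Verbose -Force
Test-DscConfiguration -Detailed
```

Because the configuration is declarative, a later change to the baseline is a diff in a pull request that both operations and security can read, and Test-DscConfiguration turns "is the server still hardened?" into a yes/no answer that can be scheduled and logged.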

Training

We can’t be experts in Dev, Sec and Ops
We need cross pollination of skills
Starts at day 0

Training: Phishing

(chart: employee breakdown, technical vs non-technical)

(chart: click breakdown: technical victims, non-technical victims, passed)

Integrating Security

Plan

Integrate security into sprint planning and reviews
Consider security user stories early

Code

Training!
Test driven development
Use of the correct tools
Pull requests

Build

Static code analysis
Dynamic code analysis

Test

Develop security test cases
Fuzzing
Load testing
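The Build and Test stages above, as one added example that is not from the slides: a build-gate script that runs static analysis over the repository and then a small set of security test cases, and fails the build if either finds anything. It assumes the PSScriptAnalyzer and Pester (v5) modules are installed and that it runs from the checked-out repository root; the "bad" script it analyses is a constructed sample used only to show the rules firing, and the baseline values the tests assert (SMBv1 off, NTLMv2 only, firewall service running) are illustrative.

```powershell
# Added example (not from the slides): a build-stage security gate.
# Requires the PSScriptAnalyzer and Pester (v5) modules.
#Requires -Modules PSScriptAnalyzer, Pester
param(
    [string]$SourcePath = '.'   # assumption: the checked-out repository root
)
$failures = 0

# ---- Static analysis -----------------------------------------------------
# Analyzer rules that catch secrets and credential-handling mistakes in PowerShell.
$securityRules = @(
    'PSAvoidUsingPlainTextForPassword'
    'PSAvoidUsingConvertToSecureStringWithPlainText'
    'PSAvoidUsingUserNameAndPasswordParams'
    'PSUsePSCredentialType'
)

# Constructed sample of the code the gate must reject: a password held as a
# plain string parameter and converted with -AsPlainText.
$badSample = @'
function Connect-Backend {
    param([string]$Password = 'Summer2017!')
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    New-Object System.Management.Automation.PSCredential ('svc-backend', $secure)
}
'@
Invoke-ScriptAnalyzer -ScriptDefinition $badSample -IncludeRule $securityRules |
    Format-Table RuleName, Line, Message -AutoSize

# The same rules over the real source tree; every finding fails the build.
$findings = @(Invoke-ScriptAnalyzer -Path $SourcePath -Recurse -IncludeRule $securityRules)
$findings | Format-Table ScriptName, Line, RuleName -AutoSize
$failures += $findings.Count

# ---- Security test cases --------------------------------------------------
# Pester tests asserting the host's posture (illustrative baseline values).
$container = New-PesterContainer -ScriptBlock {
    Describe 'Host security baseline' {
        It 'has SMBv1 disabled on the server service' {
            $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            $params.SMB1 | Should -Be 0
        }
        It 'sends NTLMv2 only (LmCompatibilityLevel 5)' {
            $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
            $lsa.LmCompatibilityLevel | Should -Be 5
        }
        It 'has the Windows Firewall service running' {
            (Get-Service MpsSvc).Status | Should -Be 'Running'
        }
    }
}
$result = Invoke-Pester -Container $container -PassThru -Output Detailed
$failures += $result.FailedCount

if ($failures -gt 0) {
    Write-Error "Security gate failed: $failures finding(s)"
    exit 1
}
Write-Host 'Security gate passed'
exit 0
```

The exit code is what the build server acts on, so a hard-coded credential or a host that has drifted from the baseline blocks the release in the same way a failing unit test does, and the finding lands on the backlog rather than in an emailed report.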

Release & Deploy

Automated scanning upon deployment

Operate & Monitor

Monitor logs
Rescan for vulnerabilities
Have a structured patch process
Track dependencies
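Monitoring logs in the Operate & Monitor stage, as an added example that is not from the slides: a PowerShell function that groups failed Windows logons (event ID 4625) by source address and reports bursts, distinguishing a password spray (one source, many accounts) from a brute-force attempt against one account. The events here are constructed objects so the logic runs offline; on a real host they would come from Get-WinEvent with TargetUserName and IpAddress read from each event's Properties, and the threshold and window are assumed values to tune for the environment.

```powershell
# Added example (not from the slides): detect failed-logon bursts in the
# Windows Security log. Real input would be
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 }
# with TargetUserName / IpAddress taken from each event's Properties.
function Find-FailedLogonBursts {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$Threshold     = 5,    # this many failures from one source IP ...
        [int]$WindowMinutes = 10    # ... within this many minutes
    )
    $Events |
        Where-Object { $_.Id -eq 4625 -and $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object IpAddress |
        ForEach-Object {
            $attempts = @($_.Group | Sort-Object TimeCreated)
            $span     = $attempts[-1].TimeCreated - $attempts[0].TimeCreated
            $accounts = @($attempts.TargetUserName | Sort-Object -Unique)
            if ($attempts.Count -ge $Threshold -and $span.TotalMinutes -le $WindowMinutes) {
                # Many accounts from one source is a spray; one account hammered is brute force.
                $pattern = if ($accounts.Count -gt 1) { 'password spray' } else { 'brute force' }
                [pscustomobject]@{
                    SourceIp         = $_.Name
                    Attempts         = $attempts.Count
                    DistinctAccounts = $accounts.Count
                    Pattern          = $pattern
                    FirstSeen        = $attempts[0].TimeCreated
                    LastSeen         = $attempts[-1].TimeCreated
                }
            }
        }
}

# Constructed sample events (not real log data); addresses are from the
# RFC 5737 documentation ranges.
$t0 = Get-Date '2017-03-21T09:00:00'
$sampleEvents = @(
    # one source trying eight different accounts within two minutes
    foreach ($i in 0..7) {
        [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddSeconds(15 * $i); TargetUserName = "user$i"; IpAddress = '203.0.113.7' }
    }
    # one source hammering a single account
    foreach ($i in 0..5) {
        [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddSeconds(20 * $i); TargetUserName = 'administrator'; IpAddress = '198.51.100.9' }
    }
    # a single mistyped password, below the threshold
    [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddMinutes(5); TargetUserName = 'jsmith'; IpAddress = '192.0.2.10' }
    # a successful logon (4624) is not a failure and is ignored
    [pscustomobject]@{ Id = 4624; TimeCreated = $t0.AddMinutes(6); TargetUserName = 'jsmith'; IpAddress = '192.0.2.10' }
)

Find-FailedLogonBursts -Events $sampleEvents | Format-Table -AutoSize
```

Run on a schedule against the last hour of events, the output is the kind of item that belongs on a board or in a ticket rather than in an emailed spreadsheet: the source, the pattern, and the accounts involved are already there for whoever picks it up.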

Summary

Clear Communication Pathways
Streamlined Communication
Security As Code
Training
Integrate Security into the DevOps cycle

Thank You