AddingtheSecToDevOpsBSides (1).pptx for Bsides Nairobi 22 with Joylynn Kirui

ellan12 29 views 13 slides May 16, 2024

About This Presentation

Presentation on DevSecOps for BSides Nairobi


Slide Content

DevSecOps
BSides Nairobi Talk: Adding the Sec in DevOps
Speakers: Joylynn Kirui, Ellan Wambugu
Date: 17th September 2022

What do we mean by DevOps?
DevOps Definition (Development + Operations): DevOps is the union of people, processes, and technology to deliver continuous value to users.

Current DevOps Setup

Threat landscape is changing
- Breach
- Vulnerable developer secrets
- Vulnerable supply chain
- Electronic Arts Breach
- Vulnerable Applications
- Vulnerable ID Verification

What do we mean by DevSecOps?
Application lifecycle: PLAN, DEVELOP, OPERATE, DELIVER
DevOps Definition (Development + Operations): DevOps is the union of people, processes, and technology to deliver continuous value to users.
DevSecOps Definition (Development + Security + Operations): DevSecOps is an evolution in the way development organizations approach security by introducing a security-first mindset and culture, and automating security into every phase of the software development lifecycle, from design to delivery.

The benefits of DevSecOps
MORE SECURE CODE, SHIPPED AT THE SAME SPEED
- Reduce remediation time by shifting security left
- Integrate with and secure your existing toolchains
- Quickly identify new threat vectors

Barriers to DevSecOps adoption
WHY IS DEVSECOPS HARDER TO ADOPT THAN DEVOPS?
- Organization and team gaps
- Skill and knowledge gaps
- Solutions aren't built for developers

Importance of shifting security left
- 80% reduction in security incidents by extending security to development²
- 60x: security cost to fix a security defect in production versus in development¹
- 62% of enterprises do not integrate security in the development phase³
Sources:
¹ https://www.gartner.com/doc/reprints?id=1-265CMWW4&ct=210527&st=sb
² https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/
³ McKinsey Developer Velocity, Microsoft Enterprise DevOps Report, GitHub Octoverse Report 2020

Three themes for successfully securing the developer workflow
EMBEDDED SECURITY IN THE DEVELOPER WORKFLOW
- Developer-first tooling
- Native and built-in security capabilities
- Automation

How security fits in the development lifecycle
EMBEDDED SECURITY IN THE DEVELOPER WORKFLOW
- PRE-COMMIT: Threat modeling; IDE security plug-in; Pre-commit hooks; Secure coding standards; Peer review
- COMMIT (CI): Static code analysis; Security unit tests; Dependency management; Credential scanning
- DEPLOY (CD): Infrastructure as code (IaC); Dynamic security scanning; Cloud configuration checks; Security acceptance tests
- OPERATE & MONITOR: Continuous monitoring; Threat intelligence; Blameless post-mortems
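The COMMIT (CI) stage above lists credential scanning, and the PRE-COMMIT stage lists pre-commit hooks. As an added example that is not part of the talk's slides, the following Python script shows the kind of check such a hook or CI step runs over staged lines: a few regex rules for well-known secret shapes, a placeholder list, and an entropy filter so that "changeme" and "aaaa..." do not block every commit. The rule set, the entropy threshold and the sample lines are constructed for this illustration; the AKIA value is the example key ID from AWS documentation, not a live credential.

```python
"""Credential scan of the kind run as a pre-commit hook or CI step.
Added example, not code from the talk; rules and sample input are constructed."""
import math
import re
from typing import Dict, List

# Constructed rule set: a few well-known secret shapes. A real scanner ships many more.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded-password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
    "generic-token": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]([A-Za-z0-9+/=_\-]{20,})['\"]"),
}

# Values that look like secrets syntactically but are obvious placeholders.
PLACEHOLDERS = {"changeme", "password", "example", "replace-me"}
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption chosen for this example


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random-looking tokens score high, 'aaaa...' scores 0."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines: List[str], path: str = "<stdin>") -> List[Dict[str, object]]:
    """Return one finding per (line, rule) hit, after dropping placeholders and low-entropy values."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for rule, rx in RULES.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if value.lower() in PLACEHOLDERS:
                continue
            # Entropy filter only for free-form values; fixed-format hits are reported as-is.
            if rule in ("hardcoded-password", "generic-token") and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append({"path": path, "line": lineno, "rule": rule, "value": value})
    return findings


# Constructed sample of staged lines, as a pre-commit hook would see them.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',    # AWS's documented example key ID
    'password = "changeme"',                          # placeholder, should not fire
    'token = "aaaaaaaaaaaaaaaaaaaaaaaa"',             # low entropy, should not fire
    'api_key = "q8Xz2pLm4Vr7Tb1Nw9Ks3Hd6Jf0Gc5Ya"',   # random-looking, should fire
    '-----BEGIN RSA PRIVATE KEY-----',                # key material, should fire
    'print("hello world")',
]


def sample_findings() -> List[Dict[str, object]]:
    return scan_lines(SAMPLE_LINES, path="config.py")


if __name__ == "__main__":
    hits = sample_findings()
    for f in hits:
        print(f"{f['path']}:{f['line']}: {f['rule']}")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the commit or fails the CI job
```

Wired in as a pre-commit hook, the script runs over the staged diff and a non-zero exit stops the commit; in CI the same exit code fails the job. The entropy filter trades some misses for fewer false positives, which is what keeps developers from disabling the hook.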

Secure the DevOps Pipelines
SECURE THE DEVELOPMENT ENVIRONMENT - INFRASTRUCTURE
BE ABLE TO PRODUCE VERIFIABLE AND REPRODUCIBLE BUILDS
- Compilers: sign properly with validated signatures
- Builds: produce verifiable build manifests describing sources, cryptographic hashes of binaries/artifacts and full build parameters
- Build Machines & Infrastructure: make highly restricted, with least-privileged access applied and with ephemeral build agents
- DevOps Services: build and release infrastructure use isolated managed identities and sensitive tenant profiles for isolation
- Compilers & User Processes: execute in isolation or locked-down environments
- Software on Build Machines: sign properly with validated signatures
PREVENT THESE TYPES OF ATTACKS:
- Compromised compilers and build machines
- Compromised dependencies
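The "verifiable build manifest" item above (sources, cryptographic hashes of artifacts, full build parameters) can be made concrete. The following Python is an added example, not code from the talk or from any particular build tool: it hashes every file in an output directory with SHA-256, records the sources and build parameters alongside, signs the canonical JSON form of the manifest, and verifies a delivered output tree against it, reporting tampered, missing and unlisted files. The signing key, repository URL, commit value and artifact contents are constructed placeholders; the HMAC stands in for the asymmetric signature a real pipeline would use so that consumers verify with a public key rather than a shared secret.

```python
"""Produce, sign and verify a build manifest: sources, SHA-256 of artifacts, build parameters.
Added example, not the talk's code. The HMAC key stands in for a real signing key."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Any, Dict, List, Optional, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(artifact_dir: Path, sources: Dict[str, str], build_params: Dict[str, Any]) -> Dict[str, Any]:
    """Record every file under artifact_dir by relative path and SHA-256, plus sources and parameters."""
    root = Path(artifact_dir)
    artifacts = {p.relative_to(root).as_posix(): sha256_file(p)
                 for p in sorted(root.rglob("*")) if p.is_file()}
    return {"sources": sources, "build_params": build_params, "artifacts": artifacts}


def canonical(manifest: Dict[str, Any]) -> bytes:
    # Deterministic serialization so signer and verifier hash exactly the same bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: Dict[str, Any], key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: Dict[str, Any], signature: str, key: bytes,
                    artifact_dir: Path) -> Tuple[bool, List[str]]:
    """Check the signature first, then that the delivered tree matches the manifest exactly."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, ["signature mismatch"]  # untrusted manifest: do not act on its contents
    problems: List[str] = []
    root = Path(artifact_dir)
    for rel, expected in manifest["artifacts"].items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"hash mismatch: {rel}")
    # Extra files are a finding too: a reproducible build yields exactly the listed set.
    listed = set(manifest["artifacts"])
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in listed:
            problems.append(f"unlisted: {rel}")
    return not problems, problems


def demo(tmp_root: Optional[str] = None) -> Dict[str, Any]:
    """Constructed scenario: build two artifacts, sign, verify, then alter one and re-verify."""
    out = Path(tmp_root or tempfile.mkdtemp()) / "out"
    out.mkdir(parents=True, exist_ok=True)
    (out / "app.bin").write_bytes(b"\x7fELF constructed sample binary\n")
    (out / "app.sbom.json").write_text('{"components": []}')
    key = b"constructed-demo-key-not-for-real-use"  # placeholder for a managed signing key
    manifest = build_manifest(
        out,
        sources={"repo": "https://example.invalid/app.git", "commit": "PLACEHOLDER"},
        build_params={"target": "x86_64", "flags": ["-O2", "-fstack-protector-strong"]})
    sig = sign_manifest(manifest, key)
    ok_before, _ = verify_manifest(manifest, sig, key, out)
    (out / "app.bin").write_bytes(b"\x7fELF altered sample binary\n")  # simulate a tampered artifact
    ok_after, problems = verify_manifest(manifest, sig, key, out)
    # A manifest edited to match the altered file no longer carries a valid signature.
    edited = dict(manifest)
    edited["artifacts"] = dict(manifest["artifacts"])
    edited["artifacts"]["app.bin"] = sha256_file(out / "app.bin")
    ok_edited, edited_problems = verify_manifest(edited, sig, key, out)
    return {"ok_before": ok_before, "ok_after": ok_after, "problems": problems,
            "ok_edited": ok_edited, "edited_problems": edited_problems}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The verifier checks the signature before reading anything else from the manifest, so an altered artifact and an altered manifest are both rejected; unlisted files are reported because a reproducible build should produce exactly the declared set and nothing more.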

Harden Pipeline Access
SECURE THE DEVELOPMENT ENVIRONMENT – ACCESS MANAGEMENT
ENSURE THE CODE-TO-CLOUD PIPELINE IS SECURE
- Create organization device policies (AAD + device policies) to secure development machines
- Make sure all operations adhere to least-privilege principles
- Regularly scan identity and access management to ensure least-privileged access management policies
- Use multi-factor authentication and dual-key/JIT approval for privileged operations and human-initiated pushes
- Enable endpoint protection for all workstations and allow only registered devices
- Inject identity early into the automation pipeline
PREVENT THESE TYPES OF ATTACKS:
- Compromised credentials
- Malicious insiders

Thank You