Infrastructure Saturday - Level Up to DevSecOps
Preventing Devoops with DevSecOps
Kieran Jacobsen
Technical Lead – Infrastructure & Security
2016 was a big year…
Copyright ©2017 by Readify Limited
2017 is getting off to a bad start…
Before DevOps
DevOps
But Where Is Security?
DevSecOps
Clear Communication Pathways
Streamlined Communication
Security As Code
Training
Integrate Security into DevOps cycle
“We're in customer service. Our users are our customers. We need to understand them & their needs to do our job well!”
Jess Dodson (@girlgerms)
Communication Pathways
Development
Operations
Security
Hiring Ratio
DEVELOPERS : OPERATIONS : SECURITY
100 : 10 : 1
Streamlined Communication
NO:
Excel checklists
Word document reports and policy documents
Email attachments
Streamlined Communication
YES:
Backlogs/boards
Support ticketing
Markup and Git
Security As Code
Application Source Code
Azure ARM and AWS CloudFormation
Server Configuration – Chef, Puppet, DSC
ARM Templates
PowerShell DSC
Training
We can’t be experts in Dev, Sec and Ops
We need cross-pollination of skills
Starts at day 0
Training: Phishing
[Chart: Employee Breakdown (Technical, Non-Technical)]
[Chart: Click Break Down (Technical Victims, Non-Technical Victims, Passed)]
Integrating Security
Plan
Integrate security into sprint planning and reviews
Consider security user stories early
Code
Training!
Test-driven development
Use of the correct tools
Pull Requests
Build
Static code analysis
Dynamic code analysis
Test
Develop security test cases
Fuzzing
Load testing
Release & Deploy
Automated scanning upon deployment
Operate & Monitor
Monitor logs
Rescan for vulnerabilities
Have a structured patch process
Track dependencies
Summary
Clear Communication Pathways
Streamlined Communication
Security As Code
Training
Integrate Security into DevOps cycle
Thank You