
DevOps and Security: It’s Happening. Right Now .


Presentation Transcript


  1. DevOps and Security: It’s Happening. Right Now. Helen Bravo Director of Product Management at Checkmarx Helen.bravo@checkmarx.com

  2. Intro to DevOps • Integrating security within DevOps • Problems with traditional controls • Steps to DevOps security Agenda

  3. What is DevOps About? An unstoppable deployment process … in small chunks of time

  4. DevOps is Happening Companies that have adopted DevOps

  5. Can TRADITIONAL web application security controls fit in… … a DevOps environment?!

  6. Traditional Web Application Security Controls • Penetration Testing • WAF (Web Application Firewall) • Code Analysis

  7. Penetration Testing - Takes Time!

  8. Penetration Testing • 300 pages report • 3 weeks assessment time • 2 weeks to get it into development

  9. Web Application Firewall (WAF) Thinking Continuous Deployment? Think Continuous Configuration!

  10. Code Analysis • Setup time • Running time • Analysis time • … just too slow!

  11. … Do Nothing?

  12. Required: A New Secure SDLC Approach

  13. Step by Step

  14. Step 1: Plan for Security

  15. Identify unsecured APIs and frameworks • Map security-sensitive code portions, e.g. the password change mechanism, the user authentication mechanism. • Anticipate regulatory problems and plan for them. Step 1: Plan for Security

  16. Step 2: Engage the Developers. And Be Engaged

  17. Connect developers to security • Going to OWASP? Bring a developer with you! • Is your house on fire? Share the details with your developers. • Have an open-door approach • Set up an online collaboration platform, e.g. Jive, Confluence, etc. Step 2: Engage the Developers. And Be Engaged

  18. Step 3: Arm the Developers

  19. Secure frameworks: • Use a secure framework such as Spring Security, JAAS, Apache Shiro, Symfony2 • ESAPI is a very useful OWASP security framework • SCA tools that can provide security feedback at the pre-commit stage. • Rapid response • Small chunks Step 3: Arm the Developer

  20. Step 3: Automate the Process

  21. Integrate within your build (Jenkins, Bamboo, TeamCity, etc.) • SAST • DAST • Fail the build if security does not pass the bar. Step 3: Automate the Process

  22. Continuous Deployment (pipeline diagram): Develop → Code Commit → Source Control → Build Trigger → Unit Tests → Deploy to Test Env → Publish to release repository → Deploy to Production, with Report & Notify alongside

  23. Security within Continuous Deployment (pipeline diagram): Develop → Code Commit → Source Control → Build Trigger → SCA Test → Tests → Deploy to Test Env → Automatic security test → Publish to release repository → Deploy to Production, with Report & Notify alongside
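The "fail the build if security does not pass the bar" step from slide 21, placed at the SCA/automatic security test stage of slide 23, as an added example (not from the talk or from Checkmarx): a gate script a Jenkins, Bamboo or TeamCity job can run over scanner output. The JSON report format, the baseline of already-tracked findings and the per-severity limits are all assumptions; the baseline lets a team "start small" by blocking only new findings rather than every piece of existing debt.

```python
"""Build gate: fail the CI job when new SAST/DAST findings exceed the policy bar."""
import json
import sys

# Policy: how many new findings per severity the build tolerates. High is never
# accepted; a few mediums are, so the team can start small and tighten later.
DEFAULT_POLICY = {"high": 0, "medium": 3, "low": 50}

# Constructed sample scanner output (not from any real tool), one finding per entry.
SAMPLE_REPORT = json.dumps([
    {"rule": "SQL Injection", "severity": "High", "file": "dao/UserDao.java", "line": 42},
    {"rule": "Reflected XSS", "severity": "Medium", "file": "web/Search.java", "line": 17},
    {"rule": "Hardcoded Password", "severity": "Medium", "file": "cfg/Db.java", "line": 8},
    {"rule": "Verbose Error Page", "severity": "Low", "file": "web/Err.java", "line": 3},
])
# Constructed baseline: findings already known and tracked before the gate went live.
SAMPLE_BASELINE = {("SQL Injection", "dao/UserDao.java")}

def load_report(text):
    return json.loads(text)

def count_new_findings(findings, baseline):
    """Return {severity: count} for findings absent from the accepted baseline.
    A finding is keyed by (rule, file) so line shifts from unrelated edits
    do not make an old finding look new."""
    counts = {}
    for f in findings:
        if (f["rule"], f["file"]) in baseline:
            continue
        sev = f["severity"].lower()
        counts[sev] = counts.get(sev, 0) + 1
    return counts

def gate(findings, baseline=frozenset(), policy=DEFAULT_POLICY):
    """Return (passed, violations); violations lists each severity over its limit."""
    counts = count_new_findings(findings, baseline)
    violations = [f"{sev}: {counts.get(sev, 0)} new finding(s), limit {limit}"
                  for sev, limit in policy.items() if counts.get(sev, 0) > limit]
    # A severity the policy does not mention is treated as blocking, not ignored.
    violations += [f"{sev}: not covered by policy" for sev in counts if sev not in policy]
    return (not violations, violations)

if __name__ == "__main__":
    passed, violations = gate(load_report(SAMPLE_REPORT), SAMPLE_BASELINE)
    for v in violations:
        print("SECURITY GATE:", v)
    sys.exit(0 if passed else 1)  # non-zero exit fails the Jenkins/Bamboo/TeamCity build
```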

  24. Step 5: Use Old Tools Wisely

  25. Step 5: Use Old Tools Wisely • Periodic pen testing • WAF on main functions • Code review for security sensitive code portions.

  26. Summary

  27. DevOps is happening. Right Now. • During the time of this talk, Amazon has released 75 features and bug fixes. • Security should not be compromised • Don’t be overwhelmed. Start small Summary

  28. The 3 Takeaways • Plan from the ground • Engage with your developers • Integrate security into automatic build process.

  29. Questions?

  30. Thank you Helen.bravo@checkmarx.com
