Preventing Devoops with DevSecOps
Kieran Jacobsen, Technical Lead – Infrastructure & Security
2016 was a big year…
Page 2 / Copyright © 2017 by Readify Limited
2017 is getting off to a bad start…
Before DevOps
DevOps
But Where Is Security?
DevSecOps
› Clear communication pathways
› Streamlined communication
› Security as code
› Training
› Integrate security into the DevOps cycle
Communication Pathways (Development, Operations, Security)
Streamlined Communication, NO:
› Excel checklists
› Word document reports
› Email attachments
Streamlined Communication, YES:
› Backlogs/boards
› Support ticketing
› Markup and Git
Security As Code
› Application source code
› Azure ARM and AWS CloudFormation
› Server configuration – Chef, Puppet, DSC
ARM Templates
PowerShell DSC
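Security as code in practice, as an added example that is not from the deck: a PowerShell DSC configuration declaring a small server security baseline with the built-in WindowsFeature, Service and Registry resources, then applying it and reporting drift. The chosen feature (SMB1), service (Windows Firewall) and TLS 1.0 registry value are assumed illustrative settings, not a baseline the slides prescribe.

```powershell
# Added example: a declarative security baseline kept in source control
# alongside the application and infrastructure code.
Configuration SecurityBaseline {
    # PSDesiredStateConfiguration ships with Windows PowerShell 5.1
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        # Assumed setting: remove the legacy SMB1 protocol feature
        WindowsFeature SMB1 {
            Name   = 'FS-SMB1'
            Ensure = 'Absent'
        }

        # Assumed setting: keep the Windows Firewall service running and automatic
        Service WindowsFirewall {
            Name        = 'MpsSvc'
            StartupType = 'Automatic'
            State       = 'Running'
        }

        # Assumed setting: disable TLS 1.0 on the server side of SCHANNEL
        Registry DisableTls10Server {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
            ValueName = 'Enabled'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }
    }
}

# Compile the configuration to a MOF, apply it, then check for drift.
SecurityBaseline -OutputPath .\SecurityBaseline
Start-DscConfiguration -Path .\SecurityBaseline -Wait -Verbose
Test-DscConfiguration -Detailed
```

Test-DscConfiguration -Detailed is the call a deployment pipeline or a scheduled monitoring job can run to rescan a server and flag any resource that has drifted from the declared baseline.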
Training
› We can’t be experts in Dev, Sec and Ops
› We need cross-pollination of skills
› Starts at day 0
Integrating Security
Plan
› Integrate security into sprint planning and reviews
› Consider security stories early
Code
› Training!
› Test-driven development
› Use of the correct tools
› Pull requests
Build
› Static code analysis
› Dynamic code analysis
Test
› Develop security test cases
› Fuzzing
› Load testing
Release & Deploy
› Automated scanning upon deployment
Operate & Monitor
› Monitor logs
› Rescan for vulnerabilities
› Track dependencies
Thank You