DevOps and Security: It’s Happening. Right Now. Helen Bravo Director of Product Management at Checkmarx Helen.email@example.com
Intro to DevOps • Integrating security within DevOps • Problems with traditional controls • Steps to DevOps security Agenda
What is DevOpsAbout? An unstoppable deployment process … in small chunks of time
DevOps is Happening Companies that have adopted DevOps
Can TRADITIONAL web application security controls fit in… … a DevOps environment?!
Traditional Web Application Security Controls • Penetration Testing • WAF (Web Application Firewall) • Code Analysis
Penetration Testing • 300 pages report • 3 weeks assessment time • 2 weeks to get it into development
Web Application Firewall (WAF) Thinking Continuous Deployment? Think Continuous Configuration!
Code Analysis • Setup time • Running time • Analysis time • … just too slow!
Identify unsecured APIs and frameworks • Map security sensitive code portions. E.g. password changes mechanism, user authentication mechanism. • Anticipate regulatory problems, plan for it. Step 1: Plan for Security
Connect developers to security • Going to OWASP? Bring a developer with you! • Is your house on fire? Share the details with your developers. • Have an open door approach • Set up an online collaboration platform E.g. Jive, Confluence etc. Step 2: Engage the Developers. And Be Engaged
Secure frameworks: • Use a secure frameworksuch as Spring Security, JAAS, Apache Shiro, Symfony2 • ESAPI is a very useful OWASP security framework • SCA tools that can provide security feedback on pre-commit stage. • Rapid response • Small chunks Step 3: Arm the Developer
Integrate within your build (Jenkins, Bamboo, TeamCity, etc.) • SAST • DAST • Fail the build if security does not pass the bar. Step 3: Automate the Process
Continuous Deployment • Deploy to Test Env • Report • & • Notify • Code Commit • Source Control • Build Trigger • Unit Tests • Deploy • to • Production • Develop Publish to release repository
Security within Continuous Deployment • Deploy to Test Env • SCA Test • Automatic security test • Report • & • Notify • Code Commit • Source Control • Build Trigger • Tests • Deploy • to • Production • Develop Publish to release repository
Step 5: Use Old Tools Wisely • Periodic pen testing • WAF on main functions • Code review for security sensitive code portions.
DevOps is happening. Right Now. • During the time of this talk, Amazon has released 75 features and bug fixes. • Security should not be compromised • Don’t be overwhelmed. Start small Summary
The 3 Takeaways • Plan from the ground • Engage with your developers • Integrate security into automatic build process.
Thank you Helen.firstname.lastname@example.org