DevOps and Security: It’s Happening. Right Now. - Presentation Transcript

  1. DevOps and Security: It’s Happening. Right Now. Helen Bravo, Director of Product Management at Checkmarx. Helen.bravo@checkmarx.com

  2. Agenda • Intro to DevOps • Integrating security within DevOps • Problems with traditional controls • Steps to DevOps security

  3. What is DevOps About? An unstoppable deployment process … delivered in small chunks, in short cycles.

  4. DevOps is Happening Companies that have adopted DevOps

  5. Can TRADITIONAL web application security controls fit in… … a DevOps environment?!

  6. Traditional Web Application Security Controls • Penetration Testing • WAF (Web Application Firewall) • Code Analysis

  7. Penetration Testing- Takes Time!

  8. Penetration Testing • A 300-page report • 3 weeks of assessment time • 2 more weeks to get the findings into development

  9. Web Application Firewall (WAF) Thinking Continuous Deployment? Think Continuous Configuration!

  10. Code Analysis • Setup time • Running time • Analysis (triage) time • … just too slow for a deployment cycle measured in hours!

  11. … Do Nothing?

  12. Required: A New Secure SDLC Approach

  13. Step by Step

  14. Step 1: Plan for Security

  15. Step 1: Plan for Security • Identify unsecured APIs and frameworks. • Map the security-sensitive code portions, e.g. the password change mechanism and the user authentication mechanism. • Anticipate regulatory problems and plan for them.

  16. Step 2: Engage the Developers. And Be Engaged

  17. Step 2: Engage the Developers. And Be Engaged • Connect developers to security. • Going to OWASP? Bring a developer with you! • Is your house on fire? Share the details with your developers. • Have an open-door approach. • Set up an online collaboration platform, e.g. Jive, Confluence, etc.

  18. Step 3: Arm the Developers

  19. Step 3: Arm the Developers • Secure frameworks: use a security framework such as Spring Security, JAAS, Apache Shiro or Symfony2. • ESAPI is a very useful OWASP security library. • Source code analysis (SCA) tools that give security feedback at the pre-commit stage: rapid response, on small chunks of code.

  20. Step 4: Automate the Process

  21. Step 4: Automate the Process • Integrate within your build (Jenkins, Bamboo, TeamCity, etc.) • SAST (static application security testing) • DAST (dynamic application security testing) • Fail the build if security does not pass the bar.

  22. Continuous Deployment (pipeline): Develop → Code Commit → Source Control → Build Trigger → Unit Tests → Publish to release repository → Deploy to Test Env → Report & Notify → Deploy to Production

  23. Security within Continuous Deployment (pipeline with security stages added): Develop → Code Commit → Source Control → Build Trigger → Tests + SCA Test → Publish to release repository → Deploy to Test Env → Automatic security test → Report & Notify → Deploy to Production
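The "fail the build if security does not pass the bar" step of slide 21 and the SCA / automatic security test stages of slide 23 come down to one gate script the build server runs after the scanners. The script below is an added example, not Checkmarx code or anything from the talk: it reads scanner output in SARIF 2.1.0 (a format most SAST/DAST tools can emit), fails the build when any finding reaches the configured severity bar or the warning budget is exceeded, and flags commits that touch the security-sensitive code portions mapped in Step 1 so they also get the human code review slide 25 calls for. The tool name, rule IDs, file paths and sensitive-path patterns are constructed for the example.

```python
#!/usr/bin/env python3
"""Build-stage security gate (added example; not the talk's or Checkmarx's code).

Run as a build step after the SAST/DAST stage, e.g. in Jenkins:
    python3 security_gate.py  # non-zero exit fails the build
The SARIF log and changed-file list below are constructed sample input.
"""
import json
import sys
from fnmatch import fnmatch

# SARIF result levels in increasing order of severity.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Hypothetical map of security-sensitive code portions (Step 1): any change
# here requires a human code review regardless of what the scanners say.
SENSITIVE_PATH_PATTERNS = ("src/auth/*", "src/account/password*", "src/payments/*")


def result_level(result, rules_by_id):
    """Resolve a SARIF result's level: the explicit 'level' on the result,
    else the rule's defaultConfiguration.level, else the spec default 'warning'."""
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def parse_sarif(sarif_text):
    """Flatten every run of a SARIF log into a list of finding dicts."""
    log = json.loads(sarif_text)
    findings = []
    for run in log.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules_by_id = {r["id"]: r for r in driver.get("rules", []) if "id" in r}
        for res in run.get("results", []):
            loc = {}
            if res.get("locations"):
                loc = res["locations"][0].get("physicalLocation", {})
            findings.append({
                "tool": driver.get("name", "unknown"),
                "rule": res.get("ruleId", "unknown"),
                "level": result_level(res, rules_by_id),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def security_gate(findings, changed_files, fail_at="error", warning_budget=0):
    """Apply the bar: block on findings at or above fail_at, allow at most
    warning_budget warnings below it, and list sensitive paths needing review."""
    bar = LEVEL_RANK[fail_at]
    blocking, warnings = [], []
    for f in findings:
        rank = LEVEL_RANK.get(f["level"], LEVEL_RANK["warning"])
        if rank >= bar:
            blocking.append(f)
        elif f["level"] == "warning":
            warnings.append(f)
    review_required = sorted(
        path for path in changed_files
        if any(fnmatch(path, pat) for pat in SENSITIVE_PATH_PATTERNS)
    )
    passed = not blocking and len(warnings) <= warning_budget
    return {"passed": passed, "blocking": blocking, "warnings": warnings,
            "review_required": review_required}


# Constructed sample scanner output: one SQL injection finding whose level is
# inherited from the rule default, and one logging warning with an explicit level.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "defaultConfiguration": {"level": "error"}},
            {"id": "LOG-007", "defaultConfiguration": {"level": "note"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001",
             "message": {"text": "User input concatenated into SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth/login.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "LOG-007", "level": "warning",
             "message": {"text": "Sensitive value written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util/log.py"},
                 "region": {"startLine": 10}}}]},
        ],
    }],
})
SAMPLE_CHANGED_FILES = ["src/auth/login.py", "src/util/log.py", "README.md"]


def main():
    report = security_gate(parse_sarif(SAMPLE_SARIF), SAMPLE_CHANGED_FILES)
    for f in report["blocking"]:
        print(f"BLOCK {f['tool']} {f['rule']} {f['file']}:{f['line']} {f['message']}")
    for f in report["warnings"]:
        print(f"WARN  {f['tool']} {f['rule']} {f['file']}:{f['line']} {f['message']}")
    for path in report["review_required"]:
        print(f"REVIEW security-sensitive path changed: {path}")
    print("security gate:", "PASS" if report["passed"] else "FAIL")
    return 0 if report["passed"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

The bar is deliberately a parameter: start with `fail_at="error"` and a small warning budget so the first weeks do not block every commit, then tighten as the backlog shrinks, which is the "start small" advice of the summary. Note that a result with no `level` field is not "unrated": SARIF says it inherits the rule's default, which is why the SQL injection finding above blocks the build even though the result itself carries no level.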

  24. Step 5: Use Old Tools Wisely

  25. Step 5: Use Old Tools Wisely • Periodic penetration testing • WAF protecting the main functions • Code review for the security-sensitive code portions

  26. Summary

  27. Summary: DevOps is happening. Right Now. • During the time of this talk, Amazon has released 75 features and bug fixes. • Security should not be compromised. • Don’t be overwhelmed. Start small.

  28. The 3 Takeaways • Plan from the ground up • Engage with your developers • Integrate security into the automated build process

  29. Questions?

  30. Thank you Helen.bravo@checkmarx.com