Spearited Guidance: Learning About DevSecOps
@QuintessenceAnx, Developer Advocate @ PagerDuty
Slide 2
Don’t panic
Slide 3
The Now
Slide 4
Slide 5
Software Development Life Cycle
Slide 6
Vault over “The Wall” for Security Review
Slide 7
Software Development Life Cycle
Security
Slide 8
Slide 9
Slide 10
DevSecOps
Slide 11
What is DevSecOps?
Slide 12
DevSecOps stands for development, security, and operations. DevSecOps seeks to integrate security across the SDLC and streamline the workflows between dev, sec, and ops.
Slide 13
What DevSecOps is not
Slide 14
DevSecOps is not replacing security with dev and/or ops, or expecting dev and/or ops to become security specialists, or expecting security to become devs and/or ops.
Slide 15
Phew.
Slide 16
Slide 17
How?
Slide 18
The Secure SDLC + Shifting Left
Slide 19
Slide 20
Slide 21
Slide 22
SecOps Activities
• Secure architecture / design
• Threat modeling
• Testing, e.g. SAST and DAST
• Scanning images and dependencies
• Fuzzing
• And more!
Slide 23
Shift Left
Slide 24
Slide 25
How?
Slide 26
Cultural Support
Slide 27
Humans.
Slide 28
Sharp end: High Risk, Low Power
Blunt end: Low Risk, High Power
Slide 29
Exec Buy-in
Slide 30
Never trick staff, ever.
Slide 31
Training
Slide 32
Full Service Ownership
Slide 33
Capture the Flag
Slide 34
Threat Modeling
Slide 35
Slide 36
Secure Incident Response
Slide 37
1. Stop the attack in progress.
2. Cut off the attack vector.
Apply additional mitigations, make changes to monitoring, etc.
Assemble the response team.
10. Forensic analysis of compromised systems.