Introduction to DevSecOps

Quintessence Anx Developer Advocate, PagerDuty

Mandi Walls, Developer Advocate, PagerDuty

Nasim Yazdani, Program Manager, PagerDuty

Getting Started

If you have not already joined, please create a community account at community.pagerduty.com/join/pdu

We will have a variety of sessions and workshop breakouts to test your knowledge throughout the course in our community. Redeem points for swag!

● Introductions
● Knowledge Checks
● Post-Course Survey

📸 Doppler Team

Earn Points! 📝 Link in Chat

Agenda

1. Introduction
2. What is DevSecOps?
3. Cultural Shifts
4. Shifting Left
5. Q&A

Don’t Panic

This will be an interactive workshop, as much as possible

I’ll be doing (some) live questions in the presentation.

Questions will be via Slido

And so it begins…

Introduction & Context Setting

How do you feel development, operations, and security work together today?

Dev+Ops: how do you feel when you need to work with security?

Security: how do you feel when you need to work with dev and/or ops?

A few questions about The Phoenix Project

Have you read The Phoenix Project?

How well do you recall the story overall?

Which character do you most identify with, in terms of your current role or career?

A Basic Phoenix Project Org Chart

Let’s reflect on this for a moment

How favorably did Bill talk about developers?

How favorably did Bill talk about security?

How did you view security in this interaction?

Empathy exercise: how do you think security felt in this interaction, or in parallel real-world scenarios?

Let’s discuss.

What and How of DevSecOps

What was that all about? 🤨

Current Situation

Vaulting over “the wall”

DevSecOps

DevSecOps is the set of cultural practices that aims to break down the silo between security and development+operations.

Specifically, DevSecOps seeks to address the organizational friction that exists between these teams and departments.

What DevSecOps is not

DevSecOps is not replacing security with dev and/or ops, or expecting dev and/or ops to become security specialists, or expecting security to become devs and/or ops.

Phew.

DevSecOps is supported by both human activity and tooling.

The first step on your DevSecOps journey: awareness.

Best Practices are a Journey, not a One Size Fits All

There are many best practices relevant to DevSecOps, so you will need to be aware of both yourself and your organization in order to apply them and iterate.

Curious: how many of you are interested in cross-discipline learning?

What are some ideas you have for implementing DevSecOps in your company?

DevSecOps is implemented by …

Cultural Changes: Cross Functional Awareness and Empathy

Shifting Left in the Secure Software Development Life Cycle

Security Incident Remediation Process

Let’s talk culture first

Cultural Changes

Cultural Aptitude & Empathy

Blameless Culture

Full Service Ownership

Shadowing

By helping each other, we help ourselves.

Security Champions Program

What are some ways you can support a DevSecOps transformation at your company?

Shifting Left

Secure SDLC

What are some security activities?

Another Secure SDLC

Why is it called “shift left”?

An FTL Overview

Secure Design and Code

Secure Building, Testing, Delivery, & Deployment

Secure Runtime and Monitoring

Your Mileage May Vary

Everyone is relevant

Improve Security Posture

Security Posture

A company’s security posture is its overall readiness against security threats.

What are some ways that your security team helps improve your security posture?

Always Ask

What do you even do here? ⛔

How do you help us with ${X}? ✅

Security Assessments

Threat Modeling Exercises

Capture the Flag Games

Social Engineering Trainings

Do not trick staff, ever

Example Security Training Slides

How many of you have attended a standard security training and received benefit from it?

Security Training Ops Guide

Do you think a training like that would be more beneficial to your organization?

True or false: Once we do All The Things we will be secure, forever!

Secure Incident Response

Security & Incident Response

A security incident is an incident that actually or potentially violates the security policies of a system or information that the system processes, stores, and/or transmits.

When to trigger a security incident

What happens next?

The Fourteen Steps

1. Stop the attack in progress.
2. Cut off the attack vector.
3. Assemble the response team.
4. Isolate affected instances.
5. Identify timeline of attack.
6. Identify compromised data.
7. Assess risk to other systems.
8. Assess risk of re-attack.
9. Apply additional mitigations, additions to monitoring, etc.
10. Forensic analysis of compromised systems.
11. Internal communication.
12. Involve law enforcement.
13. Reach out to external parties that may have been used as a vector for attack.
14. External communication.

Step 1: Stop the attack in progress.

Step 2: Cut off the attack vector.

Step 3: Assemble the response team.

Step 4: Isolate affected instances.

Step 5: Identify timeline of attack.

Step 6: Identify compromised data.

Step 7: Assess risk to other systems.

Step 8: Assess risk of re-attack.

Step 9: Apply additional mitigations, additions to monitoring, etc.

Step 10: Forensic analysis of compromised systems.

Step 11: Internal communication.

Step 12: Involve law enforcement.

Step 13: Reach out to external parties that may have been used as a vector for attack.

Step 14: External communication.

The Fourteen Steps (Recap)

1. Stop the attack in progress.
2. Cut off the attack vector.
3. Assemble the response team.
4. Isolate affected instances.
5. Identify timeline of attack.
6. Identify compromised data.
7. Assess risk to other systems.
8. Assess risk of re-attack.
9. Apply additional mitigations, additions to monitoring, etc.
10. Forensic analysis of compromised systems.
11. Internal communication.
12. Involve law enforcement.
13. Reach out to external parties that may have been used as a vector for attack.
14. External communication.

References and Resources

Resources

● PagerDuty DevSecOps Guide: devsecops.pagerduty.com
● All PagerDuty Ops Guides, including security training: pagerduty.com/ops-guides/
● STRIDE Threat Modeling Framework: ThoughtWorks Implementation Link
● About Capture the Flag (for InfoSec): ctf101.org

Resources also available at the PagerDuty University Booth

📸 Purple Team

Final Exam! (Kidding, but really earn some points ☺) Link in Chat

Thank You Final Swag Challenge: Survey (in chat)