
DevSecOps

“Everyone is responsible for security”


Quick look at DevOps
DevOps is a set of practices that automates the processes
between software development and IT teams, in order
that they can build, test, and release software faster and
more reliably.

It's a firm handshake between development and operations that emphasizes a shift in mindset, better collaboration, and tighter integration. It unites agile, continuous delivery, automation, and much more, to help development and operations teams be more efficient, innovate faster, and deliver higher value to businesses and customers.

Source: https://en.wikipedia.org/wiki/DevOps
Better, faster, cheaper software with DevOps

COMPANY             DEPLOY FREQUENCY        DEPLOY LEAD TIME      RELIABILITY     CUSTOMER RESPONSIVENESS
AMAZON              23000 / day             Minutes               High            High
GOOGLE              5500 / day              Minutes               High            High
NETFLIX             500 / day               Minutes               High            High
FACEBOOK            1 / day                 Minutes               High            High
TWITTER             3 / week                Minutes               High            High
TYPICAL ENTERPRISE  Once every 9 months     Months or quarters    Low / Medium    Low / Medium

but is it secure?

Meet DevSecOps

DevSecOps enables organisations to deliver secure software at DevOps speed.

DevSecOps seeks to achieve greater efficiency and productivity by incorporating security principles within the DevOps process, rather than bolting security on after the fact.

Source: https://www.checkmarx.com/wp-content/uploads/2016/07/Dev-Software-releases-.png
DevSecOps in 3 key categories: Culture, Processes, Technologies


Culture
● Communication and transparency
● High trust environment
● Continuous improvement
● Everyone is responsible for security
● Automate as much as possible
● Everything as code
○ Infrastructure as code
○ Security as code
○ Compliance as code
Processes

Secure SDLC
How do we integrate the AppSec pipeline into DevOps?

[Figure: DevOps pipeline with an AppSec pipeline attached to it.
 DevOps pipeline stages: git -> Unit Tests -> Integration Tests -> Code Analysis -> Create Docker Image -> Start Docker Image / Load Test Server -> Load Tests -> Deploy.
 Labels: DevOps Pipeline, AppSec Pipeline; target environments: Test, Production.]
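One concrete way to wire the AppSec pipeline into the stages above is a gate that runs after Code Analysis and the DAST scan and decides whether Deploy may proceed. The following is an added example, not code from the slides: the findings, waivers and rule names are constructed, and a real gate would first normalise each scanner's own report format into the `Finding` shape used here.

```python
"""Pipeline security gate: decide whether a build may move on to Deploy
based on the findings produced by the Code Analysis (SAST) and DAST stages.

Added example; the findings and waivers below are constructed. Real scanners
(SonarQube, Checkmarx, ZAP, ...) each have their own report schema, so a real
gate would first normalise their output into the Finding shape used here.
"""
from dataclasses import dataclass
from datetime import date

# Policy, kept next to the code so it is reviewed like any other change.
BLOCKING_SEVERITIES = {"critical", "high"}  # these fail the build
MAX_WAIVER_DAYS = 90                         # a triaged finding must be re-reviewed after this


@dataclass(frozen=True)
class Finding:
    tool: str       # stage / scanner that reported it, e.g. "sast" or "dast"
    rule: str       # scanner rule identifier (constructed names here)
    severity: str   # critical | high | medium | low | info
    location: str   # file:line for SAST, URL for DAST


@dataclass(frozen=True)
class Waiver:
    rule: str
    location: str
    approved_on: date   # when AppSec accepted the risk or confirmed a false positive
    reason: str


def evaluate(findings, waivers, today):
    """Return (passed, blocking, expired_waivers).

    A finding blocks the build if its severity is in BLOCKING_SEVERITIES and
    there is no active waiver for the same rule at the same location. Waivers
    older than MAX_WAIVER_DAYS are reported as expired and no longer suppress
    anything, so accepted risk cannot silently become permanent.
    """
    active, expired = {}, []
    for w in waivers:
        if (today - w.approved_on).days > MAX_WAIVER_DAYS:
            expired.append(w)
        else:
            active[(w.rule, w.location)] = w
    blocking = [
        f for f in findings
        if f.severity.lower() in BLOCKING_SEVERITIES
        and (f.rule, f.location) not in active
    ]
    return not blocking, blocking, expired


# Constructed sample input: what the earlier stages might have reported.
FINDINGS = [
    Finding("sast", "sql-injection", "high", "src/orders.py:42"),
    Finding("dast", "reflected-xss", "high", "https://qa.internal/search?q="),
    Finding("dast", "missing-nosniff-header", "low", "https://qa.internal/"),
]
WAIVERS = [
    Waiver("reflected-xss", "https://qa.internal/search?q=", date(2024, 1, 10),
           "false positive: endpoint returns JSON, reviewed by AppSec"),
]


def run_gate(today_iso):
    """Run the gate for the sample build as of the given ISO date, e.g. "2024-02-01"."""
    return evaluate(FINDINGS, WAIVERS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    import sys
    passed, blocking, expired = run_gate(date.today().isoformat())
    for w in expired:
        print(f"WARN waiver expired: {w.rule} at {w.location} (approved {w.approved_on})")
    for f in blocking:
        print(f"FAIL {f.severity.upper()} {f.rule} at {f.location} ({f.tool})")
    print("gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)   # a non-zero exit stops the pipeline before Deploy
```

The two things worth copying from this pattern are that the policy is code (so a change to what blocks a build goes through review like any other change) and that waivers expire: a "false positive" accepted once should not suppress the same finding forever.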
Technologies - Incorporate the security principles in DevOps

SDLC STAGE      TECHNOLOGIES
Requirements    -
Code            SAST, IDE plugins
Test            Gauntlt, DAST (OpenVAS, ZAP), Dradis (reporting and collaboration), Scout2 (cloud configuration audit)
Configure       Everything as code
Maintenance     Patch management (phoenix deployments)
Monitor         Auditing, attack visibility, RASP, ELK

Trainings
Secure Coding Practices

Training helps organisations write secure code, so that risks and threats are caught and removed at the development stage rather than after release.

● Secure code trainings
● Code review
● Best coding practices
Code
DevSecOps enables developers to write secure code by integrating security plugins into the IDE, so that flaws are reported while the code is being written.

SAST - Static Application Security Testing tools (also called secure code analysis tools) analyse the source code, without running it, to find security flaws.

● SonarQube
● Checkmarx
● IBM AppScan
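To make concrete what "analyse the source code to find security flaws" means, here is a deliberately small static check of the kind a SAST tool or IDE plugin runs: it walks the parse tree and flags SQL that is assembled from strings at runtime and handed to a DB-API `execute()` call. This is an added example, not code from the slides or from any of the products listed above; the source it scans is constructed.

```python
"""A minimal static check of the kind a SAST tool or IDE plugin performs:
find SQL statements that are assembled from strings at runtime and handed to
a DB-API execute() call, the classic SQL injection pattern.

Added example, not code from the slides or from any of the listed products;
the scanned source below is constructed. The check reasons about the parse
tree only (nothing is run), which is what makes it usable in an IDE or at
the Code Analysis stage of the pipeline.
"""
import ast

SINKS = {"execute", "executemany"}   # DB-API methods whose first argument is SQL


def _is_dynamic(node):
    """True if the expression definitely builds a string at runtime."""
    if isinstance(node, ast.JoinedStr):                      # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        # "..." + x  or  "..." % x ; constant + constant is still a literal
        return not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "...".format(x)
    # A bare name is not flagged: resolving it needs data-flow analysis,
    # which real SAST tools do and this example does not.
    return False


def find_sql_injection(source, filename="<input>"):
    """Return [(line, message)] for every sink called with a dynamically built query."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SINKS and node.args and _is_dynamic(node.args[0])):
            findings.append((node.lineno,
                             f"{filename}:{node.lineno}: SQL passed to {node.func.attr}() is "
                             "built at runtime; bind values as parameters instead"))
    return sorted(findings)


# Constructed source under review: three injectable calls and one safe one.
SAMPLE = '''\
import sqlite3

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '" + username + "'")
    cur.execute(f"SELECT id FROM users WHERE name = '{username}'")
    cur.execute("SELECT id FROM users WHERE name = '%s'" % username)
    cur.execute("SELECT id FROM users WHERE name = ?", (username,))
    return cur.fetchone()
'''


def scan_sample():
    """Scan the constructed sample; lines 5, 6 and 7 are reported, line 8 is not."""
    return find_sql_injection(SAMPLE, "orders.py")


if __name__ == "__main__":
    for _, message in scan_sample():
        print(message)
```

The limitation noted in the comment is the important one: a query stored in a variable and passed by name is not flagged here, and closing that gap (tracking where the value came from) is most of what separates a product like the ones listed above from a forty-line script.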
Test - Automate as much as possible.

DAST - A Dynamic Application Security Testing tool finds certain vulnerabilities in a web application by exercising it while it is running, from the outside and without access to the source, the way an attacker would. In a DevSecOps pipeline the scan is normally run against a test or staging deployment, so that it does not hit production.

Gauntlt - Gauntlt provides hooks to a variety of security tools and puts them within reach of security, dev and ops teams to collaborate to build rugged software. It is built to facilitate testing and communication between groups and create actionable tests that can be hooked into your deploy and testing processes. Attacks are written as plain-language scenarios whose assertions on the tools' output pass or fail the build. Tools it wraps include:

● curl
● nmap
● sqlmap
● Garmr
● sslyze
Configure
Everything as code

● Infrastructure as code
● Security as code

Platform requirements, server hardening and similar tasks should not be a problem in today's world: codify as much as possible. Once they are code, the Dev, Sec and Ops teams can apply them with a single action, review them like any other change, and reproduce them identically in every environment.

● Docker - containerised applications
● Kubernetes - automated deployment, scaling and management of containerised applications
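"Security as code" for a Kubernetes deployment means the hardening rules themselves are a reviewable check that runs before `kubectl apply`. The following is an added example, not code from the slides: a policy check over a Pod manifest, with a weak and a hardened manifest side by side. Both manifests are constructed; in a real pipeline they would be loaded from YAML (for instance with PyYAML) rather than embedded as dictionaries.

```python
"""Security-as-code check: enforce a container hardening policy on a
Kubernetes Pod spec before it is applied.

Added example; the manifests are constructed. In practice the manifest
would be parsed from YAML and this check would run as a pipeline stage
before `kubectl apply`, or the same rules would live in an admission
controller so they also apply to changes made outside the pipeline.
"""


def check_pod(manifest):
    """Return a list of policy violations for a Pod manifest (empty = compliant)."""
    violations = []
    spec = manifest.get("spec", {})
    name = manifest.get("metadata", {}).get("name", "<unnamed>")

    # Host namespaces give a container a view of the node it runs on.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            violations.append(f"{name}: spec.{flag} must not be true")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        image = c.get("image", "")
        # Require a tag or digest; ':latest' is a moving target that defeats review.
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            violations.append(f"{name}/{cname}: image '{image}' must be pinned to a tag or digest")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"{name}/{cname}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}/{cname}: allowPrivilegeEscalation must be false")
        if sc.get("runAsNonRoot") is not True:
            violations.append(f"{name}/{cname}: runAsNonRoot must be true")
        if sc.get("readOnlyRootFilesystem") is not True:
            violations.append(f"{name}/{cname}: readOnlyRootFilesystem must be true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            violations.append(f"{name}/{cname}: capabilities.drop must include ALL")
        if not c.get("resources", {}).get("limits"):
            violations.append(f"{name}/{cname}: resources.limits must be set")
    return violations


# Constructed: the kind of manifest that works on a laptop and fails review.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web",
            "image": "example/web:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed: the same workload with the policy satisfied.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "containers": [{
            "name": "web",
            "image": "example/web:1.4.2",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "runAsNonRoot": True,
                "runAsUser": 10001,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        problems = check_pod(pod)
        print(pod["metadata"]["name"], "->", "OK" if not problems else f"{len(problems)} violation(s)")
        for p in problems:
            print("  ", p)
```

Each rule is deliberately written as "the safe value must be present" rather than "the unsafe value must be absent": a manifest that simply omits `securityContext` gets the Kubernetes defaults (root, writable filesystem, privilege escalation allowed), and a check that only looked for `privileged: true` would wave it through.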
Maintenance
Patch Management

A phoenix deployment strategy lets an organisation patch by deploying a completely new, already patched instance of the application to production and destroying the existing instance in parallel, instead of patching running servers in place.

Because every instance is rebuilt from the same code-defined image, this eliminates configuration drift (and other accumulated technical issues) at DevOps speed.
Monitor
Ability to monitor the secure SDLC.

● Auditing
● Attack visibility

RASP
Runtime Application Self-Protection (RASP)

RASP is a security technology built into the application itself, where it can see the calls the application makes at runtime and therefore detect and prevent attacks in real time. RASP "self-protects" by blocking the offending operation or reconfiguring automatically, without human intervention, in response to certain conditions (threats, faults, etc.).
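To show what "built into the application" means in practice, here is a minimal RASP-style hook as an added example (not a description of any commercial RASP product, and not code from the slides). It wraps the database cursor so the protection sits at the point where the application is about to execute SQL; the request inputs and the in-memory database are constructed, and the detection rule is deliberately simple.

```python
"""A minimal RASP-style hook: the protection lives inside the application,
watching the SQL the application is about to execute and blocking a
statement when untrusted request input has been spliced into its text.

Added example, not a description of any commercial RASP product. It uses
the standard-library sqlite3 module, and the request data is constructed.
The detection rule is deliberately simple: a request input value that
appears verbatim inside the SQL text and carries SQL metacharacters means
the input changed the statement's structure, which is exactly what a
parameterised query prevents.
"""
import re
import sqlite3
import threading

_request = threading.local()                      # per-request untrusted inputs
SQL_META = re.compile(r"""['";]|--|/\*""")        # quote, statement end, comment starts


class RaspBlocked(Exception):
    """Raised instead of executing a statement that looks like an injection."""


def begin_request(untrusted):
    """Framework hook: record every untrusted value (query string, form, headers...)."""
    _request.inputs = [v for v in untrusted.values() if isinstance(v, str) and v]


def _spliced_input(sql):
    """Return the untrusted value that was spliced into `sql`, or None."""
    for value in getattr(_request, "inputs", []):
        if value in sql and SQL_META.search(value):
            return value
    return None


class ProtectedCursor:
    """Wraps a DB-API cursor; execute() is inspected, everything else passes through."""

    def __init__(self, cursor, log):
        self._cursor, self._log = cursor, log

    def execute(self, sql, params=()):
        hit = _spliced_input(sql)
        if hit is not None:
            self._log.append(f"BLOCKED input {hit!r} found inside SQL: {sql}")
            raise RaspBlocked(sql)
        return self._cursor.execute(sql, params)

    def __getattr__(self, name):
        return getattr(self._cursor, name)


def demo():
    """Run one attack and one benign request through vulnerable and safe code paths."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    log = []
    cur = ProtectedCursor(conn.cursor(), log)
    result = {}

    # Request 1 (constructed attack): classic tautology payload.
    payload = "x' OR '1'='1"
    begin_request({"username": payload})
    try:   # vulnerable code path: the value is concatenated into the statement
        cur.execute("SELECT id FROM users WHERE name = '" + payload + "'")
        result["attack_blocked"] = False
    except RaspBlocked:
        result["attack_blocked"] = True
    # safe code path: same value bound as a parameter, never part of the SQL text
    result["attack_param_rows"] = cur.execute(
        "SELECT id FROM users WHERE name = ?", (payload,)).fetchall()

    # Request 2 (benign): RASP must not break normal traffic, even on the sloppy path.
    begin_request({"username": "alice"})
    result["benign_rows"] = cur.execute(
        "SELECT id FROM users WHERE name = '" + "alice" + "'").fetchall()
    result["log"] = log
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hook blocks the attack on the vulnerable code path and leaves the parameterised and benign requests alone, which is the RASP trade-off in miniature: it protects code that should have been fixed, it needs the application's own context (here, which values were untrusted) to do so, and it is a last line of defence rather than a substitute for the SAST finding that would have caught the concatenation before deploy.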
ChatSecOps
ChatSecOps enables organisations to build safe service portals on top of the chat tools teams already use, for example Slack or HipChat, so that operational actions are issued as chat commands in a shared channel.

Example: imagine a simple chat command that pushes the code to QA, and it's done.
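A chat command that deploys code is a privileged control plane, so the "safe" part of ChatSecOps is what sits between the message and the deploy script. The following is an added example, not code from the slides: a command handler with a strict grammar, an allow-list of environments, per-environment authorisation and an argv list instead of a shell string. The user directory, roles and `./deploy.sh` name are constructed; a real bot would take identities from the chat platform.

```python
"""ChatOps command handler with the controls a security engineer wants in
front of a "deploy from chat" shortcut: a strict command grammar, an
allow-list of target environments, per-environment authorisation, and an
argv list (never a shell string) for the action that is finally run.

Added example; the user directory, roles and deploy script name are
constructed, and a real bot would take identities from the chat platform.
"""
import re

# Constructed policy and directory. Production is deliberately absent: it
# is not reachable from chat at all, whatever the user's role.
ROLES_FOR_ENV = {"qa": {"developer", "release"}, "staging": {"release"}}
USER_ROLES = {"alice": {"developer"}, "bob": {"release"}, "mallory": set()}

# The grammar is the first control: only these characters can reach the command.
COMMAND = re.compile(r"deploy (?P<app>[a-z][a-z0-9-]{0,31}) to (?P<env>[a-z]+)")


def handle(user, text):
    """Return (ok, reply, argv): argv is the exact command to run, or None if refused."""
    m = COMMAND.fullmatch(text.strip())
    if not m:
        return False, "usage: deploy <app> to <env>", None
    app, env = m["app"], m["env"]
    if env not in ROLES_FOR_ENV:
        return False, f"'{env}' cannot be deployed from chat", None
    if not USER_ROLES.get(user, set()) & ROLES_FOR_ENV[env]:
        return False, f"{user} is not authorised to deploy to {env}", None
    # argv form: the chat text is never handed to a shell, so there is nothing to inject.
    argv = ["./deploy.sh", "--app", app, "--env", env, "--requested-by", user]
    return True, f"deploying {app} to {env} (requested by {user}, logged)", argv


if __name__ == "__main__":
    for user, text in [("alice", "deploy orders to qa"),
                       ("alice", "deploy orders to staging"),
                       ("bob", "deploy orders to production"),
                       ("mallory", "deploy orders to qa"),
                       ("alice", "deploy orders;id to qa")]:
        ok, reply, argv = handle(user, text)
        print(f"{user}: {text!r} -> {'OK' if ok else 'REFUSED'}: {reply}")
```

The reply string doubles as the audit record: because the bot answers in the channel, every deploy request and refusal is visible to the whole team, which is the transparency the Culture section asks for.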
Thank You
