Downloaded 38 times
Uploaded byTapabrata Pal
Adopting a security attitude in DevOps via DevOpsSec
Adopting a security attitude in DevOps involves implementing security practices and controls at every stage of the software delivery pipeline from coding through testing and deployment. This includes performing security checks and tests during coding like using secure coding practices and static analysis tools, during building like reviewing dependencies and analyzing for vulnerabilities, and during testing and deployment through security testing techniques like penetration testing and configuration reviews. The goal is to shift security left and provide rapid security feedback throughout the development and delivery process.
More Related Content
Similar to Adopting a security attitude in DevOps via DevOpsSec
Adopting a security attitude in DevOps via DevOpsSec
- 1. Adopting a securityattitude in DevOps via DevOpsSec
- 2. @TopoPal Tapabrata “Topo” Pal EngineeringFellow Product Manager, Shared Continuous Delivery Tools Platform Community Manager, Hygieia Open Source DevOps Dashboard tapabrata.pal@capitalone.com @TopoPal Past: • PhD in Semiconductor Physics • 20 years of IT experience as Developer, Architect, System Engineer • Experience in Retail, Healthcare and Finance industries
- 3. @Topo Pal ! 70million accounts ! One of the largest Digital Banks ! ~ 20 years old
- 4. @Topo Pal Different DNA !Build our own software ! Build on public cloud ! MicroServices ! Open Source ! DevOpsSec and Continuous Delivery
- 5.
- 6. @TopoPal Deliver High QualityWorking Software Faster
- 7. @TopoPal Deliver High QualityWorking Software Faster • No security flaws • No legal flaws • Minimum defects • All levels of testing done • Code reviewed and source controlled • Testing of application, configuration, scripts etc. • Across LOBs, Shared Services and 3rd Parties • Tested end-to-end • All dependencies are satisfied • How fast? ASAP?
- 8.
- 9.
- 10.
- 11. @TopoPal A delivery pipelinewithout security attitude is NOT a pipeline
- 12.
- 13.
- 14. @Topo Pal Business • Requirements •Feature Request • Roadmap Development • Architecture • Design • Code • Test Operations • Infrastructure • Platforms • Environment • Deployment • Incident Mgmt • Change & Release Mgmt. Information Security Application Security Security Testing Information Security Infrastructure Security DevOpsSec
- 15.
- 16. @TopoPal Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control AgilePM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration Automated/Continuous Deployment Plan Monitor Verify Deploy Continuous Deployment Test Mgmt Test Data Mgmt D evelop Promote Verify Execute Service Test UI Test Device Test Perf Test Security Test Continuous Testing Service Virtualization Acceptance Test Infrastructure and Environment Dashboard/Feedback End to End Traceability, Real time status of Code, Build, Deploy, Test, Application and Environment Health
- 17. @TopoPal Code Quality Check Unit/ Integration Test Binary Repository CI Tool IDE Source Control AgilePM Tools Defect Management Request,Plan ReportResults Automated Tests Code Analysis Automated Build Develop, Unit Test Continuous Integration Automated/Continuous Deployment Plan Monitor Verify Deploy Continuous Deployment Test Mgmt Test Data Mgmt D evelop Promote Verify Execute Service Test UI Test Device Test Perf Test Security Test Continuous Testing Service Virtualization Acceptance Test Infrastructure and Environment Dashboard/Feedback End to End Traceability, Real time status of Code, Build, Deploy, Test, Application and Environment Health
- 18. @TopoPal Delivery Pipeline: Automated,Continuous, Compliant Code Build Release Monitor Deploy + Test Execution App Test Infra DEV INT QA PERF PROD DEV INT SEC QA SEC PERF PROD DEV INT QA SEC PERF PROD Infra App Flow Feedback Automated Audit and Security Controls at every step
- 19. @TopoPal Code Application Code Test Code InfrastructureCode ! IDE Security Plugins ! Secure Coding Practices ! Security BDD ! Open Source Bill of Material Security during Coding
- 20. @TopoPal Build ! Bill ofMaterials ! Static Code Analysis ! Static Security Analysis ! Security BDD Security during Building
- 21. @TopoPal Deploy + TestExecution Security Testing ! Application Security Testing ! Penetration Testing ! Data Security Testing ! Configuration Security Testing
- 22.
- 23.
- 24.