MT
Uploaded byMatt Tesauro
PDF, PPTX82 views

Practical DevSecOps: Fundamentals of Successful Programs

The document outlines the principles of DevSecOps, comparing its transformative impact to that of steam trains on American travel, and emphasizes the importance of optimizing workflows, improving feedback loops, and fostering a culture of experimentation within software development. It introduces the evolution of application security (AppSec) pipelines, detailing three generations aimed at enhancing automation, visibility, and integration with development processes. Key takeaways include the necessity for continuous improvement and the critical role of effective feedback in successfully implementing DevSecOps strategies.

Download as PDF, PPTX
Old West Edition Practical DevSecOps Fundamentals of Successful Programs
HOWDY! ● Reformed programmer & AppSec Engineer ● Noname Security - Distinguished Engineer ● 14 years in the OWASP Community ○ OWASP DefectDojo (core maintainer) ○ OWASP AppSec Pipeline (co-leader) ○ OWASP WTE (leader) ● 22 + years using FLOSS & Linux ● Currently a Go language fanboy ● Ee Dan in Tang Soo Do Mi Guk Kwan (2nd degree black belt) ● Founder 10Security
Starting from Zero Steps 2 Take Example of how to expand your horizon 1 Final Thought Conclusions and key takeaways How this whole thing got started 3 Ways of DevOps Crawl, walk run with DevSecOps TABLE OF CONTENTS 2 4 3 1
Starting from Zero 1 And maybe heading towards hero
Steam Locomotives
The Iron Horse Straddles America ● Radically changed travel in the US ● Travel time across the US ○ Pre-train: 6 months + $1,000 ○ Post-train: 1 week + $150 ● Town that had a stop prospered ○ Those that didn’t, faded away
Trains == Change ● Trains changed the landscape for better or worse ● The US ‘got smaller’ - travel was in reach to more people ● Expanded markets, more customers ● ‘Cost’ of going west went way down
Trains <==> DevSecOps ● Trains changed the landscape for better or worse DevSecOps changed IT for better or worse ● The US ‘got smaller’ - travel was in reach to more people Batch / change size got smaller (CICD) ● Expanded markets, more customers Increased agility, more customers ● ‘Cost’ of going west went way down ‘Cost’ of experiments goes way down
When will we see this? DevSecOps AppSec Your bit of IT here
3 Ways of DevOps 2 Before there was DevSecOps, there was DevOps
Workflow ? ? The 3 ways of DevOs 1 3 2
Look at your purpose and those processes which aid it ● Make sure the process is correct from the beginning to end then look at ways to speed up that process ● Value Stream - the name of the process which provides value to the business ● Working from left to right e.g. like a timeline business / development => customer / operations ● Flow [rate] - speed work goes through the process. #1 Workflow
Each Step Repeatable #1 Workflow ● Remove all haphazard and ad hoc work from the process ● Repeat until stable ○ I like doing the first couple of times manually with a ‘run book’ ● Scripting languages are your friends ● Config Mgmt - Puppet, Chef, Salt, Ansible, Terraform, Helm, … ● Create deployable artifacts from a branch/release e.g. .rpm, .deb, .msi, … ● Make sure what you do can be done once or 10,000 times
Never Pass along Defects #1 Workflow ● While working left to right, don’t pass on failures ● Test early and often ● Increase rigor of testing as you work left to right ● When a failure occurs, end that flow and start a new one (after corrections) ● The further right you are, the more expensive failure is ○ Concentrate your early work on the left side (intake) ● e.g. in AppSec, defects are false positive findings
Local Optimizations with a Global View #1 Workflow ● Ensure no single-step optimizations degrade the overall performance of the workflow ● Find the bottleneck in your workflow and start there ○ Upstream changes will just back things up ○ Downstream changes won’t manifest since input is constrained ● Each new optimization creates a new bottleneck ○ Iterate on these
Increase the flow of work #1 Workflow ● Make sure you have a well-defined, repeatable process first ● Look for manual steps that can be automated ● Look for duplicate work that can be removed or eliminated ● Measuring/tracking time taken at each step is crucial ● Ask yourself: Where does the flow ebb?
Workflow Improve Feedback ? The 3 ways of DevOs 1 3 2
Open yourself to upstream and downstream information #2 Improve Feedback ● Feedback loops occur when information is gathered from ○ upstream (business / development) ○ downstream (customer / operations) ● Make visible problems, concerns, potential improvements ○ Share this broadly inside the company ● Learn as you move left to right so improvements aren’t lost ● Requests are opportunities to better fulfill business’s needs ○ There’s rarely enough feedback, capture and look for more ○ Feedback collected can be used to optimally improve the system
Understand and Respond to your Customers #2 Improve Feedback ● Customers are also inside your business ● Customer is more than the end ‘consumer’ at the end of the process ○ Each step is the customer of the previous step ○ Understand what the next steps need from you to succeed ● Remember, feedback isn’t guaranteed ○ Encourage it by responding ● Responses are required of external and internal customers ● Make feedback & responding quick, easy and readily available
Shorten Feedback Loops #2 Improve Feedback ● Remove any intermediaries and impediments to feedback ● Communicate as directly as possible, skipping steps/people if possible ○ e.g . The person who finds a problem communicates with the person who fixes the problem ● The more hands that hold the feedback, the more change to get garbled ● If possible, intermediaries should be software, not people ● Whispered secret across a classroom ○ How much change occurs?
Amplify All Feedback #2 Improve Feedback ● Shout it from the mountain tops ● No heroes quietly fixing things or applying workarounds ● Open, honest communication of feedback, especially of problems ○ File a bug report ○ Halt the process at that step (e.g. pull the Andon cord to stop the line) ● Make having problems OK and hiding problems a fireable offense ○ GM and all those green status sheets…
Embed Knowledge where Needed #2 Improve Feedback ● Keep specialized knowledge out of people’s heads and into the system ○ Special configurations, business requirements, etc ○ Check it into source control - automatic versioning! ● git blame anyone? Find out where/when regressions occurred ● Moving left to right, keep info in the stage that requires it ● Docs to build a package stored in the repo for that package ● Deploy automation in the repo with configuration templates, etc
Workflow Improve Feedback Continual Experimentation & Learning The 3 ways of DevOs 1 3 2
Create a culture of innovation and experimentation #3 Continual Experiments ● The fundamentals are now solid, what can your new knowledge buy you? ● The business culture must allow for and embrace innovation & experimentation ● Two essential things must be understood by the business ○ We can learn from failed experiments / risks we take ○ Mastery comes from repetition and practice ● And you won’t be a master the first N times you practice
“I fear not the man who has practiced ten thousand kicks once, But I fear the man who has practiced one kick ten thousand times.”
Rituals are created that reward risk taking #3 Continual Experiments ● Reward risk + learning ● Don’t just talk about rewarding risk, walk the walk ● Trying new things and failing is OK when you gain knowledge ● Consider this creating your own feedback in a very tight loop ● Get real about this: ○ Failures should be noted positively in annual reviews if and only if a lesson was learned ● Edison invented the lightbulb by running out of things that didn’t work
Mgmt allocates time for projects to improve the system #3 Continual Experiments ● Plan to improve or you’re planning on stagnation ● Invest in improving the system created ○ By providing value to the business, it should want to maximize that return ● Prune any technical debt - all debt is not bad ○ Some is good, none has opportunity costs, too much will crush you ● Amplifying feedback helps sell this to the business ● Can keep mistakes from being repeated
Faults are introduced to increase resilience #3 Continual Experiments ● Practice emergencies so emergencies feel routine ● Think fire drills aka Chaos Monkey ● You need to be a very mature org to do this ● Wonderful feedback look ○ How would your programming change if you knew the DB could disappear at any second? ● How else to check redundancy? ○ e.g. Think ‘trying to restore from backups’ after they were encrypted by malware
Try crazy or audacious things #3 Continual Experiments ● Stretch out of your comfort zone ● Requires embracing failures since many of these won’t work ● Forces out-of-the-box thinking ● Provides new perspectives on existing systems ○ You may thing A will break first, but B falls over instead ● Can help find false bottlenecks, bad assumptions, the dreaded “unknown unknowns” ● Yet another source of feedback so make sure and learn from it publicly
The Phoenix Project _If you haven’t_ _read that yet… Right after this talk is over, go out and get this book & “Beyond The Phoenix Project” to read them. Period
Steps 2 Take 3 Iterate from zero to hero
Introducing AppSec Pipelines
Key features of AppSec Pipelines AppSec Pipelines ● Designed for iterative improvement ● Provides a re-usable path for AppSec activities ● Provides a consistent process for both the team and your constituency ● One way flow with well defined states ● Relies heavily on automation ● Grow functionality organically over time ● Gracefully interconnects with the development process (e.g customers)
AppSec Pipelines
Gen 1 Pipelines Look at your team’s purpose and those processes which aid it
Spending time optimizing anything other than the critical resource is an illusion _W. Edwards Deming_
AppSec Personnelle Critical Resource ● They are the critical resource - optimize their work ● Automate things that don’t require a human brain ● Drive up consistency ● Increase tracking of work status ● Increase flow through the pipeline ● Increase visibility and metrics ● Reduce any dev team friction with application security
Gen 1 Pipeline
Then, once your house is in order…
Gen 2 Pipelines Look outside at your team’s purpose and those processes which aid it
Gen 2 Pipeline Dev Pipeline AppSec Pipeline Drop tool(s) into their pipeline
Weaponizing CICD Gen 2 Pipelines ● Zero false positives ○ Pretend FPs give you anaphylactic shock ● Health Checks vs Scanning ○ Run health checks all the time ● Home of specific issue tests ○ Find a vulnerability, write a test ● Cadence for longer running tests ○ These NEVER break a build ○ Every X builds or every Y days
Gen 2 Pipeline
(A minor aside)
Single source of truth for findings OWASP DefectDojo ● AppSec Programs, QA / QE, Product Security, Pen Testers ○ Custom report generation ○ Metrics and Dashboards ○ App and Infrastructure findings ○ 150+ security tools supported ● OWASP Flagship project, 8+ years being open sourced from Rackspace ● Community and contributor friendly ○ 305 contributors ● Github: 2.4k stars, 1.1k forks, monthly releases
The Heart of your DevSecOps OWASP DefectDojo
Gen 3 Pipelines Look to scale your team’s reach and dramatically increase speed and visibility
What is a Gen 3 Pipeline? Gen 3 Pipelines ● A way to conduct AppSec testing in an automated fashion ● Run by the AppSec team for the AppSec team to: ○ Provide visibility into software security ○ Provide security findings to the dev teams ● A means to scale the AppSec team coverage ○ Not in-depth testing but “you must be this high” ○ Allow some testing to be ‘pre-calculated’ for manual assessments ○ Event-driven (mostly) or on a schedule ● Creates a baseline of security
What a Gen 3 Pipeline isn’t: Gen 3 Pipelines ● Magic pixie dust ● A gate blocking production deploys ● Something to add to existing CICD systems ● Pipelines create artifacts ○ CICD artifacts are a deployed app ○ AppSec Pipeline artifacts are security findings
Gen 3 Pipelines
Gen 3 Pipelines
AppSec Pipeline evolution 1 2 3 Gen 1 Your team's purpose and what aids it Gen 2 Look outside your teams purpose and what aids it Gen 3 Event Driven, inter-connected pipelines
Iteration will be required
Iteration will be required Obligatory coffee stain
1 Final Thought 4 Conclusions and Key Takeaways
● Reverse IP Lookup ● IP reputation ● IP blacklist check ● Domain reputation ● Known IP (aka we own it) ● Check IP against our cloud account OK, AppSec, what else? DFIR ● Who registered the domain ● How long registered ● Shodan lookup ● Geolocate IP ● Whois ● Check against threat intel feed(s)
Useage 5,100 Runs 25k+ Container Executions Size 15 Repos 4 months Event-driven Pipeline numbers
2014 2015 2016 Number of Assessments 44 224 414 Headcount N/A -3.5 -2 Percentage Increase N/A 450% 107% AppSec Program Numbers
840.91% Percentage Increase From 2014 - 2016
What are you waiting for… ● Build a Pipeline & remove painful drudgery from your life ● Co-opt good ideas from other disciplines ● Get your DevSecOps on!
TLDR for this talk
CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik THANKS! matt.tesauro@owasp.org mattt@nonamesecurity.com Twitter: matt_tesauro Do you have any questions?

More Related Content

ODP
Lessons from DevOps: Taking DevOps practices into your AppSec Life
byMatt Tesauro
 
ODP
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
byMatt Tesauro
 
ODP
CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...
byPROIDEA
 
ODP
Building an Open Source AppSec Pipeline
byMatt Tesauro
 
PPTX
DevOps - Understanding Core Concepts
byNitin Bhide
 
PPT
2012 Velocity London: DevOps Patterns Distilled
byGene Kim
 
PDF
Agile adoption tales from the coalface
byNish Mahanty
 
PDF
How should we build that? Evolving a development environment that's suitable ...
byAdaCore
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
byMatt Tesauro
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
byMatt Tesauro
 
CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...
byPROIDEA
 
Building an Open Source AppSec Pipeline
byMatt Tesauro
 
DevOps - Understanding Core Concepts
byNitin Bhide
 
2012 Velocity London: DevOps Patterns Distilled
byGene Kim
 
Agile adoption tales from the coalface
byNish Mahanty
 
How should we build that? Evolving a development environment that's suitable ...
byAdaCore
 

Similar to Practical DevSecOps: Fundamentals of Successful Programs

PPTX
The Devops Handbook
byHarish Kamugakudi Marimuthu
 
PPT
Rockstar Programming
byNikiita Groshin
 
PPTX
Agile Principles.pptx
byDJGaming28
 
PDF
Agile concepts for quality and process engineers for slideshare
byYuval Yeret
 
PDF
Building Internet-scale Applications
byGaveen Prabhasara
 
PDF
The Lost Tales of Platform Design (February 2017)
byJulien SIMON
 
PPTX
Kasten Engineering Culture Deck
byNiraj Tolia
 
PDF
A Self Funding Agile Transformation
byDaniel Poon
 
PDF
Feedback loops - the second way towards the world of DevOps
byTapio Rautonen
 
PDF
Modern Engineering Practices - Building Blocks for the New Digital Economy (A...
byIT Arena
 
PDF
JDD 2016 - Joseph W. Yoder - Deliver Fast "With Confidence"
byPROIDEA
 
PPTX
6 Steps To Awesome - Coosto @DevOnSummit March 2018
byArjen de Ruiter
 
PDF
Being agile while standing in a waterfall
byMike Edwards
 
PDF
Scaling teams, processes and architectures
byLorenzo Alberton
 
PDF
When Things Go Bump in the Night
byahamilton55
 
PDF
Indix Engineering Culture Code (2015)
byRajesh Muppalla
 
PPTX
You cant be agile if your code sucks
byPeter Gfader
 
PDF
Sea spin5 2013
byJeff Smith
 
PDF
Andrew phillips three-pillars_of_continuous_delivery-1
byCachet Software Solutions Ltd
 
PDF
Twenty Startups A Year Without Going Crazy
byCiklum Ukraine
 
The Devops Handbook
byHarish Kamugakudi Marimuthu
 
Rockstar Programming
byNikiita Groshin
 
Agile Principles.pptx
byDJGaming28
 
Agile concepts for quality and process engineers for slideshare
byYuval Yeret
 
Building Internet-scale Applications
byGaveen Prabhasara
 
The Lost Tales of Platform Design (February 2017)
byJulien SIMON
 
Kasten Engineering Culture Deck
byNiraj Tolia
 
A Self Funding Agile Transformation
byDaniel Poon
 
Feedback loops - the second way towards the world of DevOps
byTapio Rautonen
 
Modern Engineering Practices - Building Blocks for the New Digital Economy (A...
byIT Arena
 
JDD 2016 - Joseph W. Yoder - Deliver Fast "With Confidence"
byPROIDEA
 
6 Steps To Awesome - Coosto @DevOnSummit March 2018
byArjen de Ruiter
 
Being agile while standing in a waterfall
byMike Edwards
 
Scaling teams, processes and architectures
byLorenzo Alberton
 
When Things Go Bump in the Night
byahamilton55
 
Indix Engineering Culture Code (2015)
byRajesh Muppalla
 
You cant be agile if your code sucks
byPeter Gfader
 
Sea spin5 2013
byJeff Smith
 
Andrew phillips three-pillars_of_continuous_delivery-1
byCachet Software Solutions Ltd
 
Twenty Startups A Year Without Going Crazy
byCiklum Ukraine
 

More from Matt Tesauro

PDF
AI, AppSec, and You: A Practitioner's Diary
byMatt Tesauro
 
PDF
DefectDojo at Global AppSec San Fran 2024
byMatt Tesauro
 
PDF
Tenants for Going at DevSecOps Speed - LASCON 2023
byMatt Tesauro
 
PDF
Hacking and Defending APIs - Red and Blue make Purple.pdf
byMatt Tesauro
 
PDF
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
byMatt Tesauro
 
PDF
Landmines in the API Landscape
byMatt Tesauro
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
PDF
The Final Frontier, Automating Dynamic Security Testing
byMatt Tesauro
 
PDF
Intro to DefectDojo at OWASP Switzerland
byMatt Tesauro
 
PDF
Taking the Best of Agile, DevOps and CI/CD into security
byMatt Tesauro
 
PDF
DevSecOps Fundamentals and the Scars to Prove it.
byMatt Tesauro
 
PDF
Continuous Security: Using Automation to Expand Security's Reach
byMatt Tesauro
 
PDF
OWASP DefectDojo - Open Source Security Sanity
byMatt Tesauro
 
PDF
Running FaaS with Scissors
byMatt Tesauro
 
PDF
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
byMatt Tesauro
 
PDF
Building a Secure DevOps Pipeline - for your AppSec Program
byMatt Tesauro
 
PDF
AppSec Pipelines and Event based Security
byMatt Tesauro
 
PPTX
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
byMatt Tesauro
 
PDF
Taking AppSec to 11 - BSides Austin 2016
byMatt Tesauro
 
PDF
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
byMatt Tesauro
 
AI, AppSec, and You: A Practitioner's Diary
byMatt Tesauro
 
DefectDojo at Global AppSec San Fran 2024
byMatt Tesauro
 
Tenants for Going at DevSecOps Speed - LASCON 2023
byMatt Tesauro
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
byMatt Tesauro
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
byMatt Tesauro
 
Landmines in the API Landscape
byMatt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
The Final Frontier, Automating Dynamic Security Testing
byMatt Tesauro
 
Intro to DefectDojo at OWASP Switzerland
byMatt Tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
byMatt Tesauro
 
DevSecOps Fundamentals and the Scars to Prove it.
byMatt Tesauro
 
Continuous Security: Using Automation to Expand Security's Reach
byMatt Tesauro
 
OWASP DefectDojo - Open Source Security Sanity
byMatt Tesauro
 
Running FaaS with Scissors
byMatt Tesauro
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
byMatt Tesauro
 
Building a Secure DevOps Pipeline - for your AppSec Program
byMatt Tesauro
 
AppSec Pipelines and Event based Security
byMatt Tesauro
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
byMatt Tesauro
 
Taking AppSec to 11 - BSides Austin 2016
byMatt Tesauro
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
byMatt Tesauro
 

Recently uploaded

PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PDF
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
PDF
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PPTX
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PDF
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
PDF
TrustArc Webinar - It’s Time to Rethink Privacy
byTrustArc
 
PDF
A Complete Beginner's Guide to Internet of Things 2025.pdf
bySecuodsoft
 
PDF
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
WebXR in Android and Linux with OpenXR
byIgalia
 
PDF
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PPTX
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
PDF
GDG Boise - Innovating with Google Cloud Artificial Intelligence
byJoey Brown
 
PPTX
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
PPTX
OutSystems ONE 2025-recap presentation.pptx
bymostafaothman27
 
PDF
Unleash AI power with the Dell Pro 14 Plus - Interactive PDF
byPrincipled Technologies
 
PDF
Q8 DIGITAL IDENTITY HUB - WSO2 Oxygenate Italy 2025
byProfesia Srl, Lynx Group
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
TrustArc Webinar - It’s Time to Rethink Privacy
byTrustArc
 
A Complete Beginner's Guide to Internet of Things 2025.pdf
bySecuodsoft
 
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
WebXR in Android and Linux with OpenXR
byIgalia
 
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
GDG Boise - Innovating with Google Cloud Artificial Intelligence
byJoey Brown
 
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
OutSystems ONE 2025-recap presentation.pptx
bymostafaothman27
 
Unleash AI power with the Dell Pro 14 Plus - Interactive PDF
byPrincipled Technologies
 
Q8 DIGITAL IDENTITY HUB - WSO2 Oxygenate Italy 2025
byProfesia Srl, Lynx Group
 
In this document
Powered by AI

Introduction to DevSecOps and its significance in modern IT. Highlights the evolution from traditional DevOps to a more secure practice emphasizing collaboration.

Use of steam locomotives as a metaphor for transformation in IT. Highlights travel cost reduction and accessibility, paralleling with DevSecOps implementation.

Introduces three foundational principles of DevOps focusing on workflow, value stream, and efficiency to enhance software delivery and customer orientation.

Emphasizes importance of defining workflows, minimizing defects, and optimizing processes for repeatability and efficiency to ensure reliable development.

Explains the necessity of improving feedback loops in DevOps, addressing both upstream and downstream communication to facilitate continual improvement.

Promotes a culture of experimentation where organizations embrace risks and learn from failures, essential for fostering innovation and systemic resilience.

Examines the role of AppSec pipelines in enhancing security processes through iterative improvements and automation, providing consistency in security practices.

Highlights the importance of focusing on critical resources like AppSec personnel and optimizing their workflow to enhance overall efficiency in security practices.

Discussions on evolution from Gen 1 to Gen 3 pipelines, detailing automation, increasing visibility, and scalability in AppSec processes to enhance security.

Presents metrics and assessment data reflecting the growth and improvement of AppSec programs over time, showcasing the importance of iterative processes.

Summarizes the core themes of the presentation, encouraging the adoption of DevSecOps practices, and invites questions from the audience.

Practical DevSecOps: Fundamentals of Successful Programs

  • 1.
  • 2.
    HOWDY! ● Reformed programmer& AppSec Engineer ● Noname Security - Distinguished Engineer ● 14 years in the OWASP Community ○ OWASP DefectDojo (core maintainer) ○ OWASP AppSec Pipeline (co-leader) ○ OWASP WTE (leader) ● 22 + years using FLOSS & Linux ● Currently a Go language fanboy ● Ee Dan in Tang Soo Do Mi Guk Kwan (2nd degree black belt) ● Founder 10Security
  • 3.
    Starting from Zero Steps 2Take Example of how to expand your horizon 1 Final Thought Conclusions and key takeaways How this whole thing got started 3 Ways of DevOps Crawl, walk run with DevSecOps TABLE OF CONTENTS 2 4 3 1
  • 4.
    Starting from Zero 1 And maybeheading towards hero
  • 5.
  • 6.
    The Iron HorseStraddles America ● Radically changed travel in the US ● Travel time across the US ○ Pre-train: 6 months + $1,000 ○ Post-train: 1 week + $150 ● Town that had a stop prospered ○ Those that didn’t, faded away
  • 7.
    Trains == Change ●Trains changed the landscape for better or worse ● The US ‘got smaller’ - travel was in reach to more people ● Expanded markets, more customers ● ‘Cost’ of going west went way down
  • 8.
    Trains <==> DevSecOps ●Trains changed the landscape for better or worse DevSecOps changed IT for better or worse ● The US ‘got smaller’ - travel was in reach to more people Batch / change size got smaller (CICD) ● Expanded markets, more customers Increased agility, more customers ● ‘Cost’ of going west went way down ‘Cost’ of experiments goes way down
  • 9.
    When will wesee this? DevSecOps AppSec Your bit of IT here
  • 10.
    3 Ways of DevOps 2 Beforethere was DevSecOps, there was DevOps
  • 11.
  • 12.
    Look at yourpurpose and those processes which aid it ● Make sure the process is correct from the beginning to end then look at ways to speed up that process ● Value Stream - the name of the process which provides value to the business ● Working from left to right e.g. like a timeline business / development => customer / operations ● Flow [rate] - speed work goes through the process. #1 Workflow
  • 13.
    Each Step Repeatable #1Workflow ● Remove all haphazard and ad hoc work from the process ● Repeat until stable ○ I like doing the first couple of times manually with a ‘run book’ ● Scripting languages are your friends ● Config Mgmt - Puppet, Chef, Salt, Ansible, Terraform, Helm, … ● Create deployable artifacts from a branch/release e.g. .rpm, .deb, .msi, … ● Make sure what you do can be done once or 10,000 times
  • 14.
    Never Pass alongDefects #1 Workflow ● While working left to right, don’t pass on failures ● Test early and often ● Increase rigor of testing as you work left to right ● When a failure occurs, end that flow and start a new one (after corrections) ● The further right you are, the more expensive failure is ○ Concentrate your early work on the left side (intake) ● e.g. in AppSec, defects are false positive findings
  • 15.
    Local Optimizations witha Global View #1 Workflow ● Ensure no single-step optimizations degrade the overall performance of the workflow ● Find the bottleneck in your workflow and start there ○ Upstream changes will just back things up ○ Downstream changes won’t manifest since input is constrained ● Each new optimization creates a new bottleneck ○ Iterate on these
  • 16.
    Increase the flowof work #1 Workflow ● Make sure you have a well-defined, repeatable process first ● Look for manual steps that can be automated ● Look for duplicate work that can be removed or eliminated ● Measuring/tracking time taken at each step is crucial ● Ask yourself: Where does the flow ebb?
  • 17.
  • 18.
    Open yourself toupstream and downstream information #2 Improve Feedback ● Feedback loops occur when information is gathered from ○ upstream (business / development) ○ downstream (customer / operations) ● Make visible problems, concerns, potential improvements ○ Share this broadly inside the company ● Learn as you move left to right so improvements aren’t lost ● Requests are opportunities to better fulfill business’s needs ○ There’s rarely enough feedback, capture and look for more ○ Feedback collected can be used to optimally improve the system
  • 19.
    Understand and Respondto your Customers #2 Improve Feedback ● Customers are also inside your business ● Customer is more than the end ‘consumer’ at the end of the process ○ Each step is the customer of the previous step ○ Understand what the next steps need from you to succeed ● Remember, feedback isn’t guaranteed ○ Encourage it by responding ● Responses are required of external and internal customers ● Make feedback & responding quick, easy and readily available
  • 20.
    Shorten Feedback Loops #2Improve Feedback ● Remove any intermediaries and impediments to feedback ● Communicate as directly as possible, skipping steps/people if possible ○ e.g . The person who finds a problem communicates with the person who fixes the problem ● The more hands that hold the feedback, the more change to get garbled ● If possible, intermediaries should be software, not people ● Whispered secret across a classroom ○ How much change occurs?
  • 21.
    Amplify All Feedback #2Improve Feedback ● Shout it from the mountain tops ● No heroes quietly fixing things or applying workarounds ● Open, honest communication of feedback, especially of problems ○ File a bug report ○ Halt the process at that step (e.g. pull the Andon cord to stop the line) ● Make having problems OK and hiding problems a fireable offense ○ GM and all those green status sheets…
  • 22.
    Embed Knowledge whereNeeded #2 Improve Feedback ● Keep specialized knowledge out of people’s heads and into the system ○ Special configurations, business requirements, etc ○ Check it into source control - automatic versioning! ● git blame anyone? Find out where/when regressions occurred ● Moving left to right, keep info in the stage that requires it ● Docs to build a package stored in the repo for that package ● Deploy automation in the repo with configuration templates, etc
  • 23.
  • 24.
    Create a cultureof innovation and experimentation #3 Continual Experiments ● The fundamentals are now solid, what can your new knowledge buy you? ● The business culture must allow for and embrace innovation & experimentation ● Two essential things must be understood by the business ○ We can learn from failed experiments / risks we take ○ Mastery comes from repetition and practice ● And you won’t be a master the first N times you practice
  • 25.
    “I fear notthe man who has practiced ten thousand kicks once, But I fear the man who has practiced one kick ten thousand times.”
  • 26.
    Rituals are createdthat reward risk taking #3 Continual Experiments ● Reward risk + learning ● Don’t just talk about rewarding risk, walk the walk ● Trying new things and failing is OK when you gain knowledge ● Consider this creating your own feedback in a very tight loop ● Get real about this: ○ Failures should be noted positively in annual reviews if and only if a lesson was learned ● Edison invented the lightbulb by running out of things that didn’t work
  • 27.
    Mgmt allocates timefor projects to improve the system #3 Continual Experiments ● Plan to improve or you’re planning on stagnation ● Invest in improving the system created ○ By providing value to the business, it should want to maximize that return ● Prune any technical debt - all debt is not bad ○ Some is good, none has opportunity costs, too much will crush you ● Amplifying feedback helps sell this to the business ● Can keep mistakes from being repeated
  • 28.
    Faults are introducedto increase resilience #3 Continual Experiments ● Practice emergencies so emergencies feel routine ● Think fire drills aka Chaos Monkey ● You need to be a very mature org to do this ● Wonderful feedback look ○ How would your programming change if you knew the DB could disappear at any second? ● How else to check redundancy? ○ e.g. Think ‘trying to restore from backups’ after they were encrypted by malware
  • 29.
    Try crazy oraudacious things #3 Continual Experiments ● Stretch out of your comfort zone ● Requires embracing failures since many of these won’t work ● Forces out-of-the-box thinking ● Provides new perspectives on existing systems ○ You may thing A will break first, but B falls over instead ● Can help find false bottlenecks, bad assumptions, the dreaded “unknown unknowns” ● Yet another source of feedback so make sure and learn from it publicly
  • 30.
    The Phoenix Project _If youhaven’t_ _read that yet… Right after this talk is over, go out and get this book & “Beyond The Phoenix Project” to read them. Period
  • 31.
    Steps 2 Take 3 Iteratefrom zero to hero
  • 32.
  • 33.
    Key features ofAppSec Pipelines AppSec Pipelines ● Designed for iterative improvement ● Provides a re-usable path for AppSec activities ● Provides a consistent process for both the team and your constituency ● One way flow with well defined states ● Relies heavily on automation ● Grow functionality organically over time ● Gracefully interconnects with the development process (e.g customers)
  • 34.
  • 35.
    Gen 1 Pipelines Lookat your team’s purpose and those processes which aid it
  • 36.
    Spending time optimizing anything other thanthe critical resource is an illusion _W. Edwards Deming_
  • 37.
    AppSec Personnelle Critical Resource ●They are the critical resource - optimize their work ● Automate things that don’t require a human brain ● Drive up consistency ● Increase tracking of work status ● Increase flow through the pipeline ● Increase visibility and metrics ● Reduce any dev team friction with application security
  • 38.
  • 39.
  • 40.
    Gen 2 Pipelines Lookoutside at your team’s purpose and those processes which aid it
  • 41.
    Gen 2 Pipeline DevPipeline AppSec Pipeline Drop tool(s) into their pipeline
  • 42.
    Weaponizing CICD Gen 2Pipelines ● Zero false positives ○ Pretend FPs give you anaphylactic shock ● Health Checks vs Scanning ○ Run health checks all the time ● Home of specific issue tests ○ Find a vulnerability, write a test ● Cadence for longer running tests ○ These NEVER break a build ○ Every X builds or every Y days
  • 43.
  • 44.
  • 45.
    Single source oftruth for findings OWASP DefectDojo ● AppSec Programs, QA / QE, Product Security, Pen Testers ○ Custom report generation ○ Metrics and Dashboards ○ App and Infrastructure findings ○ 150+ security tools supported ● OWASP Flagship project, 8+ years being open sourced from Rackspace ● Community and contributor friendly ○ 305 contributors ● Github: 2.4k stars, 1.1k forks, monthly releases
  • 46.
    The Heart ofyour DevSecOps OWASP DefectDojo
  • 47.
    Gen 3 Pipelines Lookto scale your team’s reach and dramatically increase speed and visibility
  • 48.
    What is aGen 3 Pipeline? Gen 3 Pipelines ● A way to conduct AppSec testing in an automated fashion ● Run by the AppSec team for the AppSec team to: ○ Provide visibility into software security ○ Provide security findings to the dev teams ● A means to scale the AppSec team coverage ○ Not in-depth testing but “you must be this high” ○ Allow some testing to be ‘pre-calculated’ for manual assessments ○ Event-driven (mostly) or on a schedule ● Creates a baseline of security
  • 49.
    What a Gen3 Pipeline isn’t: Gen 3 Pipelines ● Magic pixie dust ● A gate blocking production deploys ● Something to add to existing CICD systems ● Pipelines create artifacts ○ CICD artifacts are a deployed app ○ AppSec Pipeline artifacts are security findings
  • 51.
  • 52.
  • 53.
    AppSec Pipeline evolution 1 2 3 Gen1 Your team's purpose and what aids it Gen 2 Look outside your teams purpose and what aids it Gen 3 Event Driven, inter-connected pipelines
  • 54.
  • 55.
    Iteration will berequired Obligatory coffee stain
  • 56.
  • 57.
    ● Reverse IPLookup ● IP reputation ● IP blacklist check ● Domain reputation ● Known IP (aka we own it) ● Check IP against our cloud account OK, AppSec, what else? DFIR ● Who registered the domain ● How long registered ● Shodan lookup ● Geolocate IP ● Whois ● Check against threat intel feed(s)
  • 58.
    Useage 5,100 Runs 25k+ Container Executions Size 15Repos 4 months Event-driven Pipeline numbers
  • 59.
    2014 2015 2016 Numberof Assessments 44 224 414 Headcount N/A -3.5 -2 Percentage Increase N/A 450% 107% AppSec Program Numbers
  • 60.
  • 61.
    What are youwaiting for… ● Build a Pipeline & remove painful drudgery from your life ● Co-opt good ideas from other disciplines ● Get your DevSecOps on!
  • 62.
  • 63.
    CREDITS: This presentationtemplate was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik THANKS! matt.tesauro@owasp.org mattt@nonamesecurity.com Twitter: matt_tesauro Do you have any questions?