Protecting Agile Transformation through Secure DevOps
Eryk Budi Pratama | Cyber Defense Community (CDEF.id)
Who am I
- Cyber Security & Community Enthusiast, Cyber Defense Indonesia Community (https://cdef.id/)
- Cyber Security Strategy & Governance, Technical Assessment, Cloud Security, Emerging Technology, DevSecOps
- IT Advisory, Audit, Governance, Risk, & Compliance
- Knowledge Hunter
- @proferyk
- proferyk@gmail.com
About CDEF.id (https://cdef.id/)
Join Us https://cdef.id/pendaftaran-anggota-komunitas/
The Great Shift Left
Source: KPMG
Forward-looking organizations understand that Agile & DevOps are about shifting the value stream closer to the business.
The shift left focuses quality on solving the right problems. Using automation and process improvements, the business can focus on the main impacts to the organization’s ability to deliver quality at scale.
“Automation can drive quality, risk reductions, and speed to market, and even improve quality of life for employees.”
Risks of using Agile and DevOps
- Lack of documentation: inconsistent application of principles driven by individual experience and/or knowledge.
- Continuous changes in design: design requirements may change over the course of product development without revisiting security or control requirements.
- Scaling requires careful management: large, cross-functional teams and complex solutions can cause additional work, not less.
- Dependencies on ‘soft’ controls (i.e., team skills, knowledge, communication): ‘soft’ controls may lead to compliance challenges.
- High levels of autonomy across teams and business units: inconsistent approaches to meeting control objectives increase the risk of objectives not being met.
Balancing act of risk and controls
Agile and DevOps methodologies introduce new risks into the control
environment due to the high speed, high volume nature of change.
Source: KPMG
The DevOps Warrior
Dev & Sec Challenges
What do DEVELOPERS want?
- Autonomy/Empowerment
- Automate Everything
- Think It, Build It, Run It
- Business Outcome Orientation
- Thin Slice Development/Minimum Viable Product
What does SECURITY need?
- Predictability
- Risk Management
- Innovative Products
- Accuracy and fewer FP/FNs
- Product Security/Supportability
- Accountability
DevOps Cycles
Source: Gartner
DevOps Activities
Source: Gartner
Security under Shift Left
Shifting Security to the Left means built-in
Security is a Design Constraint
“Apps & data are as safe as
where you put it, what’s in it,
how you inspect it, who talks
to it, and how its protected…”
Security by design in the pipeline and team
Leading organizations are embedding security into everything they do using DevSecOps
[Diagram: Security, Development and Operations overlapping as SecOps, DevOps and SecDevOps]
The addition of security within DevOps has coined many terms, including DevOpsSec, SecDevOps and DevSecOps. These terms are generally used to refer to specific activities within the DevOps process. Secure DevOps means that security is built into the entire
Culture, Automation, Metrics, Sharing
Source: KPMG
Integrating Security into DevOps
What’s the Secure DevOps Mission?
…creating targeted customer value through
secure iterative innovation at speed & scale …
Security is Everyone’s Job!
Seamlessly Integrating Security in DevOps
Source: Gartner
(Continuous) Security and Risk
- Continuous and adaptive security decision making
- Continuous and integrated risk management
- Continuous application security testing
- Continuous asset, entity and service discovery
- Continuous authentication
- Continuous authorization
- Continuous compliance
- Continuous data monitoring
- Continuous identity trust assessment
- Continuous monitoring and visibility
- Continuous protection
- Continuous risk assessment
- Continuous risk discovery
- Continuous risk-prioritized response
- Continuous security posture assessment
- Continuous trust assessment
- Continuous exposure assessment
Application Security Testing in Pipeline
Source: Gartner
Make Security Guidance Agile Friendly
Source: Gartner
Crafting Effective Agile User Stories for Security Requirements (Example)
Get Started
The Art of Secure DevOps
Secure DevOps
Secure DevOps Needs
- Active Collaboration
- High Engagement
- Smaller Projects
- Smaller Blast Radius
- Experimentation
- Open Contribution
- Fail Fast Culture
- Ability to adapt and learn
- DevOps Understanding
- Focusing on Simplicity
Can we make it simple? Yes!
- Smaller Teams, Smaller Services, Smaller Failures
- Customer focus
- Products and Services have security built-in along the supply chain
- Measurement is built-in to support a culture of Continuous Improvement
How can we get started?
Small Project
Approach is tailored to small experiments and pipeline testing.
Pros:
- Requires DevOps Approach
- Fast failures
- Team learns to collaborate
- Higher Productivity, Less Waste
Cons:
- Skill shortages
- Team needs vision to avoid micro-focus churn
Migration
Approach allows organization to map and adjust for what they already know.
Pros:
- Allows companies to keep operating while teams figure out what’s needed
Cons:
- Overload
- Can be slower to accomplish completion
- Failures can become complex
Big Project
Approach is “all-in” and used to transform an organization as a whole.
Pros:
- Firm commitment alleviates political back and forth
- Focus & All-in Speed
Cons:
- Bigger Failures
- Difficult for everyone to learn from mistakes and experiments
Example – Perimeter Testing
Requirement: PCI DSS 1.1.1 – Approve/Test/Detect firewall changes
Secure DevOps approach: Scan API, ingest Config/CloudTrail, trigger firewall audits and revert unapproved changes to heal to spec
Manual control:
Measure: Certify annually
Impact: High
Labor: 40 hours/Annually
Tools: Excel, Text Pad, Open Source or Commercial Config Management
Automated control:
Measure: Mean time to Detection, Mean time to Resolve
Impact: Depends on Resource
Labor: 40 hours/First Year, 8 hours per yr maintain
Tools: APIs, Logs, Open Source, Commercial
Example – Configuration Management
Requirement: PCI DSS 2.2 – Develop & Assure configuration standards for all system components.
Secure DevOps approach: Track known good CF stacks & AMIs, alert or neutralize non-compliant/non-approved deploys
Manual control:
Measure: Certify annually
Impact: High
Labor: 40 hours/Annually/Per Major Component
Tools: Excel, Text Pad, Open Source or Commercial Config Management
Automated control:
Measure: Mean time to Detection, Mean time to Resolve
Impact: High
Labor: 40 hours/First Year, 1 hour per yr maintain/Per Component
Tools: APIs, Logs, Open Source, Commercial
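As an added example (not code from the deck), the following Python puts both the perimeter-testing and configuration-management examples above into one detector: it reads CloudTrail-style events, flags security-group ingress rules that go beyond an approved spec (the PCI DSS 1.1.1 case, with the exact revoke that would heal the group back to spec) and instances launched from AMIs outside the known-good set (the PCI DSS 2.2 case), and computes the mean-time-to-detection measure the slides use. The field names follow CloudTrail's JSON layout, but every event, security group ID, AMI ID and the APPROVED_INGRESS/APPROVED_AMIS specs are constructed for the example; the detector only reports findings and plans the remediation, leaving the actual revoke or terminate to the change process.

```python
"""Continuous compliance checks over CloudTrail-style events (added example,
not from the deck): unapproved security-group changes vs. an approved spec
(PCI DSS 1.1.1), launches from non-approved AMIs (PCI DSS 2.2), and MTTD.
Field names follow CloudTrail's JSON; all events, IDs and specs are constructed."""
from dataclasses import dataclass
from datetime import datetime

# Approved ingress per security group as (protocol, port, cidr); constructed spec
# standing in for the real config-management source of truth.
APPROVED_INGRESS = {"sg-0a1b2c3d": {("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "10.0.0.0/8")}}
# Known-good AMI IDs from the hardened build pipeline; constructed IDs.
APPROVED_AMIS = {"ami-0123456789abcdef0", "ami-0fedcba9876543210"}


@dataclass(frozen=True)
class Finding:
    control: str           # requirement the drift violates
    resource: str          # security group or instance affected
    detail: str            # what drifted from spec
    remediation: str       # action that heals the resource back to spec
    event_time: datetime   # when the change happened (from the event)
    detected_at: datetime  # when the detector saw it


def _ingress_rules(params):
    """Flatten CloudTrail ipPermissions into (protocol, port, cidr) tuples."""
    return {(p["ipProtocol"], p["fromPort"], r["cidrIp"])
            for p in params.get("ipPermissions", {}).get("items", [])
            for r in p.get("ipRanges", {}).get("items", [])}


def evaluate(event, detected_at):
    """Return the findings (possibly none) for one CloudTrail-style event."""
    when = datetime.fromisoformat(event["eventTime"])
    params = event.get("requestParameters") or {}
    findings = []
    if event["eventName"] == "AuthorizeSecurityGroupIngress":
        group = params["groupId"]
        # Any rule beyond the approved spec is an unapproved change; the
        # remediation is the exact revoke that heals the group back to spec.
        for proto, port, cidr in sorted(_ingress_rules(params) - APPROVED_INGRESS.get(group, set())):
            findings.append(Finding("PCI DSS 1.1.1", group,
                                    f"unapproved ingress {proto}/{port} from {cidr}",
                                    f"RevokeSecurityGroupIngress {group} {proto}/{port} {cidr}",
                                    when, detected_at))
    elif event["eventName"] == "RunInstances":
        items = (event.get("responseElements") or {}).get("instancesSet", {}).get("items", [])
        for inst in items:
            if inst["imageId"] not in APPROVED_AMIS:
                findings.append(Finding("PCI DSS 2.2", inst["instanceId"],
                                        f"launched from non-approved AMI {inst['imageId']}",
                                        f"quarantine or terminate {inst['instanceId']}",
                                        when, detected_at))
    return findings


def mean_time_to_detect(findings):
    """MTTD in seconds: average gap between a change and its detection."""
    if not findings:
        return 0.0
    return sum((f.detected_at - f.event_time).total_seconds() for f in findings) / len(findings)


# Constructed sample trail: one approved and one unapproved ingress rule, one
# launch from a known-good AMI and one from an unknown AMI, one read-only call.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00", "eventName": "AuthorizeSecurityGroupIngress",
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
         {"ipProtocol": "tcp", "fromPort": 3389, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T10:08:00", "eventName": "RunInstances",
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0aaa", "imageId": "ami-0123456789abcdef0"},
         {"instanceId": "i-0bbb", "imageId": "ami-0deadbeefdeadbeef"}]}}},
    {"eventTime": "2024-05-01T10:09:00", "eventName": "DescribeInstances"},
]


def run_sample(events=None, detected_at="2024-05-01T10:10:00"):
    """Run the detector as a scheduled audit would; returns (findings, MTTD seconds)."""
    seen = datetime.fromisoformat(detected_at)
    found = [f for e in (SAMPLE_EVENTS if events is None else events) for f in evaluate(e, seen)]
    return found, mean_time_to_detect(found)


if __name__ == "__main__":
    found, mttd = run_sample()
    for f in found:
        print(f"[{f.control}] {f.resource}: {f.detail} -> {f.remediation}")
    print(f"MTTD: {mttd:.0f}s")
```

Running the script prints the two findings with their planned remediation and an MTTD of 360 seconds for the constructed trail. In practice detected_at is the audit run's clock and the approved specs come from the configuration-management source, so shortening the scan interval (or triggering the check from the event stream itself) is what drives the mean time to detection down.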
Case Study
to assist the Enhanced Data Security Program, and as part of
that effort, began an initiative to “identify opportunities to
enhance the Security Integration into DevOps”
Problems
- Teams are using EAL as their source of truth, even though they know it to be incomplete and inaccurate
- Teams consistently expressed interest in security, but don’t have a good outlet to learn and ask questions
- Across the SDLC there are controls without guidelines, which leaves security implementation up to individual application teams
- Teams have asked for secure code training, and there is currently no vehicle to deliver it
- All enterprise projects have security requirements, but smaller and legacy projects do not undergo the same scrutiny
- Physical asset management is good, but they are far from managing applications and services correctly
Key Themes
1. There is an unmet desire for security awareness among DevOps teams.
2. Risk-based security scrutiny of applications and services is inconsistent.
3. Developers have a hard time knowing what security work to do.
Recommendation - Program-level Enablers
To support significant risk reduction across the SDLC process and the broader enterprise, Client was recommended to pursue further improvement of the following programs:
Key Theme: There is an unmet desire for security awareness among DevOps teams.
Recommendation: Security Champions
Description: A structured program to assign one leader to a small group of developers to oversee and drive security integration into development.
Key Theme: Risk-based security scrutiny of applications and services is inconsistent.
Recommendation: Asset Management
Description: There is a process for maintaining up-to-date records for all application related assets (products, servers, APIs etc.) across the organization. This process should account for onboarding of newly created assets, ownership assignment, and for regular updates to existing assets.
Key Theme: Developers have a hard time knowing what security work to do.
Recommendation: Security & Privacy Requirements Management
Description: There is a program focused on including security and privacy requirements as a forethought for each new project, application, and service.
Recommendation - Tactical
Client should pursue implementation of the following prioritized security controls across the SDLC.
Key Theme: Available security capabilities are not consistently adopted across DevOps teams.
SDLC Control: IDE Scanning of Code
Description: Code security is analyzed locally and reports are generated to provide developers with real-time feedback throughout coding.
SDLC Control: DAST
Description: Dynamic security tests are run after code pushes to check for runtime vulnerabilities.
SDLC Control: SAST
Description: Static security tests are run after code pushes to detect coding errors.
SDLC Control: Security Test Case Creation
Description: Developers must create automated and reusable test cases that address the requirements of Security Department provided security user stories.
SDLC Control: Advanced Security Code Review
Description: Security sensitive code that involves the use of cryptography, authentication, and authorization must be reviewed by an approved party within Security Department.
Implementation Roadmap
Each security control’s implementation will follow a unique roadmap, but the overall approach remains the same:
1. Assign an owner to the security control who will oversee functionality, answer questions, and assist users.
2. Define KPIs that will measure the control’s success criteria and elicit the reporting frequency.
3. Procure and deploy a solution that can demonstrably meet the requirements of the control.
4. Distribute messaging about the control’s purpose, how to leverage it, and who to contact for questions and concerns.
5. Collect feedback to continually improve and update the control’s solution based on user suggestions and changes in demand.
Turning DevOps Into Secure DevOps
… it’s all about maintaining agility for developers
… without getting in the way
Thank You
An Introduction to All Data Enterprise IntegrationAn Introduction to All Data Enterprise Integration
An Introduction to All Data Enterprise Integration
Safe Software
 
New ThousandEyes Product Features and Release Highlights: June 2024
New ThousandEyes Product Features and Release Highlights: June 2024New ThousandEyes Product Features and Release Highlights: June 2024
New ThousandEyes Product Features and Release Highlights: June 2024
ThousandEyes
 
An All-Around Benchmark of the DBaaS Market
An All-Around Benchmark of the DBaaS MarketAn All-Around Benchmark of the DBaaS Market
An All-Around Benchmark of the DBaaS Market
ScyllaDB
 
Facilitation Skills - When to Use and Why.pptx
Facilitation Skills - When to Use and Why.pptxFacilitation Skills - When to Use and Why.pptx
Facilitation Skills - When to Use and Why.pptx
Knoldus Inc.
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
leebarnesutopia
 
Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0
Neeraj Kumar Singh
 
Cyber Recovery Wargame
Cyber Recovery WargameCyber Recovery Wargame
Cyber Recovery Wargame
Databarracks
 
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
TrustArc
 
Call Girls Chennai ☎️ +91-7426014248 😍 Chennai Call Girl Beauty Girls Chennai...
Call Girls Chennai ☎️ +91-7426014248 😍 Chennai Call Girl Beauty Girls Chennai...Call Girls Chennai ☎️ +91-7426014248 😍 Chennai Call Girl Beauty Girls Chennai...
Call Girls Chennai ☎️ +91-7426014248 😍 Chennai Call Girl Beauty Girls Chennai...
anilsa9823
 
From NCSA to the National Research Platform
From NCSA to the National Research PlatformFrom NCSA to the National Research Platform
From NCSA to the National Research Platform
Larry Smarr
 
Elasticity vs. State? Exploring Kafka Streams Cassandra State Store
Elasticity vs. State? Exploring Kafka Streams Cassandra State StoreElasticity vs. State? Exploring Kafka Streams Cassandra State Store
Elasticity vs. State? Exploring Kafka Streams Cassandra State Store
ScyllaDB
 
CNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My Identity
CNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My IdentityCNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My Identity
CNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My Identity
Cynthia Thomas
 
APJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes WebinarAPJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes Webinar
ThousandEyes
 
intra-mart Accel series 2024 Spring updates_En
intra-mart Accel series 2024 Spring updates_Enintra-mart Accel series 2024 Spring updates_En
intra-mart Accel series 2024 Spring updates_En
NTTDATA INTRAMART
 

Recently uploaded (20)

Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
 
Guidelines for Effective Data Visualization
Guidelines for Effective Data VisualizationGuidelines for Effective Data Visualization
Guidelines for Effective Data Visualization
 
Call Girls Kochi 💯Call Us 🔝 7426014248 🔝 Independent Kochi Escorts Service Av...
Call Girls Kochi 💯Call Us 🔝 7426014248 🔝 Independent Kochi Escorts Service Av...Call Girls Kochi 💯Call Us 🔝 7426014248 🔝 Independent Kochi Escorts Service Av...
Call Girls Kochi 💯Call Us 🔝 7426014248 🔝 Independent Kochi Escorts Service Av...
 
Fuxnet [EN] .pdf
Fuxnet [EN]                                   .pdfFuxnet [EN]                                   .pdf
Fuxnet [EN] .pdf
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
An Introduction to All Data Enterprise Integration
An Introduction to All Data Enterprise IntegrationAn Introduction to All Data Enterprise Integration
An Introduction to All Data Enterprise Integration
 
New ThousandEyes Product Features and Release Highlights: June 2024
New ThousandEyes Product Features and Release Highlights: June 2024New ThousandEyes Product Features and Release Highlights: June 2024
New ThousandEyes Product Features and Release Highlights: June 2024
 
An All-Around Benchmark of the DBaaS Market
An All-Around Benchmark of the DBaaS MarketAn All-Around Benchmark of the DBaaS Market
An All-Around Benchmark of the DBaaS Market
 
Facilitation Skills - When to Use and Why.pptx
Facilitation Skills - When to Use and Why.pptxFacilitation Skills - When to Use and Why.pptx
Facilitation Skills - When to Use and Why.pptx
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
 
Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0
 
Cyber Recovery Wargame
Cyber Recovery WargameCyber Recovery Wargame
Cyber Recovery Wargame
 
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
 
Call Girls Chennai ☎️ +91-7426014248 😍 Chennai Call Girl Beauty Girls Chennai...
Call Girls Chennai ☎️ +91-7426014248 😍 Chennai Call Girl Beauty Girls Chennai...Call Girls Chennai ☎️ +91-7426014248 😍 Chennai Call Girl Beauty Girls Chennai...
Call Girls Chennai ☎️ +91-7426014248 😍 Chennai Call Girl Beauty Girls Chennai...
 
From NCSA to the National Research Platform
From NCSA to the National Research PlatformFrom NCSA to the National Research Platform
From NCSA to the National Research Platform
 
Elasticity vs. State? Exploring Kafka Streams Cassandra State Store
Elasticity vs. State? Exploring Kafka Streams Cassandra State StoreElasticity vs. State? Exploring Kafka Streams Cassandra State Store
Elasticity vs. State? Exploring Kafka Streams Cassandra State Store
 
CNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My Identity
CNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My IdentityCNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My Identity
CNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My Identity
 
APJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes WebinarAPJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes Webinar
 
intra-mart Accel series 2024 Spring updates_En
intra-mart Accel series 2024 Spring updates_Enintra-mart Accel series 2024 Spring updates_En
intra-mart Accel series 2024 Spring updates_En
 

Protecting Agile Transformation through Secure DevOps (DevSecOps)

  • 9. Dev & Sec Challenges
    What do DEVELOPERS want? What does SECURITY need?
    - Autonomy/Empowerment
    - Automate Everything
    - Think It, Build It, Run It
    - Business Outcome Orientation
    - Thin Slice Development / Minimum Viable Product
    - Predictability
    - Risk Management
    - Innovative Products
    - Accuracy and fewer FP/FNs
    - Product Security/Supportability
    - Accountability
  • 13. Shifting Security to the Left means built-in Security is a Design Constraint
    “Apps & data are as safe as where you put it, what’s in it, how you inspect it, who talks to it, and how it’s protected…”
  • 14. Security by design in the pipeline and team
    Leading organizations are embedding security into everything they do using DevSecOps.
    (diagram: Development, Security and Operations overlapping as DevOps, SecOps and SecDevOps)
    The addition of security within DevOps has coined many terms, including DevSecOps, SecDevOps and DevOpsSec. These terms are generally used to refer to specific activities within the DevOps process. Secure DevOps means that security is built into the entire
    (diagram: Culture, Automation, Metrics, Sharing)
    Source: KPMG
  • 16. What’s the Secure DevOps Mission?
    … creating targeted customer value through secure iterative innovation at speed & scale …
    Security is Everyone’s Job!
  • 17. Seamlessly Integrating Security in DevOps Source: Gartner
  • 18. (Continuous) Security and Risk
    - Continuous and adaptive security decision making
    - Continuous and integrated risk management
    - Continuous application security testing
    - Continuous asset, entity and service discovery
    - Continuous authentication
    - Continuous authorization
    - Continuous compliance
    - Continuous data monitoring
    - Continuous identity trust assessment
    - Continuous monitoring and visibility
    - Continuous protection
    - Continuous risk assessment
    - Continuous risk discovery
    - Continuous risk-prioritized response
    - Continuous security posture assessment
    - Continuous trust assessment
    - Continuous exposure assessment
  • 19. Application Security Testing in Pipeline Source: Gartner
  • 20. Make Security Guidance Agile Friendly
    Crafting Effective Agile User Stories for Security Requirements (Example)
    Source: Gartner
  • 22. The Art of Secure DevOps Secure DevOps
  • 23. Secure DevOps Needs
    - Active Collaboration
    - High Engagement
    - Smaller Projects
    - Smaller Blast Radius
    - Experimentation
    - Open Contribution
    - Fail Fast Culture
    - Ability to adapt and learn
    - DevOps Understanding
    - Focusing on Simplicity
    Can we make it simple? Yes!
    - Smaller Teams, Smaller Services, Smaller Failures
    - Customer focus
    - Products and Services have security built in along the supply chain
    - Measurement is built in to support a culture of Continuous Improvement
  • 24. How can we get started?
    Small Project: the approach is tailored to small experiments and pipeline testing.
      Pros: requires a DevOps approach; fast failures; the team learns to collaborate; higher productivity, less waste.
      Cons: skill shortages; the team needs vision to avoid micro-focus churn.
    Migration: the approach allows the organization to map and adjust for what it already knows.
      Pros: allows the company to keep operating while teams figure out what’s needed.
      Cons: overload; can be slower to reach completion; failures can become complex.
    Big Project: the approach is “all-in” and used to transform an organization as a whole.
      Pros: firm commitment alleviates political back and forth; focus and all-in speed.
      Cons: bigger failures; difficult for everyone to learn from mistakes and experiments.
  • 25. Example – Perimeter Testing
    PCI DSS 1.1.1 – Approve/Test/Detect firewall changes
    Annual certification approach
      Measure: Certify annually
      Impact: High
      Labor: 40 hours annually
      Tools: Excel, Text Pad, open source or commercial config management
    Continuous approach: scan the API, ingest Config/CloudTrail, trigger firewall audits and revert unapproved changes to heal to spec
      Measure: Mean time to detection, mean time to resolve
      Impact: Depends on resource
      Labor: 40 hours first year, 8 hours per year to maintain
      Tools: APIs, logs, open source, commercial
  • 26. Example – Configuration Management
    PCI DSS 2.2 – Develop & assure configuration standards for all system components
    Annual certification approach
      Measure: Certify annually
      Impact: High
      Labor: 40 hours annually per major component
      Tools: Excel, Text Pad, open source or commercial config management
    Continuous approach: track known-good CF (CloudFormation) stacks & AMIs, alert on or neutralize non-compliant/non-approved deploys
      Measure: Mean time to detection, mean time to resolve
      Impact: High
      Labor: 40 hours first year, 1 hour per year to maintain per component
      Tools: APIs, logs, open source, commercial
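The two continuous approaches above (slides 25 and 26) share one detection loop: ingest change events, compare them with an approved baseline, and emit the exact revert action. The block below is an added example written for this page, not code from the deck or from KPMG; it follows the field layout of CloudTrail's EC2 records, but every security group, AMI, instance, principal, ticket number and event in it is constructed. In a real pipeline the events arrive from CloudTrail via EventBridge or from AWS Config, and each `revert` dict maps onto the boto3 EC2 client calls `revoke_security_group_ingress` and `terminate_instances`.

```python
"""Continuous check for PCI DSS 1.1.1 (firewall changes) and 2.2 (approved
configuration baseline) driven by CloudTrail-style events.

Added example, not code from the slides.  All IDs and events are constructed.
"""
from datetime import datetime, timezone

# Constructed baseline: ingress rules that passed change approval (PCI DSS 1.1.1).
# Key: (group id, protocol, from port, to port, CIDR) -> change ticket.
APPROVED_INGRESS = {
    ("sg-0123456789abcdef0", "tcp", 443, 443, "0.0.0.0/0"): "CHG-1042",
    ("sg-0123456789abcdef0", "tcp", 22, 22, "10.0.0.0/8"): "CHG-0991",
}
# Constructed baseline: hardened golden AMIs ("known-good stacks & AMIs", PCI DSS 2.2).
APPROVED_AMIS = {"ami-0aaaaaaaaaaaaaaa1", "ami-0bbbbbbbbbbbbbbb2"}


def event_time(event):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ingress_rules(event):
    """Flatten an AuthorizeSecurityGroupIngress request into rule tuples."""
    params = event["requestParameters"]
    for perm in params["ipPermissions"]["items"]:
        for rng in perm.get("ipRanges", {}).get("items", []):
            yield (params["groupId"], perm["ipProtocol"], perm["fromPort"], perm["toPort"], rng["cidrIp"])


def launched_instances(event):
    """(instance id, image id) pairs from a RunInstances response."""
    for inst in event["responseElements"]["instancesSet"]["items"]:
        yield inst["instanceId"], inst["imageId"]


def audit(events, detected_at, approved_ingress=APPROVED_INGRESS, approved_amis=APPROVED_AMIS):
    """One finding per unapproved rule or AMI.  detected_at is when this check ran,
    so each finding carries its detection lag (the input to mean time to detection)."""
    findings = []
    for ev in events:
        lag = (detected_at - event_time(ev)).total_seconds()
        actor = ev["userIdentity"]["arn"]
        if ev["eventName"] == "AuthorizeSecurityGroupIngress":
            for rule in ingress_rules(ev):
                if rule in approved_ingress:
                    continue
                group, proto, frm, to, cidr = rule
                findings.append({
                    "control": "PCI DSS 1.1.1", "kind": "unapproved_ingress",
                    "rule": rule, "actor": actor, "detection_lag_s": lag,
                    # Exact inverse of the change: heals the group back to spec.
                    "revert": {"action": "RevokeSecurityGroupIngress", "GroupId": group,
                               "IpProtocol": proto, "FromPort": frm, "ToPort": to, "CidrIp": cidr},
                })
        elif ev["eventName"] == "RunInstances":
            for instance_id, ami in launched_instances(ev):
                if ami in approved_amis:
                    continue
                findings.append({
                    "control": "PCI DSS 2.2", "kind": "unapproved_ami",
                    "ami": ami, "actor": actor, "detection_lag_s": lag,
                    # Neutralize the deploy; a deny-all security group is the gentler option.
                    "revert": {"action": "TerminateInstances", "InstanceIds": [instance_id]},
                })
    return findings


def mean_time_to_detect(findings):
    """Average detection lag in seconds, the 'Measure' on the slides."""
    if not findings:
        return 0.0
    return sum(f["detection_lag_s"] for f in findings) / len(findings)


# Constructed sample: an approved HTTPS rule, an unapproved RDP exposure, and a launch
# using one golden AMI and one unknown AMI.
SAMPLE_EVENTS = [
    {"eventTime": "2024-06-01T10:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-06-01T10:01:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-06-01T10:03:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deployer"},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0123456789abcdef0", "imageId": "ami-0aaaaaaaaaaaaaaa1"},
         {"instanceId": "i-0fedcba9876543210", "imageId": "ami-0ffffffffffffffff9"}]}}},
]
DETECTED_AT = datetime(2024, 6, 1, 10, 5, 0, tzinfo=timezone.utc)  # constructed run time


def run_sample():
    return audit(SAMPLE_EVENTS, DETECTED_AT)


if __name__ == "__main__":
    for f in run_sample():
        print(f["control"], f["kind"], f["actor"], f["revert"])
    print("MTTD (s):", mean_time_to_detect(run_sample()))
```

Two caveats for anyone adapting this: the baseline match is an exact tuple, so IPv6 ranges, prefix lists and rule descriptions are ignored and would need their own keys; and the lag is measured from `eventTime`, so CloudTrail's own delivery delay is part of the MTTD you report, which is the honest number to put in the "Measure" column.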
  • 27. Case Study
    … to assist the Enhanced Data Security Program, and as part of that effort, began an initiative to “identify opportunities to enhance the Security Integration into DevOps”
  • 28. Problems
    - Teams are using EAL as their source of truth, even though they know it to be incomplete and inaccurate.
    - Teams consistently expressed interest in security, but don’t have a good outlet to learn and ask questions.
    - Across the SDLC there are controls without guidelines, which leaves security implementation up to individual application teams.
    - Teams have asked for secure code training, and there is currently no vehicle to deliver it.
    - All enterprise projects have security requirements, but smaller and legacy projects do not undergo the same scrutiny.
    - Physical asset management is good, but they are far from managing applications and services correctly.
  • 29. Key Themes
    1. There is an unmet desire for security awareness among DevOps teams.
    2. Risk-based security scrutiny of applications and services is inconsistent.
    3. Developers have a hard time knowing what security work to do.
  • 30. Recommendation - Program-level Enablers
    To support significant risk reduction across the SDLC process and the broader enterprise, the client was recommended to pursue further improvement of the following programs:
    Key theme: There is an unmet desire for security awareness among DevOps teams.
      Recommendation: Security Champions. A structured program that assigns one leader to a small group of developers to oversee and drive security integration into development.
    Key theme: Risk-based security scrutiny of applications and services is inconsistent.
      Recommendation: Asset Management. A process for maintaining up-to-date records for all application-related assets (products, servers, APIs, etc.) across the organization. This process should account for onboarding of newly created assets, ownership assignment, and regular updates to existing assets.
    Key theme: Developers have a hard time knowing what security work to do.
      Recommendation: Security & Privacy Requirements Management. A program focused on including security and privacy requirements as a forethought for each new project, application, and service.
  • 31. Recommendation - Tactical
    The client should pursue implementation of the following prioritized security controls across the SDLC.
    Key theme: Available security capabilities are not consistently adopted across DevOps teams.
    SDLC controls:
    - IDE Scanning of Code: code security is analyzed locally and reports are generated to give developers real-time feedback while coding.
    - DAST: dynamic security tests are run after code pushes to check for runtime vulnerabilities.
    - SAST: static security tests are run after code pushes to detect coding errors.
    - Security Test Case Creation: developers must create automated and reusable test cases that address the requirements of the security user stories provided by the Security Department.
    - Advanced Security Code Review: security-sensitive code that involves the use of cryptography, authentication, and authorization must be reviewed by an approved party within the Security Department.
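The last control on slide 31, Advanced Security Code Review, only works at DevOps speed if the pipeline enforces it rather than a reviewer remembering to. The block below is an added example, not the client's tooling or anything from the deck: a merge gate that flags changes touching cryptography, authentication or authorization paths and blocks them until someone from the security group has approved. The path patterns, the reviewer accounts and the sample pull requests are constructed; on GitHub or GitLab the same effect is normally reached with a CODEOWNERS file plus required reviews, and this shows the logic those features hide, including the self-approval edge case.

```python
"""Merge gate for the 'Advanced Security Code Review' control.

Added example, not code from the slides or the client.  Patterns, reviewer
accounts and sample pull requests are constructed.
"""
import fnmatch

# Constructed: where security-sensitive code lives.  fnmatch's '*' also matches '/',
# so 'src/auth/*' covers nested files (unlike a gitignore-style glob).
SENSITIVE_PATTERNS = ("src/auth/*", "src/crypto/*", "*session*.py", "*password*", "*jwt*")
# Constructed: accounts in the Security Department review group.
SECURITY_REVIEWERS = frozenset({"sec-ana", "sec-budi"})


def sensitive_files(changed_files, patterns=SENSITIVE_PATTERNS):
    """Changed paths that match any sensitive pattern, sorted for stable output."""
    return sorted(p for p in changed_files if any(fnmatch.fnmatch(p, pat) for pat in patterns))


def gate(changed_files, approvers, author, reviewers=SECURITY_REVIEWERS):
    """Decide whether a pull request may merge.

    - No sensitive paths: allowed under the normal review rules.
    - Sensitive paths: needs at least one approval from `reviewers`, and the
      author's own approval never counts, even if they sit on the security team.
    """
    hits = sensitive_files(changed_files)
    if not hits:
        return {"allowed": True, "reason": "no security-sensitive paths changed", "files": []}
    valid = (set(approvers) & set(reviewers)) - {author}
    if valid:
        return {"allowed": True, "reason": f"security review by {sorted(valid)}", "files": hits}
    return {"allowed": False,
            "reason": "security-sensitive change needs an approval from the Security Department",
            "files": hits}


if __name__ == "__main__":
    # Constructed pull requests.
    print(gate(["src/auth/login.py", "README.md"], approvers=["dev-carl"], author="dev-dina"))
    print(gate(["src/auth/login.py"], approvers=["sec-ana"], author="dev-dina"))
    print(gate(["src/auth/login.py"], approvers=["sec-ana"], author="sec-ana"))
```

The returned `files` list is what the gate should post back on the pull request, so the developer sees which path triggered the control instead of a bare "blocked" status; that feedback loop is what keeps the control from becoming the kind of soft, inconsistently applied guideline the problems slide describes.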
  • 32. Implementation Roadmap
    Each security control’s implementation will follow a unique roadmap, but the overall approach remains the same:
    1. Assign an owner to the security control who will oversee functionality, answer questions, and assist users.
    2. Define KPIs that will measure the control’s success criteria and elicit the reporting frequency.
    3. Procure and deploy a solution that can demonstrably meet the requirements of the control.
    4. Distribute messaging about the control’s purpose, how to leverage it, and who to contact for questions and concerns.
    5. Collect feedback to continually improve and update the control’s solution based on user suggestions and changes in demand.
  • 33. Turning DevOps Into Secure DevOps … it’s all about maintaining agility for developers … without getting in the way