DevOpsDaysRiga 2017 ignite: Janis Orlovs - Automation and Security: Implementing Continuous Security Environments

•

0 likes•408 views

In many organisations, development/operations teams are not in the same trenches with the security team. Talk is about how to build trust between different focus teams, how to put DevOps practices in-line with regulated and hardened environments. This talk is about common sense and security automation. And how security should be a requirement in each production deployment. There are differences, even in 2017, for Ops/Dev and Security regarding mindset on building, secure, resilient and yes agile systems. Security is not one fit's all solution, so there are different approaches to start-ups and well-regulated industries. From OS hardening to vulnerability scanning in build pipelines, from OSS projects till million dollars solutions. From common sense till aluminium tin foil hats and all this can be automated and should be automated. The talk will guide thru the best practices of the industry, for implementing and maintaining automated security controls and measures for Enterprises and startups based on speakers good and bad experience, in different Financial services, FinTech companies and startups.

Internet

implementing
continuous security
Jānis Orlovs
Riga DevOPS Days 2017

security = quality
devops = speed + communication + quality

security is not witchcraft
it is about risk assement

to archive continous security
it has to be
built-in
not bolt-on

adapt industry designed
security architecture standards
don’t reinvent new wheel

good security
architecure based of
protection layers

security measures don’t
have to be simple, but
modular

observability
is
communication form
from your systems

monitoring and logging are
your eyes and ears

data visualization is as
important
as data gathering

automate responses from
monitoring/logging tools

include in your personal
workflow review
security data/events
each day

sucefull security must
be automated
in human and technical
level

checklists works great for
(currently) unautomable
tasks

nudges works for
directing staff and
users for unconsicnous
correct security
decissions

pick technical tools for
implementing continous security
for your environment

there is use-case for
automated
security tests and scans
in each part of
solution lifecycle

What's hot

Kate Crandell_01282016_v1

Kate Crandell

The number of open source vulnerabilities hit an all-time record in 2017 with 3,500 reported vulnerabilities - that's 60% higher than the previous year, and the trend continues in 2018. Since it’s impossible to keep up with today’s pace of software production without open source, development and security teams are challenged to meet security objectives, without compromising on speed and quality. It's time for organizations to step up their open source security game. Join WhiteSource's Senior Director of Product Management, Rami Elron, as he discusses: - the current state of open source vulnerabilities management; - organizations' struggle to handle open source vulnerabilities; and - the key strategy for effective vulnerability management.

The State of Open Source Vulnerabilities Management

WhiteSource

OTGB - Student Symposium Poster

Paulo Vasconcelos

SLoveless_Resume_20160201

Sara Loveless

" While WannaCry and NotPetya remain open wounds for many organizations, the Shadow Brokers are back with a new stolen exploit, and Equifax just put an exclamation point on the risk to personal data. What do you do if your business gets breached? Sit in as our CISO and Principal Product Manager dish on the state of security, and how the newly automated remediation features in Ivanti Endpoint Security for Endpoint Manager 2017.3 can help you effectively respond to attacks that do get through."

Hacked!?! How Can I Fix This Fast?

Ivanti

Saner 2.0

SecPod Technologies

What's hot (6)

Kate Crandell_01282016_v1

The State of Open Source Vulnerabilities Management

OTGB - Student Symposium Poster

SLoveless_Resume_20160201

Hacked!?! How Can I Fix This Fast?

Saner 2.0

Similar to DevOpsDaysRiga 2017 ignite: Janis Orlovs - Automation and Security: Implementing Continuous Security Environments

Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf

MobibizIndia1

Understanding DevSecOps.pdf

Ciente

Lean_Security.pptx

Clase21

In the fusion between DevOps and DevSecOps, the pace and agility of the DevSecOps approach made AppSec and InfoSec were a little left behind. The DevOps squad topology does not involve any of the organization's AppSec and InfoSec Engineer. Many DevOps team are also not included them since they lack the information on how to manage and configure DevOps CI / CD pipelines and DevSecOps approaches. There's no shortage of talent — you probably don't have a mission worth getting out of bed or a culture that fosters continuous learning such DevSecOps skill and tools and growth where people feel psychologically safe. Besides, there is no shortage of skills — most have a poor understanding of what they need to be successful or the skills that need to leverage to improve their security posture.

Why Security Engineer Need Shift-Left to DevSecOps?

Najib Radzuan

Some key takeaways from this talk are outlined below. The main focus area for researchers in DevSecOps is automation and tool usage. Older technologies, such as SAST & DAST tools have drawbacks that affect DevSecOps goals. Shift-left security and continuous security assessment are two key recommendations. These practices prioritise security in a continuous manner throughout the deployment cycle. Inability to automate traditionally manual security practices is a significant problem in this field. These practices are hard to be fully integrated with the continuous practices of DevOps. Even though cultural or human aspects are critical for DevSecOps success, these has not been much done in the state-of-the-art and the state-of-the-practice domains Adopting DevSecOps principles or practices in various complex, resource-constrained, and highly regulated infrastructures is a growing area of research. More empirically evaluated solutions are needed to ensure wider adoption of such tools or frameworks

DevSecOps: Continuous Engineering with Security by Design: Challenges and Sol...

CREST @ University of Adelaide

Secure DevOPS Implementation Guidance

Tej Luthra

Most application security efforts are misguided and ineffective. Why? Because while many security practitioners have a good understanding of how to find application vulnerabilities and exploit them, they often don't understand how software development teams work, especially in Agile/DevOps organizations. This leads to flawed programs. If we want to build secure applications, we have to meet development teams where they are by embedding security into their processes.

Security's DevOps Transformation

Michele Chubirka

_Best practices towards a well-polished DevSecOps environment (1).pdf

Enov8

Abstract: See how an Ottawa company has built a SOC2 Type 2 audited software delivery system with less pain, and more value. Build security, and compliance into the way software is delivered and operated to * Make secure development easier * Provide real customer value * Avoid security theatre * Reduce security and audit bottlenecks Bio: Dag Rowe is a BA in security and compliance. Passionate about improving systems of work, he is actively involved in the local software community. Dag helps to organize the Agile Ottawa Meetup group, and the Gatineau-Ottawa Agile Tour conference.

Dev secops security and compliance at the speed of continuous delivery - owasp

Dag Rowe

Link to Youtube video: https://youtu.be/-awH_CC4DLo You can contact me at abhimanyu.bhogwan@gmail.com My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/ Basic Introduction to DevSecOps concept Why What and How for DevSecOps Basic intro for Threat Modeling Basic Intro for Security Champions 3 pillars of DevSecOps 6 important components of a DevSecOps approach DevSecOps Security Best Practices How to integrate security in CI/CD pipeline

Introduction to DevSecOps

abhimanyubhogwan

ALM and DevOps in the health industry

Agile Partner S.A.

DevSecOps: Integrating Security Into Your SDLC

Dev Software

Software risk management

Jose Javier M

DevSecOps for Agile Development: Integrating Security into the Agile Process

Dev Software

DevSecOps is gaining popularity to recent years, thanks to the rapid expansion and adoptions of DevOps. The traditional penetration testing is considered a blocker in a rapid CI/CD deployment. So integrating security in a seamless manner is considered an important upgrade to the DevOps environment. However, the traditional DevSecOps require huge amount of time, money and effort to implement. Traditional and DevSecOps principle is a culture that depends on teamwork between, the Dev ,Sec, and Ops team, which in real life situation its pretty difficult to realize. This talk is about how to minimize the whole effort to implement DevSecOps in the current DevOps environment.

Dev secops indonesia-devsecops as a service-Amien Harisen

Nadira Bajrei

The key benefit of DevOps is speed and continuous delivery but with secure DevOps teams often suffer from the notion that there’s a tradeoff between security and speed. However, that is not the scenario always. Prudent use of Security automation allows the teams to maintain both security and speed. The automated security testing makes the security consistent and less vulnerable to human errors. Shifting of the security practices left towards the design phase is a major advantage. It is a big achievement to catch the security loophole at the design or the development phase of a new feature. This is what DevSecOps tooling strategies aim at. Check out this presentation and learn more about integrating security into DevOps with DevSecOps!

DevSecOps: Integrating Security Into DevOps! {Business Security}

Ajeet Singh

SanerNow a platform for Endpoint security and systems Management

SecPod Technologies

All About Intelligent Orchestration :The Future of DevSecOps.pdf

Enov8

DevSecOps Best Practices-Safeguarding Your Digital Landscape

stevecooper930744

Why DevSecOps Is Necessary For Your SDLC Pipeline?

Enov8

Similar to DevOpsDaysRiga 2017 ignite: Janis Orlovs - Automation and Security: Implementing Continuous Security Environments (20)

Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf

Understanding DevSecOps.pdf

Lean_Security.pptx

Why Security Engineer Need Shift-Left to DevSecOps?

DevSecOps: Continuous Engineering with Security by Design: Challenges and Sol...

Secure DevOPS Implementation Guidance

Security's DevOps Transformation

_Best practices towards a well-polished DevSecOps environment (1).pdf

Dev secops security and compliance at the speed of continuous delivery - owasp

Introduction to DevSecOps

ALM and DevOps in the health industry

DevSecOps: Integrating Security Into Your SDLC

Software risk management

DevSecOps for Agile Development: Integrating Security into the Agile Process

Dev secops indonesia-devsecops as a service-Amien Harisen

DevSecOps: Integrating Security Into DevOps! {Business Security}

SanerNow a platform for Endpoint security and systems Management

All About Intelligent Orchestration :The Future of DevSecOps.pdf

DevSecOps Best Practices-Safeguarding Your Digital Landscape

Why DevSecOps Is Necessary For Your SDLC Pipeline?

More from DevOpsDays Riga

A fast-moving, outside-in talk that 'sells' the value of DevOps to business executives, finds the weakest link in the value stream and explores the often troubled relationship between IT people and normal people (the business). There is much hype around DevOps, so what are we actually talking about? DevOps improved Agile by speeding up deployment (and more). But how do you 'sell' DevOps to business executives who don't understand IT? No business value is realized until the users actually use the systems well. This is often the weakest link in the IT value chain, so you need to extend your scope. Collaboration is difficult and collaboration between business and IT even more so. What kind of behaviour is effective? Learn from workshop results from practitioners in 11 countries. But why "Kill DevOps"? This refers to an ancient Zen saying about a monk’s journey towards enlightenment and awakening. If you think that you’ve found Buddha, think again, because you never will. It’s the same with DevOps: it’s about continuous experimentation and learning.

DevOpsDaysRiga 2017: Mark Smalley - Kill DevOps

DevOpsDaysRiga 2017 ignite: Janis Orlovs - Automation and Security: Implementing Continuous Security Environments

Recommended

Recommended

More Related Content

What's hot

What's hot (6)

Similar to DevOpsDaysRiga 2017 ignite: Janis Orlovs - Automation and Security: Implementing Continuous Security Environments

Similar to DevOpsDaysRiga 2017 ignite: Janis Orlovs - Automation and Security: Implementing Continuous Security Environments (20)

More from DevOpsDays Riga

More from DevOpsDays Riga (20)

Recently uploaded

Recently uploaded (20)

DevOpsDaysRiga 2017 ignite: Janis Orlovs - Automation and Security: Implementing Continuous Security Environments