Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

0

Share

Download to read offline

Microsoft DevOps Forum 2021 – DevOps & Security

Download to read offline

DevOps practices for small teams and organizations, with a focus on security

Related Books

Free with a 30 day trial from Scribd

See all
  • Be the first to like this

Microsoft DevOps Forum 2021 – DevOps & Security

  1. 1. DevOps practices for small teams and organizations, with a focus on security Microsoft DevOps Forum 2021 – DevOps & Security
  2. 2. Nico Meisenzahl • Senior Cloud & DevOps Consultant at white duck • Microsoft MVP, Docker Community Leader & GitLab Hero • Container, Kubernetes, Cloud-Native & DevOps © white duck GmbH 2021 Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org
  3. 3. Agenda • Current state of DevSecOps in small teams & orgs • Demo: Implementing quick wins • Get started with DevSecOps • Implement quick wins © white duck GmbH 2021
  4. 4. Current state of DevSecOps DevOps is now widely known and increasingly implemented in small teams & organizations. DevSecOps practices, on the other hand, are not well- known and typically not yet adopted. © white duck GmbH 2021
  5. 5. Current state of DevSecOps in small teams & orgs • overall low Cloud / Cloud-Native security knowledge • same “problems” with security as with QA • no big invests • no real focus until there is breach or issue • no shift-left and fail-fast cultures • no security baseline • like governance, policies and landing zones © white duck GmbH 2021
  6. 6. What we see at clients • traditional IT departments trying to secure cloud-native projects by relying on on-premises and outdated patterns • slowing down of projects & inovation, but no real increased security • an MVP (Minimum Viable Product) is leveraged as a long- term solution • skipped topics (in terms of time-to-market) are not considered anymore © white duck GmbH 2021
  7. 7. What we see at clients • self-managed resources are sometimes preferred over PaaS and SaaS • then, not maintained with the necessary staff to operate them safely • self-implemented Identity management (AuthN, AuthZ) • without utilizing common best practices, managed services, and libraries/frameworks © white duck GmbH 2021
  8. 8. SANS 2021 Cloud Security Survey © white duck GmbH 2021
  9. 9. Demo – Implementing quick wins • “Ping me app”, based on Golang, deployed to ACI and exposed via App Gateway © white duck GmbH 2021
  10. 10. Demo recap • we found a security vulnerability and injected commands • we consulted the docs for security recommendations • we implemented a Web Application Firewall (WAF) to secure our app • we enabled Code Scanning in our GitHub Repo to fix the issue as well as to find future security issues in earlier stages © white duck GmbH 2021
  11. 11. Get started with DevSecOps • start small and grow • introduce security into all DevOps stages • try to shift security to the left • implement zero-trust Tip: Security should be easy to use, integrated and automated © white duck GmbH 2021
  12. 12. Educate yourself • consult documentation • general docs • Cloud Adoption Framework • https://docs.microsoft.com/azure/cloud-adoption-framework • Azure & GitHub at Microsoft Learn • https://docs.microsoft.com/learn • join a local Meetup group • https://www.meetup.com/pro/azuretechgroups Tip: Get certified © white duck GmbH 2021
  13. 13. Stay up-to-date • Azure Updates • https://azure.microsoft.com/updates • GitHub Updates • https://github.blog/changelog • https://github.blog/category/product • Azure Friday • https://azure.microsoft.com/resources/videos/azure-friday © white duck GmbH 2021
  14. 14. Security quick wins through the DevOps cycle © white duck GmbH 2021
  15. 15. Enable your team • integrate security staff in your development lifecycle (Sprint) • educate developers to raise their security awareness • implement pair programming • enforce PR reviews © white duck GmbH 2021
  16. 16. Ensure secure code • automate and enforce code checks • check your code for secret • schedule dependency scanning • Dependabot • enforce Static Application Security Testing (SAST) in PRs • scans your code to identify potential security vulnerabilities © white duck GmbH 2021
  17. 17. SAST Tooling • GitHub CodeQL • https://codeql.github.com • .Net & .Net Core • https://security-code-scan.github.io • Golang • https://securego.io • Kubernetes manifests • https://kubesec.io • Terraform • https://github.com/tfsec/tfsec © white duck GmbH 2021
  18. 18. Ensure secure code (next stage) • implement automated Dynamic Application Security Testing (DAST) • black-box scanning against a running web application • scheduled scan your artifacts and containers • sign your artifacts and containers © white duck GmbH 2021
  19. 19. App Vulnerability Management Tooling • Zed Attack Proxy • https://www.zaproxy.org • DefectDojo • https://www.defectdojo.org © white duck GmbH 2021
  20. 20. Ensure a secure runtime • implement zero-trust • automate everything (App and infrastructure deployments) • prefer PaaS and SaaS over unmanaged services • review Azure Advisor recommendations • opt-in for Azure Security Center to get even more insights • design & implement a Cloud Governance strategy • IAM, Polices, Landing Zone, … © white duck GmbH 2021
  21. 21. Monitor, review and iterate • implementing security is not a one-time job • you need to stay up-to-date • think big, but start small and iterate • as we do in application development © white duck GmbH 2021
  22. 22. Implement best practices • https://docs.microsoft.com/de-de/azure/security/ • https://docs.microsoft.com/en-us/security/cybersecurity- reference-architecture/mcra • https://docs.microsoft.com/de- de/azure/architecture/solution-ideas/articles/devsecops-in- github © white duck GmbH 2021
  23. 23. Questions? Nico Meisenzahl (Senior Cloud & DevOps Consultant) Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org © white duck GmbH 2021

DevOps practices for small teams and organizations, with a focus on security

Views

Total views

130

On Slideshare

0

From embeds

0

Number of embeds

30

Actions

Downloads

0

Shares

0

Comments

0

Likes

0

×