DevSecOps & Enterprise Security
Tuesday, November 10, 2020
Your company has grown and has hired a security team, or a security person. We’re done, right? Everything is secure? Clearly, this is not the reality. Integrating security into development and operational practices is an ongoing, iterative process, and DevSecOps will look different across organizations. So no, you can’t just buy the same tools as everyone else and unlock the security achievement.
Effective DevSecOps is about recognizing where different functions add unique value and optimizing around that in order to continuously improve the security of your products, with the ultimate goal of keeping your customers and your company safe. In this talk, I’ll share some ways to use your security team more effectively and where automation can help you and your security team scale together.
The goal of this talk is to provide you with some tools to meaningfully discuss security improvements and give you options for where to start making immediate progress. I’ll be sharing some of the pitfalls I’ve experienced, including where automation can hinder your progress. I will also talk about how I think about prioritization of security improvements and share my perspective as a security engineer.
With robust DevOps processes in place, teams are leveraging multiple tools and technologies to build and deploy their applications faster than ever with ease. However, numerous high-risk issues may exist in these enterprises if security is not treated as one of the quality characteristics, or is simply ignored. The intent of DevSecOps is to ensure close collaboration between Development, Operations, and Security teams. In this session Vivek will explain how DevSecOps enables everyone to consider infrastructure and application security right from the start of the project and thus makes everyone responsible for application security. It can reduce the cost associated with security issues by detecting and fixing them in the early stages of development. He will also walk us through some of the key benefits of DevSecOps, which include robust infrastructure, reduced vulnerabilities, continuous security, enhanced compliance, easier threat hunting, increased code coverage, and automation.
AWS kicked it off. Azure and Google followed along. The three main cloud providers each have their own frameworks for how to better architect around their services, focusing on delivering value to customers with high performance, enterprise-grade security, operational excellence, and high reliability, all while optimizing cost. During this talk we will learn the basic pillars of these frameworks and specific ways they can improve your overall cloud posture.
Of course no Dev talk would be complete without a good automation debate, so we are also going to discuss briefly the power of Infrastructure as Code (IaC) and how it can be a great friend on your journey to automating security, compliance and an overall well-architected cloud environment.
The days of manually deploying infrastructure are over. IT teams need automation tools to modernize towards IT-as-Code. This is achieved through flexibility: IT teams must operate on a platform that accommodates CI/CD pipelines. The pipelines, in turn, must go beyond traditional DevOps and bring in Security and Ops to take a truly holistic DevSecOps approach. The goal is to enable all tech teams, including security and ops, to use DevOps tools to integrate with ticketing systems, run security remediation playbooks, deploy Kubernetes with a security benchmark assessment, automate the creation of SSL certificates, and even spin up virtual firewalls with an applied configuration in the cloud, with each team leveraging DevOps and security tools like Terraform, Vault, kubectl, Ansible, CIS-CAT Assessor and others.
- What is DevSecOps and what are CI/CD pipelines
- How CI/CD Pipelines work for DevSecOps
- Why enterprises need hybrid CI/CD pipelines
- Real-world use cases with Kubernetes, Terraform, Vault, CIS-CAT Assessor
The cloud has changed the way hackers operate, and you need to change how you think about securing your cloud assets against this new generation of exploits.
In this talk, Josh Stella, CTO of Fugue, will walk through a simulation of an advanced cloud misconfiguration exploit. He’ll explain at every step how common—but frequently overlooked—mistakes leave cloud data vulnerable, and how most cloud-based data breaches go undetected, even long after the fact.
You’ll gain fresh insights into how to think critically about your cloud security posture and how to identify and eliminate serious misconfiguration risks.
In this session, you’ll learn:
- How cloud misconfigurations occur and why they frequently go undetected
- How to assess your cloud environment for misconfiguration vulnerabilities
- How to prevent misconfigurations using policy-as-code
In this session, we will discuss the concerns over security, privacy, and compliance that hold organizations back from fully cloud-native initiatives. As more and more companies orchestrate their containerized applications in Kubernetes, enabling DevSecOps and continuous security becomes a must.
We will look at the end-to-end SDLC process, from the first line of code up to an application running in a Kubernetes cluster, to examine the importance of DevSecOps: where you can start, what it looks like for a developer, key patterns for success, and how you can achieve speed and scale while reducing risk and ensuring compliance.