Security with the Speed of Continuous Delivery
TRANSCRIPT
Confidential

Tapabrata “Topo” Pal, Director, Next Generation Infrastructure
[email protected] @TopoPal
Past: • PhD in Semiconductor Physics • 20 years of IT experience as Developer, Architect, System Engineer • Experience in Retail, Healthcare and Finance industries
OWASP Top 10
Speed
Speed is the new currency
Business • Requirements • Feature Request • Roadmap
Development • Architecture • Design • Code • Test
Operations • Infrastructure • Platforms • Environment • Deployment • Incident Mgmt • Change & Release Mgmt.
Information Security • Application Security • Security Testing • Infrastructure Security
DevOpsSec
Shift Left • Automate Everything • Dashboard Everything
code.commit()
(Deployed) app.use()
everything.automate()
[Figure: the continuous delivery tool chain, built up over several slides]
Continuous Integration
Request, Plan • Develop, Unit Test • Automated Build • Code Analysis • Automated Tests • Report Results
Tools: Agile PM Tools • Defect Management • IDE • Source Control • CI Tool • Binary Repository • Code Quality Check • Unit/Integration Test
Continuous Deployment
Automated/Continuous Deployment: Plan • Deploy • Verify • Monitor
Continuous Testing
Test Mgmt • Test Data Mgmt • Develop • Promote • Verify • Execute
Service Test • UI Test • Device Test • Perf Test • Security Test • Service Virtualization • Acceptance Test
Infrastructure and Environment
Dashboard/Feedback: End to End Traceability, Real time status of Code, Build, Deploy, Test, Application and Environment Health
Delivery Pipeline: Automated, Continuous, Compliant
[Figure: pipeline stages and environments, built up over several slides]
Stages: Code • Build • Deploy + Test Execution • Release • Monitor
Tracks: App • Test • Infra
Environments: DEV • INT • QA • SEC • PERF • PROD
Flow • Feedback
Automated Audit and Security Controls at every step
Code
Application Code • Test Code • Infrastructure Code

Build

Deploy + Test Execution
Collaborate Early
• Set up your IDE with security plugin(s)
• Set up Nexus CLM + Jenkins integration
• Write security ATDD test cases
• Set up Fortify scanning job
• Set up WebInspect scan job
• Fix security defects
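One way to make the "Write security ATDD test cases" item concrete is an acceptance test that runs as a pipeline gate after "Deploy + Test Execution" and fails the build when a deployed test environment returns responses without baseline protections. The code below is an added example, not from the talk or its speaker: the header policy, the cookie-flag requirements and the two sample responses are assumptions constructed here so the check runs offline; in a real pipeline the headers would come from an HTTP client call against the environment under test.

```python
"""Security acceptance (ATDD) checks for an HTTP response, written to run as a
pipeline gate. Added example: the policy below is an assumed baseline to be
adjusted per application, not a standard from the talk."""
from http.cookies import SimpleCookie

# Headers the response must carry, each with a predicate on its value.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}
# Headers that advertise server software and version; treated as a defect.
DISCLOSURE_HEADERS = ("server", "x-powered-by")
# Flags every cookie set by the application must carry.
REQUIRED_COOKIE_FLAGS = ("secure", "httponly")


def check_response(headers, set_cookie_lines):
    """Return a list of human-readable findings; an empty list means pass."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    for name, value_ok in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing header: {name}")
        elif not value_ok(lower[name]):
            findings.append(f"weak header value: {name}={lower[name]!r}")
    for name in DISCLOSURE_HEADERS:
        if name in lower:
            findings.append(f"version disclosure: {name}={lower[name]!r}")
    for line in set_cookie_lines:
        cookie = SimpleCookie()
        cookie.load(line)  # parses one Set-Cookie header value
        for morsel in cookie.values():
            for flag in REQUIRED_COOKIE_FLAGS:
                # SimpleCookie stores True when the flag is present, "" otherwise
                if not morsel[flag]:
                    findings.append(f"cookie {morsel.key} lacks {flag}")
    return findings


def gate(response):
    """Pipeline-style verdict: (passed, findings) for a (headers, cookies) pair."""
    findings = check_response(*response)
    return (len(findings) == 0, findings)


# Constructed sample responses (not captured from any real system).
WEAK_RESPONSE = (
    {
        "Content-Type": "text/html",
        "Server": "ExampleServer/1.0",
        "X-Frame-Options": "ALLOW-FROM https://example.test",
    },
    ["session=abc123; Path=/"],
)
HARDENED_RESPONSE = (
    {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
    },
    ["session=abc123; Path=/; Secure; HttpOnly"],
)

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        passed, findings = gate(response)
        print(f"{label}: {'PASS' if passed else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed weak response the gate reports seven findings (three missing headers, one weak X-Frame-Options value, one version disclosure, and a session cookie lacking both Secure and HttpOnly) and fails; the hardened response passes with no findings. Keeping the policy as data rather than scattered assertions lets the security team version it alongside the application and test code, which is the "Collaborate Early" point in practice.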
Any Questions?