DevOps and DevSec with

Size: px

Start display at page:

Download "DevOps and DevSec with"

Hugo Gibbs
6 years ago
Views:

2 DevOps and DevSec with Joona Immonen Software architect Solita Oy

3 THIS IS SOLITA Turnover ,7 Million euros Nearly 500 professionals Over 20 years Working in 3 offices Over 1000 projects Over 97 % customer satisfaction Ranking 6. in Great Place to Work in Finland 2015 Ranking 43. in European Best Workplaces

4 About me 1985 Hello world 1989 DOS basics 1999 Got first time paid from IT stuff 2001 First IT job Nerd stuff

5 What is DevOps

6 What wiki says

7 What I think

8 DEVELOPMENT ENVIRONMENT

9 NEW GUY JOINS YOUR PROJECT

10 TWO STEPS PLAN 1. Install windows features and software with script 2. Install project specific settings with script

11 CHOCOLATEY Package Manager for Windows Use it by installing software or by using Windows Package Manager Do not overtrust packages

12 DEMO Show chocolatey scripts

13 SERVER INSTALLATION

14 NEW SERVERS ARE WAITING FOR SETUP

15 WHICH WILL YOU CHOOSE? WIZARDS SCRIPTS

16 DEMO Show server installation scripts

17 BUILDING A BUILD PIPELINE

18 EXPANDING YOUR PIPELINE Can I build a cloud environment like I build my code? Should I have separated pipeline for infrastructure? Are my build jobs so important that they should be under version control? Should I version my build configurations?

20 PIPELINE AS A CODE Setup a groovy script Create Jenkins Job DSL job with the groovy script Build your build jobs with build job

21 YOU GET A NICE PIPELINE VIEW TOO

22 Used Jenkins plugins MSBuild Plugin xunit Plugin MSTest plugin MSTestRunner plugin PowerShell plugin Visual Studio Code Metrics Plugin HipChat Plugin Performance Plugin Sonarqube plugin OWASP-Dependency-Check Plugin ZAProxy Plugin New Relic Deployment Notifier Plugin Gravatar plugin Dynamic Parameter plugin Selenium HTML report Thinbackup Violations plugin Timestamper Delivery Pipeline Plugin Job DSL Build pipeline plugin Build Name Setter Plugin Git plugin Test stability history

23 EXAMPLE GROOVY SCRIPT Under work example can be found at:

24 WHAT IS DEVSEC?

25 WHAT IS INFORMATION SECURITY? Confidentiality InfoSec Integrity Availability

26 Hack youself first! DevSec is a culture where developers are security aware break stuff automate breaking stuff

27 DevSec in Agile cycle Training Policies Motivation News Design Monitor Develop Deploy

28 CYBER SECURITY PIPELINE

29 Design Develop Deploy Monitor Threat analysis Static code analysis Web application security testing Incident & response Policy review Network scanning Architecture Known vulnerability analysis Attack surface analysis Alerts

30 Develop Deploy Monitor FxCop Burp suite Elasticsearch SonarQube Acunetix Greylock Code Analysis OWASP ZAP NewRelic Code Metrics Nessus HipChat / Slack OWASP Dependency check jmeter Dashing.io

31 GIT AS A TICKET STATUS MONITOR

32 USING FEATURE BRANCHES SUPPORT-1 branch TEST QA PROD (master) Feature being developed Pull request for code review Ready for customer testing Go live

33 TIPS & TRICKS Use DIFF to see what tickets are on which environment Query Jira to see if it matches with GIT Put everything on the screen

34 SUPPORT SITUATION TODO REVIEW QA PROD SUPPORT-1 SUPPORT-5 SUPPORT-73 SUPPORT-21 SUPPORT-2 SUPPORT-28 SUPPORT-13

35 BEING A HERO THAT YOUR PROJECT MANAGER LOVES

36 Thanks! Learn PowerShell and prosper!

Suman Sourav Director DevSecOps, Vantage Point Security. OWASP Indonesia Day 2017

Suman Sourav Director DevSecOps, Vantage Point Security OWASP Indonesia Day 2017 About me Certified Secure Software Lifecycle Professional (CSSLP) 12+ Years of Experience in Software Security Co-Founder