Saturday, Jun 9, 2018
Presented at DrupalHackCamp: Bucharest, Romania, 8-10 June 2018. DevSecOps and Drupal gives and overview of the DevSecOps process and mindset and also how to use it to deliver Drupal applications (or anything really) with security built in.
Link to slides
1. DevSecOps and Drupal: Securing Your Applications in a Modern IT Landscape
2. About me
3. Imposters and security… Personal Vulnerabilities
4. The History of Musical Notation
La, la, la, la, la. We’ll get to why this is relevant soon. 1
5. “ Music is oral history.
However, in its history it was unable to be communicated easily across time & space.
6. Compressed history of musical notation
- Boethius (480-525 AD)
- Letter associated with notes
- Gregory the Great (600 AD)
- First seven letters, Uppercase and Lowercase. Also introduced lines (similar to stave) with words moving up and down. ◉ Franco of Cologne (1200 AD) Symbols for length of notes.
7. Standards take time, effort, evolution
8. DevOps is filled with incomplete standards We have so much to compete with when joining code to infrastructure. So many additional variables.
9. What is DevSecOps? Because everyone needs a buzzword 2
10. Development Team Favourite phrase: Works On My Machine DevOps Operations Team Favourite phrase: Server is up, must be application errors.
11. Security Team Favourite Phrase: No
12. DevOps OperationsDevelopment DevOps
13. DevOps is fixated on the successful movement of products between environments
14. DevSecOps Operations Development Security DevSecOps
15. DevSecOps is fixated on the secure, successful movement of secure products between secure environments
16. DevOps is moving products Is that an oversimplification? 3
17. DevOps delusion first lastsecond Our process is easy…
18. €89,526,124 That’s a lot of money 100% Total success! 185,244 users And a lot of users
19. Global our office
21. Testing Automation Doing the same things over and over again 4
22. Let’s review some testing concepts Static Analysis Testing Checking the code against standards.
What is acceptable, what is not:
- Build Testing: Does the application build with its dependencies?
- Smoke Testing: Is it broken now?
- Unit Testing: Testing the functionality of code. Inputs and outputs.
- Functional Testing: Testing functions/features inside the application.
- Security Testing: Testing elements of security.
23. You don’t need to be a plumber to like pipelines.
###24. Pipelines Code Static Analysis Unit Test Build Test Functional Test Smoke Test Local testing?
25. Where is security testing inside your pipelines? 🤷
26. Security you can automate:
- Secrets Management (secure your pipeline)
- Dependency/Vulnerabilty Scanning
- Vulnerability Attacks
- Load Testing/DDoS Simulations
27. Let’s get real.
- Everything should be in a container.
- Containers should have the minimum required.
- We should process jobs in parallel.
28. Let’s demo this…Or in practice, use my pre-completed examples 😲
29. We probably already know what our greatest weakness is…
31. Secrets Management
- How do you achieve minimum required access?
- Where do you inject secrets?
- How do you control access?
- Hashicorp Vault
- Docker Secrets
32. Vulnerability Databases
When standing on the “shoulders of giants”, we can see further, but we also don’t know all of our dependencies:
33. Vulnerability Attacks
Attack your known weaknesses:
- Bad users
- Kali Linux 😈
- Brute forcing
- Module enumeration
- Burp Portswigger…
34. Security Auditing: DevSecOps does not replace Security Audits, it augments the pipeline to allow greater focus.
35. What you need to do now Actionable items for you 6
36. Automate your build
- If you are building manually, stop. Automate.
- If you already use Jenkins, that is fine, if not, don’t start on it.
- GitOps - This should be your new search topic…
- GitLab CI
- Clusters and orchestration of containers are the future of application delivery.
- Learn Docker
- Learn Kubernetes (and probably use services; EKS, RDS on AWS).
38. Automate your security
- Test your weaknesses
- Reduce your effort
- Speed is essential - time is your non-transferable resource
39. We probably already know what our greatest strength is… Each other.
40. Any questions?
Special thanks to all the people who made and released these awesome resources for free:
- Presentation template by SlidesCarnival
- Photographs by Pixabay