
Adding the Sec to DevOps

BSides Nairobi · 2022 · 42:23 · Published 2022-12
Transcript

The next person is going to be training Kiri, giving us a very interesting talk.

So today we're going to talk about adding the Sec to DevOps, so basically DevSecOps, and I'm sure most of you have probably heard about it. If you need to, raise your hand and ask questions. Okay, so how many of you were here yesterday? I'm from a company that really gives the same queuing together, but maybe you can just say it's very doable to work for these companies. I work for Microsoft; I've been there since last year. I've seen Eva, who is Eva? She's just here, she's also a software engineer there. So I am a Senior Cloud Security Advocate at Microsoft, and what I do is mainly work with communities as well as product teams, in terms of features, in terms of getting the security of the security products they build in general, fixing new day-to-day challenges, as well as working with communities to get additional products or product features to help you work better. My main product is in cloud security, so that's what I do on a day-to-day basis. How did I get to Microsoft? I got in through LinkedIn, so when you guys are talking about Team Water money on your LinkedIn, it works.

Okay, so we'll talk a lot more about, maybe if you're interested in security at Microsoft, what you need to do to get started, also in website options, if that's what you're interested in, how to get started, how to get there. So today I won't be talking alone; I'll be talking with Dylan, you probably know him on Twitter, so maybe you can just introduce yourself.

Good morning everyone, my name is Milan. I'm currently a [unclear] engineer [unclear]. I'm here with my mentor today and a good friend, and I'm going to be doing this talk with her. I'll be taking the demos, basically.

So the reason why I'm here, maybe you can just clap for him. We've been talking a lot about helping you guys get out there, talking at conferences, so maybe you can just shadow and get to interact with the various other speakers; you have things to share with them as well and to get from them. I know you have a lot of knowledge to share. This guy, he's humble, he's a head of the box, the [unclear] and the team lead for cyber security and DevOps at [unclear]. At what you can say is a young age, but he is doing an amazing job, and I know most of us are doing awesome stuff; we have knowledge to share with others. So hopefully, Lawrence, if you have another conference anytime soon, hopefully I want to see many more people here presenting, [unclear], hopefully next month. Yeah, awesome.

So I will just jump right in. You just mentioned you are a developer; when you were developing, did you ever think about security?

When I was developing, before I got into security, actually, mine was just yes, yes. Like, I was a software developer before, pushing so many systems, but I never ever thought of security until one day I got compromised.

Okay, so I think, mostly, as you've heard from Jolene and the students, as a developer of [unclear] you don't think about security. So I must try to give a little bit of history as well, because I'm guilty of what they're saying, like sitting in a corner writing software, send it here, I'm a hero. So within the past decade, what the world has seen is changes in terms of how we build software; we're moving really fast. I think from around 2009 is when the term DevOps is coined, because software is really coming out really fast, right, every day someone comes up with a new app and is pushing something. So in terms of tech, the beauty of tech is that you're always improving. So what do we mean by DevOps? I think from Wikipedia it is the union of people, processes and technology to deliver continuous value to users. However, as for me, I'd say it gets a little bit particular, where I say, because we're trying to move from just writing software to building systems. And as we began, normally, Agile was the big thing, because it brought about the collaboration between the developers and the [unclear] themselves, the people who talk to the end users, who tell them what to do next, what to see in the systems next time, right. And it's really helped, because users get to bring feedback in terms of what they want to see in your software. However, the teams internally were put in silos, so that the dev team and the IT Ops team do not talk. I'm sure some of you have had these fights personally. The way some of my dev team is not here, we usually have those fights, because when you're in silos you don't communicate. And we have recently seen, barely 48 hours ago, a company called Uber got hacked, and if you've been reading the reports coming from it, this guy came in and found out [unclear] and went on their [unclear] until they pay attention: I've hacked you. So what did the other team members do? They thought it was a joke, they started laughing about him; this guy was already inside. The lack of communication between teams inside an organization really causes massive losses, let's call it, as you've seen recently. So when you come to DevOps, what you're trying to do is, you'll find the Ops team and the dev team that don't want to communicate: you want [unclear], you want me to move your data center from [unclear]. There must be that communication so that you can be able to move this product, so that time to market for our product is really short, while at the same time I'm not compromising the quality of the code, I'm not compromising the time to market.

So in the space of the past 10 years you see a real big uptick in terms of the products that are being shipped, because software goes right up really fast, and as I said in terms of cloud, which is really good, one of the things about cloud is the agility, to be able to build things really, really fast. You don't have to wait for, I think, two weeks; in a few hours or so I can get something, you know. So we've come up with so many tools that it has become really difficult in terms of the whole software development life cycle, all of these things; as Charlie has actually been really scared of [unclear], whatever you can do. Because in terms of DevOps, in terms of systems, my main job is actually to ensure that all this works together, it really works fine. So we have seen that as things continue, in terms of software being really fast, these things are, let's call it, not really secure, right. And I think one of the greatest things we can see is that with the increase in terms of applications and the increase in terms of lack of integration, there's a lot of things going to cloud, a lot of things going to microservices; the vulnerabilities are wide. I think one of the most famous things in this bootcamp was, I think, wasn't it, and I remember there was another session where he showed us a really awesome [unclear] last year, that you're never really secure, because malicious actors are really looking at different ways to exploit you. You see the curiosity that is there, [unclear], that's the same curiosity that malicious actors across the globe have. He has also, I don't know, there's also the phrase that was mentioned in terms of [unclear], that some countries, you've seen Russia do it, they have dedicated teams which maliciously look to exploit anything they can get in terms of compromise. You've seen [unclear], which are mostly on the private side of malicious actors, but they do this for money, right. So as the threat landscape is changing, it's increased. I think the most that could get hacked back then was just your phone; right now people are hacking cars. I think later on we have a talk from someone who's using, what is it called, the [unclear] or something? Yeah, people are hacking everything; you've seen tons of Teslas getting taken down through their AC and stuff. So as the threat landscape increases, you've seen some really big breaches happening. I think the most famous one that everyone knows is Log4j; I think that was really big. Well, it's a simple thing that was forgotten in a Java package manager for [unclear], which brought the insecurity, and the [unclear] that came over to escalate as far as an RCE, and it was unmonitored for a long time, and it's used in so many [unclear]. So as they have to come, the people who build tech and who write code, the people who build systems, we are at a disadvantage, let's say, of trying to keep up with these things. Thank you.

So I think the next part of this I'll give to my able [unclear] to explain; I think this is more her expertise.

Thank you. So what do you guys mean by DevSecOps? He's mentioned DevOps, and there are limitations to DevOps: you're deploying all these tools with no consideration for security, and you might be integrating a tool which is also vulnerable and hence also increasing your threat landscape. So that's why we have to integrate and work closely with the developer as well as the operations team, to integrate security throughout your software development life cycle. So I would say that DevSecOps is doing DevOps right from the whiteboard. Okay, so it's definitely a combination of development, security and operations. I've been guilty, in terms of working in the green company for a couple of years and working with development: they are pushing a product and then it comes over to you, you get all this and then you push it back to the developers, and there's a lot of back and forth between developers and the security team. Then once you have maybe fixed the vulnerabilities, now you move down to Ops, and now obviously they see that this won't work in this particular environment, and now we have to go back, and now the product is delayed. That's why you have to work together throughout the whole solution, throughout the whole software development life cycle, to prevent delays and to bring more features to customers quickly, in a secure way.

So there are several benefits to having DevSecOps. We are trying to reduce the remediation time by shifting security left as much as possible. We are keen to say that security is everyone's responsibility: including you, including you, including you as a developer, including you if you're working with the operations team, it's everyone's responsibility. So that's why we have to do a lot of training in terms of shifting security left throughout the organization. Another benefit of DevSecOps is to integrate with and secure your existing toolchains. You might already have your toolchains in your environment, so we want to work with you to make sure that your existing toolchains are secure as well, and also to make sure that you're quickly identifying new threat vectors. Charlie mentioned zero days; in most cases now you'll be able to identify these threat landscapes a little bit faster. But we still have barriers in DevSecOps: you still find organizations and teams are working with their own [unclear]. It's very easy to work in silos, because communication is not that easy between the teams; you have your own calls, this period of time for developers and for Ops, you are working in different time zones, you work in different meetings. So we want to find a way of working together, even if it's meetings, having meetings together, so at least you are able to narrow down that gap and work as a team. There's also a skills and knowledge gap: we still find developers not integrating security, we still find Ops teams not deploying security tools correctly, so that's why you have to do a lot of knowledge sharing in terms of skills, tooling, processes and people as well. So the third barrier we have is that solutions are introduced for developers [unclear]. How many of you guys believe that? Like, there was a time I was working with some developers integrating some security tools, and you find that maybe there's a lot of false positives, so by the time it's generating maybe a report, the time it takes for them to identify that this particular issue is actually a false positive is a lot longer than the time it took them to build that code. So yes, we understand security is important, but it's delaying our products, delaying our delivery; there's no developer velocity in this case. So these are still challenges that we are facing even today.

So we still have to shift security left despite all these barriers, because 80 percent of production security incidents are [unclear] through security to development, so you're able to pick up 80 percent of security incidents as early as possible; you're able to reduce the cost of security incidents by 60 percent when you shift security left; and 60 percent of [unclear] actually do not integrate security into their development [unclear], which is quite hazardous. So I'll finish off this theoretical part; we're just trying to understand, so what are the three things for successfully securing your developer workflow? So we want to see, okay, how can we integrate security through the software development life cycle? We have to deploy developer-first tooling. By developer-first tooling, it's making sure that you empower the developers to be more cognizant of the security impacts of the code that they are building. You'll find in most cases developers don't know that the kind of code they're building is not secure, so they are the best people to actually train, because they are [unclear] to push more secure code. It's true, because you'll find that to do something right sometimes might take a long time to build, and it affects maybe the delivery of the software, so sometimes we find our developers going the short way and doing stuff maybe not so secure. So we also have to build in native, built-in security capabilities, by providing [unclear] and building security into your workflow. And the third thing for a developer workflow is automation. When we're talking about DevSecOps it's mainly about automation, people and processes and tooling, but nowadays [unclear] concentrating so much about tooling, but the main things are around your people and your processes. So by people, you want to work with developers, having security champions, empowering them on how to [unclear] security vulnerabilities as early as possible, so at least it can scale down to their teams. Having such a program is something that all of us need in order to identify security vulnerabilities as early as possible.

So we'll go right into, what do we mean by this? We were saying that we wanted to weave security into the software development life cycle, so what are these software development stages? We have all these: the pre-commit, the commit, the deploy, and operate and monitor. We have to integrate security throughout all these stages. So for pre-commit we have threat modeling, which is quite key: identifying, trying to see what attack surface can be used, what vector can be used to attack this particular system. Later on in the afternoon there's a session on threat modeling by Sofina, so please pay attention to what she'll be saying, how you can do threat modeling techniques to identify weak areas within your system. And then also for pre-commit we have IDE security plugins. For IDE security plugins, I'll just show you very fast. As a developer, when you are developing you want to identify security vulnerabilities from the word go. So whenever you are programming, maybe using your favorite IDE, I hope your favorite is VS Code? Yes, good. So we have very many security tools that you can use whenever you're developing, so that you can get the vulnerabilities on the go and identify them even before pushing to your repo. So when you're in VS Code we have extensions; there are several tools in the marketplace which you can use on your code to identify your vulnerabilities. Some of my favorites are Snyk: you can just go into your marketplace and search for Snyk, it will take you to this extension where you install it, and once you install it, it will start automatically going through your code and identifying security vulnerabilities. I had already installed it because it takes a bit of time. So it scrolled through my code and it gave me all these issues; you're able to go in, it tells you the line that is actually vulnerable, and then it gives you recommendations as well. So it tells you that this is actually, this plugin does not [unclear]. Some of these you'll find are best practices, as well as maybe OWASP Top 10, as well as known vulnerabilities. So you go through each whenever you're developing, and now you're able to fix on the go. Another tool that you can use on VS Code as well is CodeQL. It's also just installing the extension, and for this one it's a little bit more technical: you have to download your whole code in the form of a database and then upload the database in VS Code and then query it. I'll have a little bit more on top of this; follow me, I'm sharing more content around CodeQL as well, but you can go in and start playing with CodeQL. But it's not only those; you can go into the marketplace and just search for other security extensions that you can use on the go, there are very, very many. You can find all these: Security Intelligence, we have [unclear], we have all these.

How many in here are [unclear]? Okay, how many here are in Ops, cloud engineers, DevOps engineers, [unclear]? How many are in security? I'm sure that's the majority of the population. Now you guys know, you're supposed to at least know you can talk to your guys over here. So that the developer doesn't really have to fall under the whole complicated example in terms of integrating security, [unclear]. So on the side of building the pipeline, we have the Visual Studio Marketplace, where over here you can add integrated security plugins in your CI/CD pipeline; most of these, like Snyk as she said, are able to run through your code and tell you if there are any vulnerabilities. Over there we have container security, which must give us some [unclear] in terms of how your artifacts are clean. So, I think, how many here are gamers? [unclear] was really impressive, because the guy initially went and copied the, what is it, he copied the artifacts, and it kept on being replicated, and this [unclear] can be able to plug in more secrets across the world. So some of these security plugins in your CI/CD can help you to work towards [unclear]. Just a minute.

Thank you. Okay.

Right, and they're going to push it to your repo, and then I say now when you build, this is where we have to integrate the security aspect of things in every stage of the SDLC pipeline, as I can show you. So from the pipeline, [unclear] ways to integrate your... We're going to be able to integrate from the YAML file, on the side of the [unclear]. This is mostly, you can get from the marketplace different security products that can be able to integrate, as she has shown, like [unclear], [unclear], this SCA, you can do the SAST test between [unclear]. Because the issue with pipelines, let's say, is that I think most of you are familiar with the [unclear] of development, number one, and that's just important; kindly, as someone else suffered, and this I beg you, never [unclear], do not push anything; I think this one is more of a Kenyan thing, we don't push anything on Friday. So when you come back to our pipeline, you can see that as you add the task, for example the dependency check: most of our software today, as we have advanced, has started using open source software, and as you've seen with malicious actors, in terms of their TTPs, they really take advantage of this, because, hey, which developer is going to go and ask [unclear], continue to compromise an open source [unclear]? Human beings usually [unclear]. So some of these can check on the dependencies that you've been using, whether they have vulnerabilities, because there's a high chance your developer would come and say, this thing, I found it on an open source framework. But still, on the side of the one building this pipeline, or the one who's going to push this [unclear], you have to take this into consideration. So we will drop the task, but it usually takes a little bit of time, so I think she's going to show, we've already done maybe a little bit of a crash course on the Azure pipeline. So whenever you want to access the extensions from the marketplace for security tools that you can integrate, you go to your... How many of you have access to Azure DevOps, by a raise of hands? If you don't, I'll give you access, for learning purposes.

Okay, so, crash course. When you have access to Azure DevOps, you go to your organization settings and you have to go to Extensions, so you browse the marketplace; remember the same thing we did in VS Code, where you have a marketplace. So we have partners that have generated all of these tools which you can integrate as tasks within your Azure pipeline. When you're here you can just do as much as searching for "security" and you'll find all these extensions that are there in the marketplace for integration within your pipeline. You see we did the same thing with Snyk within your IDE, so you can also integrate Snyk within the pipeline. Within your IDE we were doing it as pre-commit, but here we'll be doing code scanning, we'll be doing SCA scanning using Snyk. When you want to use something like Snyk, you just go to it and you get it for free, as simple as that. When you get it for free, you make sure that it's mapped to your organization and you click Install. And then you proceed back to the organization. When you proceed back to the organization, remember I did not have Snyk before, so if I go to my extensions I should be able to see that Snyk is now part of the extensions that are there; you can see it right here. So that's actually the first bit: you have to install the extension. Now you have to go back to your project. I'm using this project called DevSecOps and I have a YAML file. In this project called DevSecOps I have my vulnerable code, included maybe even from GitHub, so I have it here, and I have an Azure pipeline YAML file; that's what I use to run my security scans and to integrate my tools and tasks and everything else. So any change that I make to this Azure pipeline YAML file throws a trigger to the pipeline and then it scans; whatever I had identified within the tasks, if I'm adding the next task, it will do that scan. It's as simple as that. So we can go to Pipelines and you edit your pipeline. So I had this; you can see the structure of a YAML file: you have your [unclear], you have your stages, and within this stage, at this stage I'm coming into application security. You can also have another stage for building, you have to be deploying, and also doing some infrastructure as code; it's a huge [unclear], so it depends on what you want to do. So for this particular stage, within this stage I have jobs; for this job I'm running test jobs, and within this job I'm running this task for WhiteSource. This I had already installed in the organization, it was already available, but when you hit the assistant over here and you search for the extensions we installed, I just do as much as search for Snyk and then click on it. For this one it's a little bit more complicated, because I have to go into the Snyk portal, get your API token, which is integrated through your project settings, Service connections, and then put all those here, and then now you're able to scan your code. [unclear] is very simple. So for this particular example, if you want to play around with this, for this one I'm running WhiteSource. You can go into the task; now my WhiteSource is called Mend Bolt, so you can just go into your extensions, install the Mend Bolt extension and then add the task for that. It's as easy as that, I think. And then you run against your code, and it triggers the pipeline to run, and then it goes in and goes through your code and gives you the [unclear] which you can save as an artifact and push it, and you can save it maybe as a machine-readable format and see what you can do with that, maybe a reporting portal as well. So that's a crash course on the Azure DevOps pipeline in terms of integrating security tooling. You can see it's doing all these jobs and in the end it will give you your security vulnerability reports. So I will show you maybe what I have from before.

So it ran before; I had run this. When you go to your Mend Bolt board, it will give you security vulnerabilities that have been identified within your code. It's as easy as that; isn't it very easy? Yes. Snyk does the same thing. You can see it gives you an open risk report with severities, and you can identify and fix all these security vulnerabilities and re-run the pipeline once you've closed the issues and see if the [unclear] is updated. So just a quick one: you can still do the same thing using CodeQL and Dependabot dependency checks on GitHub. Once you have your repo up, there's a tab here that's available for everyone, so even if you have a public repo you can just go here to Security and enable it; it's as easy as going to security policies and enabling Dependabot alerts, enabling it, and code scanning, default setup [unclear] as well. This usually creates a workflow for CodeQL which goes into your code and gives you security [unclear]. For the interest of time, I'm just showing you how easy it is to enable that: just go to the Security tab and enable the security features. The kind of security vulnerabilities that you will see is something like this: on the left you see Dependabot security issues and it gives you all this; you can see all these critical, high-risk vulnerabilities which you're able to address, and it also gives you recommendations on how to fix them. Okay, so a crash course as well for GitHub Actions, maybe for those who have not interacted with this before. You've seen for all these security jobs that you're doing, we are adding them as workflows. If you want to add a new workflow for a particular security toolkit, it's as simple as going to New workflow; it gives you all the... so we just search here, you can do the same thing, just searching for "security", and you can see all these workflows that are available for you to use within GitHub Actions. You can do [unclear] security scans, you can do all this, as easy as taking a configuration and starting from it. Is it easy, right? Yeah.

It's not like it's that easy, you know, because of all that goes into DevSecOps. We've shown you the pre-commit; yes, that's just for the developers, done before you commit your code. And then now for the commit, you are doing continuous integration, continuous deployment; as well as the images that you're building, you have to do security scans on them, and your whole infrastructure, and communicate those vulnerabilities and do that with the Ops team. So there's a lot that goes into that, and one big thing that you'll see around DevSecOps is you need to learn a lot around [unclear] and container security. So if it's something that you're interested in, getting into DevSecOps, there's a lot of resources as well. One thing that I liked when I was getting into DevSecOps is this particular course called Practical DevSecOps, so if you're interested in that, you can look into it just to get started knowledge around container security, application security and how to integrate security into your SDLC.

Thanks.

The next one would be: make sure all operations adhere to the least privilege principle, where you give people the permissions just in time for the operation; let's say if they have to access a server, you have... there is really no need for your [unclear] for identity and access management, to ensure that least-privileged access management policies are in place. Then we have to use multi-factor authentication and, in terms of just-in-time approval for privileged operations, [unclear]. Then you can enable endpoint protection for all workstations and only allow registered devices, still going back to the [unclear]. Last but not least, [unclear] identity, I lead to the [unclear] that you have to know who is who, who is in what. This will be able to help you prevent these types of attacks, which are compromised credentials and malicious insiders. Yes, we're done.
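The pipeline structure the demo walks through (a trigger, a stage for application security, a job, a Snyk SCA task, and the report kept as a build artifact), written out as an added example; this is not the speakers' pipeline file. It assumes the Snyk extension is installed in the Azure DevOps organization, that a Snyk service connection named `snyk-token` exists (a constructed name), and that the task input names match the Snyk Azure Pipelines extension's documentation; check them against the extension's current docs before use.

```yaml
# Example Azure Pipelines file, constructed for illustration (not the talk's own).
# Any change pushed to main triggers the pipeline, as described in the demo.
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

stages:
  # Stage dedicated to application security checks; build and deploy stages
  # for the same product would follow as separate stages.
  - stage: ApplicationSecurity
    displayName: 'Application security'
    jobs:
      - job: SecurityTests
        displayName: 'Dependency (SCA) scan'
        steps:
          # SCA scan of the project's open-source dependencies with Snyk.
          # 'snyk-token' is an assumed service connection created under
          # Project settings > Service connections, holding the Snyk API token,
          # so the token never appears in the YAML itself.
          - task: SnykSecurityScan@1
            displayName: 'Snyk open source scan'
            inputs:
              serviceConnectionEndpoint: 'snyk-token'
              testType: 'app'
              severityThreshold: 'high'   # surface high and critical issues
              monitorWhen: 'always'       # keep a snapshot in the Snyk portal
              failOnIssues: true          # gate: fail the stage on findings
              projectName: '$(Build.Repository.Name)'
              # Ask the Snyk CLI for a machine-readable copy of the results.
              additionalArguments: '--json-file-output=$(Build.ArtifactStagingDirectory)/snyk-report.json'

          # Keep the JSON report as a build artifact even when the gate fails,
          # so it can be fed into a reporting portal or tracked over time.
          - task: PublishBuildArtifacts@1
            displayName: 'Publish Snyk report'
            condition: succeededOrFailed()
            inputs:
              PathtoPublish: '$(Build.ArtifactStagingDirectory)/snyk-report.json'
              ArtifactName: 'security-reports'
```

With `failOnIssues` set, a pull into main that introduces a high-severity dependency stops at this stage, while the published artifact still lets the team see exactly which package and version tripped the gate.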