KEMBAR78
DevSecOps Study Notes | PDF
100% found this document useful (1 vote)
2K views55 pages

DevSecOps Study Notes

Uploaded by

Cj Artist
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
100% found this document useful (1 vote)
2K views55 pages

DevSecOps Study Notes

Uploaded by

Cj Artist
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 55

Page 1 of 55

DevOps Is Automation , DevSecOps Is People

DevSecOps Question and Answers

1. Security + DevOps
2. Security becomes integral part of process
Page 2 of 55

3. Shift from Traditional to Continuous Security


4. How to apply security controls
5. Continuous testing
6. Automated testing
7. AppSec Pipeline
1. Incorporating Security into DevOps
2. Tools and Frameworks
3. Critical Role
1
4. Building the case

By 2018, 90 percent of infrastructure and operations organizations attempting use DevOps without
specifically addressing their culture foundation will fail

Regardless of the software development and lifecycle management approach, security needs to be built
into the software, not bolted on after the fact.

DevOps was pioneered by smaller, lean-thinking, “born on the web” companies.

DevOps = Development + Operations

 Practices
 Tools
 Deliver at high velocity
 Evolve and improve
 Speed = better served customers
 Compete more effectively

Infrastructure as Code : Defining and managing system configuration through code that can be
versioned and tested in advance, to increase the speed of the building systems, and offering efficiencies
at scale.

Continuous Delivery: Using Continuous Integration and test automation to build pipelines from
DEVELOPMENT to TEST and then to PRODUCTION.

Continuous Monitoring and Measurement: Creating feedback loop from production back to engineering,
collecting metrics, and making them visible to everyone to understand how the system is actually used
and using this data to learn and improve

Continuous Integration / Continuous Delivery


Page 3 of 55

Decreased time to market

Decreased cost of deployment

Improved mean time between deployments

Improved quality

CD is as much a cultural shift as it is a technical one. The biggest shift is from separate teams dealing
with the writing, testing, and deployment of software to a single team that is responsible for the successful
deployment of quality software - albeit one staffed by people who have specialized skills and are tasked
with specific responsibilities.

1. DevOps defined
2. Reason for embracing DevOps
3. Evolution of SDLC
4. Involve security sooner

Paradigm Shifts
1. Transform role of security
2. Give more responsibility to developer
3. Engage security and quality teams both early and often
Page 4 of 55

How to Develop a Security Strategy within DevOps

1. Culture
2. Processes
3. Technologies

Adapting Security for Success

Secuirty

Focus on minmizing enterprise risk

Deliver more secure code at DevOps speed

Activities & controls must change to allow for adaptation

Controls that require adaptions:

 Static analysis
 Dynamic scanning
 Security code reviews
 Feedback

Other crtical security activities:

 Developer training
 Threate modeling
 Penetration testing

Shifting to the left

The only way to build security into the software is to introduce security practices as early as
possible

Design Coding Testing Security

Design Security Coding Testing

Secuirty Design Coding Testing

SATS and DAST


Page 5 of 55

1. Develop
2. Build & Test
3. Static Analysis
4. Check in
5. Build (CI)
6. Static Analysis & Unit Test (CI)
7. Deploy to QA/Stage (CD)
8. Dynamic Analysis & Regression Testing (CD)

With every check-in:

 Triggers compilation process - Run unit test  Run quality tests Runs static analysis tools

The Security Professional’s Role

Embedding Secuirty SMEs Into Development and Operations

 Difficult to scale
 Limited Resources
 Dev and Ops given for security

Training

 Principles
 Practices
 Tools
 Avoid unsafe practice
 Security becomes frame of mind

Building Case
Page 6 of 55

 2014 – 16% DevOps teams


 2017 – 27% DevOps teams
 2018 – 29% DevOps teams

High performenres spent 50 % less time remediating security issues

Involvel security and quality teams in the development process early and often.

When we say “shifting security to the left” mean: To introduce security practice as early as possible

When shifting from a DevOps to DevSecOps workflow, a company must always embed a SME from
security into the development and operation teams. (False)

In this we explore the benefits to the organization that occur when security, development and operations
work together; learn to importance of assembling a team of advocates and champions to bridge the gap
between development and security and discover how successful transformation and cultural change leads
to positive results. 

 Analyze the benefits to the organization that occur when security, development and operations
work together.
 Assemble a team of advocates and champions to bridge the gap between development and
security.
 Create positive results towards business goals through successful transformation and cultural
change.

Changing the Culture – A How-To Dev – Sec- Ops

 Team of advocates & champions


 Postive results
 Business goals
 Successful tranformation
 Cultural change

Joining Security with DevOps

 Develpoment
 Security
 Operations

Traditional Security:
Operational and Engineering
Must yield to risk aversion & protective measure
Security maintained veto power
Yet DevOps and Business
Needed freedom
To drive business forward

Cultural Challenges
Frictions
Page 7 of 55

Resistance

Adapting to a New Way

Dev – Sec – Ops

Communication is the key

 Learn from leaders


 Teamwork
 Collaboration

 Daily Touchpoints
 Wikis, Blogs & Portal
 Messaging App
 Lunch & Learn

Opportunities to Communicate
Page 8 of 55

Velocity vs Quality Tradeoff

DevSecOps

 Succeed together
 Fail together

Changing behaviors & culture is funamental to success

BY 2018, 90 percent of infrastructure and operation organizations attempting to use DevOps without
specifically addressing their cultural foundation will fail.

Secuirty consideration are always at odds with those of Development and Operations. (False)

Ease of communication is essential in building a DevSecOps culture. Which of the following can
encourage better and more frequent communication between various groups?

 Establishing daily touchpoints


 Blogs
 Wikis
 Messaging apps for mobile devices
 Info sharing session such as lunch & learns

A Five-Step Approach: Gartner’s 5-Step Approach

1. Gap Analysis
2. Gain Consensus
Page 9 of 55

3. Small Focused Pilot


4. Incremental Deploy With Feedback Loops
5. Continual Improvments Over Time

Benefits of Culture Change

Results of Culture Change

 Greater satisfaction
 Higher performance
 Increased throughput
 Better outcomes
 Higher financial performance

Engaging Advocates and Champions

Secuirty champions:

 Act as voice of security


 Decide when to engage security team
 Participate in code reviews
 Participate in threat modeling exercises
 Help with QA, testing
 Assist in triaging security bugs

For Secuirty Champions:

 Application scurity skills not a key requirment


 Skills can be gained through traiining
 Developers can be good candidates

Achieving Business Goals

Cultural changes come in the form of integrating teams that historically have been disparate around a
single vision. Technical changes come with automating as much of the development, deployment and
operational environment as possible to more rapidly deliver high-quality and highly secure code.

Transformation & Cultural Change

Tremendous values and benefit

 Better retention of talent


 Ability to better respond to change
 Increased efficiency
 Savings from reduction of manual processes
 Reduction of software fixes late in lifecycle

Place the steps of Garter’s 5-Step Approach to Cultural Challenge in the correct order?
Page 10 of 55

1. Gap Analysis
2. Gain Consensus
3. Small Focused Pilot
4. Incremental Deploy With Feedback Loops
5. Continual Improvments Over Time

Culture of Collaboration and Contribution

 Teams must understand and accept that everyone has something to offer
 Everyone is responsible for security
 Goal = safely distributing security decisions

Measurements: Team Communication, Collaboration, Reporting, Significant Changes to Existing


Workflows & Processes

 Multiple teams
 Various technologies
 Various languages
 Code repositories
 Open source code libraries
 Sophisticated practice for CI/CD

 Threat modeling
Attack surface evaluation
 Static & dynamic analysis
 Penetration testing
 Fuzzy testing

Five Principles for Securing DevOps Continuous Integration / Continuous Delivery

 Automate Security In
 Integrate to Fail Quickly
 No False Alarms
 Build Security Champions
 Keep Operational Visibility

Automated invocation Security testing Comprehensive API


Page 11 of 55

1. Initiate
2. Control
3. Return Results
4. Productized support

Integrating Security CI/CD pipeline Application Security

 Testing happens with every release


 NOT entirely up to developer
 NOT a last step in the process

FAILED SECURITY TEST

 Train developers in secure coding


 A force multiplier
 Reduce culture conflict
 Embed app security knowledge into team

Application Security continues

Closed loop feedback

Security Incidents

Integrating Secuirty into DevOps

DEV-SEC-OPS

1. Team of advocates & champions


2. Positive results
3. Business goals
4. Successful transformation
5. Cultural change

DevSecOps Culture Change

1 Cultural Challenge

2 Frictions
Page 12 of 55

3 Resistances

Secuirty must be communicated: 1) as a core value 2) as a critical enabler

 Learn from leaders


 Teamwork
 Collaboration
 Knowledge Transfer

Asking questions – Finding ways to compromise – Considering alternatives

Gartner’s 5-Step Approach To Cultural Challenges

1. Gap Analysis
2. Gain Consensuses
3. Small, Focused Pilot
4. Incremental Deploy with Feedback Loops
5. Continual Improvements Over Time.

DevOps

Automation

 Required to scale
 Establishes consistency
 Enables confident iteration

Dev[Sec]Ops

People

 Working with them


 Working for them
 Building for them.

Actual Problem Ignored

Users are stupid

Devs are lazy

Vuln equals risk.

CAN YOU TALK LIKE A HACKER?

Shared Vocabulary Communication, Empathy, Threats


Page 13 of 55

Communication: Listen – Acknowledge – Repeat back

Empathy – Broaden understanding, Reconsider viewpoints, Improve solutions

Threats – Ambiguity, Erasure, Essential zing

 In this we discuss influencing a shift from traditional security to continuous security, applying sets
of security controls in the application and infrastructure layers of the DevOps Pipeline and how
AppSec Pipelines can be applied to an application security program utilizing the principles of
DevOps and Lean. 

 Influence a shift from traditional Security to Continuous Security
 Apply sets of security controls in the application and infrastructure layers of the DevOps Pipeline
while testing them continuously, in an automated manner.
 Discover how AppSec Pipelines take the principles of DevOps and Lean and apply that to an
application security program.

Implementing a Successful DevSecOps Program

Shifting to a Fast-Paced Environments

Training -> Requirments-> Design -> Development-> Testing-> Operation-> Response

DevOps practitioners believe the SDL model doesn’t fit the bill for fast-paced environments.

DevOps Pipelines

Development Teams

 Develop
 Test
 Release

Cloud Services

 Deploy and host


 Private clouds
 Public clouds

Continuous Integration

Continuous Integration

 Routinely integrating code changes


Page 14 of 55

 Testing changes
 Code integrated daily

Continuous Delivery

Continuous Delivery

Building software that can be released -- Cloud environment

Continuous Deployment
Page 15 of 55

Cloud Environments

Cloud Environments play a central role in DevOps

Cost reduction, rapid elasticity, flexibility

Infrastructure as code (IaC)

Knowledge Check

Continuous Integration: Routinely integrating code change into a repository and testing changes.

Continuous Delivery: Building software that can be released to a cloud environment at any time.

Continuous Deployment: Every change that passes all stages of production pipeline is released to
customers. Fully automated.

Cloud Environment: Enable cost reduction of operating infrastructure, rapid elasticity, flexibility.

Moving Faster – But at What Cost?


Page 16 of 55

Continuous Security

1. Plan
2. Code
3. Build
4. Test
5. Release
6. Deploy
7. Operate
8. Monitor
Page 17 of 55

Application Security:

Infrastructure Security
Page 18 of 55

Pipeline Security

Testing Continuously
Page 19 of 55

Test Driven Security (TDS)1, a term coined by Mozilla, is a similar approach to Test DrivenDevelopment
(TDD) which recommends developers to write tests that represent the desired behavior first, then write
the code that implements the tests.
TDS proposes the following:
•• The list of security controls should be established between the Security, Development and IT
Operations teams.
•• The Security teams must clearly state and document what is expected from the application. They are
responsible for organizing a Rapid Risk Assessment (RRA)2 with appropriate stakeholders when the
project is initiated to capture any potential business and technical risks. They also need to write in
conjunction with the Development teams the security tests that represent the desire behavior of the
application. Finally, they are responsible for establishing the tools to be used in the AppSec Pipeline with
the help from IT Ops that will test the software being developed for security vulnerabilities at different
stages of the DevOps Pipeline.
•• The Development teams implement the controls that have been tested by Security and address any
vulnerabilities identified in the AppSec Pipeline.
•• The IT Operations teams write the code/templates that build the infrastructure. They are also
responsible to setup the DevOps and AppSec Pipelines and ensure the corresponding tools are properly
installed and security hardened to prevent any hacks/data breaches

1. Source: Test Driven Security (TDS):


https://freecontent.manning.com/where-security-meets-devops-test-driven-security/
2. Rapid Risk Assessment (RRA):
https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html

AppSec Pipeline 1) Intake Process 2) Test 3) Triage 4) Deliver


Page 20 of 55

Integrating DevOps and AppSec

AppSec Pipeline Consistent process

Application Security Team


Page 21 of 55
Page 22 of 55

Which of the following choices are security controls in the application and infrastructure layers of DevOps
pipeline. 1) Application Security 2) Infrastructure Security 3) Pipeline Secuirty are the application and
infrastructure layers of a DevOps pipeline.

Put the four steps of an AppSec Pipeline in consecutive order: 1) Intake Process 2) Triage 3) Test 4)
Deliver

The test-driven security test will initially fail. True; It is expected that TDS test will initially fail. Once the
controls are implemented, the TDS tests will pass.

Monitoring and Key Performance Indicators

The value of a logging pipeline, importance of getting incident management right, utilizing KPIs to
measure performance.  

 Discover the value of using a logging pipeline to analyze usage and security incidents in real-
time.
   Analyze the importance of getting incident management right.
 Construct KPIs to measure the performance of a DevSecOps program.

DevSecOps – Integrating Security into DevOps


Page 23 of 55

https://www.csoonline.com/article/3132078/security/devopssec‐secdevops‐devsecops‐whats‐in‐a‐
name.html

The importance of Automation and Continuous Monitoring


 Automation
 Metrics
 Continuous Monitoring
 Insight into the types of traffic
 Application-level security metrics
 Patterns of malicious activity
 Stored in logs

The Logging Pipeline


The Logging pipeline
 Analyze usage
 Analyze security incidents
 DevOps teams may not know how to identify security breaches, hacking attempts
 Log Management tool
 Reading & parsing logs
 Distinguishing unauthorized activity

Element of a Logging Pipeline


Page 24 of 55

Element of a Logging Pipeline


Collect > Stream > Analyze > Store > Access

Collect: Log events are recorded from various components of the infrastructure.
Stream: Log records are captured and routed to the corresponding Layer.
Analyze; Log records are inspected in order to detect anomalies and raise alerts
Store: Log records are stored in short & long-term storage facilities.
Access: Log administrative console to access and review logs/alerts

Incident Management
1. Preparation: Incident response, Creating documentation, Building tools
2. Detection & Analysis: Analyzes symptoms, Decides next steps,
3. Containment Eradication & Recovery: Tries to contain incident, Recover, Restore data,
processes
4. Post-Incident Activity: Review incident Two goals: 1) Reduce probability of recurrence 2)
Improve incident handling procedures.

Managing Security Incidents

Detection & Analysis : Incident Handling Process

Blended Approach to Detection: Static, Synthetic, APM, Logging, Beware of alert fatigue
Business-focused Metrics: Mature DevSecOps teams, Business core metrics, Detect application health,
Expanded view, Additional inputs: social media, news feed
Data-driven Investigations: Mature DevSecOps teams, Clean observation, Testable hypotheses, Clear
success criteria, Iterative approach

Containment Eradication & Recovery

Actionable Alerts: Alerts require action, Delivery to appropriate person, Permission and ability to act
ChatOps for Communication: Common, Time-indexed, Searchable record of incidents, Useful records
Page 25 of 55

Runbooks for Remediation: Best runbooks explain: Metrics and alerts, Application or system roles,
Identify upstream and downstream dependencies, Identify an escalation point or Subject Matter Expert,
Enumerate know failure state or symptoms
Adopt Infrastructure as Code (IaC): Rebuilding a system or environment, Quick easy configuration

Post Incident Activity:


Keep Post-Mortems Actionable
Lose track of Ideas, Lose time to implement, Lose focus

Analysis phase is worthless if little or no action is taken


Lessons learned must be reflected in Incident Management Runbook

Key Performance Indicators (KPI)

 Metrics
 Language of cooperation
 Spoken in numbers
 Metrics for DevSecOps
 Choose the right metrics – Business needs, Compliance requirements

TERMS:
Availability: Amount of uptime/downtime in a given time period in accordance with the service-level
agreement (SLA)
Change Failure: Percentage of production deployments that failed.
Change Lead Time: Time between a code commit and production deployment of that code.
Change Volume: Number of user stories deployed in a given time frame
Customer Issues Resolution Time: Mean time to resolve a customer-reported issue
Customer Issue Volume: Number of issues reported by customers in a given time period
Detect Burn Rate: Amount of time to fix vulnerabilities an application.
Detect Density: The number of bugs identified divided by the codebase of an application
Deployment Frequency: Number of deployments to production in a given time frame
Logging Availabitlity: Amount of uptime/downtime of the logging pipeline in a given time period
Page 26 of 55

Mean Time Between Failures (MTBF): The amount of time that one failure and the next.
Mathematically, this is the sum of MTTF and MTTR, the total time required for a device to fail and that
failure to be repaired.
Mean Time to Failure (MTTF): Time that a system is online between outages or failures
Mean Time to Recovery (MTTR): Time between a failed production deployment to full restoration of
production operations.
Number of False Positives: The number of mistakenly flagged vulnerabilities for an application.
Number of Functional/Acceptance Tests: Number of automated functional acceptance test an
application.
Number of Passed/Failed Security Tests: Number of automated security tests for an application.
Number of Unit/Integration Test: Number of automated unit or integration test for an application
Security Benchmark Deviation: Deviation between security benchmarks applied to an image and
security benchmarks on an instaintated image.
Security Controls: Number of technical security controls partially or fully in place.
Test Coverage: Percentage of code that is covered by automated tests.
Time to Patch: Time between identification of vulnerability in platform or application and successful
production deployment of a patch.
Time to Value: Time between a feature requested (user story creation) and realization of business values
from that feature.

Vulnerability Patching Frequency: How often vulnerability patches are regularly deployed to production.
Vulnerability Patching Lead Time: Time between discovery of a new vulnerability (i.e. its publication) and
patching in productions.

Scoring Secuirty Testing

How to manage false positives in the DevSecOps pipeline


Score security testing
Assign security thresholds
 Low security threshold
 Development phase
Page 27 of 55

 70% most tests


 100% critical test
Raise threshold to 100% before going into production

 Adjust thresholds depending on pipeline


 And which products/test being used.

Result of Culture Change

1. Greater ratification
2. Higher Performance
3. Increased throughput
4. Better outcomes
5. Higher financial performance

Security Champions:

 Act as voice of security


 Decide when to engage security team
 Participate in code review
 Help with QA, testing
 Assist in triaging security bugs
 (Application Security skills is not a key requirement
 Skills can be gained through training
 Developers can be good candidates

Culture changes come in the form of integrating teams that historically have been disparate around a
single vision. Technical changes come with automating as much of the development, deployment, and
operational environemtn as possible to to more rapidly.

Successful

Transformation & Cultural Change

Tremendous value and benefit

1) Better retention of talent 2) Ability to better respond to change 3) Increased efficiency 4) Savings
from reduction of manual process 4) Reduction of software fixes late in life cycle.

For a successful DevSecOps program:

1) Influence the shift to Continuous Security


2) Apply security and test continuously
Page 28 of 55

3) Use AppSec Pipelines, using principles of DevOps and Lean

Training Requirements Design Development Testing Operation Response

Core Analyze Threat Specify tools Dynamic Response Response


training security and modeling and Fuzz plan execution
privacy risk Enforce banned testing
function Final
Define quality Attack Verify security
gates Surface Static analysis threat review
models/
attack Release
surface activity

Security Architecture Security Code Review Security Testing


and Design Review

The security Architecture and Design Review

The security teams look at: 1) Product requirements 2) Early designs 3) Add security based on threat
models 4) Architecture is reviewed 5) Security controls proposed.

Can the product withhold a simulated attack? 1) Manual testing 2) Automated tools

DevOps practitioners believe the SDL Model doesn’t fit the bill for the fast-pace envioronments.

Development Teams Cloud Services


Develop Deploy and host
Test Private clouds
Release Public cloud

Continuous Integration

 Routinely integrating code changes


 Testing changes
 Code integrated daily

Continuous Delivery

Build Software that can be released - Cloud environment

Continuous introgression software

oSs_64099
Page 29 of 55

Cloud Environments play a central role in DevOps

Cost reduction, rapid elasticity, flexibility

Infrastructure as code (IaC)


Page 30 of 55

Open Web Application Security Project (OWASP)

Top 10 most common risks

 OWASP Application Security Verification Standard


 Basis for testing
 Requirement for secure development

Cloud Security Alliance (CSA) CSA Security Guidance for Critical Areas of Focus in Cloud Computing

Industry-wide standards Practical, actionable roadmap

Treacherous 12 Cloud Computing Top Threats Fore adopting the cloud paradigm

https://www.oreilly.com/ideas/9-tips-for-a-more-secure-continuous-delivery-pipeline

 Test Driven Security (TDS)


 Similar to Test Driven Development (TDD)
 Write test that represent desired behavior
 Then write code that implements the t est
 Test will fail and that is expected
 Implement controls to pass TDS test
 Security teams
 Help Developers and IT Operation teams
 Implement controls

Monitoring and Key Performance Indicator


Page 31 of 55

1. Metrics
2. Continuous Monitoring
3. Insight into the types of traffic
4. Application-level security metrics
5. Patterns of malicious activity
6. Stored logs

Loggin pipeline

1) Analyze usage
2) Analyze security incidents

Log management tools  Reading & parsing logs  Distinguishing unauthorized activity

TERMS: DEFINITION
Availability: Amount of uptime/downtime in a given time period, in accordance with the SLA.
Change Failure: Percentage of production deployments that failed.
Change Lead Time: Time between a code commit and production deployment of that code.
Change Volume: Number of user stories deployed in a given time frame.
Customer Issue Resolution Time: Mean time to resolve a customer-reported issue.
Customer Issue Volume: Number of issues reported by customers in a given time period.
Defect Burn Rate: Amount of time to fix vulnerabilities in an application.
Defect Density: The number of bugs identified divided by the codebase of an application.
Deployment Frequency; Number of deployments to production in a given time frame.
Logging Availability: Amount of uptime/downtime of the logging pipeline in a given time period.
Mean Time Between Failures (MTBF): The amount of time that elapses between one failure and the next.
Mathematically, this is the sum of MTTF and MTTR, the total time required for a device to fail and that
failure to be repaired.
Mean Time to Failure (MTTF): Time that a system is online between outages or failures.
Mean Time to Recovery (MTTR): Time between a failed production deployment to full restoration of
production operations.
Number of False Positives: The number of mistakenly flagged vulnerabilities for an application.
Number of Functional/Acceptance Tests: Number of automated functional or acceptance tests for an
application.
Number of Passed/Failed Security Tests: Number of automated security tests for an application.
Key Performance Indicators
Number of Unit/Integration Tests: Number of automated unit or integration tests for an
Page 32 of 55

application.
Security Benchmark Deviation: Deviation between security benchmarks applied to an image and security
benchmarks on an instantiated image.
Security Controls: Number of technical security controls partially or fully in place.
Test Coverage: Percentage of code that is covered by automated tests.
Time to Patch: Time between identification of a vulnerability in the platform or application and successful
production deployment of a patch.
Time to Value: Time between a feature request (user story creation) and realization of business value
from that feature.
Vulnerability Patching Frequency: How often vulnerability patches are regularly deployed to production.
Vulnerability Patching Lead Time: Time between discovery of a new vulnerability (i.e., its publication) and
patching in production Test Driven Security (TDS)1, a term coined by Mozilla, is a similar approach to
Test Driven Development (TDD) which recommends developers to write tests that represent the desired
behavior first, then write the code that implements the tests.

TDS proposes the following:


•• The list of security controls should be established between the Security, Development and IT
Operations teams.
•• The Security teams must clearly state and document what is expected from the application. They are
responsible for organizing a Rapid Risk Assessment (RRA)2 with appropriate stakeholders when the
project is initiated to capture any potential business and technical risks. They also need to write in
conjunction with the Development teams the security tests that represent the desire behavior of the
application. Finally, they are responsible for establishing the tools to be used in the AppSec Pipeline with
the help from IT Ops that will test the software being developed for security vulnerabilities at different
stages of the DevOps Pipeline.
•• The Development teams implement the controls that have been tested by Security and address any
vulnerabilities identified in the AppSec Pipeline.
•• The IT Operations teams write the code/templates that build the infrastructure. They are also
responsible to setup the DevOps and AppSec Pipelines and ensure the corresponding tools are properly
installed and security hardened to prevent any hacks/data breaches

https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html

https://freecontent.manning.com/where-security-meets-devops-test-driven-security/

1. Microsoft SDL: https://blogs.technet.microsoft.com/voy/2013/06/10/security-series-2-howto-


bake-security-in-products-and-services-sdl/

2. STRIDE: https://en.wikipedia.org/wiki/STRIDE_(security)
3. Waterfall Model: https://en.wikipedia.org/wiki/Waterfall_model
4. Test Driven Security (TDS):
https://freecontent.manning.com/where-security-meets-devops-test-driven-security/
5. Rapid Risk Assessment (RRA):
https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html
6. OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
7. OWASP ASVS: https://www.owasp.org/index.php/Category:OWASP_Application_Security_
Verification_Standard_Project
8. 9 tips for a more secure continuous delivery pipeline: https://www.oreilly.com/ideas/9-tips-for-amore-
secure-continuous-delivery-pipeline
9. CSA Treacherous 12: https://downloads.cloudsecurityalliance.org/assets/research/top-threats/
Treacherous-12_Cloud-Computing_Top-Threats.pdf
10. CSA Security Guidance for Critical Areas of Focus in Cloud Computing:
https://cloudsecurityalliance.org/download/security-guidance-v4/
Page 33 of 55

11. Continuous Delivery vs Continuous Deployment:


https://www.atlassian.com/continuous-delivery/ci-vs-ci-vs-cd0
12. OWASP AppSec Pipeline: https://www.owasp.org/index.php/OWASP_AppSec_Pipeline

1) Intake Process: Customer request application security service DAST, SAST, manual assessment
2) Triage: Determination mad for applying requested services
3) Test: The heart of pipeline where AppSec tools feed result into repository and check for false
positive
4) Deliver: Result are distributed to appropriated parties. Defects are tracked. Metrics
summarized.

AppSec Pipeline = DevOps + Lean

Application Security

Iterative improvement

Ability to grow in functionality over time

Greates pain point

Work on reusable path

Elements of a Logging Pipeline


Page 34 of 55

Collect Stream Analyze Store Access


Log events are Log records Log records Log records Log
recorded from are captured are inspected are stored in administrative
various and routed to in order to short & long- console to
components of the detect term storage access and
the corresponding anomalies and facilites review
Infrastructure layer raise alerts logs/alerts

Preparation Detection & Analysis Containment Post-incident Activity


Eradication & Recovery

Incident response Analyzes symptoms Tries to contain incident Review incident Two
goals:
Creating documentation Decides next steps Recover 1. Reduce
probability of
recurrences
Building

Restore Data, process 2. Improve


handling
procedures

Blended Approach to Detection Business-focused Metrics Data-driven Investigations


Static Mature DevSecOps teams Mature DevSecOps teams
Synthetic Business core metrics Clean observation
APM Detect application health Testable hypotheses
Logging Expanded view Clear success criteria
Beware of alert fatigure Additional inputs: social media, Iterative approach
news feed

Actionable Alerts Alerts require actions

Delivery to appropriate person

Permission and ability to act


ChatOps for Communication
Runbooks for Remediation’s
Adopt Infrastructure as Code (IaC)

Post-Incident Activity

Keep Post-Mortems Actionable


Page 35 of 55

Lose track of ideas

Lose time to implement

Lose focus

Analysis phases is worthless if little or no action is taken

Lessons learned must be reflected in Incident Management Runbook

Metrics Language of Spoken in Metrics for Choose the right


cooperation numbers DevSecOps metrics
Business needs

Compliance
requirements

Code stays secure Low security threshold


Development phase
But process is agile 70% most tests
100% critical tests

Raise threshold to 100% before going into production

Adjust threshold depending on pipeline

And which products/tests are being used


Into pipeline

When we say “shifting security to the left” we mean:

Question 1 options:

To introduce security practices as early as possible

To move security from a conservative to liberal perspective

To leverage frameworks and libraries

To introduce security practices later in development


Page 36 of 55

1 2979 4399 2 oSs_64100

A widely-accepted principle of security among practitioners is that security is a shared responsibility


among many stakeholders

Question 2 options:

True

False

True 1 2901 4316 3 oSs_64101

Agile and DevOps are one and the same.

Question 3 options:

True

False

oSs_64102

Which of the following describes the percentage of production deployments that failed?

Question 4 options:

Change volume

Change failure

Test coverage

Defect Burn Rate

Availability

The amount of uptime/downtime of the logging pipeline in a given time period is called:

Question 5 options:

Change Lead Time


Page 37 of 55

Mean Time Between Failures (MTBF)

Logging Availability

Security Benchmark Deviation

oSs_64104

Which of the following is an effective enabler of DevOps because it focuses on small teams continually
delivering high quality code to customers.

Question 6 options:

Waterfall

 Agile

Structured development methodologies

Service-oriented architecture

Routinely integrating code change into a repository and testing the changes is called:

Question 7 options:

Continuous integration

Continuous delivery

Continuous deployment

Cloud environment

Agile and DevOps each has its own set of objectives and methods of achieving its goals.

Question 8 options:

True

False
Page 38 of 55

oSs_64107

Building software that can be released to a cloud environment at any time is called:

Question 9 options:

Continuous integration

Continuous delivery

Continuous deployment

Cloud environment

oSs_64108

The duties of a security champion include which of the following:

Question 10 options:

Acting as the voice of security

Deciding when to engage the security team

Organizing code reviews

Helping with Quality Assurance

Question 11 (1 point)

The test-driven security tests will initially fail.

True

False

Which of the following is the latest approach to driving DevOps?

Question 12 options:

Embracing structured development methodologies since software became larger and more
complex
Page 39 of 55

Embracing service-oriented architecture to overcome the interoperability and reusability challenges

Embracing the waterfall model to meeting the needs of evolving business requirements

Removing much of the latency that has existed for years around software development through
automation.

Question 13 (1 point)

oSs_64111

True or False: A continuous-delivery tool chain can be an attack target itself.

Question 13 options:

True

False

The time between a feature request and the realization of business value from that feature is called:

Question 14 options:

Deployment Frequency

Mean Time to Recovery (MTTR)

Customer Issue Volume

Time to Value

oSs_64113

Which of the following choices are security controls in the application and infrastructure layers of a
DevOps pipeline? Choose three:

Question 15 options:

Application Security

CSA Security
Page 40 of 55

TSA Security

Infrastructure Security

Pipeline Security

Test-driven Security

Securing a continuous delivery pipeline may involve which of the following? Select all that apply:

Question 16 options:

Strong access control across the entire toolchain and access audits

Hardening various systems

Protecting credentials, keys, and other secrets

Protecting (i.e. digitally signing) binaries and other build artifacts against tamper, etc.

Creating a culture conducive to successful DevOps practices requires which of the following? Select all
that apply:

Question 17 options:

Security awareness

Training

Abandoning software threat modeling

Avoiding application penetration testing

DevOps teams rely on a variety of tools to help them deploy code faster. Which of the following types of
tools are used by DevOps teams for that purpose? Select all that apply:

Question 18 options:

Continuous integration tools to ensure that every code change results in a new product build
Page 41 of 55

Configuration management tools to define the server infrastructure as code

Software application threat modeling tools to identify threats to the software

Automated test tools to verify code quality and provide quick feedback

A successful implementation of DevSecOps will require which of the following? Select all that apply

Question 19 options:

Elimination of silos

Promotion of collaboration and teamwork

Cross-training teams so that vulnerabilities can be identified early

All the above

DevOps allows an organization to increase its ability to deliver applications and services at high velocity.

Question 20 options:

True

False

What are the five principles for securing DevOps? Select all five principles:

Question 21 options:

Automate security in

Integrate to fail quickly

Thoroughly test each patch

Measure twice, cut once

No false alarms
Page 42 of 55

Build security champions

Keep operational viability

oSs_64120

Which of the following is true about security champions? Select all that apply:

Question 22 option

They must be able to code

They may help make decisions about when to engage the security team

They may act as the voice of security for a given product or team

They may assist in the triage of security bugs for their team or area

Which of the following is a correct statement in the context of a successful DevSecOps implementation?
Select all that apply:

Question 23 options:

Extensive additional automation may be required

Establishing a culture of openness and collaboration is a requisite

Adopting DevSecOps always results in reduced development costs for a software project

Investments in culture change will enhance communication and collaboration between


development, security, and operations, which in turn, could positively impact other areas such as
processes

oSs_64122

Below are the four steps of an AppSec pipeline. Which one shows the steps in the correct order?

Question 24 options:

Triage, Intake Process, Deliver, Test


Page 43 of 55

Test, Intake Process, Triage, Deliver

ntake Process, Triage, Deliver, Test

Intake Process, Triage, Test, Deliver

Which KPI measures the amount of time between identification of a vulnerability in the platform or
application and successful production deployment of a patch?

Question 25 options:

Vulnerability Patching Frequency

Vulnerability Patching Lead Time

Time to Patch

Mean Time to Failure (MTTF)

Customer Issue Resolution Time

Which of the following enables cost reduction of operating infrastructure, rapid elasticity, and flexibility?

Question 26 options:

Continuous integration

Continuous delivery

Continuous deployment

Cloud environment

Which KPI measures the number of automated security tests for an application?

Question 27 options:

Security Controls

Customer Issue Volume


Page 44 of 55

Number of Passed/Failed Security Tests

Defect Density

Number of False Positives

Cloud environments play a central role in DevOps by enabling which of the following? Select all that
apply:

Question 28 options:

Communication tools

Cost reduction of operating infrastructure

Rapid elasticity

Flexibility

Automated archiving

Which KPI reveals the company’s ability to react faster to threats?

Question 29 options:

Mean time to failure

Time to value

Defect density

Vulnerability patching lead time

, Company K had adopted Infrastructure as Code, which


IaC calls for managing and provisioning resources through which of the following?

Question 30 options:

Machine-readable definition files


Page 45 of 55

Physical hardware configuration

Interactive configuration tools

Quiz

Top of Form

-1881508120650 7169

5964 78436 1 0

false 0 30

oSs_64099
Question 1 

When shifting from a DevOps to DevSecOps workflow, a company must always embed a SME from
security into the development and operations teams.

Question 1 options:

True

False

Question 2

Ease of communication is essential in building a DevSecOps culture. Which of the following can
encourage better and more frequent communication between various groups? Select all that apply:

Question 2 options:

Establishing daily touchpoints

Wikis

Finger pointing

Name calling

Blogs
Page 46 of 55

Messaging apps for mobile devices

Managers who are uncomfortable with change

Info sharing sessions such as lunch & learns

Question 3

 DevSecOps attempts to bridge the gap between ________ and _________.

Question 3 options:

Security and Agility

Speed and Agility

Integration and Delivery

Theory and Application

Question 4

 What would an organization choose to move from a traditional SDLC structure to a DevOps structure?
Select all that apply.

Question 4 options:

Because regulations and privacy laws are forcing them to change their SDLC.

Because DevOps places more emphasis on software security than traditional SDLC.

Because they need to deliver high-quality software updates more frequently.

Because they need to deliver updates more reliably, in a cost-effective manner.

I wouldn’t advise the change. They should stick with traditional SDLC.

Question 5

Which of the following KPIs communicates to management how a DevSecOps workflow results in higher
customer satisfaction?

Question 5 options:
Page 47 of 55

Change failure

Test coverage

Customer issue resolution time

Logging availability

6
Question 6

oSs_64104

The Benefits of a successful implementation of DevOps include which of the following:

Question 6 options:

Streamlining of processes

Accelerated pace of interactions between the Development and Operations teams

 Increased level of automation

All the above

Question 7

oSs_64105

Agile and DevOps each has its own set of objectives and methods of achieving its goals.

Question 7 options:

True

False

Question 8

8 oSs_64106
 

Which of the following KPIs could indicate an overall increase in the speed of the software development
life cycle?
Page 48 of 55

Question 8 options:

Deployment frequency

Change failure

Security benchmark deviation

Question 9

oSs_64107

What would be the primary reason for an organization to transition from DevOps to DevSecOps at this
point?

Question 9 options:

To bring the development team up to speed with the latest on application security

To teach software developers how to think like attackersa

To bridge the gap between DevOps and security

To drive further automation across the environment

Question 10

Place the steps of Garter’s 5-Step Approach to Cultural Challenges in the correct order:

Question 10 options:

Continual Improvements Over Time

Small, Focused Pilot

Gain Consensus

Incremental Deploy with Feedback Loops

Gap Analysis

Question 11
Page 49 of 55

oSs_64109

The amount of uptime/downtime of the logging pipeline in a given time period is called:

Question 11 options:

Change Lead Time

Mean Time Between Failures (MTBF)

Logging Availability

Security Benchmark Deviation

12

Agile and DevOps are one and the same.

Question 12 options:

True

False

Question 13

2903 4318 13 oSs_64111


  Which of the following is an effective
enabler of DevOps because it focuses on small teams continually delivering high quality code to
customers.

Question 13 options:

Waterfall

 Agile

Structured development methodologies

Service-oriented architecture

14
Question 14
Page 50 of 55

Which of the following basic KPIs expresses ROI to management?

Question 14 options:

Number of false positives

Security benchmark deviation

Availability

Time to patch

Question 15

15 oSs_64113
 

When we say “shifting security to the left” we mean:

Question 15 options:

To introduce security practices as early as possible

To move security from a conservative to liberal perspective

To leverage frameworks and libraries

To introduce security practices later in development

Question 16 

A widely-accepted principle of security among practitioners is that security is a shared responsibility


among many stakeholders

Question 16 options:

True

False

Question 17

The test-driven security tests will initially fail.

Question 17 options:
Page 51 of 55

True

False

Question 18

Building software that can be released to a cloud environment at any time is called:

Question 18 options:

Continuous integration

Continuous delivery

Continuous deployment

Cloud environment

oSs_64117
Question 19

Security considerations are always at odds with those of Development and Operations.

Question 19 options:

True

False

oSs_64118
Question 20 

The duties of a security champion include which of the following:

Question 20 options:

Acting as the voice of security

Deciding when to engage the security team

Organizing code reviews

Helping with Quality Assurance


Page 52 of 55

21 oSs_64119
Question 21 

Which of the following describes the percentage of production deployments that failed?

Question 21 options:

Change volume

Change failure

Test coverage

Defect Burn Rate

Availability

Question 22

 Routinely integrating code change into a repository and testing the changes is called:

Question 22 options:

Continuous integration

Continuous delivery

Continuous deployment

Cloud environment

oSs_64121
Question 23

True or False: A continuous-delivery tool chain can be an attack target itself.

Question 23 options:

True

False

oSs_64122
Question 24
Page 53 of 55

Securing a continuous delivery pipeline may involve which of the following? Select all that apply:

Question 24 options:

Strong access control across the entire toolchain and access audits

Hardening various systems

Protecting credentials, keys, and other secrets

Protecting (i.e. digitally signing) binaries and other build artifacts against tamper, etc.

Question 25 (1 point)

oSs_64123

Which KPI measures the amount of time between identification of a vulnerability in the platform or
application and successful production deployment of a patch?

Question 25 options:

Vulnerability Patching Frequency

Vulnerability Patching Lead Time

Time to Patch

Mean Time to Failure (MTTF)

Customer Issue Resolution Time

Question 26

Which KPI measures the number of automated security tests for an application?

Question 26 options:

Security Controls

Customer Issue Volume

Number of Passed/Failed Security Tests


Page 54 of 55

Defect Density

Number of False Positives

oSs_64125
Question 27

Which KPI reveals the company’s ability to react faster to threats?

Question 27 options:

Mean time to failure

Time to value

Defect density

Vulnerability patching lead time

Question 28

28 oSs_64126
  Below are the four steps of an AppSec pipeline. Which one shows the
steps in the correct order?

Question 28 options:

Triage, Intake Process, Deliver, Test

Test, Intake Process, Triage, Deliver

ntake Process, Triage, Deliver, Test

Intake Process, Triage, Test, Deliver

Question 29

oSs_64127

DevOps teams rely on a variety of tools to help them deploy code faster. Which of the following types of
tools are used by DevOps teams for that purpose? Select all that apply:

Question 29 options:
Page 55 of 55

Continuous integration tools to ensure that every code change results in a new product build

Configuration management tools to define the server infrastructure as code

Software application threat modeling tools to identify threats to the software

Automated test tools to verify code quality and provide quick feedback

Question 30

Which of the following enables cost reduction of operating infrastructure, rapid elasticity, and flexibility?

Question 30 options:

Continuous integration

Continuous delivery

Continuous deployment

Cloud environment

You might also like