Manual DevSecOPS

The document outlines the DevSecOps Foundation course, detailing its goals, content, and structure. It emphasizes the importance of integrating security into the DevOps process and includes references to Bloom's Taxonomy for learning objectives. Additionally, it highlights the role of the DevOps Institute in advancing DevOps practices and offers insights into the evolution and principles of DevSecOps.

DEVSECOPS FOUNDATION

©DevOps Institute unless otherwise stated

Licensed For Use Only By: NagaPavan Kurapati pavan92002@gmail.com Mar 16 2021 12:22PM

Tell Us a Little About Yourself

• Please let us know who you are:
• Name, organization and role
• Cybersecurity experience
• DevOps experience
• Why you are attending this course
• What you expect to learn

What is your definition or perception of DevSecOps?

DevSecOps Foundation Course Goals

• Learn about DevSecOps
• Understand its core vocabulary, principles, practices and automation
• Hear and share real life scenarios
• Have fun!

Pass the DevSecOps Foundation Exam
• 40 multiple choice questions
• 60 minutes
• 65% is passing
• Accredited by DevOps Institute
• Get your digital badge

About Bloom’s Taxonomy

Bloom’s Taxonomy is used to categorize learning objectives and, from there, assess learning achievements.

Figure: the Bloom’s Taxonomy pyramid, from top to base: 6. Evaluation, 5. Synthesis, 4. Analysis, 3. Application, 2. Comprehension, 1. Knowledge. The DevSecOps Foundation course is marked against the lower levels of the pyramid (Comprehension and Knowledge).

About DevOps Institute

DevOps Institute is dedicated to advancing the human elements of DevOps success. As a global member association, DevOps Institute is the go-to hub connecting IT practitioners, industry thought leaders, talent acquisition, business executives and education partners to help pave the way to support digital transformation and the New IT.

DevOps Institute helps advance careers and professional development within the DevOps community through recognized certifications, research and thought leadership, events and the fastest-growing DevOps member community.

DevSecOps Foundation Course Content

Day 1
• Hello! Course & Class Welcome
• Module 1: Realizing DevSecOps Outcomes
• Module 2: Defining the Cyberthreat Landscape
• Module 3: Building a Responsive DevSecOps Model
• Module 4: Integrating DevSecOps Stakeholders
• Sample Examination Review

Day 2
• Warming Up Game
• Module 5: Establishing DevSecOps Practices
• Module 6: Best Practices to Get Started
• Module 7: DevOps Pipelines and Continuous Compliance
• Module 8: Learning Using Outcomes
• Examination Time

Module 1
REALIZING DEVSECOPS OUTCOMES

Module 1: Realizing DevSecOps Outcomes

• Origins of DevOps
• Evolution of DevSecOps
• Other Frameworks
• CALMS
• The Three Ways

Module 1 Content
• Video: DevSecOps: What is It? Why is It Taking Over Security?
• Case Story: Aetna
• Discussion: Does security slow us down?
• Exercise: Understanding and influencing an organization

The Origins and Evolution of DevOps

The Dawn of DevOps

• ‘10+ Deploys a Day at Flickr’
• #devopsdays
• “Agile system infrastructure”

Figure: Patrick Debois, John Allspaw, Paul Hammond and Andrew Clay Shafer.

DevSecOps Manifestos

Goal: Safely distributed security decisions at speed and scale

“I believe the DevOps movement is a new fertile soil from which the build-security-in concept can be reborn, renamed, and remade.” Larry Maccherone

VALUES
• Build security in more than bolt it on
• Rely on empowered development teams more than security specialists
• Implement features securely more than security features
• Use tools as feedback for learning more than end-of-phase stage gates
• Build on culture change more than policy enforcement

“Through Security as Code, we have and will learn that there is simply a better way for security practitioners, like us, to operate and contribute value with less friction. We know we must adapt our ways quickly and foster innovation to ensure data security and privacy issues are not left behind because we were too slow to change.”

DevSecOps Research

DevSecOps in the DevOps Handbook

Chapter 22: Information Security as Everyone’s Job, Every Day
Chapter 23: Protecting the Deployment Pipeline, and Integrating into Change Management and Other Security and Compliance Controls

• Integrate security into development iteration demonstrations
• Integrate security into defect tracking and post-mortems
• Integrate preventative security controls into shared source code repositories and shared services
• Integrate security into the deployment pipeline
• Ensure security of the application
• Ensure security of the software supply chain
• Ensure security of the environment
• Integrate information security into production telemetry

DISCUSSION
Does security slow us down?

CASE STORY: Aetna

“You can’t build a house without a solid foundation. If you look at DevOps and your build and deployment pipelines, your toolsets, your automation and your culture, they are all part of you building a foundation. Choosing and applying your security programme to any existing SDLC should just be like busting out a few holes in your walls and your roof and installing some skylights and windows.”

“DevOps is an unprecedented opportunity for security. DevOps breaks the chain of waterfalls.”

Benefits
• Productivity gain of 20-50% through security defect reduction
• Testing for security at multiple points in the SDLC
• SAST, DAST and IAST tooling for automated tests

DJ Schleen, Security Architect

CALMS

CALMS & DEVSECOPS

CULTURE: All technology teams have accountability for security; security is everybody’s job. All understand the end-to-end system and collaborate regularly to create trust.

AUTOMATION: Automation helps assure security through the strategic codifying, orchestration and automation of tasks and processes that introduce security vulnerabilities when done manually, and wherever automation can enhance security practices.

LEAN: Security is not a constraint in the value stream and teams aren’t waiting for security activities to happen – flow is optimized. Work is visible through shared backlogs.

MEASUREMENT: Cost of breach is understood, business and attack metrics are shared and a value stream centric approach is followed to optimize cycle time and ensure no delays caused by security.

SHARING: Security and software engineers cross-skill and collaborate to automate knowledge. Stories are shared through wikis, standups and on a day to day basis.

Module 1: Exploring DevOps

Video: ‘DevSecOps: What is it? Why is it taking over security?’ with Shannon Lietz (19:18)
https://youtu.be/o7-IuYS0iSE

THE THREE WAYS

The Three Ways

FLOW: Ensure that security is not a constraint in the flow of work – shift security testing as far left as possible and automate. Use pre-blessed security libraries, think like a value stream and create mutual accountability.

FEEDBACK: Ensure fast feedback by automating security testing, including security early in the process, including them in product demos and creating a continuous peer-to-peer conversation. Use telemetry and observability.

CONTINUOUS EXPERIMENTATION & LEARNING: Ensure the security people and software engineers are cross-skilling. Allocate time for them to sit and work together to learn from each other. Encourage the documenting and sharing of experiences – good and bad.

Other Frameworks

Scrum in a Nutshell

Scrum = 3 Roles + 3 Artifacts + 5 Events

Roles: Development Team, Product Owner, Scrum Master
Artifacts: Product Backlog, Sprint Backlog, Increment
Events: Release Planning Meeting (Optional), Sprint Planning Meeting (4-8 hours), Daily Scrum (15 minutes), Sprint Review (2-4 hours), Sprint Retrospective (1.5-3 hours)

The Sprint lasts 2-4 weeks, with a Daily Scrum every 24 hours. No changes allowed during the Sprint! Scrum is based on timeboxed iterations.

Where do security people get involved?

Agile at Scale

• SAFe
• LeSS

IT Service Management

“Security Officer’s role shifts from specifying requirements and monitoring performance, to enabling practitioners to address security concerns.”
AXELOS®, ITIL® High Velocity IT Manual®

AXELOS®, ITIL® and IT Infrastructure Library® are registered trademarks of AXELOS Limited.

Lean and Value Stream Thinking

• Lean aims to remove waste and elevate the customer
• It makes work visible
• Value stream thinking starts with the idea and tracks it until its value is realized
• The key metric is cycle time
• Value Stream Mapping is a lean tool that helps identify constraints
• Value Stream Management tools facilitate ongoing inspection and adaptation

In DevSecOps we use lean and value stream thinking to ensure that security is not causing waste or delays in the cycle time – that it’s not a constraint and is not interrupting flow.

EXERCISE
Understanding and influencing an organization

Safety Culture

“A culture where employees can tell the boss bad news.” Dr. Sidney Dekker

• The collection of beliefs, perceptions and values that employees share in relation to risks within an organization
• Part of organizational culture
• The premise that incidents are a result of a breakdown in an organization’s policies and procedures that were established to deal with safety, and that the breakdown flows from inadequate attention being paid to safety issues
• Safety culture can be promoted by leadership commitment to safety and continuous organisational learning

SRE and Resilience Engineering

Site Reliability Engineering
• “What happens when a software engineer is tasked with what used to be called operations.” Ben Treynor, Google
• Goals are to create ultra-scalable and highly reliable software systems
• 50% of their time doing "ops" related work such as issues, on-call, and manual intervention
• 50% of their time on development tasks such as new features, scaling or automation
• SRE and DevOps share the same foundational principles

Resilience Engineering
• The intrinsic ability of a system to adjust its functioning prior to, during, or following changes and disturbances, so that it can sustain required operations under both expected and unexpected conditions
• Resilience engineering looks at how the organization functions as a whole
• The best defense is a good offense
• Take an aggressive, blameless and systemic view post incident
• Consider both human and technical elements
• Systems must be stronger than their weakest link, recovering quickly and learning fast

DevSecOps Outcomes

• Better value sooner faster safer happier
• Build security in
• The Three Ways: Flow, Feedback, Continuous Experimentation and Learning
• Agile: Transparency, inspection, adaptation
• Lean: waste removal, flow optimization, customer focus
• ITSM: Operations are predictable
• Safety culture: incidents are learning
• Higher performing organizations

How are these outcomes different from DevOps outcomes?

Module One Quiz

1. When did the State of Agile Report start collecting data on agile at scale framework adoption?
a) 2001
b) 2005
c) 2010
d) 2015

2. Which ITIL4® manual is concerned with DevOps?
a) ITIL 4 Specialist Create, Deliver and Support
b) ITIL 4 Specialist Drive Stakeholder Value
c) ITIL 4 Specialist High-velocity IT
d) ITIL 4 Strategist Direct, Plan and Improve

3. What level of productivity gain did Aetna make through the adoption of DevSecOps practices?
a) 1-5%
b) 5-10%
c) 20-50%
d) 80-90%

4. How many times less are grumpy developers informed of application security issues by rumor?
a) 1.3x
b) 1.8x
c) 3.3x
d) 3.8x

5. Who started the Safety Culture movement?
a) Andrew J Shafer
b) Patrick Debois
c) Dr. Sidney Dekker
d) John Allspaw

Module 2
DEFINING THE CYBERTHREAT LANDSCAPE

Module 2: Defining the Cyberthreat Landscape (CTL)

• Storytime and Outcomes
• What is the Cyber Threat Landscape?
• What is the threat?
• What do we protect from?
• What do we protect, and why?
• How do I talk to security?

Module 2 Content
• Video: The Industrial Cyberthreat Landscape
• Case Story: Maersk
• Discussion: What does Secure mean?
• Exercise: EoP Card Game

Video: ‘The Industrial Cyberthreat Landscape: 2019 Year in Review’ with Robert M Lee (09:16)
https://youtu.be/uTEL8Ff1Zvk

Outcomes

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

• Goal: Understand threat to evaluate risk
• Goal: Support DevSecOps risk/threat conversations
• Goal: Understand human, process and technical security aspects

TTPs
Tactics, techniques and procedures (TTPs) describe how threat agents orchestrate and manage attacks. “Tactics” is also sometimes called “tools” in the acronym.

Blanc Brothers

• First telegraph was optical
• Semaphore
• Based on flag signaling
• First reported hack
• 1834 – Francois and Joseph Blanc
• Injected symbol to reflect whether stock was up or down
• Copied via binoculars, human messenger ahead of post schedule
• Similar to SQL Injection
• Goal: Support DevSecOps risk/threat conversations
• Not having a conversation about vulnerabilities created gaps
• Have to understand system goals (Faster than horse)

WannaCry and Marcus Hutchins

• A ransomware attack in May 2017
• A cryptoworm demanded Bitcoin payments
• Worldwide propagated by EternalBlue
• Exploited older Microsoft Windows OS
• 200,000 computers impacted across 150 countries
• Unpatched computers affected
• Hacker turned White Hat, Marcus Hutchins discovered ‘kill-switch’
• Goal: Support DevSecOps updates
• Ensuring patches are maintained

DISCUSSION
What do you mean when you say "secure"?

Cybersecurity Forecasts

What is the CTL?

• Threat – Any person or thing judged likely to cause damage/danger to your DevOps practices
• Cyber (NDAA- FY2015): “Independent network of information technology infrastructure and includes the internet, telecommunications networks, computer systems, and embedded processes and controllers”

Figure: breach statistics
• 45% of breaches use hacking
• 56% compromised personal data
• 70% caused by external actors
• 22% used social attacks
• 72% were large businesses
• 28% small businesses
• 43% feature web apps
• 59% from organized criminal groups
• 30% from internal actors
• 86% financially motivated

Risks and Vulnerabilities

• Threat = Risk * Vulnerability
• What is your Risk?
• What are your Vulnerabilities?
• How do you consider potential threat impacts?
  • Probability
  • Intent
  • Capability
• Can't I just buy insurance?
  • Mondelez vs. Zurich American for $100M NotPetya Damages
  • Filed in Oct 2018, Still Pre-trial

Threat Models

Optimize network security by identifying objectives and vulnerabilities, before defining countermeasures

STRIDE
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege
Built by Microsoft, no longer supported

DREAD
• Damage
• Reproducibility
• Exploitability
• Affected Users
• Discoverability
Built by Microsoft

OCTAVE
• Operationally Critical Threat, Asset, and Vulnerability Evaluation
Assesses organizational risk. Build profile, ID infrastructure, develop strategy

Do you know of any other models?

STRIDE Threat Model

Threat | Property Violated | Threat Definition
S Spoofing identity | Authentication | Pretending to be something or someone other than yourself
T Tampering with data | Integrity | Modifying something on disk, network, memory or elsewhere
R Repudiation | Non-repudiation | Claiming that you didn’t do something or were not responsible; can be honest or false
I Information disclosure | Confidentiality | Providing information to someone not authorized to access it
D Denial of service | Availability | Exhausting resources needed to provide service
E Elevation of privilege | Authorization | Allowing someone to do something they are not authorized to do

MITRE ATT&CK®

• Tactical Threat Models
• Attack Tree
• ATT&CK – Adversarial Tactics, Techniques, and Common Knowledge

ATT&CK tactics:
• Initial access
• Execution
• Persistence
• Privilege Escalation
• Defense evasion
• Credential Access
• Discovery
• Lateral Movement
• Collection
• Command and Control
• Exfiltration
• Impact

EXERCISE
Elevation of Privilege Threat Modeling Game

Who Do We Protect From?

• What could happen?
  • National threat reports (ENISA)
  • Corporate threat reports (DBIR)
  • Localized intelligence
• What are the biggest holes?
  • Published common flaws (OWASP)
  • Vulnerability studies (CVE)
  • Bug Bounty
  • Scans
  • Cyber Threat Intelligence Providers

Figures: OWASP Top Ten; EU Agency for Cybersecurity threat ranking:
1 Malware
2 Web Based Attacks
3 Web Application Attacks
4 Phishing
5 Denial of Service
6 Spam
7 Botnets
8 Data Breaches
9 Insider Threat
10 Physical Manipulation/Damage/Loss/Theft
11 Information Leakage
12 Identity Theft
13 Cryptojacking
14 Ransomware
15 Cyber Espionage

Threat Actors

Intruders/Attackers
• State (China, Russia, USA)
• Non-state (Syrian Electronic Army)
• Criminal (Mafia, Sandworm)
• Hacktivist (Anonymous)

Defenders
• State (China, Russia, USA)
• Corporate (Managed Security Service Provider (MSSP))
• Non-state (Citizen)

Actions
• Espionage (Steal it)
• Sabotage (Break it)
• Subversion (Change it)

Threat Agents

Bronze Soldier (2007)
• Russian Patriots attack Estonia over WWII memorial removal
• Led to Tallinn manual development

Stuxnet (2010)
• First Cyber Warfare instance
• Multiple Zero-days
• US/Israeli attack on Iranian centrifuges

Qassam Cyber Fighters (2012)
• Operation Ababil
• Retaliation from Iranian group for Stuxnet
• Attack US banks with extended DOS

CASE STORY: Maersk

“Maersk has always been a forward-looking business, but we have a heightened focus today in part because of a global cyberattack in 2017 that infected our network across ports and offices in dozens of countries. As part of the recovery, we rebuilt our core IT capability, including reconstructing server and network infrastructure, moving more than 60,000 devices to a new common standard, deploying a new standardized global operating system, restoring our entire application stack, and restarting the world’s most automated terminal, all in a matter of weeks. We now have one of the most standardized environments of any company in the industry - a foundation that’s letting us deliver change at the pace of digital business.”

“Given the ever-evolving cyber landscape, we’re building an even more secure and reliable infrastructure that can support Maersk’s future growth.”

Benefits
• Accelerated capability to deliver change
• Can deploy into production with no human touch
• Built SAST and DAST into CI/CD

Adam Banks, CIO/CTO

Supply Chain Hygiene

Attacks
• Avast - Oct 2019
• CCleaner - May 2018
• Telecom Counterfeit
• Industrial Espionage
• Malicious Code Insertion
• Unintentional Compromise

Supply Chain
• System of organizations, people, activities, information, and resources involved in supplying a product or service to a consumer
• Supply Chain Vulnerabilities are exposure to disturbance from internal/external risks

Managing Supply Risk
• Organization
• Mission/Business Process
• Information Systems

e
ut
What Do We Protect?

ib
tr
• Measuring items for D I E

is
protection?

D
Distributed Immutable Ephemeral
• Do you have metrics? DDOS resistant Changes easier to Drives value of assets

or
• Selecting for security detect and reverse closer to zero
• Risks to CIA The best solution Unauthorized changes Makes attacker

te
• Confidentiality against a distributed stand out and can be persistence hard and
attack is a distributed reverted to known reduces concern for
• Integrity

a
service good assets at risk
• Availability ic
• Systems as DIE
l
up
• Distributed
• Immutable Availability Integrity Confidentiality
D

• Ephemeral
ot
N

Module 2: Defining the Cyberthreat Landscape 51


Protection Metrics

1 Where are my ‘crown jewels’?
  • What creates business value?
  • Proprietary technical code
  • Secure practices
  • Elite employees?
2 How do I identify exposure?
3 Understand/Assign core metrics
  • Deployment frequency
  • Failed deployments
  • Code committed
  • Lead time
  • Mean Time to Change (MTTC)
  • Error Rate
  • Mean Time to Detect (MTTD)
  • Mean Time to Recovery (MTTR)
4 Tie telemetry to process
  • Automated processes to capture and report metrics

Module 2: Defining the Cyberthreat Landscape 52


Good Questions for Security

• What are my vulnerabilities?
• What are the risks of these?
• How do I fix it?
• How long will that take?
• How can you help me fix it?
• How do we make sure the same problem isn’t anywhere else?
• Why should I care?
• Why should we tell?
• Where can we record this?
• Can we automate this?
• How do we stop this happening again?

Common Vulnerabilities and Exposures (CVE)

Module 2: Defining the Cyberthreat Landscape 53


Continuous Compliance

• Governance, Risk, and Compliance
  • Class of tools
  • Practice Area
• Legal
  • General Data Protection Regulation (GDPR)
  • SOX – Sarbanes-Oxley
  • PCI-DSS – Card certifications
  • HIPAA – Medical privacy
• Regulatory
  • National Institute of Standards and Technology – Government
  • Risk Management Framework (NIST)
  • ISO 27001
  • Capability Maturity Model Integration (CMMI)
• Paperwork vs. Automation

“I believe that Continuous Delivery is an essential component of ANY regulated approach. That is, I believe that it is not possible to implement a genuinely compliant, regulated system in the absence of Continuous Delivery!” Dave Farley

Module 2: Defining the Cyberthreat Landscape 54


Module Two Quiz

1 Which one of these is not a Threat Model?
  a) DREAD
  b) STRIDE
  c) LEAP
  d) ATT&CK
2 Which attack involves a group of Russian hackers trying to stop the removal of a WWII statue in Estonia?
  a) Bronze Soldier
  b) Stuxnet
  c) CCleaner
  d) Fancy Bear
3 Which of these is not a standard cyberattack action?
  a) Subversion
  b) Subtraction
  c) Espionage
  d) Sabotage
4 Which of these is #1 on the OWASP top ten vulnerability list?
  a) Cross-Site Scripting
  b) Injection
  c) Sensitive Data Exposure
  d) Broken Access Control
5 Which of these is not part of the CIA triad for information security?
  a) Confidentiality
  b) Integrity
  c) Authenticity
  d) Availability

Module 2: Defining the Cyberthreat Landscape 55
Module 3
BUILDING A RESPONSIVE DEVSECOPS MODEL

Module 3: Building a Responsive DevSecOps Model

• Model with components
• Technical, business and human outcomes
• What’s being measured? Integration, current state and delta
• Gating and thresholding
• Incremental improvements

Component / Module 3 Content
Video: What is DevSecOps Explained by Dave Farley
Case Story: NCR
Discussion: What do you want from security?
Exercise: Validate a responsive DevSecOps model

58
Responsive How?

• Your model for working needs to:
  • Be adaptable when things change: regulations, threats, finances
  • Be the basis for continuous conversation between security and engineering teams
  • Be easy and quick to change
  • Have its own change processes documented

"DevSecOps essentially breaks down the enterprise security silo by cultivating a symbiotic relationship between security and other business units and increases product quality and delivery velocity by adding security specific techniques and toolsets to DevOps practices.” DJ Schleen

Module 3: Building a Responsive DevSecOps Model 59


Responsive to What?

• Every service or application will have multiple standards applied and measured
• Risk management must be done with continuous verification which is not driven by meetings
• To achieve this, measure individual tasks in the CI/CD pipelines
• Follow DevSecOps practices:
  • Implement security as code
  • Leverage automation
  • Involve audit and compliance early

The model will need to measure the fitness of these components:

LAYERS OF PIPELINE GOVERNANCE STANDARDS
• Regulatory (e.g. PCI)
• Criticality or Service Tier (e.g. Platinum)
• Quality (e.g. Code)
• Stage (e.g. Development)
• Target / Environment / Platform

Module 3: Building a Responsive DevSecOps Model 60


DISCUSSION
What Do You Want from Security?

Module 3: Building a Responsive DevSecOps Model 61


What Should the Output Look Like?

• The fitness measure needs to provide a KPI per standard per value stream
• The output and values need to be directly linked to the ability to audit the process, i.e. ITSM and Change Management integration (design data flows)
• Map technology and processes to core security operations
• Automatically log findings to issue management to reduce bottlenecks between sec and dev teams

OUTPUT
• KPIs – Compliance % per service
• Auditability

Key Performance Indicator (KPI) Definition
A Key Performance Indicator is a measurable value that demonstrates how effectively a company is achieving key business objectives. Organizations use KPIs at multiple levels to evaluate their success at reaching targets.

Module 3: Building a Responsive DevSecOps Model 62


Example KPIs

Value Stream: Standardization – Pipeline Archetype
  Standard: Creating an exemplar per standard adopted (e.g. code quality)
  KPI: Conformance % of pipeline to an exemplar standard

Value Stream: Risk Management
  Standard: Measure and quantify each risk per standard adopted per pipeline
  KPI: % High, % Medium, % Low

Value Stream: Auditability
  Standard: Tasks and evidence collection per regulatory standard in a pipeline
  KPI: PCI compliance %

Value Stream: Observability
  Standard: Tracking the lack/adoption of integrations/tasks for measurements per security standard
  KPI: # of Jiras / SNOW tickets – category – governance. % Completed, % Stale

Module 3: Building a Responsive DevSecOps Model 63


CASE STORY: NCR

”NCR’s software development teams have started using cloud native technologies such as microservices and containers to build and ship applications faster than ever, while migrating to public cloud services to reduce infrastructure costs. These changes created security and compliance challenges that could not be addressed with yesterday’s security tools. Customers trust NCR to secure their highly sensitive financial data, so it was cardinal for the company to implement a solution that both ensures the security of applications and data, as well as satisfies strict compliance requirements. Achieving both goals required that NCR’s Application Security and Site Reliability Engineering practices gain greater visibility and control over their security posture, without compromising on the velocity and scale of this new approach.”

"App sec has to be integrated into the right place, and you need to get support from both directions - from the bottom and the top."
Shlomo Bielak
CISO – App Security

Benefits
• Scan container images in the CI/CD pipeline and in registries for known vulnerabilities, embedded secrets, and unsecured configurations
• Prevent images with high severity vulnerabilities, root user privileges, or hard-coded secrets from running anywhere in the environment
• Ensure that running containers don’t drift from their originating images

Module 3: Building a Responsive DevSecOps Model 64
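The "Immutable" column of the DIE table and NCR's third benefit (running containers must not drift from their originating images) describe the same check: record a known-good baseline at release time and treat any later difference as unauthorized. The script below is an added example, not DevOps Institute or NCR code. It hashes a constructed artifact tree, then reports files added, removed or modified after the baseline was taken; every path and file content in it is constructed sample data.

```python
"""Immutability drift check: an added example, not code from DevOps Institute or NCR.

Baseline = sha256 of every file in a release artifact tree at release time.
Drift    = any file added, removed or changed after that point. With an immutable
artifact, drift is by definition unauthorized and can be reverted to known good.
The artifact tree used here is constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its sha256 hex digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def detect_drift(baseline: dict, current: dict) -> dict:
    """Classify every difference between the known-good baseline and the observed tree."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def has_drifted(drift: dict) -> bool:
    """True when any category is non-empty; a pipeline gate would fail the run here."""
    return any(drift.values())


def demo() -> dict:
    """Constructed scenario: a release tree, then three changes made after release."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "app").write_bytes(b"#!/bin/sh\necho app\n")
        (root / "etc" / "app.conf").write_text("listen=8080\n")
        (root / "etc" / "feature.flag").write_text("on\n")
        baseline = build_manifest(root)  # recorded at release time
        assert not has_drifted(detect_drift(baseline, build_manifest(root)))

        # Post-release changes that an immutable deployment should never see.
        (root / "etc" / "app.conf").write_text("listen=8080\ndebug=true\n")  # modified
        (root / "run.sh").write_text("echo hello\n")                          # added
        (root / "etc" / "feature.flag").unlink()                               # removed
        return detect_drift(baseline, build_manifest(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:8s} {paths}")
```

In practice the baseline manifest is produced by the build and stored with the release record, and the comparison runs against the live container filesystem; a non-empty result is the signal to replace the running instance from the original image rather than repair it in place.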


Risk and Quality Are Measured

• Measure integration and output as inputs to achieve continuous verification
• Having the ability to manage the risk and the output of that measure are two separate KPIs
• Integration and output gaps are used to create a backlog

Fitness Components
Measure – Integration:
  • Pipeline Standards – Identify Tech Debt
  • Over time – Maturity & Standards Improve
  • Continuous Improvement of Standards
  • Evaluate – Release to Release
Measure – Output:
  • Unique Per Stage
  • Gate or Threshold or Track
  • Delta Values – Not starting value
  • Better / Worse

Module 3: Building a Responsive DevSecOps Model 65


Old and New Operating Models

• Adopting engineering principles helps move from a traditional security model dictating standards to aligning with value streams and integrating with CI/CD pipelines
• The effect will be to reverse the truth that security slows development down
• The outcome will be a model to continuously measure/set your security fitness at the pipeline level

Method / Auditability / Adaptability / Engagement
Traditional: Operate / Iterative / Dictate
Governance Eng.: Integrated / Dynamic / Collaborate

Module 3: Building a Responsive DevSecOps Model 66


Business Continuity Plan (BCP) Example

What does an example model measure and track and how does it operate?

Diagram: Criticality or Service Tier (e.g. Platinum) – SLA – SLO – SLI
Automation Pipeline: Integrated Workflow → Workflow → Production
Tasks: Create Policy → Attach Policy → Test Policy → Check Policy → CI/CD, each task carrying a Tag/Value
Governance Standards – Checking Tags and Values = KPI per service (CLI/API-Driven)

Module 3: Building a Responsive DevSecOps Model 67



‘What is DevSecOps?’ with Dave Farley (19:11)
https://youtu.be/uTEL8Ff1Zvk

Module 3: Building a Responsive DevSecOps Model 68
Change Management Redesigned

• New operating models require integrated change management and ticket tracking
• Constantly check security states
  • SAST can verify continuous integration practices
  • Updating ticket with outputs
• Pipeline approval stages track promoted code status and changes
• Remove physical approval stages when conformance is at 100%
• Change management adapts based on Key Performance Indicators (KPIs)

Module 3: Building a Responsive DevSecOps Model 69


KPIs Defined and Visualized

• The KPIs are driven per value stream or pipeline or application
• The values represent the adoption of the standards
• The ability to threshold and gate per SDLC stage
• Keep in mind that the output, not the integration, should drive the backlog and approval state

Module 3: Building a Responsive DevSecOps Model 70


GSA’s DevSecOps Maturity Model

GOAL: Safer Software Sooner

DevSecOps: A cultural and engineering practice that breaks down barriers and opens collaboration between development, security, and operations organizations using automation to focus on rapid, frequent delivery of secure infrastructure and software to production. It encompasses intake to release of software and manages those flows predictably, transparently, and with minimal human intervention/effort.

Module 3: Building a Responsive DevSecOps Model 71


eDiscovery and Digital Forensics

How would your organization perform these tasks if need be?

Electronic discovery (sometimes known as e-discovery, ediscovery, eDiscovery, or e-Discovery) is the electronic aspect of identifying, collecting and producing electronically stored information (ESI) in response to a request for production in a lawsuit or investigation. ESI includes, but is not limited to, emails, documents, presentations, databases, voicemail, audio and video files, social media, and web sites.

Digital forensics, sometimes called computer forensics, is the application of scientific investigatory techniques to digital crimes and attacks. It is a crucial aspect of law and business in the internet age. It’s the identification, preservation, examination, and analysis of digital evidence, using scientifically accepted and validated process, and the ultimate presentation of that evidence in a court of law to answer some legal question.

Module 3: Building a Responsive DevSecOps Model 72


Resilience Through Responsiveness

• This is not a perfect world and the ability to build resilience through exception handling is key
• The ability to whitelist for a time period
  • If a whitelisting was applied, an ITSM ticket should be auto generated to track the risk and exception
• Automation pipelines with integrated security need to allow for unexpected circumstances; rather than allow for ad-hoc pipelines, create a rapid pipeline with a higher level of auditability to deal with the gaps in gating

Module 3: Building a Responsive DevSecOps Model 73
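The time-bounded whitelist with an auto-generated ITSM ticket described above, as an added example (not DevOps Institute code). The ticket system is an in-memory stand-in for a real ITSM API, the finding ids, owner and 30-day cap are constructed, and the clock is fixed so the expiry behaviour is reproducible: while the exception is live the finding is suppressed, and the moment it expires the finding blocks the pipeline again without anyone having to remember it.

```python
"""Time-bounded security exceptions with an auto-opened tracking ticket.

Added example, not DevOps Institute code. A finding may be allowlisted for a
limited period only; granting one opens an ITSM ticket so the accepted risk is
tracked, and the finding resurfaces automatically when the period ends. The
ticket system here is an in-memory stand-in for a real ITSM API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_EXCEPTION_DAYS = 30  # policy cap (constructed value)


@dataclass(frozen=True)
class RiskException:
    finding_id: str
    owner: str
    justification: str
    granted: datetime
    expires: datetime
    ticket_id: str


class FakeItsm:
    """Stand-in for an ITSM ticketing API: stores tickets and returns ids."""

    def __init__(self):
        self.tickets = []

    def open_ticket(self, summary: str, fields: dict) -> str:
        ticket_id = f"RISK-{len(self.tickets) + 1:06d}"
        self.tickets.append({"id": ticket_id, "summary": summary, **fields})
        return ticket_id


class ExceptionRegister:
    def __init__(self, itsm: FakeItsm):
        self._itsm = itsm
        self._exceptions = {}

    def grant(self, finding_id, owner, justification, days, now) -> RiskException:
        """Allowlist a finding for `days`; refuse open-ended or unjustified exceptions."""
        if not 0 < days <= MAX_EXCEPTION_DAYS:
            raise ValueError(f"exception period must be 1..{MAX_EXCEPTION_DAYS} days")
        if not justification.strip():
            raise ValueError("a justification is required")
        expires = now + timedelta(days=days)
        ticket_id = self._itsm.open_ticket(
            f"Security exception for {finding_id}",
            {"owner": owner, "justification": justification,
             "expires": expires.isoformat(), "finding_id": finding_id})
        exc = RiskException(finding_id, owner, justification, now, expires, ticket_id)
        self._exceptions[finding_id] = exc
        return exc

    def is_suppressed(self, finding_id, now) -> bool:
        exc = self._exceptions.get(finding_id)
        return exc is not None and now < exc.expires

    def expired(self, now) -> list:
        """Exceptions whose period has ended: their findings are live again."""
        return [e for e in self._exceptions.values() if now >= e.expires]


def gate(findings: list, register: ExceptionRegister, now) -> list:
    """Return the findings that still block, i.e. those with no live exception."""
    return [f for f in findings if not register.is_suppressed(f, now)]


def demo() -> dict:
    """Constructed scenario: two findings, one allowlisted for 14 days."""
    now = datetime(2021, 3, 16, 12, 0, tzinfo=timezone.utc)  # fixed clock; constructed
    itsm = FakeItsm()
    register = ExceptionRegister(itsm)
    findings = ["CVE-PLACEHOLDER-1", "SECRET-IN-CONFIG"]  # constructed finding ids
    exc = register.grant("CVE-PLACEHOLDER-1", "team-payments",
                         "vendor patch scheduled for next release", 14, now)
    try:  # an exception longer than the policy cap is refused
        register.grant("SECRET-IN-CONFIG", "team-payments", "will fix later", 365, now)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "ticket": exc.ticket_id,
        "day_0": gate(findings, register, now),
        "day_13": gate(findings, register, now + timedelta(days=13)),
        "day_14": gate(findings, register, now + timedelta(days=14)),
        "expired_at_day_14": [e.finding_id for e in register.expired(now + timedelta(days=14))],
        "tickets_opened": len(itsm.tickets),
        "rejected_365_days": rejected,
    }
```

The `expired` list is what feeds the rapid, higher-auditability pipeline the slide mentions: it is the backlog of accepted risks whose grace period has run out and which now need either a fix or a fresh, re-justified exception with a new ticket.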


Incremental Improvements

• Visualizing each Business Unit (BU) or department’s progress in adopting and measuring risk helps drive cultural change and support
• This example is using Tableau and BigQuery to ingest and parse API calls to all the security tooling to show adherence to the governance standards over time
• The pipeline measurements are more for informed approvals via change management

Chart: Security Progress Per BU

Module 3: Building a Responsive DevSecOps Model 74


Outcomes

Technical
• Faster deployments
• More code promotions
• Improved code quality

Business
• Faster audit preparation
• Company-wide security fitness
• Risk identification
• Faster flow of value

Human
• Improvement and/or self-development hours
• Reduced attrition

Module 3: Building a Responsive DevSecOps Model 75


Steps to Take to Build a Model

1 Move away from meetings: Require measurements of standards and values to be defined and documented. This can also be in the form of a pipeline-as-code example.
2 Alert in Dev, protect in Prod. Every stage of the SDLC has different tolerances defined to support shift-left. Development and production are not the same.
3 Provide artifacts for integration and adoption of measurement technologies.
4 Do not gate: Data always starts poorly once measurements begin. Target deltas to track required improvement increments per time period.
5 Define and create exception handling processes that are tracked. Conformance of the majority. Responsiveness to the minority. This prevents untracked exceptions that are forced.
6 Tag and map values per application to visualize KPIs per governance engineering standard. Aggregate per BU as well for higher level visualizations. The KPI that matters is the conformance delta. Not the starting value.
7 Keep updating your standards and expected values. Update the pipeline-as-code to support the advancement of an exemplar. No one should hit 100%. Advance the standard, shift all down to advance again.

Module 3: Building a Responsive DevSecOps Model 76
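Steps 2, 4 and 6 above (stage-specific tolerances, deltas rather than starting values, tag/value checks rolled up into a conformance KPI), together with the "Checking Tags and Values = KPI per service" idea of the BCP example and the "Delta Values – Not starting value" row of the fitness components, can be expressed as one short scoring routine. The following is an added example, not DevOps Institute code; the standards, tag names, thresholds and previous-release values are constructed sample data, not the output of any real tool.

```python
"""Conformance KPI per pipeline with stage-aware gating and release-to-release delta.

Added example (not DevOps Institute code). Each governance standard is a set of
tag -> expected value pairs; a pipeline run reports the tags its tasks produced.
Conformance % = matched tags / expected tags. Development only alerts, production
gates, and the value that matters is the delta against the previous release.
Standards, tags and thresholds below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Standard:
    name: str
    expected: dict  # tag -> value a conformant pipeline must report


# Stage policy: "alert" never blocks; "gate" blocks below min_pct or on regression.
STAGE_POLICY = {
    "development": {"mode": "alert", "min_pct": 0.0},
    "production": {"mode": "gate", "min_pct": 80.0},
}


def conformance(tags: dict, standard: Standard) -> tuple:
    """Return (percent, missing) where missing lists the tags that did not match."""
    missing = sorted(t for t, want in standard.expected.items() if tags.get(t) != want)
    pct = 100.0 * (len(standard.expected) - len(missing)) / len(standard.expected)
    return round(pct, 1), missing


def evaluate(stage: str, tags: dict, standards: list, previous: dict) -> dict:
    """Score one pipeline run against every standard and decide pass/alert/block."""
    policy = STAGE_POLICY[stage]
    severity = ["pass", "alert", "block"]
    report, worst = {}, "pass"
    for std in standards:
        pct, missing = conformance(tags, std)
        delta = round(pct - previous.get(std.name, 0.0), 1)  # the KPI that matters
        below = pct < policy["min_pct"]
        regressed = delta < 0
        if policy["mode"] == "gate" and (below or regressed):
            status = "block"
        elif missing or regressed:
            status = "alert"
        else:
            status = "pass"
        report[std.name] = {"pct": pct, "delta": delta, "missing": missing, "status": status}
        worst = max(worst, status, key=severity.index)
    return {"stage": stage, "decision": worst, "standards": report}


# Constructed sample standards (tag names are illustrative, not from any real tool).
STANDARDS = [
    Standard("code-quality", {"sast": "pass", "unit_tests": "pass",
                              "coverage_gate": "pass", "secrets_scan": "pass"}),
    Standard("pci", {"dast": "pass", "image_scan_high": "0", "tls_only": "true"}),
]
# Tags one constructed pipeline run reported.
RUN_TAGS = {"sast": "pass", "unit_tests": "pass", "coverage_gate": "fail",
            "secrets_scan": "pass", "dast": "pass", "image_scan_high": "2",
            "tls_only": "true"}
# Conformance recorded for the previous release (constructed).
PREVIOUS_RELEASE = {"code-quality": 50.0, "pci": 66.7}


def demo() -> dict:
    """The same run evaluated at two SDLC stages: dev alerts, prod gates."""
    return {stage: evaluate(stage, RUN_TAGS, STANDARDS, PREVIOUS_RELEASE)
            for stage in STAGE_POLICY}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result["decision"])
        for name, r in result["standards"].items():
            print(f"  {name:13s} {r['pct']:5.1f}% (delta {r['delta']:+.1f}) missing={r['missing']}")
```

Two properties of this layout match the steps: the same run scores 75.0% and 66.7% in both stages, but only production turns that into a block, and a run that is below threshold yet improving on the previous release still shows a positive delta, which is the number to put on the BU dashboard.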


Gartner’s View on DevSecOps


Module 3: Building a Responsive DevSecOps Model 77


DevSecOps According to OWASP


Module 3: Building a Responsive DevSecOps Model 78


EXERCISE
Validate a Responsive DevSecOps Model

Module 3: Building a Responsive DevSecOps Model 79


Module Three Quiz

1 Which is a characteristic of a traditional operating model?
  a) Integrated
  b) Dictate
  c) Dynamic
  d) Collaborate
2 What is GSA’s DevSecOps goal?
  a) Safer Software Sooner
  b) Better Value Sooner Safer Happier
  c) CALMS
  d) Rugged DevOps
3 According to NCR, from what direction does DevSecOps adoption need support?
  a) The top
  b) The bottom
  c) The left
  d) Both top and bottom
4 What is a KPI?
  a) Key Practice Indicator
  b) King Principle Interaction
  c) Key Performance Indicator
  d) King Principle Indicator
5 What is the application of scientific investigatory techniques to digital crimes called?
  a) e-Discovery
  b) DevSecOps
  c) Digital Forensics
  d) CSI

Module 3: Building a Responsive DevSecOps Model 80


Module 4
INTEGRATING DEVSECOPS STAKEHOLDERS

Module 4: Integrating DevSecOps Stakeholders

• The DevSecOps State of Mind
• What “good” culture looks like
• The DevSecOps Stakeholders
• What’s at stake for who?
• People, process, technology and governance

Component / Module 4 Content
Video: Lean and Agile Adoption with Laloux’s Culture Model
Case Story: US Department of Defense
Discussion: How can you influence your organization?
Exercise: Modeling stakeholder conversations - 'difficult questions'

83
The DevSecOps State of Mind

“I worked for Intuit for 18 months doing DevSecOps, and I’ve drawn many parallels between it and Krav Maga. This post provides a comparative view of DevSecOps vs. Krav Maga.“ Fabian Lim

DevSecOps' main objective is to "ensure data security" versus Krav Maga's objective to "go home safe”. Both approaches are adapted defense systems and have several principles in common:
• SITUATION AWARENESS
• DRILLS
• RUGGEDNESS
• POSITIONING
• CHAOS
• LEGAL - BONUS!

Module 4: Integrating DevSecOps Stakeholders 84


What “Good Culture” Looks Like

Good DevSecOps practice:
• Starts with buy-in of the DevSecOps philosophy by senior leaders within the organization
• This leads to:
  • Change in the organizational culture
  • New collaborative processes
  • Tools to automate the process
  • And to apply consistent governance
• A project must advance in all four areas to be successful
• Safety culture and resilience engineering are key

“The best way to avoid failure is to fail constantly.” Netflix

Module 4: Integrating DevSecOps Stakeholders 85


The Trust Algorithm

“About three weeks after I started at Comcast, I realized that any behavior transformation that we wanted to achieve within the development organization would be impossible with the current lack of trust between devs and security. I mentioned this to one of my bosses and he responded, “I understand that’s a problem but it’s not as if trust is a formula.” My response was, “Well… maybe it is…” I then got up from my chair and wrote the trust formula from Charlie Green at TrustedAdvisor on the wall. We then had a great conversation about how to optimize the terms in that formula for our context.” Larry Maccherone

Module 4: Integrating DevSecOps Stakeholders 86


What “Good” Culture Looks Like

Erikson’s Stages of Psychosocial Development
Westrum’s Organizational Typology

This is where we want to be…
Org culture is often still just here…

“A generative culture will make the best use of its assets, a pathological one will not.”

Module 4: Integrating DevSecOps Stakeholders 87


Laloux’s Advice Process

Be Lean:
• Minimize overhead and waste
• Automate as much as possible
• Emphasize measurable results and effectiveness
• No more “rules for the sake of rules”
• Focus on the customer
• Leverage Laloux’s ‘Advice Process’

Diagram: Freedom & Responsibility – Self-Managed – The Advice Process – Inherent Trust in Others

LALOUX’S ADVICE PROCESS
“Any person making a decision must seek advice from everyone meaningfully affected by the decision and people with expertise in the matter. The objective of the advice process is not to form consensus, but to inform the decision-maker so that they can make the best decision possible.” (Laloux, Reinventing Organizations)

Module 4: Integrating DevSecOps Stakeholders 88



‘Lean and Agile Adoption with the Laloux Culture Model’ with Peter Green (09:21)
https://youtu.be/o7-IuYS0iSE

Module 4: Integrating DevSecOps Stakeholders 89


Understanding Cultural Differences

Culturally and behaviorally, Security and DevOps are worlds apart; in terms of subject matter expertise, security architects and software engineers don’t speak the same language.

DevOps
• Agile
• Horizontal
• Fast-paced
• Operates in quick sprint cycle
• Team-based culture
• Trust and support others
• Priority: react as quickly as possible to business needs

Security
• Waterfall
• Vertical
• Rigid
• Step by step approach
• Requires multiple lines of approval
• Priority: safety and security
• Delayed verification

Effective DevSecOps practices can help change how businesses function.

Module 4: Integrating DevSecOps Stakeholders 90


Three Ways to Close the Culture Gap

1 Code in and reward the right behaviours
• To change behaviour, change habits
• Introduce patterns across the environment so over time, people become used to working in a certain way
• Over time, their mindset also adapts and culture begins to shift

2 Develop soft skills
• To develop softer skills will be essential
• Organizations could also consider looking for specific personality types who may not have the perfect technical skills for DevSecOps, but could be upskilled
• Not everyone currently working in DevOps and security teams will be suited to a DevSecOps environment, and that must be recognized too

3 Value security as highly as speed for digital transformation
• DevSecOps repositions security higher up in the value chain
• Reinforce this across the organization
• Ensure DevSecOps is included in investment cases for transformation

Systems Thinking Requires a Different Approach to Skilling

Module 4: Integrating DevSecOps Stakeholders 91


Cooperation > Internal Competition

Problems with turf wars:
• Inefficiency and waste
• People lose sight of business objectives
• Decreased collaboration and cooperation

“…arguments over turf are good indicators that the facility has too many people. No one worries about who does what when there is enough work to go around.” Dennis Bakke

Module 4: Integrating DevSecOps Stakeholders 92


Types of Stakeholders

Type of Stakeholders
• Internal: Teams, Functions, Groups
• External: Customers (buy the goods or services), Users (use the services on a daily basis), Suppliers (supply goods and services; third parties)

Categorize Stakeholders – RACI Method
R Responsible: Works on and delivers the initiative
A Accountable: Has authority over the initiative and approves results
C Consulted: Has insight and suggestions about the initiative
I Informed: Needs to know about the outcomes of the initiative

Module 4: Integrating DevSecOps Stakeholders 93


CISOs and CIOs

Org chart: CEO → CIO → CISO, Head of Dev, Head of Ops

In the 2014 PwC Global State of Information Security Report, organizations where the CISO reports to the CIO had 14% more downtime due to cyber-attacks and their financial losses were 46% higher.

Module 4: Integrating DevSecOps Stakeholders 94


The DevSecOps Stakeholders

Dev
All people involved in developing software products and services including but not exclusive to:
• Architects
• Business representatives
• Customers
• Product owners
• Project managers
• Quality assurance (QA)
• Testers
• Analysts
• Suppliers

Ops
All people involved in delivering and managing software products and services including but not exclusive to:
• Information security professionals
• Systems engineers
• System administrators
• IT operations engineers
• Release engineers
• Database administrators (DBAs)
• Network engineers
• Support professionals
• SREs
• Security professionals
• Third party vendors
• Suppliers

Leadership
All executives, directors and C-Suite. All directors need to have a basic understanding and awareness of cyber security based on jargon-free principles. To help with this, we could express governance as a user story from the director’s perspective.

Directors want assurance, in concise, understandable language, that they:
• Have adequate management of cyber risks and threats
• Have been made aware of significant attacks and near misses, and advised of actions to prevent re-occurrence
• Have been made aware of security arrangements for our significant third parties including any significant attacks
• Have used the investment in cyber security effectively and efficiently

Module 4: Integrating DevSecOps Stakeholders 95


©DevOps Institute unless otherwise stated
o
D

Collaboration Between Stakeholders

(Three illustrations: Compliance & Audit Overlap; Team Communication; Dear Auditor)

Working with Audit, Easier:
• Map changes to approved users and change record
• Authenticate machine-to-machine communication
• Ensure all access is logged and monitored
• Integrate auditors into the advice process
• Build dashboards for the auditors
• Provide real-time reporting

What’s at Stake for Who?

(Diagrams from Andi Mann, Splunk: Shared Metrics for Multiple Stakeholders; Shared Metrics for Each Stakeholder)

Governance: DevSecOps Pillars

ORGANIZATION
• Culture shift & buy-in
• Communication & collaboration
• Security/QA throughout
• Learn from success/failure
• Feedback and user driven change

PROCESS
• Collaborative design
• Test-driven development
• Common and automatable tasks
• Continuous adaptation and improvement
• Continuous ATO

TECHNOLOGY
• Tool adoption
• Automation and orchestration
• Cloud and containerization
• Infrastructure as code
• Security as code

GOVERNANCE
• Built-in governance and control
• Uniform policy enforcement
• Data-driven validation
• Enhanced visibility
• Inherited certifications and authorization

DevSecOps starts with buy-in of the DevSecOps philosophy by senior leaders within the organization.

Next Generation Governance

(Diagram: Strategic Management, Tactical Management and Operational Management layers)

5 FUNDAMENTAL PRINCIPLES OF NGG
1. Run IT with Mission Discipline
2. Invest in Automation
3. Embrace Adaptability
4. Promote Transparency
5. Inherent Accountability

ENABLING ELEMENTS
Equality and Inclusiveness, Participation, Consensus Oriented, Effectiveness and Efficiency, Accountability, Responsive, Rule of Law, Transparency

CASE STORY: US Department of Defense

“People have different priorities, but when you don't bake security in, the number one issue is that it's very difficult to keep up with the pace of the changing requirements. If you have security as an afterthought, it just becomes this massive bottleneck. Being able to have it baked in from the start is critical as otherwise it's tough to catch up. If you scan your code multiple times a day and you're looking at the quality of the code continuously you can fix small changes slowly but surely every day. Incremental change is the critical piece. If you do it multiple times a day, it's much easier to fix than waiting a year and trying to tackle a huge mound of what is effectively technical debt."

Nicolas Chaillan, CSO

“DevSecOps is the industry best practice for rapid, secure software development.”

Benefits
• Avoidance of vendor lock-in
• Architected for scale
• Abstraction and self-healing

Governance Flow and Control

• Good control requires good corporate governance from the top (directors and executive management)
• Top management should ensure that the organization is well structured and managed with strong policies and a strong ethos
• Governance forms the foundation on which other controls and risk mitigations can be built
• Ultimately, those who hold governance accountability will be held responsible for all failures regardless of where they occur
• They set the culture and tone for the organization to operate
• They should not, however, interfere with day-to-day operations
• Penetration testing may be used to support overall GRC requirements

1. Set the boundaries
2. Tell them what is needed
3. Let them get on with it
4. Monitor and report progress

Governance Engineering Methodology

Convergence of Security Teams

TRI-CENTRIC APPROACH (diagram)
SECURITY: Application Security, Cyber Security, Information Security, Internal Audit
DEVELOPMENT: Release Engineering
OPERATIONS: App Ops, Infrastructure

Converging into: Governance Engineering; Site Reliability Engineering

People, Process, Technology and Governance

(Diagram: Traditional Security vs Governance Engineering)

TRADITIONAL SECURITY SCOPE: Manage & Operate; Identity; Apply, Verify, Measure; Task per Application
GOVERNANCE ENGINEERING SCOPE: Identity; Pipeline; Governance; Standard (all); Continuous Improvement

EXERCISE
Modeling stakeholder conversations – difficult questions

Module Four Quiz

1. Who wrote ‘Reinventing Organizations’?
   a) Frederic Laloux
   b) Erik Erickson
   c) Larry Maccherone
   d) Ron Westrum

2. Where did The Trust Algorithm originate?
   a) The Department of Defense
   b) Charlie Green
   c) The DevOps Handbook
   d) Comcast

3. According to Laloux’s advice process, under what condition can any person make any decision?
   a) Seek advice from an expert
   b) Seek advice from people who will be impacted
   c) Consider the cost
   d) Both A and B

4. What is the most multi-functional type of individual?
   a) T-Shaped
   b) Pi-Shaped
   c) Comb-Shaped
   d) E-Shaped

5. Which is the most evolved typology of organizational culture according to Westrum’s Typology?
   a) Teal
   b) Bureaucratic
   c) Generative
   d) Pathological


Module 5
ESTABLISHING DEVSECOPS PRACTICES

Module 5: Establishing DevSecOps Practices

• Start where you are
• Integrating people, process, technology and governance
• Continuous Security for DevSecOps
• Onboarding process for stakeholders
• Practices and outcomes
• Data driven decision making and response

Component    Module 5 Content
Video        The Rise of DevSecOps
Case Story   Comcast
Discussion   What are your worst DevSecOps practices?
Exercise     Wicked Questions

Start Where You Are

• Before changing, realize where you are today
• How do you find out where your process is?
  • Surveys and assessment
  • Metrics – repeatable, contextual data
  • Sensing sessions
  • Problem identification
• Know where you want to go
  • Create a shared vision and objectives
  • Use Value Stream Mapping techniques to align process to pipeline

Integrating People, Process, Technology and Governance

What aligns with your values?
Sensing across all areas

RISCS: Developer-Centred Security Research

• Appreciate that security fundamentals are hard to get right
• Acknowledge that developers are not necessarily security experts
• Help stimulate conversations about cyber security from an early stage
• Facilitate collaboration between security experts and developers
• Reward and motivate developers - both intrinsically and through the work environment
• Select tools and techniques that developers find usable
• Promote a blame-free culture that encourages developers to report incidents (so that the team can learn from mistakes and continuously improve)

Continuous Security for DevSecOps

• Security is everywhere in the corporate workspace
• Every area has potential security tools, which are important for your business
• Continuous Security is the addressing of security concerns and testing in the Continuous Delivery pipeline

In DevSecOps we use lean and value stream thinking to ensure that security is not causing waste or delays in the cycle time – that it’s not a constraint and is not interrupting flow.

Video: ‘The Rise of DevSecOps’ with Yvonne Wassenaar (14:58)
https://youtu.be/o7-IuYS0iSE

Onboarding for Stakeholders

• Bring new people into process
• Where do I start new people?
• Have a checklist
• Take time to orient

Onboarding checklist by role:
Dev: Identify repos and daily processes
Sec: Compliance standards, governance, continuous security
Ops: Find SRE links, what alerts, where are logs

Stakeholder engagement matrix (Level of UNDERSTANDING on the vertical axis against Level of EMOTIONAL ENGAGEMENT on the horizontal axis):
Upper row: Critics, Spectators, Advocates
Lower row: Cynics, Unengaged, Enthusiasts

3 Myths of Separation of Duties (SoD) vs DevOps

Clue: the systems are/do the separation

1. DevOps + CI/CD Means Pushing Straight to Production
   – Code should always be tested/checked in the CI/CD pipeline
   – There’s really no such thing as “straight to production”
   – Dev and Ops are still 2 teams in most organizations
2. SoD Is Effective At Stopping Fraud and Errors
   – Errors occur, regardless – but how well do you detect & recover?
   – The Second Way: fail fast, recover fast, learn faster!
   – DevOps often means more testing, which stops fraud and errors
3. SoD and DevOps Are Incompatible
   – Ask audit to define the control objective, not the control
   – Remember: the goal of SoD is reducing fraud and errors (so do that!)
   – Don’t accept “no” / Don’t simply say “no”
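The clue above is that the systems do the separation. As an added illustration, not part of the course material and not the API of any particular tool, the following Python check models how a pipeline can enforce the SoD control objective that audit actually cares about: every production deployment is authenticated, logged and mapped to an approved change record whose pipeline checks passed, and nobody is the sole approver of their own change. It also serves the "Map changes to approved users and change record" and "Ensure all access is logged and monitored" points from the Collaboration Between Stakeholders slide in Module 4. The record and deployment fields and all sample data are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ChangeRecord:
    """An approved change as the change-management system records it (constructed schema)."""
    change_id: str
    author: str
    approvers: List[str]        # people who approved the change
    approved_users: List[str]   # people allowed to trigger its deployment
    pipeline_passed: bool       # tests and scans in the CI/CD pipeline passed


@dataclass
class Deployment:
    """A production deployment event as the deploy system logs it (constructed schema)."""
    change_id: Optional[str]    # None when the deploy cites no change record
    deployed_by: str
    identity_kind: str          # "user" or "machine" (pipeline service account)
    authenticated: bool         # caller presented a valid credential
    logged: bool                # event was written to the audit log


def evaluate_sod(dep: Deployment, records: List[ChangeRecord]) -> List[str]:
    """Return the SoD control-objective violations for one deployment.

    The objective (reduce fraud and errors) is enforced by the system rather
    than by keeping Dev and Ops apart: the author may deploy their own change,
    as long as somebody else approved it and the automated checks passed.
    """
    findings: List[str] = []
    if not dep.authenticated:
        findings.append("unauthenticated caller")
    if not dep.logged:
        findings.append("deployment not written to audit log")
    record = next((r for r in records if r.change_id == dep.change_id), None)
    if record is None:
        findings.append("no approved change record for this deployment")
        return findings
    if not record.pipeline_passed:
        findings.append("pipeline checks did not pass")
    if not [a for a in record.approvers if a != record.author]:
        findings.append("no approver independent of the author")
    if dep.identity_kind == "user" and dep.deployed_by not in record.approved_users:
        findings.append(f"{dep.deployed_by} is not an approved deployer")
    return findings


def audit_report(deployments: List[Deployment],
                 records: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Map every deployment to its findings, as an auditor's dashboard would."""
    return {f"{d.change_id}:{d.deployed_by}": evaluate_sod(d, records)
            for d in deployments}


# Constructed sample data for this illustration (not from the course).
SAMPLE_RECORDS = [
    ChangeRecord("CHG-1", "alice", ["bob"], ["alice", "ci-bot"], True),
    ChangeRecord("CHG-2", "carol", ["carol"], ["carol"], True),
    ChangeRecord("CHG-3", "erin", ["frank"], ["erin"], False),
]
SAMPLE_DEPLOYMENTS = [
    Deployment("CHG-1", "alice", "user", True, True),       # clean
    Deployment("CHG-1", "ci-bot", "machine", False, True),  # unauthenticated service account
    Deployment("CHG-2", "carol", "user", True, True),       # self-approved change
    Deployment("CHG-3", "grace", "user", True, True),       # failed pipeline, unapproved deployer
    Deployment(None, "dave", "user", True, False),          # no change record, not logged
]

if __name__ == "__main__":
    for key, problems in audit_report(SAMPLE_DEPLOYMENTS, SAMPLE_RECORDS).items():
        print(key, "OK" if not problems else problems)
```

The findings list is what you would put on the auditor dashboard from the Module 4 slide: each deployment either maps cleanly to its change record or carries a named control failure, and the check runs on every deploy rather than at a quarterly review.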

EXERCISE
Roleplay: Wicked Questions – Why do security teams think Dev and Ops should care about their perspective?

Orchestrating Security in the Flow

• Sample Orchestration
• Do you have the minimums?

DevSecOps sample orchestration (diagram):
CI/CD Dev Security: SAST
Ops Security: DAST/IAST
Compliance Security Ops: RASP/WAF
Repair and Repeat: GRC

Practices and Outcomes

Flow
• Security Driven Development
• Positive scenario
• Negative scenario
• Data science
• Product/feature teams collaborate with security
• Security Acceptance criteria
• Establish policy
• Legacy codes
• New implementations
• Improve collaboration

Feedback
• Shift security left
• Shorten feedback loops
• Shared on-call tasks
• Identify needed security feedback
• Current Scan status
• Pipeline acceptance
• Fixed/Unfixed CVE

Continuous Learning
• Continual experimentation
• Indicator of compromise
• SIEM (Security Information and Event Management)
• Share threat intel
• Indicator of Concern
• Repetition of practices
• Security Scaling
• Verification of continuous compliance

DISCUSSION
What are your worst practices?

Shift Security Left for Outcomes

Testing is integral to DevSecOps Practices

• Automated Testing
  • Unit
  • Functional
  • Regression
  • Integration
  • System
  • Others as required
• Test, Verify, Automate
• Move internal audit earlier
• Codify automated policies and compliance
• Real-time reporting
• Logging
• Central repository
• Alerts – Who alerts whom?
• Potential areas for automation

Securing Your CI/CD Pipeline

• Implementing “Just Enough” security
• Balance between real and perceived exposure
• Establish countermeasures based on risk
• Artifacts for Continuous Compliance

• Security by stage
• Scan for code success
• Measure for integrated vulnerability
• Assess integration
• Secure production data

DevSecOps, Cloud and Containers

Cloud Security:
• Always user’s responsibility
• Manage user credentials
• Limit storage accessibility to needed
• Monitor API access logs
• Coordinate configurations
• Establish Disaster Recovery plans
• Forensics/Incident Response emphasize live response, based on incident planning, automated data capture/workflow

Container Security:
• RBAC
• Securing orchestration platforms
• Certificates
• Service meshes and SDN
• Host security - nodes that the containers are running on
• APIs
• Base image vulnerability scanning
• Attack surface reduction using containers (lib bluetooth for webservice)

Security Champions

• In large organizations, it’s impossible to put security specialists on every team:
  • Choose champions to extend coverage
  • Improve communication channels to experts
  • Interact regularly between teams/experts
  • Scaling safety and security
  • Coordinate champions
• Always:
  • Plan, Review, Retro
  • Meaningful small work

CASE STORY: Comcast

“From a DevSecOps perspective, the way security teams have been engaging with development teams has not been fundamentally conducive to trust. They are polite in a corporate, political sense, acknowledging each other’s work, then they ignore what the opposite party is asking for from them. Behind each other's backs, the developers are essentially saying about the security folks, "Those security people, they just don't get what we do, they don't understand. They're just trying to force mandates on us, and this too shall pass just like every other movement that's been tried to be imposed upon us externally. We can just ride it out, and we will just ride it out." And then the security folks are saying, "Those developers, they're just putting poor quality code out there that's going to get us hacked. They're lazy and they don't care."

Larry Maccherone, DevSecOps Transformation Director

“There are no best practices. Only good practices in context.”

Benefits
• Frameworks and practices bake security in to your business
• Establishes the DevSecOps Manifesto for delivering security
• Builds trust between people and teams

Focus on Outcomes

Metrics: ID some metrics numbers

Telemetry – if you care about it, track it!
• Uptime/downtime
• CVE status
• Vulnerability assessment
• Risk standards
• Individuals with access

Personnel – what do people need?
• Happiness
• Job satisfaction
• Growth

Debt – occurs when fixes are implemented in the short term without long term solutions
• Technical Debt
• Process Debt
• Human Debt

Data Driven Decision Making

Types of Data
Quantitative (Numbers): 1, 2, 3 …
Qualitative (Narrative): "Define, Relative Importance”
Hybrid (Mixing Qual/Quan): Two or more sample types

Data Standards
• Setting code driven, peer-reviewed standards
• Extreme Programming
• Pair Programming
• Peer Review
• Code quality standards
• Repos
• Quality assurance

Validation of Data
• Bug bashes/vulnerability bashes
• Process Bash
• War games
• Tabletop exercises
• Bug bounties - 3rd Party
• Red Team/Blue Team/Purple Team

Red, Blue and Purple Teams

• Red Team
  • Always win – high motivation
  • Attacks from outside to verify security
• Blue Team
  • Always lose – low motivation
  • Work from inside to discover and close vulnerabilities
• Purple Team
  • New Thinking
  • Combine Red and Blue functions to establish compiled solutions
  • Allows "Blue" to test till completion without losing

Do Security Professionals Care About DevOps?

• Stakeholders
• Practitioners
• Observers

• Policy as code
• Integrated frameworks
• Automated checks
• Refactoring debt

• Threat hunters – everyone can report threats
• Error reporting – common framework
• Personal discussions - collaboration

Module Five Quiz

1. Which of the following is not a Separation of Duties (SoD) myth?
   a) DevOps + CI/CD means pushing straight to production
   b) All DevSecOps practices should begin with establishing a clear SoD
   c) SoD is effective at stopping fraud and errors
   d) SoD and DevOps are incompatible

2. All of the following are examples of validating data except:
   a) Red/Blue/Purple teams
   b) Tabletop exercises
   c) Code quality standards
   d) Bug bounty

3. What is the best reason to put security champions on your teams?
   a) Have an internal spy
   b) Improve communication
   c) Enforce standards on recalcitrant developers
   d) Hire more people into the security team

4. Shifting security left best exemplifies this aspect of DevOps practices
   a) The First Way
   b) The Second Way
   c) The Third Way
   d) Improvement Kata

5. Establishing security policies is best accomplished during this aspect of DevOps practices
   a) Continuous Security
   b) The First Way
   c) CI/CD Pipeline
   d) The Third Way


Module 6
BEST PRACTICES TO GET STARTED

Module 6: Best Practices to Get Started

• Identifying target state
• Value stream-thinking
• Flow
• Feedback
• Learning

Component    Module 6 Content
Video        Building Security into an Agile Cloud Transformation Project
Case Story   Sentara Healthcare
Discussion   Value Stream Mapping Experiences
Exercise     Reference Architecture Analysis

Identifying Target State

• Start with Value Stream Mapping
• Visually collaborate to establish where security activities currently happen
• Identify where there are constraints
• Collaborate to design a target state map to address security requirements earlier
• Identify communication and automation improvements

DISCUSSION
Value Stream Mapping Experiences

Video: ‘Building Security into an Agile Cloud Transformation Project’ by Chris Rutter (24:57)
https://youtu.be/o7-IuYS0iSE

BEST PRACTICES FOR FLOW

Artifact Management

• Value key pairing is as important as any other task in the organisation – mapping the right resources to the right owners
• Automate the maintenance of the CMDB (Configuration Management Database) via your CI/CD pipeline
• Define artifact onboarding or offboarding process
• Periodically review and update CMDB
• Data can be the biggest asset: when replicating production data for tests, keep it in a production secure environment

Risk Management

• Understand the threat landscape for the organisation and applications
• Perform threat modeling
• Automate the threat modeling as code (TaaC)
• Document the threat model process
• Risk acceptance from the relevant stakeholders
• Security fitness measurements allow you to quantify your risk
• Use KPIs to visualize risks
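As an added example of "threat modeling as code" (not course material, and not any specific TaaC tool), the Python below keeps the model as data, derives threats from trust-boundary crossings with two simple rules, scores them, insists that risk acceptance names a stakeholder, and produces the KPI numbers a risk dashboard would plot. The flow schema, the impact scale per data classification, the likelihood values and the sample model are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Flow:
    """One data flow in the threat model (constructed schema for this example)."""
    name: str
    src_zone: str        # trust zone of the sender, e.g. "internet"
    dst_zone: str        # trust zone of the receiver, e.g. "app"
    authenticated: bool  # is the caller authenticated on this flow?
    encrypted: bool      # is the flow protected in transit?
    data_class: str      # "public", "internal" or "confidential"


@dataclass
class Threat:
    flow: str
    title: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    mitigated: bool = False
    accepted_by: Optional[str] = None  # named stakeholder who accepted the risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        if self.score >= 12:
            return "high"
        return "medium" if self.score >= 6 else "low"


# Impact of exposure by data classification (assumed scale for the example).
IMPACT_BY_CLASS = {"public": 1, "internal": 3, "confidential": 5}


def derive_threats(flows: List[Flow]) -> List[Threat]:
    """Derive threats with two rules that only fire on trust-boundary crossings:
    an unauthenticated crossing allows a spoofed caller; an unencrypted crossing
    allows data to be read or altered in transit."""
    threats: List[Threat] = []
    for f in flows:
        if f.src_zone == f.dst_zone:
            continue  # inside one trust zone: out of scope for these rules
        impact = IMPACT_BY_CLASS[f.data_class]
        if not f.authenticated:
            threats.append(Threat(f.name, "spoofed caller across trust boundary", 4, impact))
        if not f.encrypted:
            threats.append(Threat(f.name, "data read or tampered in transit", 3, impact))
    return threats


def accept_risk(threat: Threat, stakeholder: str) -> None:
    """Record risk acceptance; it is only valid with a named stakeholder."""
    if not stakeholder.strip():
        raise ValueError("risk acceptance requires a named stakeholder")
    threat.accepted_by = stakeholder.strip()


def risk_kpis(threats: List[Threat]) -> Dict[str, int]:
    """Security fitness numbers for a risk dashboard."""
    open_ = [t for t in threats if not t.mitigated and t.accepted_by is None]
    return {
        "total": len(threats),
        "open_high": sum(1 for t in open_ if t.level == "high"),
        "open_medium": sum(1 for t in open_ if t.level == "medium"),
        "open_low": sum(1 for t in open_ if t.level == "low"),
        "accepted": sum(1 for t in threats if t.accepted_by is not None),
        "mitigated": sum(1 for t in threats if t.mitigated),
    }


# Constructed sample model (not from the course): a small web application.
SAMPLE_FLOWS = [
    Flow("browser->api login", "internet", "app", False, True, "confidential"),
    Flow("api->database", "app", "data", True, False, "confidential"),
    Flow("api->cache", "app", "app", False, False, "internal"),
    Flow("cdn->browser", "cdn", "internet", False, True, "public"),
]

if __name__ == "__main__":
    model = derive_threats(SAMPLE_FLOWS)
    for t in model:
        print(f"{t.level:6} {t.score:2}  {t.flow}: {t.title}")
    print(risk_kpis(model))
```

Because the model and the rules are code, they live in the repository next to the application, get reviewed in pull requests, and can be re-run whenever a flow is added; the KPI dictionary is what a "security fitness" dashboard would chart over time.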

Identity and Access Management (IAM)

• Regularly audit policies
• Identification of high-risk users
• Audit privileged accounts, grant least privilege to all users
• Enable Multi-factor Authentication (MFA)
• Track app-to-app credentials
• Automate security checks on secrets management
• Store and manage secrets, tokens, control access only in Vault, not other files
• Privileged access management tools limit production access for automation, orchestration and configuration tools

Secrets Management

• Nobody knows the secrets
• Authorized people have the keys
• Secrets are dynamic: they are never constant
• Make the secret a variable that is a pulled artifact (avoid secrets sprawl)
• Have secrets rotate on a cadence
• Least privilege for secrets store access
• Do not hard code
• The lifecycle of the secret is auditable
• Ensure all secrets are encrypted
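As an added example covering both the IAM and the Secrets Management checklists above (not course material, and independent of any vault product), the Python below audits a constructed inventory: privileged users without MFA and wildcard grants on the IAM side; secrets past their rotation cadence, kept outside the vault or unencrypted on the secrets side; and a least-privilege read that logs every attempt so the secret's lifecycle stays auditable. Account and secret fields, the audit date and all sample values are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass
class Account:
    name: str
    kind: str            # "user" or "app" (an app-to-app credential)
    privileged: bool     # holds production or administrative rights
    mfa_enabled: bool
    actions: List[str]   # granted actions, e.g. "deploy:run"; "*" is a wildcard


@dataclass
class Secret:
    name: str
    owner: str           # the one account allowed to read it
    created: date
    rotation_days: int   # agreed rotation cadence
    stored_in_vault: bool
    encrypted_at_rest: bool


def audit_accounts(accounts: List[Account]) -> List[str]:
    """Privileged users without MFA and wildcard grants (least privilege)."""
    findings: List[str] = []
    for a in accounts:
        if a.privileged and a.kind == "user" and not a.mfa_enabled:
            findings.append(f"{a.name}: privileged user without MFA")
        if any(act == "*" or act.endswith(":*") for act in a.actions):
            findings.append(f"{a.name}: wildcard grant violates least privilege")
    return findings


def audit_secrets(secrets: List[Secret], today: date) -> List[str]:
    """Secrets past their rotation cadence, outside the vault or unencrypted."""
    findings: List[str] = []
    for s in secrets:
        age = (today - s.created).days
        if age > s.rotation_days:
            findings.append(f"{s.name}: {age} days old, rotation cadence is {s.rotation_days} days")
        if not s.stored_in_vault:
            findings.append(f"{s.name}: stored outside the vault (secrets sprawl)")
        if not s.encrypted_at_rest:
            findings.append(f"{s.name}: not encrypted at rest")
    return findings


def read_secret(secret: Secret, requester: str, audit_log: List[str]) -> bool:
    """Least-privilege read: only the owner may read, and every attempt is logged
    so the secret's lifecycle stays auditable. Returns whether access was allowed."""
    allowed = requester == secret.owner
    audit_log.append(f"{requester} read {secret.name}: {'ok' if allowed else 'denied'}")
    return allowed


# Constructed sample data for this illustration (not from the course).
AUDIT_DATE = date(2021, 3, 16)
SAMPLE_ACCOUNTS = [
    Account("alice", "user", True, True, ["deploy:run"]),
    Account("bob", "user", True, False, ["deploy:run"]),
    Account("ci-bot", "app", False, False, ["storage:*"]),
    Account("reader", "user", False, False, ["storage:get"]),
]
SAMPLE_SECRETS = [
    Secret("db-password", "ci-bot", date(2021, 1, 1), 30, True, True),
    Secret("api-token", "alice", date(2021, 3, 1), 90, True, True),
    Secret("legacy-key", "bob", date(2021, 3, 10), 90, False, False),
]

if __name__ == "__main__":
    for line in audit_accounts(SAMPLE_ACCOUNTS) + audit_secrets(SAMPLE_SECRETS, AUDIT_DATE):
        print(line)
```

Run on a schedule from the pipeline, the two audit functions are the "automate security checks on secrets management" item made concrete, and the audit log written by `read_secret` is the evidence trail the IAM slide asks for on app-to-app credentials.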

Encryption

• Know your targets
  • Transit, data, points of interaction
• Ensure encryption standards are kept up to date – your infrastructure needs to support this – be wary of technical debt
• Use data classification to define the intellectual property or data of the asset to be encrypted
• Understand the risk and apply accordingly
• Encryption at rest and in transit and digital signatures
• Artifacts used to encrypt should be stored securely

EXERCISE
Reference Architecture Analysis

Web Applications

• Continuous Security for Apps
• Threat model the applications
• Keep a check on the source code vulnerabilities
• Automate the code commit security check and application testing
• Don’t miss addressing the third-party dependencies
• Good documentation can address half of the concerns
• Fail the build only when it’s a critical bug until the organization attains a higher capability

BEST PRACTICES FOR FEEDBACK

Governance, Risk and Compliance

• Implementation of configuration changes and policy rules
• Automate Compliance to run as code (CaC)
• Versioning is important to maintain code
• Setting up the process on when to fail the build in the pipeline
• Create feedback loops to understand the risks
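The "Securing Your CI/CD Pipeline" and "Web Applications" slides say to gate security by stage and, at first, to fail the build only on critical findings; this slide adds that the process for when to fail the build should run as compliance as code and be versioned. As an added example (not course material, and not the real output format of any scanner or CI system), the Python below expresses that gate as a versioned policy applied stage by stage, keeping every stage's result as a compliance artifact. Findings, policies and stage names are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    stage: str        # pipeline stage that produced it: "sast", "dependency", "dast"
    rule_id: str
    severity: str     # one of SEVERITY_RANK
    fixed: bool = False


@dataclass
class GatePolicy:
    """Versioned gate policy: the lowest severity that fails the build per stage."""
    version: str
    fail_at: Dict[str, str]
    default_fail_at: str = "critical"   # stages not listed only fail on critical


def evaluate_gate(stage: str, findings: List[Finding], policy: GatePolicy) -> Dict:
    """Apply the policy to one stage; the result doubles as a compliance artifact."""
    threshold = SEVERITY_RANK[policy.fail_at.get(stage, policy.default_fail_at)]
    reported = [f for f in findings if f.stage == stage and not f.fixed]
    blocking = [f for f in reported if SEVERITY_RANK[f.severity] >= threshold]
    return {
        "stage": stage,
        "policy_version": policy.version,
        "reported": len(reported),
        "blocking": len(blocking),
        "blocking_rules": sorted(f.rule_id for f in blocking),
        "pass": not blocking,
    }


def run_pipeline(stages: List[str], findings: List[Finding], policy: GatePolicy) -> Dict:
    """Run the gates stage by stage, stopping at the first failure, and keep
    every stage result as evidence for continuous compliance."""
    artifact = []
    for stage in stages:
        result = evaluate_gate(stage, findings, policy)
        artifact.append(result)
        if not result["pass"]:
            return {"passed": False, "failed_stage": stage, "artifact": artifact}
    return {"passed": True, "failed_stage": None, "artifact": artifact}


# Constructed sample findings and policies (not from the course or any real scanner).
SAMPLE_FINDINGS = [
    Finding("sast", "SQLI-1", "high"),
    Finding("sast", "XSS-2", "medium"),
    Finding("dependency", "DEP-1", "critical", fixed=True),   # already remediated
    Finding("dependency", "DEP-2", "medium"),
]
# Starting point: fail only on critical until the organization attains a higher capability.
STARTER_POLICY = GatePolicy("1.0", {"sast": "critical", "dependency": "critical"})
# Higher capability: tighten the thresholds; the version bump is the audit trail.
MATURE_POLICY = GatePolicy("2.0", {"sast": "high", "dependency": "medium"})
STAGES = ["sast", "dependency", "dast"]

if __name__ == "__main__":
    for policy in (STARTER_POLICY, MATURE_POLICY):
        print(policy.version, run_pipeline(STAGES, SAMPLE_FINDINGS, policy))
```

Non-blocking findings are still counted in `reported`, so the feedback loop sees the backlog that the starter policy tolerates; moving from policy 1.0 to 2.0 is a reviewed, versioned change rather than someone flipping a switch in the CI server.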

Monitoring and Logging

• On-boarding critical log sources (applications, servers, network devices, etc.)
• Enable required logs (e.g. application logs, platform logs, security logs etc.)
• Building use cases to capture critical activities
• Continuous monitoring of the production environment for exploitation of known/unknown vulnerabilities
• Prepare the response plan to handle the incidents

Spikes in utilization could be an indicator of an attack
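As an added example of the "build use cases to capture critical activities" and "spikes could be an indicator" points (not course material, and using a constructed log format rather than any product's), the Python below parses login events, counts failures per source address and minute, and flags buckets that stand well above the baseline, which is the kind of use case that feeds the response plan. The log lines, the addresses and the thresholds are constructed for the illustration.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample login events (not from the course or any real system).
SAMPLE_LOG = """\
2021-03-16T12:00:01Z app login user=alice src=10.0.0.5 result=failure
2021-03-16T12:00:03Z app login user=alice src=10.0.0.5 result=success
2021-03-16T12:05:10Z app login user=bob src=203.0.113.9 result=failure
2021-03-16T12:06:01Z app login user=bob src=203.0.113.9 result=failure
2021-03-16T12:06:02Z app login user=carol src=203.0.113.9 result=failure
2021-03-16T12:06:03Z app login user=dave src=203.0.113.9 result=failure
2021-03-16T12:06:04Z app login user=erin src=203.0.113.9 result=failure
2021-03-16T12:06:05Z app login user=frank src=203.0.113.9 result=failure
2021-03-16T12:06:06Z app login user=grace src=203.0.113.9 result=failure
2021-03-16T12:06:07Z app login user=heidi src=203.0.113.9 result=failure
2021-03-16T12:06:08Z app login user=ivan src=203.0.113.9 result=failure
2021-03-16T12:06:09Z app health result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) app login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse login lines into events; lines of any other shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_per_minute(events: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count failed logins per (source address, minute bucket)."""
    counts: Counter = Counter()
    for e in events:
        if e["result"] != "failure":
            continue
        minute = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H:%M")
        counts[(e["src"], minute)] += 1
    return dict(counts)


def detect_spikes(counts: Dict[Tuple[str, str], int], factor: float = 3.0,
                  min_count: int = 5) -> List[Tuple[str, str, int]]:
    """Flag buckets that are both above an absolute floor and `factor` times the
    mean bucket size; the floor keeps a quiet system from alerting on noise."""
    if not counts:
        return []
    baseline = sum(counts.values()) / len(counts)
    return sorted((src, minute, n) for (src, minute), n in counts.items()
                  if n >= min_count and n >= factor * baseline)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for src, minute, n in detect_spikes(failures_per_minute(events), factor=2.0):
        print(f"spike: {n} failed logins from {src} in minute {minute}")
```

In production the baseline would be computed over a longer history than the current window, and the alert would carry the "who alerts whom" routing from the response plan; the shape of the use case (parse, bucket, compare to baseline, alert) stays the same.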

Licensed For Use Only By: NagaPavan Kurapati pavan92002@gmail.com Mar 16 2021 12:22PM
Emergency Response

• Documented plan for handling the critical incidents
• Agreed RACI (Responsible, Accountable, Consulted and Informed) matrix
• Identify the right stakeholders
• Documented escalation matrix
• High severity incident creation with the bridge (call) details
• Knowing the Disaster Recovery (DR) plan
• High Availability (HA) setup for critical assets

Incident Response
• Be prepared to call in outside help
• Know your limits and have a contingency plan
• Leverage automation opportunities
• Tune your skills to include the cloud
• Triggers on log data and threat intelligence

Cyberthreat Intelligence Program

• Identify sources that define and explain the evolving threat landscape
• Document how the sources will be used
• Assign roles and responsibilities for collecting, assessing, and distributing the information

BEST PRACTICES FOR LEARNING

Valuing Best Practices

Principle: Practice
• Team-external/Org-internal vulnerability process: Process for assuring that team-external/org-internal vulnerabilities get resolved in the SLA
• High-severity clean: Resolving the initial set of in-pipeline scanning findings to zero
• Security peer-review: … as part of pull request
• Secure coding training: Checkmarx Codebashing (2-3 hours) required for all team members who regularly write production code
• Only merge secure code: Pull-request branch protection status check on scan results to stay at zero
• Threat modeling: 4-8 hour workshop with security architect facilitating an evaluation of your product design
• Production-ready security assessment: Periodically submitting your application(s) to internal white-box pen testing++ assessment
• Secrets management: Assuring that passwords, certificates, API keys etc. are securely stored and not in source code repositories
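The scanner below is an added example, not course material or any product's code: it implements the secrets-management practice from the table as a pre-commit check over the lines a diff adds, combining known-format patterns with a Shannon entropy test for generic tokens. The diff, rule names, entropy threshold and the `not-a-secret` allowlist marker are assumptions; the key values are the placeholder credentials from AWS's own documentation, not live secrets.

```python
"""Pre-commit style secret scanner over the lines a diff adds.

Added example, not course material: the patterns, the entropy threshold,
the allowlist marker and the diff text are assumptions for illustration.
"""
import math
import re
from collections import Counter

# Constructed diff. The key values are the placeholder credentials AWS uses
# in its own documentation; they are not live secrets.
DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,4 +1,6 @@
 import os
-SESSION_COOKIE_NAME = "sid"
+SESSION_COOKIE_NAME = "sessionid"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
+TEST_FIXTURE_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  # not-a-secret
"""

# Known-format secrets: cheap, low false-positive patterns.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("slack-token", re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}")),
]
# Generic secrets: a long quoted token on the line, judged by entropy.
ASSIGNED_TOKEN_RE = re.compile(r"""['"]([A-Za-z0-9+/=_\-]{20,})['"]""")
ALLOWLIST_MARKER = "not-a-secret"  # reviewer-approved exception, recorded inline
ENTROPY_THRESHOLD = 4.0  # bits per character; random base64 sits near 6


def shannon_entropy(text):
    """Bits of entropy per character of `text`."""
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(value):
    """Never echo the candidate into CI logs; show just enough to locate it."""
    return value[:4] + "..." + ("*" * 8)


def scan_diff(diff_text):
    """Return findings for lines the diff adds. Removed and context lines are
    skipped, so a diff that deletes a secret is not blocked for it."""
    findings, current_file = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            name = line[4:]
            current_file = name[2:] if name.startswith("b/") else name
            continue
        if not line.startswith("+"):
            continue
        content = line[1:]
        if ALLOWLIST_MARKER in content:
            continue
        for rule, regex in PATTERN_RULES:
            m = regex.search(content)
            if m:
                findings.append({"file": current_file, "rule": rule, "match": mask(m.group(0))})
                break
        else:
            for token in ASSIGNED_TOKEN_RE.findall(content):
                if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    findings.append({"file": current_file, "rule": "high-entropy-string",
                                     "match": mask(token)})
                    break
    return findings


if __name__ == "__main__":
    found = scan_diff(DIFF)
    for f in found:
        print(f)
    raise SystemExit(1 if found else 0)  # non-zero exit blocks the commit
```

The `DB_PASSWORD = os.environ[...]` line is the pattern the table asks for (the secret lives in a vault or the environment, not the repository) and produces no finding; the two assignments above it do, and the report masks the values so the scanner does not itself leak them into build logs.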

CASE STORY: Sentara Healthcare

"The important thing is always why. We are trying to improve our ability to engage consumers and deliver more digital solutions. This requires us to do things we haven't done before and we're using different tools and infrastructure. DevSecOps started out for us as a philosophy; 'How we should do things', and became a methodology; 'How we do things.' It's been a great learning process for us, learning how to work together, from the team that develop the code to the strategic leaders of the organization."

"Anything that falls into our DevSecOps model - my team now has complete visibility as every change happens."

Benefits
• DevSecOps practices underpinned cloud migration
• Transparency with the Development and Operations teams
• Better understanding of how teams work together to get more done

Dan Bowden, CISO

Continuous Learning Practices

• Module 8 focuses on Continuous Learning and Experimentation practices
• Identifying external options for security training
• Implementing training as policy
• Delivering experiential learning options
• Cross-Skilling
• Making use of the DevSecOps Collective Body of Knowledge

Module Six Quiz

1. Who wrote the book 'Value Stream Mapping'?
   a) Karen Martin and Mike Osterling
   b) Mike Orzen and Thomas Paider
   c) Gene Kim and Jez Humble
   d) Mike Rother and John Shook

2. What is CaC in the context of DevSecOps?
   a) Common Access Card
   b) Code as Competition
   c) Cybersecurity as Code
   d) Compliance as Code

3. What's important according to Sentara Healthcare in their DevSecOps implementation?
   a) What
   b) How
   c) Why
   d) Where

4. When considering encryption, what should you know?
   a) Your threats
   b) Your targets
   c) Your purpose
   d) Your secrets

5. In secrets management, who knows the secrets?
   a) Everyone
   b) No-one
   c) Only those authorized to do so
   d) Leadership

Module 7
DEVOPS PIPELINES AND CONTINUOUS COMPLIANCE

Module 7: DevOps Pipelines and Continuous Compliance

• The goal of a DevOps pipeline
• Why continuous compliance is important
• Archetypes and reference architectures
• Coordinating DevOps Pipeline construction
• DevSecOps tool categories, types and examples

Module 7 Content
• Video: Overview of DevSecOps
• Case Story: World Bank Group
• Discussion: What are the goals of a DevOps pipeline?
• Exercise: Explore SAST, DAST, IAST, SCA, CSA

The Goals of a Pipeline

• Quality in check: Is this build potentially releasable?
• Early Feedback: Detect bugs early, before production
• Failing Fast: Automated testing and quality check tooling
• Rapid Time to Market: Deploy software fast and continuously

DISCUSSION
What are the goals of a DevOps pipeline?

The Goals of a Pipeline

Continuous Integration
"Continuous Integration is a software development practice where members of a team integrate their work frequently, usually each person integrates at least daily - leading to multiple integrations per day. Each integration is verified by an automated build (including test) to detect integration errors as quickly as possible. Many teams find that this approach leads to significantly reduced integration problems and allows a team to develop cohesive software more rapidly."
- Martin Fowler

Continuous Delivery
"Continuous Delivery is the ability to get changes of all types—including new features, configuration changes, bug fixes and experiments—into production, or into the hands of users, safely and quickly in a sustainable way. Our goal is to make deployments—whether of a large-scale distributed system, a complex production environment, an embedded system, or an app—predictable, routine affairs that can be performed on demand."
- Jez Humble

Continuous Deployment
"Continuous Deployment means that every change goes through the pipeline and automatically gets put into production, resulting in many production deployments every day. Continuous Delivery just means that you are able to do frequent deployments but may choose not to do it, usually due to businesses preferring a slower rate of deployment. In order to do Continuous Deployment you must be doing Continuous Delivery."
- Martin Fowler

The Perils of a Pipeline

• Operation of a pipeline depends on the efficacy of the pipeline: accuracy of results from the tooling in the pipeline is essential
• Beware of 'Pipeline Bloat': too many tools could be of too little value
• Unattended pipelines: who is accountable for what?
• Vulnerable pipelines: hardcoded credentials, unhardened host environments

Planning a DevOps Pipeline

The Pipeline Architecture
Involving the right stakeholders: Architects, DevOps Teams, Security, Business Owners

The Outcome of the Pipeline
Involving the right stakeholders: Architects, Developers, Security, Business Owners, DevOps Teams

The Pipeline Itself

• Notification: Emails, Dashboards, ChatOps
• Health: Status, Available Agents, Capacity Monitoring
• Architecture: Virtual Machines, Containerized, PaaS Model

Module 7: DevOps Pipelines and Continuous Compliance

'Overview of DevSecOps'
https://youtu.be/o7-IuYS0iSE
by Nicolas Chaillan (6:24)

Planning a DevOps Pipeline – The Outcome

What needs to be built?
• The technology and the framework stack for the software
• Dependency management

Non-Functional Requirements
• Performance
• Compliance
• Security

Approved Tooling
• Licensed tooling and Open Source tooling

Build Time
• Target build time

An Example of a DevOps Pipeline

Pipeline Tasks with Minimalistic Security Checks

Lint checks are the automated checking of your source code for programmatic and stylistic errors.

Ensuring Software Security through the Build Pipeline

Where tools work well ("known bad"):
• Finding known vulnerabilities (published CVEs)
• Finding common software weaknesses (CWEs)
• Automating repetitive security tasks (checking misconfigurations)
• Fuzz testing and long-running security tasks

Where tools need improvement:
• Business logic flaws (e.g. a customer can't request a refund twice)
• Authorization flaws (privilege escalation)
• Accuracy of scan results

Automated Security Checks and Tooling

• Static (SAST): Analyze either the source code or the compiled binaries; also SCA and CSA
• Dynamic (DAST): Analyze the running application
• Hybrid (IAST/RASP): Agent installed on the application server combining both dynamic and static analysis. IAST instruments the application while tests run to find vulnerabilities; RASP runs the same kind of agent in production to detect and block attacks at runtime.
• Software Composition Analysis (SCA): Analyzing what the software is composed of in terms of dependent frameworks and libraries. Cheapest method.
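The code below is an added example, not course material or any SCA product: it ties together the "fail the build only when it's a critical bug" guidance from Module 6, the "when to fail the build" process from the GRC slide, and the SCA category defined here. It matches a constructed pinned lockfile against a constructed advisory list and then applies a severity gate whose threshold can be lowered as the organisation matures; advisory ids, version ranges and the waiver format are assumptions.

```python
"""Software composition analysis with a severity-based build gate.

Added example, not course material: the lockfile, the advisory list, the
version-range grammar and the waiver format are constructed assumptions;
a real SCA tool pulls advisories from a vulnerability database.
"""
import re
from datetime import date

# Constructed pinned requirements (the "what is the software composed of" input).
REQUIREMENTS = """\
requests==2.19.1
pyyaml==5.1
django==3.1.2
# test tooling
pytest==6.2.0
"""

# Constructed advisories; ids and affected ranges are invented for the example.
ADVISORIES = [
    {"id": "ADV-0001", "package": "requests", "severity": "high", "affected": "<2.20.0"},
    {"id": "ADV-0002", "package": "pyyaml", "severity": "critical", "affected": "<5.4"},
    {"id": "ADV-0003", "package": "django", "severity": "medium", "affected": ">=3.0,<3.1.4"},
    {"id": "ADV-0004", "package": "django", "severity": "critical", "affected": ">=2.0,<3.0.0"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b,
}


def parse_version(text, width=3):
    """'5.1' -> (5, 1, 0): pad so that '5.1' and '5.1.0' compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def version_in_range(version, spec):
    """spec is a comma-separated list of comparators, all of which must hold."""
    for clause in spec.split(","):
        op, bound = re.fullmatch(r"(<=|>=|==|<|>)\s*([\d.]+)", clause.strip()).groups()
        if not _OPS[op](parse_version(version), parse_version(bound)):
            return False
    return True


def parse_requirements(text):
    """Yield (package, version) for pinned lines; comments and blanks are ignored."""
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([\d.]+)", line.strip())
        if m:
            yield m.group(1).lower(), m.group(2)


def find_vulnerable(requirements_text, advisories):
    """Match each pinned dependency against the advisory list."""
    findings = []
    for package, version in parse_requirements(requirements_text):
        for adv in advisories:
            if adv["package"] == package and version_in_range(version, adv["affected"]):
                findings.append({"package": package, "version": version,
                                 "id": adv["id"], "severity": adv["severity"]})
    return findings


def gate(findings, fail_on="critical", waivers=None, today=None):
    """Decide whether the build passes.

    fail_on is the lowest severity that breaks the build: start at "critical"
    and lower it as the organisation's capability grows. waivers maps an
    advisory id to an ISO expiry date; an expired waiver no longer waives.
    today is an ISO date string (defaults to the real date).
    Returns (passed, blocking, waived)."""
    today = date.fromisoformat(today) if today else date.today()
    waivers = waivers or {}
    threshold = SEVERITY_RANK[fail_on]
    blocking, waived = [], []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue  # still reported, but below the gate
        expiry = waivers.get(f["id"])
        if expiry and date.fromisoformat(expiry) >= today:
            waived.append(f)
        else:
            blocking.append(f)
    return (not blocking), blocking, waived


if __name__ == "__main__":
    found = find_vulnerable(REQUIREMENTS, ADVISORIES)
    passed, blocking, waived = gate(found, fail_on="critical")
    print("passed:", passed, "blocking:", [b["id"] for b in blocking])
```

Waivers carry an expiry so that a risk acceptance cannot silently become permanent: an expired waiver blocks the build again, which is the behaviour you want from a gate that has to stay honest as the capability bar is raised from "critical only" to "high and above".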

EXERCISE
Compare and contrast various categories of security tooling

SAST / DAST / IAST / RASP - Examples

SAST
• Free or Open Source: SonarQube, VisualCodeGrepper, FindSecurityBugs (FindSecBugs), Bandit, Security Code Scan
• Commercial: Coverity, Checkmarx, Fortify Static Code Analyzer, Veracode

DAST
• Free or Open Source: Nikto, OWASP ZAP, Arachni, Sqlmap
• Commercial: AppScan, Acunetix, Netsparker, Fortify WebInspect, WhiteHat

IAST / RASP
• Free or Open Source: OWASP AppSensor
• Commercial: Contrast, Synopsys (Seeker), HDIV Security

CASE STORY: World Bank Group

"Our journey started as a Development project, then morphed into an Ops project. As the years have accumulated it's become almost a program. We started by addressing the most significant risk decisions that we have to support in an automated manner. Then we looked at speed versus scalability versus quality. The goal is to support a service that can be done in minutes and support an asynchronous mode. We phased the implementation of our automation."

"Moving to the cloud raised the business' expectations on the technology group."

Benefits
• Automated risk decision gates: 500 decisions per month
• Matched technology speed to business' expectations
• Codified security controls into Infrastructure-as-Code templates

Srinivasa Kasturi, Information Security Officer

Tooling Evaluation Criteria

• Integration with SDLC
  • Integrations with Build systems
  • Integrations with Bug Tracking systems
  • Integrations with IDEs
• Fuzzing/Regression testing
• APIs
  • For custom automation and tuning
  • For retrieving specific vulnerability categories
  • For retrieving specific risks
• Scanning Time
  • Incremental scans for velocity support
• Integration with Ops
  • SIEM
  • Integrations with Vulnerability Management
• Release frequency
• Signature update frequency
• Learning/Customization/Tuning time
• Developer usability
• Support systems
• Detection accuracy
• On-premise or SaaS
• Language, framework, technology
• Customizable vulnerability rules and signatures

Continuous Compliance

• Continuous Compliance aims at maintaining compliance of IT systems on an ongoing basis when systems are ever evolving and changing
• Compliance teams need to engage with Dev and Ops early on during systems design and development, shifting left
• Compliance as Code helps in automating compliance requirements as code to foster collaboration, repeatability, and continuous compliance. Example: InSpec from Chef
• Continuous Compliance could be achieved using Compliance as Code, Security Policies, Benchmarks, Auditing, and Monitoring
• Managing exceptions from compliance requirements, and identifying compliance drift, are key areas of focus in achieving Continuous Compliance
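The checker below is an added example, not course material and not InSpec: it shows the shape of Compliance as Code by evaluating benchmark-style controls against a collected sshd_config, recording documented exceptions, and reporting drift against the previous run. Control ids, expected values, the exception register and the configuration text are all constructed.

```python
"""Compliance as code: benchmark-style controls evaluated against a host
configuration, with documented exceptions and drift detection.

Added example, not course material, and not InSpec: the control ids, the
expected values and the sshd_config text are constructed for illustration.
"""

# Constructed sshd_config as collected from a host (not a real server).
# Note the duplicate PermitRootLogin: sshd honours the first one it reads.
SSHD_CONFIG = """\
# sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
X11Forwarding no
ClientAliveInterval 300
PermitRootLogin no
"""

# Constructed controls in the style of a hardening benchmark.
CONTROLS = [
    {"id": "SSH-01", "title": "Root login over SSH is disabled", "key": "PermitRootLogin", "expect": "no"},
    {"id": "SSH-02", "title": "Password authentication is disabled", "key": "PasswordAuthentication", "expect": "no"},
    {"id": "SSH-03", "title": "At most 4 authentication attempts", "key": "MaxAuthTries", "max": 4},
    {"id": "SSH-04", "title": "X11 forwarding is disabled", "key": "X11Forwarding", "expect": "no"},
    {"id": "SSH-05", "title": "Idle sessions are dropped", "key": "ClientAliveInterval", "max": 300},
]

# Constructed exception register: control id -> ticket justifying the risk acceptance.
EXCEPTIONS = {"SSH-01": "RISK-1234: root login required by legacy backup job until Q3"}

# Constructed result of the previous pipeline run, as it would be stored for drift checks.
PREVIOUS_RUN = {"SSH-01": "excepted", "SSH-02": "pass", "SSH-03": "pass",
                "SSH-04": "pass", "SSH-05": "pass"}


def parse_sshd_config(text):
    """Effective keyword values. sshd applies the first value it reads for a
    keyword, so a hardening line appended below a permissive one does nothing;
    the parser mirrors that rule rather than letting the last line win."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)
    return effective


def check(control, config):
    """Return 'pass' or 'fail'. A missing keyword fails: the benchmark wants the
    setting explicit, and the sshd default (e.g. MaxAuthTries 6) is not compliant."""
    value = config.get(control["key"].lower())
    if value is None:
        return "fail"
    if "expect" in control:
        return "pass" if value.lower() == control["expect"] else "fail"
    try:
        return "pass" if int(value) <= control["max"] else "fail"
    except ValueError:
        return "fail"


def evaluate(config_text, controls=CONTROLS, exceptions=EXCEPTIONS):
    """Status per control: pass, fail, or excepted (failing, but with a documented waiver).
    An exception never turns a failure into a pass, so the risk stays visible."""
    config = parse_sshd_config(config_text)
    results = {}
    for control in controls:
        status = check(control, config)
        if status == "fail" and control["id"] in exceptions:
            status = "excepted"
        results[control["id"]] = status
    return results


def drift(previous, current):
    """Controls that did not fail last run and fail now."""
    return sorted(cid for cid, status in current.items()
                  if status == "fail" and previous.get(cid) != "fail")


if __name__ == "__main__":
    now = evaluate(SSHD_CONFIG)
    print(now)
    print("drift:", drift(PREVIOUS_RUN, now))
```

Two details matter in practice: the parser mirrors sshd's first-value-wins rule, so the appended `PermitRootLogin no` is correctly reported as ineffective, and an exception only changes a control's status to excepted, never to pass, so the accepted risk remains in every report until the exception is removed.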

Continuous Compliance
An Example from Azure Security Center

Security Information and Event Management

SIEM assists in:
• Quantifying threat agents
• Quantifying likelihood of a security event
• Offering threat intelligence
• Providing critical security analytics data for apps, databases and networks
• Feeding information to Risk Management
• Aiding DevOps and security teams to build appropriate layered defenses

"Security Information and Event Management (SIEM) is a subsection within the field of computer security, where software products and services combine Security Information Management (SIM) and Security Event Management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware." (Wikipedia)

SIEM: Security Information and Event Management

Data sources:
• LDAP
• DNS
• Firewall
• Events
• Database logs
• Application logs
• Web Application Firewall
• IAST / RASP

Dashboarding capabilities:
• # Events created
• # Alerts raised
• # Cases under investigation
• # Blocked incidents

Commonly used formats:
• Common Event Format (CEF)
• Syslog
• REST APIs
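The parser below is an added example, not course material or a SIEM vendor's code: it reads events in Common Event Format as they arrive over syslog, resolves the header and extension escaping the format requires, and rolls the results into the kind of counters the dashboard bullets describe. The events, product names and the severity-7 alert threshold are constructed assumptions.

```python
"""Parsing Common Event Format (CEF) events for SIEM ingestion.

Added example, not course material: the sample events are constructed, and
the alert threshold (severity 7 and above) and product names are assumptions.
"""
import re

# Constructed events as they would arrive over syslog (host prefix, then CEF).
# Pipes and equals signs inside values are escaped as the format requires.
SAMPLE_EVENTS = r"""
Mar 16 12:22:01 scanner01 CEF:0|Checkmarx|CxSAST|9.0|1002|SQL Injection|8|suser=ci-bot act=scan-complete msg=Finding in login.py line\=42 cs1=pipeline-42
Mar 16 12:22:05 waf01 CEF:0|Acme|WAF|1.2|100|Blocked request|9|src=203.0.113.7 dst=10.0.1.10 request=/admin?id\=1 act=block
Mar 16 12:22:09 gw01 CEF:0|Acme|Auth\|Gateway|2.0|200|Login success|2|suser=alice src=198.51.100.4
not a cef line at all
""".strip()

ALERT_SEVERITY = 7
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
_EXT_ESCAPES = {"n": "\n", "r": "\r"}  # \= \\ and \| map to the character itself


def _split_header(text, nfields):
    """Return the first nfields header values (escapes resolved) and the raw
    remainder. A pipe preceded by a backslash is a literal pipe, not a separator."""
    fields, current, i = [], [], 0
    while i < len(text) and len(fields) < nfields:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    return fields, text[i:]


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: _EXT_ESCAPES.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Parse one event; returns None for lines that carry no CEF payload."""
    start = line.find("CEF:")
    if start < 0:
        return None
    fields, extension = _split_header(line[start + len("CEF:"):], len(HEADER_FIELDS))
    if len(fields) != len(HEADER_FIELDS):
        return None  # truncated header
    event = dict(zip(HEADER_FIELDS, fields))
    event["syslog_prefix"] = line[:start].strip()
    sev = event["severity"]
    event["severity"] = int(sev) if sev.isdigit() else sev  # CEF also allows Low/Medium/High/Very-High
    ext = {}
    if extension.strip():
        # A new pair starts at whitespace followed by key=; an unescaped '=' in a
        # value would be read as a key, which is why the format requires '\='.
        for pair in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", extension.strip()):
            key, _, value = pair.partition("=")
            ext[key] = _unescape(value)
    event["extension"] = ext
    return event


def summarize(lines, alert_severity=ALERT_SEVERITY):
    """Dashboard counters: parsed events, events at alert severity, counts per product."""
    summary = {"events": 0, "alerts": 0, "unparsed": 0, "by_product": {}}
    for line in lines:
        event = parse_cef(line)
        if event is None:
            summary["unparsed"] += 1
            continue
        summary["events"] += 1
        product = event["device_product"]
        summary["by_product"][product] = summary["by_product"].get(product, 0) + 1
        if isinstance(event["severity"], int) and event["severity"] >= alert_severity:
            summary["alerts"] += 1
    return summary


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS.splitlines()))
```

The one ambiguity a parser cannot resolve is an unescaped `=` inside a value: the format requires `\=` there and the key lookahead relies on it, so senders that do not escape should be normalised at the collector, and the `unparsed` counter is worth alerting on because a silent drop in parsed events is itself a detection gap.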

A DevSecOps Pipeline Reference

Module Seven Quiz

1. Common software weaknesses are captured by which list?
   a) CVE
   b) CWE
   c) CVSS
   d) CIS

2. Which of these tools helps with automating compliance as code?
   a) Chef
   b) InSpec
   c) OWASP ZAP
   d) AWS Inspector

3. The tool Arachni falls under which category?
   a) DAST
   b) SAST
   c) SCA
   d) IAST

4. Application security scans can be optimized through?
   a) Customizing scanning rules to application's context
   b) Scanning only the delta (changes from last build)
   c) Increasing CPU and memory for parallelization
   d) All the above

5. Which is an example of a non-functional software requirement?
   a) Compliance
   b) Performance
   c) Security
   d) All the above

Module 8
LEARNING USING OUTCOMES

Module 8: Learning Using Outcomes

• Security Training Options
• Training as Policy
• Experiential Learning
• Cross-Skilling
• The DevSecOps Collective Body of Knowledge
• Preparing for the DevSecOps Foundation certification exam
• Next Steps

Module 8 Content
• Video: Failure and The Third Way
• Case Story: Ericsson
• Discussion: 3 Ways to Free Learning
• Exercise: Retrospective

Module 8: Learning Using Outcomes

'Failure and The Third Way'
https://youtu.be/o7-IuYS0iSE
with Aaron Blythe (5:26)

DISCUSSION
Your Three Ways to Free Learning

DevSecOps Learning Communities

• The Third Way: Continuous Learning
• What should you value?
  • Certification
  • Degree
  • Experiences
    • Volunteer (OWASP, DevOps Days)
    • Personal (Git projects)
    • Virtual groups: DevOps Institute Community
    • Previous jobs

Security Training

• Where do I get training?
  • Short Courses/Boot Camp
  • University
  • Non-Boot Camp schools
• Where should we get training?

When implementing training, bring a SCARF: Status, Certainty, Autonomy, Relatedness, Fairness.

Training as Policy

• Lunch and Learn
• Organizational Requirements
  • Mentoring
  • Professional Ed requirements
• Individual Goals
  • Employee Plans
  • Mentoring
• Structured training
  • Classes
  • Dojo

DevSecOps Dojos

• Dojo: a room or hall in which judo and other martial arts are practised
• Means "place of the way" in Japanese
• In DevOps, it's an immersive learning environment
• Dojo experiences are typically referred to as "challenges"
• Two main goals:
  1. Deliver current work
  2. Learn how to acquire and develop long-standing skills
• Join the Dojo Consortium to learn more

Security Chaos Engineering

Aaron Rinehart, CTO, Verica, and an originator of Security Chaos Engineering

Reviewing Experiences

• Experiences stick for a while
• Lock experience in with the review process
• Implementing the review process
  • Document stories
  • Share stories
  • Sponsor Champions
• Reviewing the review process

Retrospective Learning

• Starting the Retrospective: goals
  • Obtain honest feedback
  • Find the holes in delivery
  • Find strong points
  • Create new work to fix holes
  • Don't lose strengths
  • Can be better to improve strengths than fix weaknesses
• Process Debt
• Human Debt
• Technical Debt

Innovative Learning

• Allocate time for innovation and learning
  • As part of the Sprint
  • Hackathons
  • Simulations
  • Book Club
  • Toastmasters

Gamification

• Gamification can be used to raise awareness in secure development
  • Code Hunt
  • Build It, Break It, Fix It
  • Code Defenders
• Dr. Manuel Maarek et al, RISCS research project, 'Impact of Gamification on Developer-Centred Security', created an online platform experiment:
  • Extension of GitHub
  • Coding-based game
  • Engage and help developers with security practices
• Cyber Warrior Network (CWN)

CWN uses the Cyber Wraith tool to evaluate professional skills.

Secure Code Warrior houses a suite of tools to educate developers about security through games, training and real-time corrections.

Education and Awareness Plans

For Developers
• Writing secure code
• Programming languages
• Tool training

For Testers
• Automated testing
• Application Security testing techniques
• Tool training

For Security
• Vulnerability analysis
• Why security is necessary
• Dev processes and tools

For Leadership
• Pipeline metrics
• Understanding DevSecOps
• Metric analysis
• Value streams

Cross-Skilling

The DevOps Institute Certification program
• No formal prerequisites
• Take the course you need
• Pass the exam
• No renewal requirements or fees

DevOps Institute SKILup Days

• Monthly SKILup Days
  • Selected topics
  • Vendor availability
  • Community chat
  • Speaker presence
  • View live or on-demand
• Slack channel
• SKILup Chapters

The DevSecOps Collective Body of Knowledge

• Books
• Conferences
• Webpages
• Organization
• Community
• GitHub

CASE STORY: Ericsson

"Applying complex systems thinking, growing the agile mindset through storytelling, and visualizing the interplay; these are some of the things that drove the agile transformation at Ericsson. Having a leadership team that fully embraced agility, an independent group of agile coaches, and doing frequent retrospectives in the leadership team ensured that the transformation stayed on track."

"The learning here is, that it starts with the leaders and you need well-educated and skillful coaches to make the transformation successful."

Benefits
• Run organizational system leadership retrospectives. In the beginning, more than 50% of leadership meetings addressed system retrospection
• Include a self-organized, independent group of well-educated agile coaches who support the agile transformation

Hendrik Esser, Manager Special Projects

Your DevSecOps Career

In 2019 there was a reported global cybersecurity staffing shortage of 3 million and growing.

What comes next?

• Think this is the end?
• Continuous Learning means forever

EXERCISE
Retrospective

Module Eight Quiz

1. What is The Third Way of DevOps?
   a) Continuous Flow and Feedback
   b) Continuous Feedback and Improvement
   c) Continuous Experimentation and Learning
   d) Continuous Security and Compliance

2. Which is not required for a good retrospective?
   a) Obtain honest feedback
   b) Find the holes in delivery
   c) Find strong points
   d) Assign blame for mistakes

3. This term represents an immersive learning environment and is taken from a martial arts term?
   a) Kanban
   b) Kaizen
   c) Dojo
   d) Kata

4. What does the 'S' in David Rock's SCARF acronym represent?
   a) Stress
   b) Status
   c) Simplicity
   d) Sophistication

5. As a best practice, organizations should devote this amount of their energy to continuous learning practices during the sprint cycle
   a) 10-20%
   b) 0-10%
   c) 40-50%
   d) 30-50%

Summary

• DevSecOps practices…
  • Deliver better value outcomes sooner, safer, happier
  • Lead to continuous compliance
  • Measure and mitigate risks associated with cyber attacks

"DevSecOps essentially breaks down the enterprise security silo by cultivating a symbiotic relationship between security and other business units and increases product quality and delivery velocity by adding security-specific techniques and toolsets to DevOps practices."

DJ Schleen

Special Thanks to Contributors

DevOps Institute would like to acknowledge and thank the subject matter experts and thought leaders who contributed their valuable input, knowledge and expertise to the development of this course and certification.

• Lavanya Arul - DevOps and Agile Consultant and Trainer; DevOps Institute Ambassador
• Helen Beal - DevOps Institute Chief Ambassador; Ways of Working Coach
• Shlomo Bielak - Chief Technology Officer, Benchmark Corp; DevOps Institute Ambassador
• Felipe Duenas - Consultant, agile + flow; DevOps Institute Ambassador
• Marudhamaran Gunasekaran - Security Consultant; DevOps Institute Ambassador
• Mark Peters - Cybersecurity & Intel Expert; Agile Leader; Author & Speaker; DevOps Institute Ambassador
• Vandana Verma Sehgal - Global Board of Directors, OWASP Foundation; President, InfoSecGirls; DevOps Institute Ambassador