DevSecOps - Deloitte


DevSecOps: Embedded Security Within the Hyper Agile Speed of DevOps

Mark G. Moore, Managing Director, Deloitte and Touche LLP
Antonio L. Bovoso, Senior Manager, Deloitte and Touche LLP

What is DevSecOps?

A transformational shift which incorporates secure culture, practices, and tools to drive visibility, collaboration, and agility of security into each phase of the DevOps pipeline.

The four pillars:

- Governance: Establish security ‘guardrails’ and monitor results
- People: Break down silos between security and DevOps teams and instill cyber awareness
- Process: Orchestrate an integrated process flow and drive ‘in-line’ risk rationalized feedback
- Technology: Automate recurring security tasks and harden the development pipeline

Practices across the pillars:

- Redesign the operational & compliance framework
- Incorporate security staff in DevOps teams
- Establish shared metrics to evaluate progress
- Have security teams brief dev and ops teams on current threats / exploits / breaches
- Asset inventory and risk awareness
- Automate secure application development
- Integrated backlog and pipeline
- Security telemetry and incident response
- Protect the toolchain and infrastructure

Continuous improvement and added value:

- Improve security and quality: increase deployment success rate; reduce mean time to resolve incidents; reduce number of open security defects
- Improve time to market: increase production deployment frequency; greater speed of deployment
- Improve compliance feedback: reduction in open compliance findings; decrease time from audit request to evidence delivery
- Improve productivity: more story points per sprint; increase pipeline velocity; controlled production access

Copyright 2018 Deloitte Development LLC. All rights reserved.

From DevOps to DevSecOps

What is DevOps?
A set of practices that automates the processes between development and operations teams to build, test, and release software quickly and reliably.

Why security in DevOps?

- The ability to deploy applications has improved in both scale and speed, while security considerations are often overlooked in favor of meeting business demands quickly
- Given the reliance on applications to keep operations running, security in the development process cannot be an afterthought
- Application security must speed up to keep pace with operations

How can we bring security into DevOps?

- Tightly integrate security tools and processes throughout the DevOps pipeline
- Automate core security tasks by embedding security controls early on in the software development lifecycle
- Continuously monitor and remediate security defects across the application lifecycle, including development and maintenance

Key Benefits:

- Continuous security: DevSecOps implements the ‘secure by design’ principle by using automated security review of code and automated application security testing
- Increased efficiency & product quality: Security issues are detected and remediated during development phases, which increases the speed of delivery and enhances quality
- Enhanced compliance: In DevSecOps, security auditing, monitoring, and notification systems are automated and continuously monitored, which facilitates enhanced compliance
- Increased collaboration: By integrating development, security and operations, DevSecOps fosters a culture of openness and transparency from the earliest stages of development

Common myths and misconceptions

Perceived challenges and piece-meal integration often hinder organizations from realizing the value of incorporating security into DevOps.

- DevSecOps is only “Security as Code” or automation
- DevSecOps is incompatible with my compliance requirements
- The security team does not require development knowledge
- DevSecOps requires developers to be security experts
- DevSecOps just means code scanning
- DevSecOps requires significant tool investment
- DevSecOps prevents organizations from meeting their business objectives

A DevSecOps program requires continuous improvement to achieve desired efficiency

Strategic Goals:

- Strategy: Establish strategic drivers for DevOps teams to meet changing business requirements without excluding security and compliance needs
- Cultural transformation: Continuous enablement to initiate culture change to foster collaboration between developers, security teams, and operations

Architecture and Operations:

- Design: Design a DevSecOps operating model that includes designing data flows, developing standards, and mapping technologies and processes to core security operations
- Execution: Implement new tools and processes to enable security in the DevOps environment

Program Evaluation:

- Monitor: Ensure processes are followed, maintained, reviewed and updated regularly
- Implement processes to perform lessons learned, evaluate policies and enhance training

Continuous Process Improvement

The DevSecOps transformation is achieved through the following pillars:

- Governance: Establish security ‘guardrails’ and monitor results
- People: Staff against business priorities and disseminate security know-how
- Process: Orchestrate an integrated process flow and drive ‘in-line’ risk rationalized feedback
- Technology: Automate recurring security tasks and harden the development pipeline

Drive scalable governance for DevSecOps

The approach to developing a sustainable governance model is through enabling security services that are business aligned, agile, self-service and risk based.

Governance:

- DevSecOps Roles and Responsibilities: Establishing well defined roles and responsibilities is imperative in cross-functional DevOps teams. It leads to efficient operations for a product
- Establish Policies and Procedures: Introducing DevSecOps-specific policies and procedures will enable organizations to keep up with the pace of application development in a DevOps environment
- Enable Security Automation: Automated security tools in the DevSecOps pipeline improve overall security by reducing vulnerabilities and security flaws due to human error
- Automated Audit Evidence Collection: Security monitoring and notification systems in DevSecOps create an automated audit trail throughout the software development lifecycle, which facilitates compliance reporting
- Monitor Security Metrics for Continuous Feedback: Continuously monitoring security metrics allows DevOps teams to consistently improve their security decisions and stay on top of the game

DevSecOps success criteria

Open collaboration to shared objectives:

- Set shared expectations and metrics for measuring success
- Align security architects and focus activities based on business priorities
- Create consumable, self-service security capabilities

Security at the source:

- Establish security ‘guardrails’ and monitor results / provide targeted feedback

Reinforce and elevate through automation:

- Orchestrate integrated process flow by automating recurring tasks

Risk-oriented operations and actionable insights:

- Utilize operational insights and threat intelligence to drive process flow, prioritization and remediation recommendations

Holistic approach to security objectives; proactive monitoring and recursive feedback:

- Embed preventative operational controls and audit trails
- Don’t just rely on scans; take a risk-based approach to testing
- Integrate a framework to secure both the pipeline and the application
- End-to-end security implementation
- Provide defense-in-depth within the production environment
- Continuous testing to identify problems before they become issues
- Leverage logging / telemetry to drive learning and innovation

This presentation contains general information only and Deloitte Risk and Financial Advisory is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte Risk and Financial Advisory shall not be responsible for any loss sustained by any person who relies on this presentation.

As used in this document, “Deloitte Risk and Financial Advisory” means Deloitte & Touche LLP, which provides audit and risk advisory services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.
