- An example of best practice.
- We have a standard, PCI DSS (Payment Card Industry Data Security Standard).
- Let's look at one rule, Requirement 11.2:
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, or product upgrades).
Address vulnerabilities and perform rescans as needed, until passing scans are achieved.
After passing a scan for initial PCI DSS compliance, an entity must, in subsequent years, complete four consecutive quarters of passing scans.
Quarterly external scans must be performed by an Approved Scanning Vendor (ASV).
- The standard requires this scan quarterly (and after any significant change). Quarterly is the floor the auditor checks, not a target.
- DevSecOps is about shifting left: instead of waiting for the quarter, run the same kind of scan after every build and deployment, which in a DevOps shop can mean daily. The external quarterly scans still have to come from an ASV, so pipeline scans supplement the compliance scans rather than replace them; what they buy is finding and fixing vulnerabilities weeks before the ASV sees them, so the quarterly scan passes first time instead of after a rescan cycle.
- In DevOps, infrastructure is created through infrastructure provisioning, whose key principle is IaC (Infrastructure as Code): the environment is described in version-controlled definitions and built from them, not configured by hand.
- DevSecOps applies the same principle to security, Security as Code: security checks, policies and scan pass/fail thresholds live in the repository and run in the pipeline, so they are versioned, reviewed and enforced automatically like any other code.
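What "scan after every build" and "Security as Code" look like together, as an added example that is not part of the original notes: a pipeline gate that reads a vulnerability scan report, compares each finding against a CVSS threshold (4.0 by default, which is the ASV programme's failing line) and fails the build unless every finding at or above the threshold has a documented, unexpired exception. The report shape, finding ids, hosts and the exception register are constructed for the example; a real scanner's export would be mapped into the same `findings` list.

```python
#!/usr/bin/env python3
"""Added example (not from the original notes): a per-build vulnerability gate.

Fails the pipeline when a scan report contains findings at or above a CVSS
threshold that have no documented, unexpired exception. All sample data below
is constructed; it does not come from any real scanner.
"""
import json
import sys
from datetime import date

# The ASV programme treats a CVSS base score of 4.0 or higher as a failing scan,
# so the gate draws the same line by default.
DEFAULT_THRESHOLD = 4.0

# Constructed sample report, standing in for a scanner's JSON export.
SAMPLE_REPORT = json.dumps({
    "scanned_at": "2025-03-01",
    "findings": [
        {"id": "FINDING-001", "host": "10.0.1.10", "cvss": 9.8,
         "title": "Outdated TLS library"},
        {"id": "FINDING-002", "host": "10.0.1.10", "cvss": 5.3,
         "title": "Directory listing enabled"},
        {"id": "FINDING-003", "host": "10.0.1.20", "cvss": 2.1,
         "title": "Banner discloses version"},
    ],
})

# Constructed report with the high finding fixed, to show a passing run.
CLEAN_REPORT = json.dumps({
    "scanned_at": "2025-03-02",
    "findings": [
        {"id": "FINDING-003", "host": "10.0.1.20", "cvss": 2.1,
         "title": "Banner discloses version"},
    ],
})

# Constructed exception register (accepted risks). Every entry carries an
# expiry date so an exception cannot quietly become permanent.
SAMPLE_EXCEPTIONS = json.dumps({
    "FINDING-002": {"expires": "2025-06-30", "reason": "mitigated by WAF rule"},
})


def parse_report(text):
    """Return the findings list, refusing reports that do not carry one."""
    data = json.loads(text)
    findings = data.get("findings")
    if not isinstance(findings, list):
        raise ValueError("report has no findings list")
    return findings


def parse_exceptions(text):
    """Map finding id -> expiry date; a malformed date fails loudly."""
    raw = json.loads(text)
    return {fid: date.fromisoformat(entry["expires"]) for fid, entry in raw.items()}


def evaluate(findings, exceptions, today, threshold=DEFAULT_THRESHOLD):
    """Split findings into blocking and excepted; the gate passes only when
    nothing is blocking. Findings below the threshold are reported but ignored."""
    blocking, excepted = [], []
    for finding in findings:
        if float(finding["cvss"]) < threshold:
            continue
        expires = exceptions.get(finding["id"])
        if expires is not None and expires >= today:
            excepted.append(finding)
        else:
            blocking.append(finding)
    return {"passed": not blocking, "blocking": blocking, "excepted": excepted}


def gate(report_text, exceptions_text, today_iso=None, threshold=DEFAULT_THRESHOLD):
    """Run the gate on raw report and exception text. today_iso defaults to now."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    return evaluate(parse_report(report_text), parse_exceptions(exceptions_text),
                    today, threshold)


def main(argv):
    """Usage: gate.py REPORT.json EXCEPTIONS.json  (no args: run the samples)."""
    if len(argv) == 2:
        with open(argv[0]) as r, open(argv[1]) as e:
            result = gate(r.read(), e.read())
    else:
        result = gate(SAMPLE_REPORT, SAMPLE_EXCEPTIONS)
    for f in result["excepted"]:
        print(f"EXCEPTED {f['id']} cvss={f['cvss']} host={f['host']}")
    for f in result["blocking"]:
        print(f"BLOCKING {f['id']} cvss={f['cvss']} host={f['host']}")
    print("gate:", "PASS" if result["passed"] else "FAIL")
    return 0 if result["passed"] else 1  # non-zero exit code fails the CI stage


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The pipeline stage runs the scanner, writes its report, then calls this script; a non-zero exit stops the deployment. Because the exception register is a file in the repository, accepting a risk is a reviewed commit rather than a verbal agreement, and the expiry date forces the decision to be revisited before the next quarterly ASV scan.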
Including security in the CI/CD pipeline
- Typical DevOps pipeline
- DevSecOps pipeline / bringing security to the DevOps pipeline
- Shift Left
- Roles & Responsibilities