DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government

Join the conversation #devseccon

DevSecOps in the Gov(ernment)Tech

By Fabian Lim@3jmaster

about.me/fabian.lim

2010... 2015 2016 2017

Fabian Lim

GovTech

(former IDA, launched Oct 2016)

https://tech.gov.sg

What do I do?

Platform as a Service

http://saphanatutorial.com/wp-content/uploads/2015/01/SAP-HANA-Cloud-Platform-PaaS-1.jpg

GovTech Products

https://data.gov.sg

SCDF MyResponder App

GovTech

Open Culture - Be Happy & Awesome

Agile -> DevOps

Hands-on

Software & Hardware

Full StackHow do we operate?

https://cdn.motivationgrid.com/wp-content/uploads/2014/02/Bruce-Lee-Quote-Be-like-Water.jpg

WaterRuns underneath our skins and this tiny island

Singapore River 1960s

<<INSERT DIAGRAM ABOUT DIRTY SINGAPORE RIVER>>

Singapore River 2017

<<INSERT DIAGRAM ABOUT NICE RIVER PICTURE SUCCESS>>

SoftwareRuns underneath all that technology and gadgets

GovTech 2017

<<INSERT DIAGRAM ABOUT TRADITIONAL DATA CENTER SUCCESS>>

http://agilebrick.com/images/agile-process-1.png

GovTech 2020s

<<INSERT DIAGRAM ABOUT CIS 20 CONTROLS SUCCESS>>

http://wyzguyscybersecurity.com/wp-content/uploads/2016/10/20-cis-controls.png

The Product

SoftwareWater

Everyone needs water.“Software is eating the world.”

- Marc Andreessen

http://angrytrainerfitness.com/wp-content/uploads/2012/05/Drinking-Water.jpg https://mattermark.com/wp-content/uploads/2015/06/startups.jpg

Software

Water

● Speak the language● Understand the

process● Be involved and use

tools to create tickets● Be involved to develop

and resolve the defects

Developers want

1. To create new features2. Secure the application

SPRINT!

Sprint Planning

Actual Software development

Code review + Merge to dev

QE and Security Testing

End of sprint

CheckmarxTwistLockNessusetc...

The Environment

a.k.a. Water infrastructure pipelines

SoftwareWater

Code Env

Developers want

1. Freedom to innovate2. Speedy delivery3. Access to build tools4. To manage their own

resources

● Virtual Machines● Cloud● Deployment / Build

Tools● Laptops● Phones● Network APs● Chat Messengers● ...

Securing the Environment

● Make sure to have logging and visibility

● Communication and understand the risks

● Tasks can be part of the Sprint too!

The Human

a.k.a. well...

SoftwareWater

http://us.123rf.com/450wm/anawat/anawat1509/anawat150901245/45074411-scientist-with-equipment-and-science-experiments-laboratory-glassware-containing-chemical-liquid-sci.jpg?ver=6 https://upload.wikimedia.org/wikipedia/commons/thumb/6/64/Coding_Shots_Annual_Plan_high_res-5.jpg/300px-Coding_Shots_Annual_Plan_high_res-5.jpg http://www.aboriginalaccess.ca/sites/aboriginalaccess.ca/files/img/hero/civil-eng-water-resource.jpg

Human_Security_as_Code.rbrequire ‘devsecops’role = getMyRole()privatedef get_to_do_list todo = ‘’

todo += ‘Learn about security;’ if role.contains(‘developer’) todo += ‘Learn about development;’ if role.contains(‘security_eng’) todo += ‘Define processes \ and get metrics;’ if role.contains(‘manager’) todo += ‘Educate and hire people;’ if role.contains(‘sole_security_guy’)

return todoendget_to_do_list

Developers want

● Fast● Built-In Security● Automated● Ease of use● Not to be blocked

Securing the Human

Change Behaviour;Behaviour maketh Culture

Securing the Human - BJ Fogg Model

http://www.behaviormodel.org/index_files/bj-fogg-behavior-model-grapic.jpg

Security Chapter:Champions who are passionate about security

Recipe for DevSecOps

What enables?

● Culture● Passion● Empathy● Skill Sets● Priorities

https://cdn.motivationgrid.com/wp-content/uploads/2014/02/Bruce-Lee-Quote-Knowing-is-not-Enough.jpg

Treat code like water; never take its security for granted.

Join the conversation #devseccon

@3jmasterdevsecops.org

tech.gov.sg

“Be water, my friend”

References

● https://www.pub.gov.sg/Documents/UFW_Guidebook.pdf● https://www.pub.gov.sg/Documents/WQ2016.pdf ● https://app.pub.gov.sg/waterlevel/pages/WaterLevelSensors.aspx ● https://www.pub.gov.sg/research ● https://www.pub.gov.sg/watersupply/waterquality/drinkingwater