DevOps for Highly Regulated Environments
SDLC in a Highly Regulated Environment
Who am I..
William Manning
Senior Solutions Engineer @JFrog
Twitter: @williammanning
What we will discuss
❖ What is a “highly regulated” environment
❖ Industry Examples
❖ Why Binary Management Matters
❖ Air Gapping
❖ DevSecOps
❖ How to meet regulation standards
JFROG IN A NUTSHELL
Founded 2008; 500+ employees; 5,000+ customers; $230M raised to date; clients include >70% [client logo panel]
Significant Growth Momentum: 130% net expansion; 67% YoY ARR growth; 5 years FCF positive; $13B+ market
Technology Leadership: Deloitte 2018 Technology Fast 500 winner; Forbes Cloud 100 list; 2018 SD Times 100 award
[ARR bar chart FY'16 to FY'18 ($M) omitted]
JFROG’S UNIFIED APPROACH
THE JFROG PLATFORM - ENTERPRISE+
VCS & CI: Code & Build
PIPELINES: Continuously Integrate & Deliver
ARTIFACTORY: Store & Manage Your Binaries Globally
XRAY: Clear Security & Compliance Issues
DISTRIBUTION: Distribute To Production Site
ARTIFACTORY EDGE (one per production site): Deploy To Production
ACCESS: Manage Authentication & Authorization Globally
MISSION CONTROL & INSIGHT: Analyze & Measure The Flow
THE ECOSYSTEM STRENGTHENING UNIVERSALITY
By partnering with other companies within the DevOps ecosystem, we are improving the way our customers can use JFrog products in their workflow.
[partner logos, including Chef]
Sometimes feels like this..
Highly Regulated Environments
Definition: “A physical or digital environment characterized by: air-gapped physical spaces, air-gapped computer systems, heightened access control, segregation of duties, inability to discuss certain topics outside of specific physical spaces, and an inability to transport certain artifacts off premise.”
What does that mean?
❖ Either Government or Industry regulation
❖ Role based access control (RBAC)
❖ Authorization To Operate (ATO)
❖ Content protection
❖ Encryption / Digital Signatures
❖ Process and Policies
❖ Auditing / Tracking
❖ Metadata Management
❖ Record Management
❖ Validation
Typical Problems
❖ Air-Gapped Environments
❖ Tedious change management process
❖ Slow approval process
❖ Limited communication between teams
❖ Gated SDLC processes
❖ Lack of centralized software management
❖ Varying stages of acceptance criteria
❖ Limited to no flexibility for developers
❖ Lifecycle / Archival requirements
❖ Long audit processes
Ideal Goals
❖ Identify roadblocks / process
❖ Look for ways to improve velocity through automation
❖ Make DevSecOps a requirement internally
❖ Build plans for all process gaps in DevOps
❖ Comply with regulations through scalable process
❖ Design with regulation when building SDLC
❖ Use tools that help the regulated SDLC process
❖ Automate, automate, automate…
Examples of Regulation in Software
Software Development Responsibility
“A major vulnerability of many companies comes from Electronic Data Interchanges (EDI) and vendor system integration,” says Farris. “A 2017 report by Soha Systems indicated that as many as 63 percent of all reported data breaches originated directly or indirectly from third-party vendors.”
Financial / Banking
Securities and Exchange Commission (SEC)
European Central Bank (ECB)
US Consumer Financial Protection Bureau (CFPB)
General Data Protection Regulation (GDPR)
Sarbanes-Oxley (SOX)
Basel II
Dodd-Frank
FATCA
Financial / Banking
Traceability
Security and Privacy
Data Portability and Interoperability
License Governance
Software Update and Patching Practices
Segregation of duties
Network Isolation
“Just as practicing professionals such as doctors, accountants, and nurses are licensed, so should software engineers,” Thornton says. “The public needs to be able to rely on some sort of credential when choosing a contractor to write software.”
- Mitch Thornton, Vice Chair of the IEEE Licensure and Registration
Medical / Healthcare
E-health: Apps that connect to a medical device to control the device or display, store, analyse, or transmit patient-specific medical device data.
M-health: Apps that transform a mobile platform into a regulated medical device.
Genomics: Apps that perform patient-specific analysis and provide patient-specific diagnosis or treatment recommendations.
Medical / Healthcare
US and EU regulations are very strict in dealing with medical data
API data has to have extensive ACLs and protection
Third-party libraries have to be scanned for issues that could lead to a breach, and approved
There are regulations for every aspect of building software for medical or healthcare
Recently software became the narrative to a disaster that cost 157 people their lives
The responsibility of the developer is to ensure safety and security
Aerospace / Aviation
National Airspace System (NAS) has a scale for software issues
There are regulations for every component of aeronautics
Focus on redundancy
Government
Government Furnished Software (GFS)
Software Co-Developed by the Government
Intellectual Property (IP)
Data Rights Requirements Analysis (DRRA)
Commercial-Off-The-Shelf (COTS) vs Open Source Software (OSS)
Federal Risk and Authorization Management Program (FedRAMP)
What are our options?
❖ How do you retain velocity without sacrificing security?
❖ What tools can help address regulations without impeding innovation?
❖ How do we …..?
❖ There are many questions, but there are also many solutions
Binary Management
Control 3rd Party Dependencies
FOSS management
Release Storage
Metadata information
Automated Controls
Air Gap
Access Level Controls
Replication to Multiple Sites
DevSecOps
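The Air Gap, Replication to Multiple Sites and Encryption / Digital Signatures points above come together when a release is carried across an air gap: the connected site records what it approved for transfer, and the isolated site verifies that record before importing anything. The following is an added example, not JFrog Distribution code; artifacts and the transfer key are constructed in memory, and an HMAC-SHA256 over the manifest stands in for the digital signature a real pipeline would use.

```python
"""Release bundle manifest for promotion across an air gap.

Added example, not JFrog Distribution code. The exporting site lists every
artifact with its SHA-256 and authenticates the manifest; the receiving site
re-verifies before anything is imported, so a bundle that was altered, had a
file replaced, or carries an unlisted extra file is rejected. HMAC-SHA256 with
a key shared by both sites stands in for a digital signature (a MAC proves
possession of the key, not which site produced the bundle). Artifacts and the
key are constructed sample data.
"""
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed demo key; in practice this lives in a secret store / HSM at each site.
TRANSFER_KEY = b"constructed-demo-key-not-for-real-use"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Stable serialisation so both sites compute the MAC over identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(release: str, artifacts: Dict[str, bytes], key: bytes) -> dict:
    """Exporting side: record path, size and digest of each artifact, then MAC the record."""
    body = {
        "release": release,
        "artifacts": {path: {"sha256": sha256_hex(data), "size": len(data)}
                      for path, data in sorted(artifacts.items())},
    }
    return {**body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_bundle(manifest: dict, artifacts: Dict[str, bytes], key: bytes) -> List[str]:
    """Receiving side: return the list of problems; an empty list means import may proceed."""
    problems: List[str] = []
    body = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("mac", ""))):
        # Nothing else in the manifest can be trusted once the MAC fails.
        return ["manifest MAC mismatch: manifest altered or wrong key"]
    listed = body["artifacts"]
    for path, meta in listed.items():
        if path not in artifacts:
            problems.append(f"missing artifact: {path}")
        elif len(artifacts[path]) != meta["size"] or sha256_hex(artifacts[path]) != meta["sha256"]:
            problems.append(f"digest mismatch: {path}")
    for path in artifacts:
        if path not in listed:
            # Unlisted files are exactly what the air gap is meant to keep out.
            problems.append(f"unlisted artifact, not approved for transfer: {path}")
    return problems


# Constructed release bundle as it leaves the connected site.
BUNDLE = {
    "app/service-1.4.2.jar": b"\x50\x4b\x03\x04 constructed jar bytes",
    "app/config.yaml": b"log_level: info\n",
}
MANIFEST = build_manifest("service-1.4.2", BUNDLE, TRANSFER_KEY)


def tampered_copy() -> Dict[str, bytes]:
    """What the receiving site might actually get: one file altered, one file added."""
    copy = dict(BUNDLE)
    copy["app/config.yaml"] = b"log_level: debug\n"
    copy["app/extra-tool.sh"] = b"#!/bin/sh\necho not approved\n"
    return copy


if __name__ == "__main__":
    print("clean bundle :", verify_bundle(MANIFEST, BUNDLE, TRANSFER_KEY) or "ok")
    for problem in verify_bundle(MANIFEST, tampered_copy(), TRANSFER_KEY):
        print("tampered     :", problem)
```

The verify step returns every problem rather than stopping at the first one, so the import log doubles as the audit record the regulated process asks for.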
Most software is composed of 90% open source components
Layers of a deployed application (top to bottom): Your Code; Libraries; API; Base OS
Code base: Java, C, NPM, etc.
Operating System: VM, Docker, Iron, etc.
Open Source & Compliance
Need for assessment of licenses associated with open source components
Traceability of open source components
Automating security / compliance tasks
End to end coverage > Developer to Deployment
Components: Application; Containers; Microservices; Int/ext Packages; Int/ext Dependencies
Questions to answer for each component:
Can I deploy a new version?
What does this application contain?
Is this application license compatible?
Is this container safe?
Who is using this microservice?
Who is using this package?
Is this package safe?
Is it license compatible?
Is this package outdated?
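The questions on the slide above (is this package safe, is it license compatible, is it outdated, can I deploy a new version) are what the "automating security / compliance tasks" point means in practice: a gate that answers them from a component inventory before a release is promoted. The following is an added example and not JFrog Xray code; the license policy, vulnerability feed, version index and inventory are constructed sample data with hypothetical advisory identifiers.

```python
"""Automated policy gate over a release's component inventory.

Added example, not JFrog's code. It answers the slide's questions from three
inputs a regulated pipeline keeps on file: a license policy, a vulnerability
feed and a version index. All data below is constructed, with hypothetical
advisory identifiers, not real advisories or packages.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed license policy: what legal has approved / forbidden outright.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}

# Constructed vulnerability feed: name -> [(advisory id, first affected, first fixed)].
VULN_FEED = {
    "libfoo": [("EXAMPLE-2019-0001", "2.0.0", "2.3.1")],
    "webkit-lite": [("EXAMPLE-2018-0042", "1.0.0", "1.5.0")],
}

# Constructed index of the newest version known to the package source.
LATEST_VERSION = {"libfoo": "2.3.1", "webkit-lite": "1.5.0",
                  "jsonlite": "3.1.0", "tlsutil": "0.9.2"}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    origin: str  # "internal" or "external" (the slide's int/ext packages)


@dataclass(frozen=True)
class Finding:
    component: str
    kind: str       # "vulnerable" | "license-denied" | "license-unreviewed" | "outdated"
    detail: str
    blocking: bool  # True blocks promotion; False is reported for the audit trail


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only (enough for the sample data); real pipelines
    use a PEP 440 / semver parser."""
    return tuple(int(part) for part in v.split("."))


def check_vulnerable(c: Component) -> Optional[Finding]:
    """Is this package safe? Affected if first_affected <= version < first_fixed."""
    for advisory, first_affected, first_fixed in VULN_FEED.get(c.name, []):
        if parse_version(first_affected) <= parse_version(c.version) < parse_version(first_fixed):
            return Finding(c.name, "vulnerable",
                           f"{advisory} affects {c.version}, fixed in {first_fixed}", True)
    return None


def check_license(c: Component) -> Optional[Finding]:
    """Is it license compatible? Denied licenses always block; an unreviewed
    license blocks only for external components (internal code is owned)."""
    if c.license in DENIED_LICENSES:
        return Finding(c.name, "license-denied", f"{c.license} is on the deny list", True)
    if c.license not in ALLOWED_LICENSES:
        return Finding(c.name, "license-unreviewed",
                       f"{c.license} not yet reviewed by legal", c.origin == "external")
    return None


def check_outdated(c: Component) -> Optional[Finding]:
    """Is this package outdated? Reported, not blocking, so velocity is kept."""
    latest = LATEST_VERSION.get(c.name)
    if latest and parse_version(c.version) < parse_version(latest):
        return Finding(c.name, "outdated", f"{c.version} < latest {latest}", False)
    return None


def evaluate(inventory: List[Component]) -> List[Finding]:
    """Run every check over every component; the full result is the audit record."""
    findings: List[Finding] = []
    for c in inventory:
        for f in (check_vulnerable(c), check_license(c), check_outdated(c)):
            if f is not None:
                findings.append(f)
    return findings


def can_deploy(inventory: List[Component]) -> bool:
    """Can I deploy a new version? Only when no finding is blocking."""
    return not any(f.blocking for f in evaluate(inventory))


# Constructed inventory for one release candidate.
RELEASE_CANDIDATE = [
    Component("libfoo", "2.2.0", "Apache-2.0", "external"),            # vulnerable + outdated
    Component("webkit-lite", "1.5.0", "MIT", "external"),              # clean
    Component("jsonlite", "3.0.0", "GPL-3.0-only", "external"),        # denied license, outdated
    Component("tlsutil", "0.9.2", "Company-Proprietary", "internal"),  # unreviewed, non-blocking
]

if __name__ == "__main__":
    for f in evaluate(RELEASE_CANDIDATE):
        print(f"{'BLOCK' if f.blocking else 'warn '} {f.component:12} {f.kind:18} {f.detail}")
    print("deployable:", can_deploy(RELEASE_CANDIDATE))
```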
Air Gapped
DEV : OPS : SEC = 100 : 10 : 1
DevSecOps..
Providing safety and security for your business & customers
More reliance on 3rd party software / libraries
It’s not easy to implement
Equifax, Marriott, Facebook, Google, etc. > Breaches
Discovery of security issues / vulnerabilities before they become a business liability
Philosophical change in SDLC
No longer an afterthought but an imperative
https://breachlevelindex.com/
Security / Compliance was always “Someone else’s...”
Discovering security issues / threats is expensive, especially if they are found late in your SDLC
The pace of software development has increased and is still increasing
Increasing government regulations around customer data
Exploits are increasing
Vulnerabilities are increasing
“Organizations that had not deployed security automation experienced breach costs that were 95 percent higher than breaches at organizations with fully-deployed automation ($5.16 million average total cost of a breach without automation vs. $2.65 million for fully-deployed automation).”
Recap
Binary Management
Security and Vulnerability Scanning
License Compliance and Governance
Release Management
Air Gap
Developer Education
Automation
Thank You
