DevSecOps sets out to relieve the costly and stressful delays that can occur when security testing is performed late in the game, by setting up processes and tools for "shifting left" so security testing can happen early and often. As organizations continue to embrace this DevSecOps approach, testing tools and practices are integrated even further left in the development pipeline. Join Senior Product Manager, Shiri Ivtsan, as she discusses: Where and how developers are implementing DevSecOps in the SDLC; Best practices for developers to adopt DevSecOps and more efficiently handle vulnerabilities; Necessary steps for implementing a process for detection, prioritization, and remediation of open source vulnerabilities.

1. DevSecOps: Closing The
Loop from Detection to
Remediation
Shiri Ivtsan, Senior Product Manager

2. 2
From DevOps to DevSecOps

3.  Integrate the security aspects and practices with the DevOps processes
 Use agile methodologies to deliver small, secure pieces of code in frequent
releases
 Automate the security processes whenever possible
 The best response to the bottleneck effect of older security models on the
modern continuous delivery pipeline
3
DevSecOps: Integrating DevOps & Security Culture

4. The Common Way of Handling Security Issues
Security teams
analyze and
prioritize
vulnerabilities
Sending emails or
opening
issues/tickets
Closing the loop on
resolution is hard

5. Shifting the Mindset: Shift Left and Close the Loop
 Build guardrails, don't be gatekeepers
 Avoid Bottlenecks in the process: If the process
slows you down, it needs to be changed
 Make security everyone’s responsibility
 Facilitate regular discussions about application
security throughout the development process

6.  Cost Reduction
 Speed of delivery
 ‘Secure by design’
 Open discussion
6
The Business Benefits of DevSecOps
Quality
Time
Cost

7. 7
The Operational Benefits of DevSecOps
 Versions are up-to-date
 Nearly “zero” re-work
 Early identification of vulnerabilities in code
 Enables a culture of constant iterative improvements

8. 8
Step 1: Know Your Goal
Baking Security Into Existing Workflows

9. 9
Step 2: Identify the Processes

10. 10
Step 3: Determine Where to Automate
Build
Test
Detect
Issues
Remediate
Code

11. 11
Prioritize  Automate  Remediate  Repeat

12. • Focus on remediation funnel with automated policies
• Business priority, effectiveness, exploitability, severity, availability
of fixes
• Smart remediation
• Update to the earliest non-vulnerable version
• Update lock files where possible
Vulnerabilities Prioritization

13. • Focus on remediation funnel with automated policies
• Business priority, effectiveness, exploitability, severity, availability
of fixes
• Smart remediation
• Update to the earliest non-vulnerable version
• Update lock files where possible
Vulnerabilities Remediation
 One of the most reliable risk mitigation strategies is to keep your open
source components continuously patched.
 By doing this, you avoid being exposed to known vulnerabilities.
 Automated remediation workflows can be initiated based on security
vulnerability policies triggered by a vulnerability detection, vulnerability
severity, CVSS score or when a new version is released.

14. • Focus on remediation funnel with automated policies
• Business priority, effectiveness, exploitability, severity, availability
of fixes
• Smart remediation
• Update to the earliest non-vulnerable version
• Update lock files where possible
Focus on Remediation
 Business priority
 Effectiveness
 Exploitability
 Severity
 Availability of fixes

15. • of fixes
• Smart remediation
• Update to the earliest non-vulnerable version
• Update lock files where possible
Prioritization and Remediation – The Next Level
 Actionable information is critical: Minimum actions, maximum
impact
 Smart remediation
 Update to the earliest non-vulnerable version

16. Q & A

17. Thank You!
For more info please contact us:
product@whitesourcesoftware.com