© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES
Five Principles For Securing
DevOps
Colin Domoney
Senior Principal Transformation Consultant
CA Technologies
Colin Domoney
• Senior Principal Transformation Consultant
• Offering coaching, collaboration and technical solutions to organizations that need an impactful transformation to advance DevOps with optimised flow and security
• At the forefront of CA Veracode’s product and innovation strategy, particularly in helping ensure the challenges of DevOps are met
• Led a large-scale application security program in a multinational investment bank where he was responsible for the deployment and operation of the Veracode service. Over 1,000 applications were assessed and remediated in a few years using very limited human resources.
colin.domoney@ca.com
@colindomoney
Defining DevOps
“DevOps is a cultural and professional movement, focused
on how we build and operate high velocity organizations,
born from the experiences of its practitioners.”
- Nathan Harvey (Chef)
The ‘Three Ways’ of DevOps
The DevOps Difference
DevOps, a new model for software development, is transforming the way the world creates software. Despite its substantial organizational, cultural and technological requirements, this new way of organizing development and IT operations work is spreading rapidly.
DevOps is built on Agile (diagram label: Security)
“Shift Left”: Securing DevOps
• Goal: Minimize organization risk without slowing down development
• Changing how security operates within an organization
Five Principles for Integrating Security into DevOps
1. Automate Security In
2. Integrate to “Fail Quickly”
3. No false alarms
4. Build security champions
5. Keep operational visibility
(Diagram labels: DevOps Pipeline, Development, Production)
Principle #1: Automate Security In
• Automate from Day 1
• Integrate into common development tools
– IDE
– Build Systems
– Bug Tracking
– GRC
• Leverage comprehensive APIs
• Integrate testing results within development backlogs
Principle #2: Integrate to Fail Quickly
• Education that delivers cost savings
– Inform development early
• Two-phased approach
– Consistent frequency (part of pipeline)
– Development being proactive (testing outside of the pipeline)
• AppSec must be a partnership
– Security defines the acceptable security quality level
– Developers implement continuous testing to address issues as they appear
(Diagram: Development and Operations; both failures create notifications within the backlog)
Principle #3: No False Alarms
• Too many false positives will frustrate development and security
• Technology will end up being ignored
• Action-oriented and accurate findings are important
• In CI/CD a failure may cause the entire pipeline to stop
• Delays could yield lost revenue for the whole organization
• Need to provide both maximum coverage for finding critical flaws while tuning out the noise of low-level issues
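Principles #2 and #3 as one mechanism, as an added example that is not code from the slide deck or from CA Veracode: security defines the acceptable quality level as a policy, the pipeline applies it to the scanner's findings, fails quickly on what matters, tunes out low-severity noise and triaged false positives, and turns each raised finding into a backlog item. The findings format, the policy fields and the sample report are assumptions constructed here.

```python
# Added example (not from the slide deck or CA Veracode): a pipeline
# security gate that applies a security-owned policy to scanner findings.
# Findings format, policy fields and the sample report are assumptions.
import json
from dataclasses import dataclass, field

# Higher rank = more severe; unknown severities rank as 0 and are ignored.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    cwe: str
    location: str
    title: str

@dataclass
class Policy:
    """The acceptable security quality level, defined by the security team."""
    fail_at: str = "high"      # this severity or above breaks the build
    report_at: str = "medium"  # this severity or above is raised in the backlog
    # Ids triaged as false positives or accepted risk. Reviewed periodically
    # so the allowlist itself does not become a blind spot.
    accepted_ids: set = field(default_factory=set)

@dataclass
class GateResult:
    passed: bool
    blocking: list    # stop the pipeline
    backlog: list     # raised, not blocking
    suppressed: list  # on the accepted list

def parse_findings(raw_json: str) -> list:
    """Parse the assumed report shape: {"findings": [{id, severity, cwe, ...}]}."""
    return [Finding(f["id"], f["severity"].lower(), f["cwe"], f["location"], f["title"])
            for f in json.loads(raw_json)["findings"]]

def evaluate(findings: list, policy: Policy) -> GateResult:
    """Sort each finding into block / raise / suppress / tune out."""
    fail_rank, report_rank = SEVERITY_RANK[policy.fail_at], SEVERITY_RANK[policy.report_at]
    blocking, backlog, suppressed = [], [], []
    for f in findings:
        if f.id in policy.accepted_ids:
            suppressed.append(f)       # known false positive: no alarm raised
            continue
        rank = SEVERITY_RANK.get(f.severity, 0)
        if rank >= fail_rank:
            blocking.append(f)         # fail quickly: the pipeline stops here
        elif rank >= report_rank:
            backlog.append(f)          # visible to developers, does not block
        # Below report_at the finding is noise for this gate and stays unraised.
    return GateResult(not blocking, blocking, backlog, suppressed)

def backlog_items(result: GateResult) -> list:
    """One actionable ticket per raised finding, blockers first."""
    def ticket(f: Finding, priority: str) -> dict:
        return {"priority": priority, "ref": f.id, "where": f.location,
                "title": f"[{f.severity.upper()}] {f.title} ({f.cwe})"}
    return ([ticket(f, "blocker") for f in result.blocking]
            + [ticket(f, "normal") for f in result.backlog])

# Constructed sample report: ids, CWEs and paths are invented for this example.
SAMPLE_SCAN = json.dumps({"findings": [
    {"id": "F-001", "severity": "High", "cwe": "CWE-89",
     "location": "app/db/orders.py:42", "title": "SQL injection"},
    {"id": "F-002", "severity": "Low", "cwe": "CWE-1004",
     "location": "app/web/session.py:17", "title": "Cookie without HttpOnly"},
    {"id": "F-003", "severity": "Critical", "cwe": "CWE-798",
     "location": "tests/fixtures/creds.py:3", "title": "Hard-coded credential"},
    {"id": "F-004", "severity": "Medium", "cwe": "CWE-79",
     "location": "app/web/profile.py:88", "title": "Reflected XSS"},
]})

def run_gate(raw_json: str = SAMPLE_SCAN, policy=None):
    """Run the gate; F-003 was triaged as a test fixture, so it is accepted."""
    policy = policy or Policy(accepted_ids={"F-003"})
    result = evaluate(parse_findings(raw_json), policy)
    return result, backlog_items(result)

if __name__ == "__main__":
    res, items = run_gate()
    print("GATE", "PASSED" if res.passed else "FAILED")
    for item in items:
        print(item["priority"], item["title"], item["where"])
```

With the default policy the sample run fails the build on the SQL injection alone, raises the XSS as a normal backlog item, and never surfaces the low-severity cookie finding or the accepted test fixture.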
Principle #4: Build Security Champions
• Eyes and ears of Security
• Specialized training
– Basic security concepts
– Threat modeling
– Grooming guidelines
– Secure code review training
– Security controls
– Capture the Flag exercises
• Escalate when necessary
Principle #5: Keep Operational Visibility
• Security doesn't stop once a release candidate has made it to production
• Cultural decision to determine where to test
– Pre-production vs production
• Business may decide to bypass security checks to move faster
• Misconfigured pipelines are possible
• Runtime environments are always changing
Integrating Security Into DevOps: Questions to Ask!
CA Veracode’s Approach
DevSecOps: Uniting Development and Security
CA Veracode Platform: Security Throughout the SDLC
(Diagram: SDLC stages Code, Commit, Build, Test, Release, Deploy, Operate; columns Development Integration, Security Assurance, Operational Security)
• Products: CA Veracode Greenlight, CA Veracode Static Analysis, CA Veracode Web Application Scanning, CA Veracode Runtime Protection, CA Veracode Software Composition Analysis, CA Veracode Integrations and APIs, CA Veracode eLearning
• Integration points: IDEs, Code Repositories, GRCs, SIEMs, WAFs, Bug Tracking, Build and Deploy Systems
• Veracode Program Management and Services
Embrace DevSecOps and Enjoy a Significant Competitive Advantage!