During the past two decades we have been shifting from waterfall project planning to a more agile organization of our software development practices. Utilizing Scrum, Kanban and Lean practices, we are now better prepared for the unknown and can react faster to changing requirements, product plans and team rotation. But it seems that the security requirements for the software we produce are still living in the "Waterfall World": they are usually verified as the last step of development, introducing further delays or simply leaving the deployed software with more and more vulnerabilities.
Learning from how Development and Operations teams joined forces under a common DevOps umbrella, security teams don't want to be left behind. They see it as a chance to get involved at each step of software development, in the Agile fashion. Hence the DevSecOps approach, closing the gap between security teams and the rest of the engineering organization.
DevSecOps: The Final Frontier? Building Secure Software in an Agile Organization
1. DevSecOps: The Final Frontier?
Building Secure Software in an Agile Organization
j-labs software specialists | Cracow | Warsaw | Munich | j-labs.pl | blog.j-labs.pl | talk4devs.j-labs.pl
Kuba Sendor
Delivery Manager @ j-labs
2. Webinar Agenda
1. A brief history of where DevSecOps came from
2. So what is DevSecOps, really?
3. To boldly go: transition into DevSecOps
Image source: omado.ca
3. Brief intro
since 2019: Delivery Manager, j-labs in Kraków
2014-2018: Corporate Security, Yelp in London and San Francisco
2010-2014: Security & Trust Research, SAP Labs France in Sophia-Antipolis
Jakub „Kuba” Sendor
12. DevSecOps Manifesto
Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
Source: devsecops.org
16. The Six Pillars of DevSecOps – Cloud Security Alliance
Pillar 1: Collective Responsibility
Pillar 2: Collaboration and Integration
Pillar 3: Pragmatic Implementation
Pillar 4: Bridging Compliance and Development
Pillar 5: Automation
Pillar 6: Measure, Monitor, Report and Action
Source: cloudsecurityalliance.org
17. Collective Responsibility
Security as a first-class citizen
• Board-level interest in your organization
• CISO – Chief Information Security Officer
Source: linkedin.com
27. Journey to DevSecOps
• Start small – iterate fast
• Get the right tools
• Be inclusive and involve everybody
• Measure and don’t be afraid of course correction
28. Start small – iterate fast
Education
• Awareness training
• Security conferences
Threat modeling
• You already know how to do it!
37. Measure and don’t be afraid of course correction
• Measure
  • Vulnerabilities detected
  • Number of incidents
  • Mean time to respond
• Retrospect
• Take action!