Learning the lessons from how the development and operations teams joined forces under a common DevOps umbrella, security teams don't want to be left behind. They see it as a chance to get more involved at each step of software development in the Agile fashion. Hence the DevSecOps approach, closing the gap between the security teams and the rest of the engineering organization.
In my talk I will show examples of how DevSecOps can lead to a faster feedback loop on the security issues in the software you are developing. Furthermore, I will explain how to transform your Agile Software Development practices to leverage this new DevSecOps approach and, thanks to that, produce code with far fewer security vulnerabilities.
But what comes after you have embraced this new practice? What will be the next "Holy Grail" of software development? I will try to put on my Captain Kirk suit and see what is lying at the edges of the DevSecOps galaxy.
To boldly go where no one has gone before: life after the DevSecOps transformation
1. To boldly go where no one has gone before
Life after the DevSecOps transformation 🚀👨‍🚀
j-labs software specialists | Cracow | Warsaw | Munich j-labs.pl blog.j-labs.pl talk4devs.j-labs.pl
Kuba Sendor
Delivery Manager @ j-labs
2. Agenda
1. A brief history of where DevSecOps came from
2. So what is DevSecOps, really?
3. To boldly go: transition into DevSecOps
Image source: omado.ca
3. Brief intro
Jakub „Kuba" Sendor
since 2019: Delivery Manager, j-labs in Kraków
2014-2018: Corporate Security, Yelp in London and San Francisco
2010-2014: Security & Trust Research, SAP Labs France in Sophia-Antipolis
12. DevSecOps Manifesto
Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
Source: devsecops.org
16. The Six Pillars of DevSecOps – Cloud Security Alliance
Pillar 1: Collective Responsibility
Pillar 2: Collaboration and Integration
Pillar 3: Pragmatic Implementation
Pillar 4: Bridging Compliance and Development
Pillar 5: Automation
Pillar 6: Measure, Monitor, Report and Action
Source: cloudsecurityalliance.org
17. Collective Responsibility
Security as a first-class citizen
• Board-level interest in your organization
• CISO – Chief Information Security Officer
Source: linkedin.com
27. Journey to DevSecOps
• Start small – iterate fast
• Get the right tools
• Be inclusive and involve everybody
• Measure and don't be afraid of course correction
28. Start small – iterate fast
Education
• Awareness training
• Security conferences
Threat modeling
• You already know how to do it!
35. Get the right tools
• Incident Response
• Security Incident and Event Management
• Threat Hunting
the list goes on and on...
42. Measure and don't be afraid of course correction
• Measure
  • Vulnerabilities detected
  • Number of incidents
  • Mean time to respond
• Retrospect
• Take action!
44. Thank you!
Jakub „Kuba” Sendor
Delivery Manager
jakub.sendor@j-labs.pl
Luise-Ullrich-Straße 20
80636 München
ul. Zabłocie 43a
30-701 Kraków
al. Armii Ludowej 26
00-609 Warszawa
j-labs.pl
blog.j-labs.pl
talk4devs.j-labs.pl