How to automate your DevSecOps successfully
Manuel Pistner
Hi everybody, nice to see you here!
Founder & CEO of Bright Solutions
Computer Science at TU Darmstadt
Grew up with Open Source
Automation Enthusiast
What is DevSecOps?
Static state
Continuous process, including code & infrastructure security
Culture + Practice + Tools + Automation
Agility & Security
Speed & Stability + Continuous Security
[Diagram: DevSecOps loop of plan, build, test, release and monitor, with security spanning developer and customer]
How modern apps are built
[Diagram: an application assembled from library 1, library 2 and library 3]
The challenge
1. Software components increase complexity
The challenge
2. Hackers are fast (they hack while you sleep)
The common goal
Build & deliver security across all components as a service.
With speed & at scale.
Principle No. 1
Learn from hackers
Automate everything
Race the hacker!
Get rid of human failure
Make security independent of available resources
Basis for automation
Build a continuous delivery pipeline
For your application
Use a code repository (GIT)
CI (Travis CI, Circle CI, Jenkins...)
Automate code tests for stability
Automate penetration tests
Basis for automation
For infrastructure
Use containers
Use scalable & secure Cloud systems
Infrastructure as code
Update continuously
Open Source libraries need continuous updates
Know your libraries (use package managers)
Monitor security vulnerabilities
Update continuously
Worst Case Scenario
0-day exploits
Update all your projects, test & deploy in 0 time
Only possible with automation
Is Open Source a risk?
It's more secure than closed source:
More people watch over the code
The problem: vulnerabilities are announced in public
The solution: Do your homework & update!
The update process
1. Monitor dependency updates
2. Manage new dependencies of updates
3. Monitor vulnerabilities of your app stack
4. Manage the patches
5. Commit code to GIT!
6. Manage quality
7. Inform "stakeholders" & manual testers
8. Update package manager files
9. Deploy
Let's visualize it
Then...
Status Quo: study of 80 software development companies
[Chart: 97.2 %, 73.6 %, 66.6 %; category labels not recoverable from the slide]
[Chart: 58.3 %, 16.7 %, 18.1 %; category labels not recoverable from the slide]
[Chart: 61.1 %, 73.6 %; category labels not recoverable from the slide]
Scary result
43 % deploy & test updates manually, AND they think this process is slow
Keep track of open source updates
Package managers only inform about updates
You need to know your vulnerabilities !
There are different vulnDBs
Versioneye as service or open source tool
(https://github.com/versioneye/versioneye-security)
Other monitoring tools
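The slides make two points that a CI gate has to encode: the package manager only tells you that a newer version exists, while only a vulnerability database tells you that the version you run is affected, and once a vulnerable pin is found the package manager file should be rewritten and the pipeline failed before deploy (steps 3, 4, 8 and 9 of the update process above). The following script is an added example, not code from the talk, from Bright Solutions or from Versioneye. It assumes a requirements.txt-style manifest ("name==version"), a constructed map of latest registry versions standing in for the package manager's view, and a constructed advisory list with placeholder ids standing in for a vulnerability database; the package names and versions are invented.

```python
"""Dependency audit as a CI gate (added example; all data below is constructed)."""
import re
from typing import Dict, List, Tuple

# Constructed manifest standing in for a real lockfile; package names are invented.
MANIFEST = """\
# application dependencies (constructed sample)
acme-http==2.19.0
acme-web==1.0.2
acme-yaml==3.12
"""

# Constructed "package manager" view: latest published version per package.
REGISTRY_LATEST = {"acme-http": "2.31.0", "acme-web": "1.1.4", "acme-yaml": "6.0.1"}

# Constructed advisory records with placeholder ids (not real CVEs).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "acme-http", "affected": "<2.20.0", "fixed": "2.20.0"},
    {"id": "ADV-EXAMPLE-2", "package": "acme-yaml", "affected": ">=3.0,<5.1", "fixed": "5.1"},
]

_PIN = re.compile(r"([A-Za-z0-9_.-]+)==([0-9][0-9.]*)")
_CLAUSE = re.compile(r"(<=|>=|==|<|>)\s*([0-9][0-9.]*)")
_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.0.2' -> (1, 0, 2). Tuples compare lexicographically; a shorter tuple
    sorts before a longer one with the same prefix, which is good enough here."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def parse_manifest(text: str) -> Dict[str, str]:
    """Read exact pins; anything else is rejected so the gate cannot silently skip a line."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PIN.fullmatch(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def in_range(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated clause, e.g. '>=3.0,<5.1'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.fullmatch(clause.strip())
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def audit(manifest_text: str, registry_latest: Dict[str, str], advisories: List[dict]):
    """Split pins into 'vulnerable' (advisory matches) and 'merely outdated' (newer release,
    no known advisory). Only the first category is a security finding."""
    vulnerable, outdated = [], []
    for name, version in parse_manifest(manifest_text).items():
        hits = [a for a in advisories if a["package"] == name and in_range(version, a["affected"])]
        if hits:
            target = max((a["fixed"] for a in hits), key=parse_version)  # satisfy every advisory
            vulnerable.append((name, version, target, [a["id"] for a in hits]))
        elif name in registry_latest and parse_version(registry_latest[name]) > parse_version(version):
            outdated.append((name, version, registry_latest[name]))
    return vulnerable, outdated


def patched_manifest(manifest_text: str, vulnerable) -> str:
    """Step 8: rewrite only the vulnerable pins to their fixed versions, keep everything else."""
    fixes = {name: target for name, _, target, _ in vulnerable}
    out = []
    for raw in manifest_text.splitlines():
        m = _PIN.fullmatch(raw.strip())
        if m and m.group(1).lower() in fixes:
            out.append(f"{m.group(1)}=={fixes[m.group(1).lower()]}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def ci_exit_code(vulnerable) -> int:
    """Non-zero fails the pipeline so a vulnerable pin never reaches step 9 (deploy)."""
    return 1 if vulnerable else 0


if __name__ == "__main__":
    vuln, old = audit(MANIFEST, REGISTRY_LATEST, ADVISORIES)
    for name, cur, target, ids in vuln:
        print(f"VULNERABLE {name} {cur} -> {target} ({', '.join(ids)})")
    for name, cur, latest in old:
        print(f"outdated   {name} {cur} (latest {latest}, no known advisory)")
    print(patched_manifest(MANIFEST, vuln))
    raise SystemExit(ci_exit_code(vuln))
```

Run it as a CI step after dependency installation: the process exit code fails the build on any advisory match, the patched manifest is what a bot would commit back to Git (step 5), and the "outdated" list is informational only, which is exactly the distinction between package manager notifications and vulnerability monitoring that the slides draw. In a real pipeline the advisory list comes from a vulnerability database feed rather than an inline constant.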
Main Subject
Enable ANYBODY (even your bots) to update your
dependencies
Integrate with your tools & workflows
Make the update process independent of available resources
Increase velocity
Decrease fragility
The vision of the study
QA Workflow integration (manual & automated tests)
Tool integration
(task/ ticket management, test automation)
GIT integration & automated committing of new
versions
Auto deployment of new updates for vulnerable
libraries
Respect open source policies & licences
Find a toolset / method to build a fully automated
update delivery pipeline which makes the use of
open source more secure
The vision of the study
[Diagram: QA process and hosting platform as parts of the automated update pipeline]
Share your use case
contact me at
pistner@brightsolutions.de
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 

How to automate your DevSecOps successfully

  • 1. How to automate your DevSecOps successfully
  • 2. Manuel Pistner Hi everybody, nice to see you here! Founder & CEO of Bright Solutions Computer Science at TU Darmstadt Grew up with Open Source Automation Enthusiast
  • 3. What are DevSecOps? Static state Continuous process, including code & infrastructure security Culture + Practice + Tools + Automation
  • 4. Agility & Security Speed & Stability + Continuous Security build test release monitor plan security customer developer
  • 5. How modern apps are built library 2 library 1 library 3
  • 6. The challenge 1. Software components increase complexity
  • 7. The challenge 2. Hackers are fast (they hack while you sleep)
  • 8. The common goal Build & deliver security across all components as a service. With speed & at scale.
  • 9. Principle Nr. 1 Learn from hackers
  • 10. Principle Nr. 1 Learn from hackers Automate everything Race the hacker! Get rid of human failure Make security independent of available resources
  • 11. Basis for automation Build a continuous delivery pipeline For your application Use a code repository (GIT) CI (Travis CI, Circle CI, Jenkins...) Automate code tests for stability Automate penetration tests
  • 12. Basis for automation For infrastructure Use containers Use scalable & secure Cloud systems Infrastructure as code
  • 13. Update continuously Open Source Libraries need continuous updates Know your libraries (use package managers) Monitor security vulnerabilities Update continuously
  • 14. Worst Case Scenario 0-day exploits Update all your projects, test & deploy in 0 time Only possible with automation
  • 15. Is Open Source a risk? It's more secure than closed source: More people watch over the code The problem: vulnerabilities are announced in public The solution: Do your homework & update!
  • 16. The update process 1. Monitor dependency updates 2. Manage new dependencies of updates 3. Monitor vulnerabilities of your app stack 4. Manage the patches 5. Commit code to GIT! 6. Manage quality 7. Inform "stakeholders" & manual testers 8. Update package manager files 9. Deploy
  • 19. Study of 80 Software-Development companies Status Quo 97,2 % 73,6 % 66,6 %
  • 20. Study of 80 Software-Development companies Status Quo 58,3 % 16,7 % 18,1 %
  • 21. Study of 80 Software-Development companies Status Quo 61,1 % 73,6 %
  • 22. Scary result 43 % deploy & test updates manually - AND they think this process is slow
  • 23. Keep track of open source updates Package managers only inform about updates You need to know your vulnerabilities! There are different vulnDBs Versioneye as service or open source tool (https://github.com/versioneye/versioneye-security)
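The point of slides 16 and 23 is that a package manager only tells you a newer version exists; it does not tell you which pinned version is vulnerable or what the minimum safe upgrade is. The following script, an added example that is not part of the talk or the Versioneye project, matches a lock-file style manifest against advisory ranges and emits the update plan that steps 4 to 9 of the update process consume. The manifest and advisories are constructed sample data, not a real vulnerability database feed.

```python
"""Added example: turn pinned dependencies plus advisory ranges into an
update plan (package -> minimum version that clears every advisory).
MANIFEST and ADVISORIES are constructed sample data, not a real feed."""
import json
import re

# Constructed sample: a lock-file style manifest with exact pinned versions.
MANIFEST = json.dumps({"dependencies": {
    "libalpha": "1.4.2", "libbeta": "2.0.0", "libgamma": "3.1.7"}})

# Constructed sample advisories. "affected" is a comparator range in the
# style vulnerability databases publish; "fixed" is the first safe version.
ADVISORIES = [
    {"id": "ADV-0001 (constructed)", "package": "libalpha",
     "affected": ">=1.0.0 <1.4.5", "fixed": "1.4.5"},
    {"id": "ADV-0002 (constructed)", "package": "libbeta",
     "affected": "<1.9.3", "fixed": "1.9.3"},
    {"id": "ADV-0003 (constructed)", "package": "libalpha",
     "affected": ">=1.4.0 <1.5.0", "fixed": "1.5.0"},
]

def parse_version(v):
    """'1.10.0' -> (1, 10, 0): compare numerically, never as strings."""
    return tuple(int(p) for p in v.split("."))

_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
        "==": lambda a, b: a == b}

def in_range(version, spec):
    """True if version satisfies every comparator in a space-separated range."""
    ver = parse_version(version)
    for op, bound in re.findall(r"(>=|<=|==|>|<)\s*([\d.]+)", spec):
        if not _OPS[op](ver, parse_version(bound)):
            return False
    return True

def update_plan(manifest_json, advisories):
    """Map each vulnerable dependency to the lowest version that closes all
    of its matching advisories. An empty dict means nothing to patch."""
    deps = json.loads(manifest_json)["dependencies"]
    plan = {}
    for adv in advisories:
        current = deps.get(adv["package"])
        if current and in_range(current, adv["affected"]):
            entry = plan.setdefault(
                adv["package"], {"from": current, "to": current, "advisories": []})
            entry["advisories"].append(adv["id"])
            # the target must clear every advisory, so keep the highest fix version
            if parse_version(adv["fixed"]) > parse_version(entry["to"]):
                entry["to"] = adv["fixed"]
    return plan

if __name__ == "__main__":
    for pkg, p in update_plan(MANIFEST, ADVISORIES).items():
        print(f"{pkg}: {p['from']} -> {p['to']}  ({', '.join(p['advisories'])})")
```

In a pipeline the plan's "to" versions are what get written into the package manager files and committed; a non-empty plan is also the trigger for the "inform stakeholders & manual testers" step.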
  • 25. Main Subject Enable ANYBODY (even your bots) to update your dependencies Integrate with your tools & workflows Make the update process independent from available resources Increase velocity Decrease fragility
  • 26. The vision of the study QA Workflow integration (manual & automated tests) Tool integration (task/ ticket management, test automation) GIT integration & automated committing of new versions Auto deployment of new updates for vulnerable libraries Respect open source policies & licences Find a toolset / method to build a fully automated update delivery pipeline which makes the use of open source more secure
  • 27. The vision of the study QA process hosting platform
  • 28. Share your use case contact me at pistner@brightsolutions.de