Credit to Franklin Mosley for much of the content presented. This presentation is based on our work on the DevSecOps pipeline at Ellucian. In the movie, RoboCop is given three primary directives: "Serve the public trust, Protect the innocent, and Uphold the law". We built our own RoboCop in order to bring law and order to our CICD pipeline. DevOps practices are all about enabling fast and frequent delivery of new software. In order to keep pace in a DevOps culture, application security must be reliably integrated into the CICD pipeline. In this talk, I will show how our small AppSec team combined automated tools along with human oversight in order to achieve our directives at scale, while winning the hearts and minds of our development teams.

1. © 2016 ELLUCIAN. 1
Bringing Law and Order to CI/CD

2. © 2016 ELLUCIAN. 2
Agenda
1 Background
2 RoboCop
3 DevSecOps at Ellucian
4 Lessons Learned

3. © 2016 ELLUCIAN. 3
40years
2,400
institutions
18,000,000
students
40
countries

4. Ellucian Ethos Platform
Integrated
Secure
Extensible
Analytics

5. © 2016 ELLUCIAN. 5
RoboCop

6. © 2016 ELLUCIAN. 7
RoboCop’s Prime Directives

7. © 2016 ELLUCIAN. 8
Serve the Public Trust
“Excuse me. I have to go. Somewhere there is a crime happening.”
RoboCop “RoboCop”
• Business Driven Security
• Open Collaboration
• Leaning In
• Translate Security for the Layperson

8. © 2016 ELLUCIAN. 9
Protect The Innocent
“Come quietly or there will be… trouble"
RoboCop “RoboCop”
• Developers are not security experts
• Security can be an afterthought
• Developers are lazy

9. © 2016 ELLUCIAN. 10
Uphold The Law
• What are your policies?
• What are your standards?
• Security Gates
“You are illegally parked on private property. You have twenty seconds to move
your vehicle.”
ED-209 “RoboCop”

10. © 2016 ELLUCIAN. 13
How We Define DevOps

11. © 2016 ELLUCIAN. 14
Scaling Application Security

12. © 2016 ELLUCIAN. 15
DevSecOps
DevSecOps: automation of security tasks by embedding security controls
and processes into the DevOps workflow

13. © 2016 ELLUCIAN. 16
Application Security Testing Technologies
Dynamic InfrastructureStatic

14. © 2016 ELLUCIAN. 17
Static Application Security Testing (SAST)

15. © 2016 ELLUCIAN. 18
Dynamic Application Security Testing (DAST)

16. © 2016 ELLUCIAN. 20
Infrastructure

17. © 2016 ELLUCIAN. 21

18. © 2016 ELLUCIAN. 22

19. © 2016 ELLUCIAN. 23

20. © 2016 ELLUCIAN. 24
DAST Evolution

21. © 2016 ELLUCIAN. 25
DAST Evolution

22. © 2016 ELLUCIAN. 26
DAST Evolution

23. © 2016 ELLUCIAN. 27
DAST Evolution

24. © 2016 ELLUCIAN. 28
DAST Evolution

25. © 2016 ELLUCIAN. 29
SAST Approach

26. © 2016 ELLUCIAN. 30
Mindset is critical

27. © 2016 ELLUCIAN. 31
You have to get your hands dirty
"construction-workers" (CC BY 2.0) by dandeluca

28. © 2016 ELLUCIAN. 32
Don’t let perfect be the enemy of good

29. © 2016 ELLUCIAN. 33
When all you have is a hammer…

30. © 2016 ELLUCIAN. 34
Invest for the future
"Piggy Bank" (CC BY 2.0) by free pictures of money

31. © 2016 ELLUCIAN. 35
Be an enabler not a
barrier
Make security a
feature
Summary
People and culture
not tools and
technology

32. © 2016 ELLUCIAN. 36
My team:
• Arjun BM
• Mehul Gadhia
• Franklin Mosley
• Swayam Sarangi
RoboCop is a trademark of Orion Pictures Corp.
All images © their respective owner
Acknowledgements

33. © 2016 ELLUCIAN. 37
Thank you.
Troy Marshall
troy.marshall@ellucian.com
/in/troymarshall
@RTroyMarshall