"DevSecOps sets out to relieve the costly and stressful delays that can occur when security testing is performed late in the game, by setting up processes and tools for
""shifting left"" so security testing can happen early and often. As organizations continue to embrace this DevSecOps approach, testing tools and practices are integrated
even further left in the development pipeline.
Join Senior Product Manager, Shiri Ivtsan, as she discusses:
Where and how developers are implementing DevSecOps in the SDLC;
Best practices for developers to adopt DevSecOps and more efficiently handle vulnerabilities;
Necessary steps for implementing a process for detection, prioritization, and remediation of open source vulnerabilities."
DevSecOps: Closing the Loop from Detection to Remediation
1. Company Confidential & Proprietary
DevSecOps: Closing The
Loop from Detection to
Remediation
Shiri Ivtsan, Senior Product Manager
1
2. Company Confidential & ProprietaryCompany Confidential & Proprietary 2
From DevOps to DevSecOps
3. Company Confidential & ProprietaryCompany Confidential & Proprietary
▪ Integrate the security aspects and practices with the DevOps processes
▪ Use agile methodologies to deliver small, secure pieces of code in frequent
releases
▪ Automate the security processes whenever possible
▪ The best response to the bottleneck effect of older security models on the
modern continuous delivery pipeline
3
DevSecOps: Integrating DevOps & Security Culture
4. Company Confidential & Proprietary
The Common Way of Handling Security Issues
Security teams
analyze and
prioritize
vulnerabilities
Sending emails or
opening
issues/tickets
Closing the loop on
resolution is hard
5. Company Confidential & Proprietary
Shifting the Mindset: Shift Left and Close the Loop
▪ Build guardrails, don't be gatekeepers
▪ Avoid Bottlenecks in the process: If the process
slows you down, it needs to be changed
▪ Make security everyone’s responsibility
▪ Facilitate regular discussions about application
security throughout the development process
6. Company Confidential & ProprietaryCompany Confidential & Proprietary
▪ Cost Reduction
▪ Speed of delivery
▪ ‘Secure by design’
▪ Open discussion
6
The Business Benefits of DevSecOps
Quality
Time
Cost
7. Company Confidential & Proprietary 7
The Operational Benefits of DevSecOps
▪ Versions are up-to-date
▪ Nearly “zero” re-work
▪ Early identification of vulnerabilities in code
▪ Enables a culture of constant iterative improvements
8. Company Confidential & ProprietaryCompany Confidential & Proprietary 8
Step 1: Know Your Goal
Baking Security Into
Existing Workflows
9. Company Confidential & ProprietaryCompany Confidential & Proprietary 9
Step 2: Identify the Processes
10. Company Confidential & ProprietaryCompany Confidential & Proprietary 10
Step 3: Determine Where to Automate
Build
Test
Detect
Issues
Remediate
Code
12. Company Confidential & ProprietaryCompany Confidential & Proprietary
• Focus on remediation funnel with automated policies
• Business priority, effectiveness, exploitability, severity, availability
of fixes
• Smart remediation
• Update to the earliest non-vulnerable version
• Update lock files where possible
Vulnerabilities Prioritization
13. Company Confidential & ProprietaryCompany Confidential & Proprietary
• Focus on remediation funnel with automated policies
• Business priority, effectiveness, exploitability, severity, availability
of fixes
• Smart remediation
• Update to the earliest non-vulnerable version
• Update lock files where possible
Vulnerabilities Remediation
▪ One of the most reliable risk mitigation strategies is to keep your open
source components continuously patched.
▪ By doing this, you avoid being exposed to known vulnerabilities.
▪ Automated remediation workflows can be initiated based on security
vulnerability policies triggered by a vulnerability detection, vulnerability
severity, CVSS score or when a new version is released.
14. Company Confidential & ProprietaryCompany Confidential & Proprietary
• Focus on remediation funnel with automated policies
• Business priority, effectiveness, exploitability, severity, availability
of fixes
• Smart remediation
• Update to the earliest non-vulnerable version
• Update lock files where possible
Focus on Remediation
▪ Business priority
▪ Effectiveness
▪ Exploitability
▪ Severity
▪ Availability of fixes
15. Company Confidential & ProprietaryCompany Confidential & Proprietary
• of fixes
• Smart remediation
• Update to the earliest non-vulnerable version
• Update lock files where possible
Prioritization and Remediation – The Next Level
▪ Actionable information is critical: Minimum actions, maximum
impact
▪ Smart remediation
▪ Update to the earliest non-vulnerable version