DevSecOps: Continuous Engineering with
Security by Design: Challenges and Solutions
Ali Babar
CREST – Centre for Research on Engineering Software Technologies
NJSD, China, 10th December 2022
Talk’s Roadmap
• Why Development and Operations (DevOps)?
• Embedding Security by Design in DevOps
• Building and Exploiting a DevSecOps Body of Knowledge
• Reported Challenges of Integrating Security in DevOps
• Recommended Solutions to Address the Challenges
• Workflow Support for Integrating Security in DevOps
• Some Areas of Future R&D Actions
CREST| The University of Adelaide 3
From DevOps to DevSecOps
• DevOps: Breaking down the “silos” of development (Dev) and operations (Ops)
• DevOps’ rapid and frequent delivery of software creates security challenges
• DevSecOps: Integrating security controls and practices into DevOps
Study #1
DevSecOps = DevOps with security by design
Building supporting knowledge and infrastructure
Study #1: Rajapakse, R. N., Zahedi, M., Ali Babar, M., Shen, H., Challenges and solutions when adopting DevSecOps: A systematic review, Journal of Information and Software Technology, 141, 106700, 2022 .
• Systematizing the knowledge of the challenges faced by practitioners when adopting DevSecOps and the reported solutions, by answering the following questions:
• RQ1: What are the specific challenges of adopting DevSecOps?
• RQ2: What are the reported solutions to address the DevSecOps adoption challenges?
• RQ3: What are the opportunities for future R&D activities?
Building DevSecOps Body of Knowledge: Key Findings
[Figure: DevSecOps – four areas of focus (People, Practices, Tools, Infrastructure)]
Reproduced from: Rajapakse, R. N., Zahedi, M., Ali Babar, M., Shen, H., Challenges and solutions when adopting DevSecOps: A systematic review, Journal of Information and Software Technology, 141, 106700, 2022.
SoK of DevSecOps: Identified Challenges
- Inability of established security tools to support rapid deployment cycles
- A large number of security vulnerabilities affect popular tools used in the DevSecOps pipeline
- Many manual security practices are difficult to fully automate and integrate into DevSecOps
- Developers face trade-offs between speed and security in a DevOps setting
- The nature of certain challenging infrastructures or restrictive policies (e.g., access control) conflicts with DevSecOps principles
- Inability of team members/management to engage in the required culture change
- Developers lacking security skills
SoK of DevSecOps: Identified Solutions
- Hybrid tools (e.g., Interactive Application Security Testing)
- Moving to cloud/as-a-service solutions
- Security treated as a key concern from the start of the process (shift-left), and continuing to be so throughout the cycle (continuous security)
- Strict access management, model-driven engineering and setting up simulation environments
- Security champions
- Controlled and standardized communication strategies
DevSecOps: Mapping Challenges onto Solutions
The review groups challenges, proposed solutions and future research directions under four themes: People, Practices, Tools and Infrastructure. The figure's arrows linking individual challenges to solutions are not reproduced here; the items in each column are listed below.

Challenges in DevSecOps
Tools
- The need for security tools that complement the rapid deployment cycles in DevSecOps
- Security issues resulting from tool complexity and integration challenges
- Limitations of static analysis tools affecting rapid deployment cycles
- Limitations of dynamic analysis tools restricting their usage in DevSecOps
- Configuration management issues of tools
- Challenges related to tool selection in DevSecOps
Practices
- Inability to fully automate traditionally manual security practices to integrate them into DevSecOps
- Inability to carry out rapid security requirements assessment
- Challenges related to security measurement practices in rapid deployment environments
- Challenges related to continuous security assessment
- Incompatibility between security and DevOps practices due to velocity of change, complexities and dependencies
People
- Inter-team collaboration issues
- Challenges in organizational culture
- Knowledge gap in security
- Insider threats
Infrastructure
- Vulnerabilities affecting CI systems
- Limitations of Infrastructure or Configuration as Code tools and scripts
- Security limitations or vulnerabilities affecting the container ecosystem
- Security limitations or vulnerabilities affecting the CD pipeline
- Difficult to adopt DevSecOps in complex cloud environments (e.g. multi-cloud environments)
- Difficult to adopt DevSecOps in resource-constrained environments (e.g. embedded systems, IoT)
- Difficult to adopt DevSecOps in highly regulated environments (e.g. air-gapped environments, medical devices)

Proposed solutions based on the main themes
- Shifting security to the left
- Implementing continuous security assessment practices
- Using threat analysis practices
- Adapting standards, policies, models and service agreements into testable criteria
- Automated vulnerability detection through requirement analysis
- Devising security metrics or metric-based approaches
- Effective process documentation and logging strategies
- Documentation with security support
- Security patch management using DevOps practices
- Reusable design fragments and security tactics
- Model-driven engineering to support DevSecOps
- Hybrid lifecycles with a data-security focus
- Framework support for DevSecOps
- Integrity protection frameworks
- Big data and behavioral analytics techniques
- Systematic evaluation of product-specific vulnerabilities
- Adopting best practices for tool usage
- Practitioners converge towards tool standards
- Tools for continuous vulnerability assessment
- Interactive Application Security Testing (IAST) tools
- Static analysis for Infrastructure as Code scripts
- Move to cloud-based solutions (e.g. static analysis as a service)
- Using orchestration platforms
- Adopting Infrastructure as Code
- Strict access management and policies
- Creating simulation or replication environments for testing
- Using a virtualization tool to encapsulate part of the system
- Having security champions in the teams
- Implementing security knowledge sharing methods and training
- Facilitating inter-team communication and collaboration with the appropriate controls or standards
- Carrying out organizational HRM programs in parallel

Proposed future research directions
- Consensus on shift-left and continuous security
- The need for security tools that target developers and not security experts (i.e. developer-centered security)
- Application security testing as a service
- Continuous vulnerability discovery and management practices
- Empirically validated security metrics for DevSecOps
- Defining security roles in DevSecOps
- The need for socio-technical studies addressing people-related challenges in DevSecOps
- Empirically validated frameworks in different contextual settings
Reproduced from: Rajapakse, R. N., Zahedi, M., Ali Babar, M., Shen, H., Challenges and solutions when adopting DevSecOps: A systematic review, Journal of Information and Software Technology, 141, 106700, 2022.
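Two of the solutions in the mapping, static analysis for Infrastructure as Code scripts and adapting policies into testable criteria, come together in a small IaC checker. The following Python is an added example, not code from the review or from these slides: it turns a short written policy (no host networking, no privileged containers, containers run as non-root, privilege escalation disabled, images pinned, resource limits set) into checks that can run on every commit of a Kubernetes manifest. The rule identifiers K8S-001 to K8S-006, the severities, the gate threshold and the sample manifest are all constructed for illustration.

```python
"""Policy-as-testable-criteria check for a Kubernetes manifest.
Added example; rule ids, severities and the manifest are constructed."""
from __future__ import annotations
import json
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Violation:
    rule: str
    severity: str
    path: str      # JSON-path-like location inside the manifest
    message: str


def pod_spec(doc: dict) -> tuple[str, dict]:
    """Return (path, PodSpec) for a Pod or for a workload with a pod template."""
    if doc.get("kind") == "Pod":
        return "spec", doc.get("spec", {})
    return "spec.template.spec", doc.get("spec", {}).get("template", {}).get("spec", {})


def image_is_pinned(image: str) -> bool:
    """Pinned = digest reference, or an explicit tag other than 'latest'.
    Only the last path segment is inspected so a registry port
    (registry.example.test:5000/app) is not mistaken for a tag."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]
    if ":" not in last:
        return False
    return last.rsplit(":", 1)[1] != "latest"


def check_manifest(doc: dict) -> list[Violation]:
    """Evaluate every testable criterion and return all violations found."""
    base, spec = pod_spec(doc)
    found: list[Violation] = []
    if spec.get("hostNetwork") is True:
        found.append(Violation("K8S-001", "HIGH", f"{base}.hostNetwork",
                               "pod shares the host network namespace"))
    for key in ("initContainers", "containers"):
        for i, c in enumerate(spec.get(key, [])):
            p = f"{base}.{key}[{i}]"
            sc = c.get("securityContext", {})
            if sc.get("privileged") is True:
                found.append(Violation("K8S-002", "CRITICAL", f"{p}.securityContext.privileged",
                                       "privileged container"))
            if sc.get("runAsNonRoot") is not True:   # an absent setting is a failure
                found.append(Violation("K8S-003", "HIGH", f"{p}.securityContext.runAsNonRoot",
                                       "container may run as root"))
            if sc.get("allowPrivilegeEscalation") is not False:
                found.append(Violation("K8S-004", "MEDIUM",
                                       f"{p}.securityContext.allowPrivilegeEscalation",
                                       "privilege escalation not disabled"))
            if not image_is_pinned(c.get("image", "")):
                found.append(Violation("K8S-005", "MEDIUM", f"{p}.image",
                                       "image not pinned to a tag or digest"))
            if not c.get("resources", {}).get("limits"):
                found.append(Violation("K8S-006", "LOW", f"{p}.resources.limits",
                                       "no resource limits set"))
    return found


def gate(doc: dict, fail_at: str = "HIGH") -> bool:
    """True when the manifest may proceed: no violation at or above fail_at."""
    return all(SEVERITY_RANK[v.severity] < SEVERITY_RANK[fail_at] for v in check_manifest(doc))


# Constructed sample: one non-compliant and one compliant container.
SAMPLE_MANIFEST = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "demo"},
 "spec": {"template": {"spec": {
   "hostNetwork": true,
   "containers": [
     {"name": "web", "image": "nginx:latest",
      "securityContext": {"privileged": true}},
     {"name": "api", "image": "registry.example.test:5000/api@sha256:0123abcd",
      "securityContext": {"runAsNonRoot": true, "allowPrivilegeEscalation": false},
      "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}
   ]}}}}
""")

if __name__ == "__main__":
    for v in check_manifest(SAMPLE_MANIFEST):
        print(f"{v.severity:8} {v.rule} {v.path}: {v.message}")
    print("gate:", "pass" if gate(SAMPLE_MANIFEST) else "fail")
```

Each check is phrased so that a missing setting fails rather than passes; that is the difference between a policy document and a testable criterion. The gate threshold is a separate knob from detection, which lets a team report everything while blocking only on HIGH and above.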
What is the problem? Security tools in DevOps
• It is challenging to introduce and fully leverage security tools in the DevOps pipeline
• Application security tools test applications for security vulnerabilities
• They have many drawbacks that affect DevOps goals
• Our aim: empirically investigate how security tools can be integrated into a DevOps workflow without affecting its rapid delivery goals
What Have We Learned?
Key challenges of integrating security tools into DevOps fall into four categories: Technology, Functionality, Output and Integration.
Reproduced from: Rajapakse, R. N., Zahedi, M., Ali Babar, M., An Empirical Analysis of Practitioners’ Perspectives on Security Tool Integration into DevOps, the 15th ACM/IEEE International Symposium on Empirical Software Engineering (ESEM) 2021.
What Have We Developed?
[Figure: a DevOps workflow with security tools integrated at each stage; the letters a) to i) mark the tool positions in the figure and "Issues present?" the decision points]

Continuous Integration
- The developer codes in the IDE. a) Real-time SAST in the IDE with a limited rule set. Issues present? Yes: early vulnerability fixes; No: commit.
- Commit. b) Incremental SAST with a limited rule set. Issues present? Yes: early vulnerability fixes; No: pull request from the feature branch, merge approval, merge into the master branch.
- Build. c) Deep SAST at build time on the CI server and d) SCA. Issues present? The pipeline is not stopped; results are triaged and, where the triage confirms issues, a ticket is raised based on severity.
Continuous Delivery
- Test on the QA server. e) IAST and f) DAST performed in parallel. Triage results in issues? Yes: raise a ticket based on severity.
Continuous Deployment
- Deploy.
Continuous Monitoring and Detection
- Monitor in production. g) RASP and h) WAF.
- i) SIEM, with input from the alerts of all vulnerability detection tools and the alerts of all exploit/attack detection tools. Issues present? Yes: vulnerability remediation.

Legend: tool type vs. developer activity.
Abbreviations: IDE: integrated development environment; SAST: static application security testing; CI: continuous integration; SCA: software composition analysis; IAST: interactive application security testing; QA: quality assurance; DAST: dynamic application security testing; RASP: runtime application self-protection; WAF: web application firewall; SIEM: security information and event management.
Reproduced from: Rajapakse, R. N., Zahedi, M., Ali Babar, M., An Empirical Analysis of Practitioners’ Perspectives on Security Tool Integration into DevOps, the 15th ACM/IEEE International Symposium on Empirical Software Engineering (ESEM) 2021.
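The workflow above places the same tool family at several points with different settings: a limited rule set where speed matters (IDE, commit), the full rule set at build time without stopping the pipeline, and severity-based ticketing for the rest. The following Python is an added example, not code from the slides or from the ESEM 2021 study, that models those decision points as a staged gate and then merges the gate output with production RASP/WAF alerts into one SIEM feed. The tool and rule names, the severity thresholds per stage and the sample findings are all constructed; the figure itself fixes only where tools run and that build-time findings do not stop the pipeline.

```python
"""Staged security gate for the workflow in the figure.
Added example; tool names, rule ids, thresholds and findings are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Finding:
    tool: str        # "sast", "sca", "dast" or "iast"
    rule: str        # constructed rule id, not a real scanner's
    severity: Severity
    location: str    # file:line for static tools, URL for dynamic tools


@dataclass(frozen=True)
class StagePolicy:
    tools: frozenset[str]                # tools that run at this stage
    sast_rules: frozenset[str] | None    # None = full rule set (deep SAST)
    block_at: Severity | None            # None = never block ("pipeline not stopped")


# Limited rule subset for the IDE and commit hooks (constructed names).
FAST_RULES = frozenset({"hardcoded-secret", "sql-injection", "command-injection"})

# Assumed thresholds: the figure only says issues are fixed early or ticketed.
POLICIES = {
    "ide":    StagePolicy(frozenset({"sast"}), FAST_RULES, Severity.HIGH),
    "commit": StagePolicy(frozenset({"sast"}), FAST_RULES, Severity.HIGH),
    "build":  StagePolicy(frozenset({"sast", "sca"}), None, None),
    "test":   StagePolicy(frozenset({"dast", "iast"}), None, Severity.CRITICAL),
}


@dataclass
class GateResult:
    stage: str
    blocked: bool
    tickets: dict[Severity, list[Finding]]   # "raise ticket based on severity"
    events: list[dict]                       # normalised alerts for the SIEM


def run_gate(stage: str, findings: list[Finding]) -> GateResult:
    """Keep findings from the stage's tools (and, for limited-rule stages, only
    SAST findings in the subset), bucket them by severity, decide on blocking."""
    p = POLICIES[stage]
    chosen = [f for f in findings if f.tool in p.tools
              and not (f.tool == "sast" and p.sast_rules is not None
                       and f.rule not in p.sast_rules)]
    tickets: dict[Severity, list[Finding]] = {}
    for f in chosen:
        tickets.setdefault(f.severity, []).append(f)
    blocked = p.block_at is not None and any(f.severity >= p.block_at for f in chosen)
    events = [{"source": "vuln-detection", "stage": stage, "tool": f.tool, "rule": f.rule,
               "severity": f.severity.name, "where": f.location} for f in chosen]
    return GateResult(stage, blocked, tickets, events)


def siem_ingest(gate_results: list[GateResult], runtime_alerts: list[dict]) -> list[dict]:
    """i) SIEM input: alerts from all vulnerability detection tools (the gates)
    plus alerts from all exploit/attack detection tools (RASP, WAF), in one
    schema, most severe first."""
    merged = [e for r in gate_results for e in r.events]
    for a in runtime_alerts:
        merged.append({"source": "attack-detection", "stage": "production",
                       "tool": a["tool"], "rule": a["signature"],
                       "severity": a["severity"].name, "where": a["target"]})
    return sorted(merged, key=lambda e: Severity[e["severity"]], reverse=True)


# Constructed sample input.
SAMPLE_FINDINGS = [
    Finding("sast", "hardcoded-secret", Severity.HIGH, "app/config.py:12"),
    Finding("sast", "weak-hash", Severity.MEDIUM, "app/auth.py:40"),   # outside FAST_RULES
    Finding("sca", "vulnerable-dependency", Severity.CRITICAL, "requirements.txt:3"),
    Finding("dast", "reflected-xss", Severity.MEDIUM, "https://qa.example.test/search"),
]
SAMPLE_RUNTIME_ALERTS = [
    {"tool": "waf", "signature": "sqli-attempt", "severity": Severity.HIGH,
     "target": "https://app.example.test/login"},
]

if __name__ == "__main__":
    results = [run_gate(s, SAMPLE_FINDINGS) for s in ("ide", "commit", "build", "test")]
    for r in results:
        print(r.stage, "blocked" if r.blocked else "continues",
              {s.name: len(v) for s, v in r.tickets.items()})
    for e in siem_ingest(results, SAMPLE_RUNTIME_ALERTS):
        print(e)
```

With the sample input the IDE and commit gates see only the hardcoded secret and stop the developer there, the build gate records all three static findings as tickets without failing the build, and the test gate lets a MEDIUM DAST finding through while a CRITICAL one would block deployment. Normalising gate events and runtime alerts into one schema is what lets the SIEM correlate a WAF alert with the vulnerability ticket it exploits.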
DevSecOps: Key Takeaways
• The main focus area for researchers in DevSecOps is automation and tool usage. Older technologies such as SAST and DAST tools have drawbacks that affect DevSecOps goals.
• Shift-left security and continuous security assessment are two key recommendations. These practices prioritise security in a continuous manner throughout the deployment cycle.
• The inability to automate traditionally manual security practices is a significant problem in this field. These practices are hard to fully integrate with the continuous practices of DevOps.
• Even though cultural and human aspects are critical for DevSecOps success, not much has been done on them in either the state of the art or the state of the practice.
• Adopting DevSecOps principles or practices in complex, resource-constrained and highly regulated infrastructures is a growing area of research. More empirically evaluated solutions are needed to ensure wider adoption of such tools or frameworks.
Acknowledgements
• This presentation is based on the research studies (bibliographic details below) planned and carried out by the CREST researchers and collaborators: Roshan Raja (PhD student), M. Ali Babar, Mansooreh Zahedi and Haifeng Shen
• Slides taken from the presentations prepared by Roshan Rajapakse
• Triet Le helped in adding some material and formatting the slides
• The Cybersecurity CRC provided the funding
• The CREST team provided feedback/comments for improving the research studies
Study #1: Rajapakse, R. N., Zahedi, M., Ali Babar, M., Shen, H., Challenges and solutions when adopting DevSecOps: A systematic review, Journal of Information and Software Technology, 141, 106700, 2022.
Study #2: Rajapakse, R. N., Zahedi, M., Ali Babar,M., An Empirical Analysis of Practitioners’ Perspectives on Security Tool Integration into DevOps, the 15th ACM/IEEE International Symposium on Empirical
Software Engineering (ESEM) 2021.
Contact: Ali Babar
ali.babar@adelaide.edu.au

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 

Recently uploaded (20)

Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 

DevSecOps: Continuous Engineering with Security by Design: Challenges and Solutions

  • 1. DevSecOps: Continuous Engineering with Security by Design: Challenges and Solutions Ali Babar CREST – Centre for Research on Engineering Software Technologies NJSD, China, 10th December 2022
  • 2. Talk’s Roadmap • Why Development and Operations (DevOps)? • Embedding Security by Design in DevOps • Building and Exploiting DevSecOps Body of Knowledge • Reported Challenges of Integrating Security in DevOps • Recommended Solutions to Address the Challenges • Workflow Support for Integrating Security in DevOps • Some Areas of Future R&D Actions CREST| The University of Adelaide 3
  • 3. From DevOps to DevSecOps • DevOps: Breaking down "silos" of development (Dev) and operations (Ops) • DevOps’ rapid and frequent delivery of software creates security challenges • DevSecOps: Integrating security controls and practices into DevOps
  • 4. Study #1: DevSecOps = DevOps with security by design. Building support knowledge & infrastructure. Study #1: Rajapakse, R. N., Zahedi, M., Ali Babar, M., Shen, H., Challenges and solutions when adopting DevSecOps: A systematic review, Journal of Information and Software Technology, 141, 106700, 2022.
  • 5. Building DevSecOps Body of Knowledge • Systematizing the knowledge of the challenges faced by practitioners when adopting DevSecOps, and of the reported solutions, by answering the following questions • RQ1: What are the specific challenges of adopting DevSecOps? • RQ2: What are the reported solutions to address the DevSecOps adoption challenges? • RQ3: What are the opportunities for future R&D activities?
  • 7. DevSecOps – Four Areas of Focus (figure reproduced from: Rajapakse, R. N., Zahedi, M., Ali Babar, M., Shen, H., Challenges and solutions when adopting DevSecOps: A systematic review, Journal of Information and Software Technology, 141, 106700, 2022.)
  • 8. SoK of DevSecOps: Identified Challenges. DevSecOps Challenges:
- Inability of established security tools to support rapid deployment cycles
- A large number of security vulnerabilities affect popular tools used in the DevSecOps pipeline
- Many manual security practices are difficult to fully automate and integrate into DevSecOps
- Developers face trade-offs between speed and security in a DevOps setting
- The nature of certain challenging infrastructures or restrictive policies (e.g., access control) conflicts with DevSecOps principles
- Inability of team members/management to engage in the required culture change
- Developers lacking security skills
  • 9. SoK of DevSecOps: Identified Solutions. Proposed Solutions:
- Hybrid tools (e.g., Interactive Application Security Testing)
- Moving to cloud/as-a-service solutions
- Security to be treated as a key concern from the start of the process (shift-left), and it should continue to be so throughout the cycle (continuous security)
- Strict access management, model-driven engineering and setting up simulation environments
- Security champions
- Controlled and standardized communication strategies
  • 10. DevSecOps: Mapping Challenges onto Solutions (figure reproduced from: Rajapakse, R. N., Zahedi, M., Ali Babar, M., Shen, H., Challenges and solutions when adopting DevSecOps: A systematic review, Journal of Information and Software Technology, 141, 106700, 2022.)
[Figure: challenges in DevSecOps mapped onto proposed solutions and future research directions, grouped under the four themes Tools, Practices, Infrastructure and People. Only the labels survive in the extracted text; the arrows that link individual challenges to individual solutions are in the figure only, so the three columns are listed separately below.]

Challenges in DevSecOps
- Tools: challenges related to tool selection in DevSecOps; the need for security tools that complement the rapid deployment cycles in DevSecOps; security issues resulting from tool complexity and integration challenges; limitations of static analysis tools affecting rapid deployment cycles; limitations of dynamic analysis tools restricting their usage in DevSecOps; configuration management issues of tools; vulnerabilities affecting CI systems; limitations of Infrastructure or Configuration as Code tools and scripts; security limitations or vulnerabilities affecting the container ecosystem; security limitations or vulnerabilities affecting the CD pipeline
- Practices: inability to fully automate traditionally manual security practices to integrate into DevSecOps; inability to carry out rapid security requirements assessment; challenges related to security measurement practices in rapid deployment environments; challenges related to continuous security assessment; incompatibility between security and DevOps practices due to velocity of change, complexities and dependencies
- Infrastructure: difficult to adopt DevSecOps in complex cloud environments (e.g., multi-cloud environments); difficult to adopt DevSecOps in resource-constrained environments (e.g., embedded systems, IoT); difficult to adopt DevSecOps in highly regulated environments (e.g., air-gapped environments, medical devices)
- People: inter-team collaboration issues; challenges in organizational culture; knowledge gap in security; insider threats

Proposed solutions based on main themes
- Documentation with security support; effective process documentation and logging strategies
- Adopting best practices for tool usage; practitioners converge towards tool standards
- Static analysis for Infrastructure as Code scripts; adopting Infrastructure as Code
- Systematic evaluation of product-specific vulnerabilities; tools for continuous vulnerability assessment; automated vulnerability detection through requirement analysis
- Hybrid lifecycles with data-security focus
- Creating simulation or replication environments for testing; using a virtualization tool to encapsulate part of the system
- Framework support for DevSecOps; integrity protection frameworks
- Implementing security knowledge sharing methods and training; having security champions in the teams; carrying out organizational HRM programs in parallel
- Facilitating inter-team communication and collaboration with the appropriate controls or standards
- Strict access management and policies
- Model-driven engineering to support DevSecOps; reusable design fragments and security tactics
- Big data and behavioral analytics techniques
- Shifting security to the left; implementing continuous security assessment practices; using threat analysis practices
- Security patch management using DevOps practices
- Using orchestration platforms
- Interactive Application Security Testing (IAST) tools
- Move to cloud-based solutions (e.g., static analysis as a service)
- Adapting standards, policies, models and service agreements into testable criteria
- Devising security metrics or metric-based approaches

Proposed future research directions
- Consensus on shift-left and continuous security
- The need for security tools that target developers and not security experts (i.e., developer-centered security)
- Application security testing as a service
- Continuous vulnerability discovery and management practices
- Empirically validated security metrics for DevSecOps
- Defining security roles in DevSecOps
- The need for socio-technical studies addressing people-related challenges in DevSecOps
- Empirically validated frameworks in different contextual settings
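"Static analysis for Infrastructure as Code scripts" is listed above as a solution without saying what such a check looks like. The following is an added example, not code from the slides or the cited papers: a minimal rule engine that a pipeline could run on Dockerfiles and Terraform snippets before they are applied, failing the stage on high-severity findings. The rule IDs, the severity assignments and the sample inputs are constructed for this demo.

```python
"""Static analysis for Infrastructure-as-Code scripts: a minimal rule engine.

Added example, not code from the slides or the cited papers. Rule IDs,
severities and the sample inputs below are constructed for this demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "high" | "medium" | "low"
    line: int
    message: str


def scan_dockerfile(text: str) -> list[Finding]:
    """Line-oriented checks for common Dockerfile weaknesses."""
    findings: list[Finding] = []
    lines = text.splitlines()
    has_nonroot_user = False
    for n, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, arg = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = arg.split()[0]
            # Unpinned base images silently pull new code on every build.
            if ":" not in image or image.endswith(":latest"):
                findings.append(Finding("DKR001", "medium", n,
                                        "base image is unpinned (no tag or :latest)"))
        elif instr == "USER":
            has_nonroot_user = arg.strip() != "root"
        elif instr == "ADD" and re.match(r"https?://", arg):
            findings.append(Finding("DKR002", "high", n,
                                    "ADD fetches a remote URL without an integrity check"))
        elif instr == "RUN" and re.search(r"curl[^|]*\|\s*(ba)?sh", arg):
            findings.append(Finding("DKR003", "high", n,
                                    "RUN pipes a download straight into a shell"))
        elif instr == "ENV" and re.search(r"(PASSWORD|SECRET|TOKEN)\s*[= ]\s*\S", arg, re.I):
            findings.append(Finding("DKR004", "high", n,
                                    "secret-like value baked into the image via ENV"))
    if not has_nonroot_user:
        findings.append(Finding("DKR005", "medium", len(lines),
                                "no non-root USER instruction; processes run as root"))
    return findings


_INGRESS_BLOCK = re.compile(r"ingress\s*\{(.*?)\}", re.S)
_CREDENTIAL_ATTR = re.compile(r'(?m)^\s*(\w*(?:password|secret)\w*)\s*=\s*"[^"]+"', re.I)


def _line_of(text: str, offset: int) -> int:
    return text[:offset].count("\n") + 1


def scan_terraform(text: str) -> list[Finding]:
    """Regex checks on a Terraform snippet: hardcoded credentials and world-open ingress."""
    findings: list[Finding] = []
    for m in _CREDENTIAL_ATTR.finditer(text):
        findings.append(Finding("TF001", "high", _line_of(text, m.start()),
                                f"hardcoded credential in attribute {m.group(1)}"))
    for m in _INGRESS_BLOCK.finditer(text):
        body = m.group(1)
        if "0.0.0.0/0" in body or "::/0" in body:
            port_match = re.search(r"from_port\s*=\s*(\d+)", body)
            port = port_match.group(1) if port_match else "?"
            # Management ports exposed to the world are treated as high severity (assumption).
            severity = "high" if port in ("22", "3389") else "medium"
            findings.append(Finding("TF002", severity, _line_of(text, m.start()),
                                    f"ingress on port {port} open to the whole internet"))
    return findings


def should_block(findings: list[Finding]) -> bool:
    """Pipeline gate: fail the stage if any high-severity finding is present."""
    return any(f.severity == "high" for f in findings)


# Constructed sample inputs for the demo (deliberately weak).
SAMPLE_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=hunter2
ADD https://example.invalid/setup.sh /tmp/setup.sh
RUN curl -sSL https://example.invalid/install.sh | sh
COPY . /app
CMD ["python", "/app/main.py"]
"""

SAMPLE_TERRAFORM = """\
resource "aws_db_instance" "db" {
  engine   = "postgres"
  password = "hunter2"
}

resource "aws_security_group" "ssh" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
"""

if __name__ == "__main__":
    for name, found in (("Dockerfile", scan_dockerfile(SAMPLE_DOCKERFILE)),
                        ("main.tf", scan_terraform(SAMPLE_TERRAFORM))):
        for f in found:
            print(f"{name}:{f.line} [{f.rule}/{f.severity}] {f.message}")
        print(f"{name}: {'BLOCK' if should_block(found) else 'pass'}")
```

The point of the gate is the one the slides make about speed versus security: the rules are cheap, line-oriented checks that finish in milliseconds, so they can run on every commit, and only high-severity findings stop the build while medium ones are reported for later triage.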
  • 11. What is the problem? Security tools in DevOps • Challenging to introduce and fully leverage security tools in the DevOps pipeline • Application security tools test applications for security vulnerabilities • Many drawbacks which affect DevOps goals • Our aim: Empirically investigate how security tools can be integrated into a DevOps workflow without affecting its rapid delivery goals
  • 12. What Have We Learned? Key challenges of integrating security tools into DevOps fall under four headings: Technology, Functionality, Output and Integration.
  • 13. What Have We Learned? (figure reproduced from: Rajapakse, R. N., Zahedi, M., Ali Babar, M., An Empirical Analysis of Practitioners’ Perspectives on Security Tool Integration into DevOps, the 15th ACM/IEEE International Symposium on Empirical Software Engineering (ESEM) 2021.)
  • 14. What Have We Learned? (figure reproduced from: Rajapakse, R. N., Zahedi, M., Ali Babar, M., An Empirical Analysis of Practitioners’ Perspectives on Security Tool Integration into DevOps, the 15th ACM/IEEE International Symposium on Empirical Software Engineering (ESEM) 2021.)
  • 15. What Have We Developed? (figure reproduced from: Rajapakse, R. N., Zahedi, M., Ali Babar, M., An Empirical Analysis of Practitioners’ Perspectives on Security Tool Integration into DevOps, the 15th ACM/IEEE International Symposium on Empirical Software Engineering (ESEM) 2021.)
[Figure: a DevOps workflow with security tools a) to i) placed along the pipeline, from the IDE through Continuous Integration, Continuous Delivery and Continuous Deployment to Continuous Monitoring and Detection.]
- Developer codes in the IDE: a) real-time SAST on the IDE (limited rules). Issues present? Yes: early vulnerability fixes; No: commit.
- Commit: b) incremental SAST (limited rules). Issues present? Yes: early vulnerability fixes; No: pull request on the feature branch, merge approval, merge into the master branch.
- Build on the CI server (Continuous Integration): c) deep SAST at build time, d) SCA. Issues present? The pipeline is not stopped; results are triaged, and if triage confirms issues a ticket is raised based on severity.
- Test on the QA server (Continuous Delivery): e) IAST, f) DAST performed in parallel. Issues present? Yes: vulnerability remediation; No: deploy.
- Deploy and Monitor in production (Continuous Deployment): g) RASP, h) WAF.
- Continuous Monitoring and Detection: i) SIEM, with input from alerts from all vulnerability detection tools and from all exploit/attack detection tools.
Tool types and developer activities: IDE: integrated development environment; SAST: static application security testing; CI: continuous integration; SCA: software composition analysis; IAST: interactive application security testing; QA: quality assurance; DAST: dynamic application security testing; RASP: runtime application self-protection; WAF: web application firewall; SIEM: security information and event management.
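The workflow above has three distinct gate behaviours: the fast IDE and commit checks run a limited rule set and block on any finding, the deep build-time scan does not stop the pipeline but turns findings into tickets by severity, and the test stage gates deployment. The following is an added example, not the authors' code, that models those decision points as one policy function so the speed-versus-coverage trade-off can be exercised. The stage names, the rule sets, the severity-to-priority mapping, the "block the test stage only on high or critical" threshold and the sample findings are all assumptions made for this demo.

```python
"""Gate policy for the security-tool placement in the workflow.

Added example, not the authors' code. Stage names, rule sets, ticket
priorities, the test-stage threshold and the sample findings are assumed
for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Fast, developer-facing checks (IDE, commit) run a limited rule set so they stay
# interactive; the deep scan on the CI server runs the full set.
LIMITED_RULES = {"hardcoded-secret", "sql-injection", "command-injection"}
DEEP_RULES = LIMITED_RULES | {"path-traversal", "weak-crypto", "xxe", "vulnerable-dependency"}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
STAGE_ORDER = ["ide", "commit", "build", "test", "production", "monitor"]

# Tool placement following the slide's a) .. i) lettering.
STAGE_TOOLS = {
    "ide": ["real-time SAST (limited rules)"],
    "commit": ["incremental SAST (limited rules)"],
    "build": ["deep SAST", "SCA"],
    "test": ["IAST", "DAST"],
    "production": ["RASP", "WAF"],
    "monitor": ["SIEM"],
}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    severity: str
    location: str


@dataclass
class Decision:
    stage: str
    proceed: bool                                   # may the pipeline move on?
    fix_now: list[Finding] = field(default_factory=list)             # "early vulnerability fixes"
    tickets: list[tuple[str, Finding]] = field(default_factory=list)  # (priority, finding)
    siem_alerts: list[Finding] = field(default_factory=list)


def ticket_priority(f: Finding) -> str:
    """Raise ticket based on severity: critical/high -> P1, medium -> P2, low -> P3 (assumed mapping)."""
    rank = SEVERITY_RANK.get(f.severity, 0)
    return "P1" if rank >= 3 else "P2" if rank == 2 else "P3"


def evaluate(stage: str, findings: list[Finding]) -> Decision:
    """Apply the gate behaviour of one stage to the findings its tools produced."""
    d = Decision(stage=stage, proceed=True)
    if stage in ("ide", "commit"):
        # Limited rules: findings outside the fast rule set are simply not visible here.
        visible = [f for f in findings if f.rule in LIMITED_RULES]
        d.fix_now = visible
        d.proceed = not visible                  # "Issues present?" -> fix before merging
    elif stage == "build":
        # Deep SAST / SCA: the pipeline is NOT stopped; results are triaged into tickets.
        d.tickets = [(ticket_priority(f), f) for f in findings]
    elif stage == "test":
        # IAST / DAST on the QA server: block deployment on high or critical (assumed threshold).
        blocking = [f for f in findings if SEVERITY_RANK.get(f.severity, 0) >= 3]
        d.fix_now = blocking
        d.tickets = [(ticket_priority(f), f) for f in findings if f not in blocking]
        d.proceed = not blocking
    elif stage in ("production", "monitor"):
        # RASP / WAF detections and every tool's alerts feed the SIEM; remediation tickets follow.
        d.siem_alerts = list(findings)
        d.tickets = [(ticket_priority(f), f) for f in findings]
    else:
        raise ValueError(f"unknown stage {stage!r}")
    return d


def run_pipeline(findings_by_stage: dict[str, list[Finding]]) -> list[Decision]:
    """Walk the stages in order and stop at the first gate that does not let the build through."""
    decisions: list[Decision] = []
    for stage in STAGE_ORDER:
        d = evaluate(stage, findings_by_stage.get(stage, []))
        decisions.append(d)
        if not d.proceed:
            break
    return decisions


# Constructed sample findings for the demo.
SAMPLE_FINDINGS = [
    Finding("deep SAST", "path-traversal", "high", "app/files.py:42"),
    Finding("incremental SAST", "hardcoded-secret", "high", "app/config.py:7"),
    Finding("SCA", "vulnerable-dependency", "medium", "requirements.txt:3"),
    Finding("DAST", "weak-crypto", "low", "https://qa.example.invalid/login"),
]

if __name__ == "__main__":
    for d in run_pipeline({"commit": SAMPLE_FINDINGS}):
        print(d.stage, "proceed" if d.proceed else "BLOCKED", [f.rule for f in d.fix_now])
```

Running the same findings through the commit gate and the build gate shows the design choice: the commit gate sees only the hardcoded secret (path traversal is outside its limited rule set) and blocks, whereas the build gate sees everything, lets the pipeline continue, and opens four tickets with priorities derived from severity.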
  • 16. DevSecOps: Key Takeaways
• The main focus area for researchers in DevSecOps is automation and tool usage. Older technologies, such as SAST and DAST tools, have drawbacks that affect DevSecOps goals.
• Shift-left security and continuous security assessment are two key recommendations. These practices prioritise security in a continuous manner throughout the deployment cycle.
• The inability to automate traditionally manual security practices is a significant problem in this field. These practices are hard to fully integrate with the continuous practices of DevOps.
• Even though cultural or human aspects are critical for DevSecOps success, not much has been done on them in either the state of the art or the state of the practice.
• Adopting DevSecOps principles or practices in various complex, resource-constrained, and highly regulated infrastructures is a growing area of research. More empirically evaluated solutions are needed to ensure wider adoption of such tools or frameworks.
  • 17. Acknowledgements • This presentation is based on the research studies (bibliographic details below) planned and carried out by the CREST researchers and collaborators: • Roshan Rajapakse (PhD student), M. Ali Babar, Mansooreh Zahedi and Haifeng Shen • Slides taken from the presentations prepared by Roshan Rajapakse • Triet Le helped in adding some material and formatting the slides. • The Cybersecurity CRC provided the funding • The CREST team provided feedback/comments for improving the research studies. Study #1: Rajapakse, R. N., Zahedi, M., Ali Babar, M., Shen, H., Challenges and solutions when adopting DevSecOps: A systematic review, Journal of Information and Software Technology, 141, 106700, 2022. Study #2: Rajapakse, R. N., Zahedi, M., Ali Babar, M., An Empirical Analysis of Practitioners’ Perspectives on Security Tool Integration into DevOps, the 15th ACM/IEEE International Symposium on Empirical Software Engineering (ESEM) 2021.
  • 18. CRICOS 00123M Contact: Ali Babar ali.babar@adelaide.edu.au