© 2017 IBM Corporation
Leverage DevOps & Agile Development to Transform Your Application Testing Program: Client Case Study

Speakers
• Shuchita Gupta, Senior Software Client Architect & Leader, IBM
• Sona Srinivasan, Senior IT Architect, Global Architecture and Technology Services IT, Cisco Systems, Inc.
• Alan Shimel, Moderator, Editor-in-Chief, DevOps.com
State of Application Security
• Average time to detect an APT: 256 days
• Average cost of a U.S. data breach: $6.5M
• Percentage of breaches due to Web attacks: 40%
• Average size of a U.S. data breach: 30K records
Sources: IBM X-Force Threat Intelligence 2015; 2016 Verizon Data Breach Investigations Report; 2016 Cost of Data Breach Study: Global Analysis
Conversations & Challenges
• How often should you think about security in the SDLC? Are automated DAST scans enough?
• Should I stop my release in a continuous delivery pipeline if my critical vulnerabilities aren't fixed?
• Can running SAST scans on each build reduce my need to run DAST scans?
• Should my user stories for security be incorporated in a sprint, or be a part of my design?
Key:
SAST – Static Application Security Testing
DAST – Dynamic Application Security Testing
Poll Question #1
The Sec Ops Journey
• Conversations that launched with Agile
• The Steps to Cognitive Security
• Examples of Continuous Security
• Continuous Security at Cisco
• Adapting to Threats & Attacks Together
Continuous Security Example #1
Architecture & Security Requirements
• Threat Modeling by Feature & Design: for every major application re-design or major feature change, threat models must be built based on the application's design changes.
• Security assessments and user stories tie in, with the security assessment answering the Who, Why and What of the feature and application. Documented security design: revisit the data classification for data at rest and in transit.
• E.g.: employee data on a company system becomes customer data on an insurance system; data changes classification from system to system, depending on the consuming application.
• Application profiling at the time of provisioning, for baselining.
Continuous Security Example #2
Running static security scans on Git repo branches is considered continuous security when combined with:
• Code tagging (e.g.: deployed code tags need to carry metadata about the code), with insights into code patterns (e.g.: singleton usages, factory patterns, etc., tied to security insights)
• Developer behaviors (e.g.: developers who code in Java might need training in SQL injection; novice developers might need training in XSS)
• Code-branch patterns (e.g.: code repos with fewer branches might have more to catch, as branched code might be more modularized and secure)
• Vulnerability trends (e.g.: HR apps have SQL injections, while Service X might have the most vulnerable code)
• Types of languages used, tied to the type of data classification (e.g.: Cisco is a big Java and PL/SQL shop with movement towards Apex and Angular, etc.)
Continuous Security Example #3
Automated DAST is seen as continuous security when paired with security benchmarking:
• Quality pre-requisites for DAST: can deployment workflows check for quality & load tests before running DAST scans? (Have QA bugs been fixed, so that DAST spends more of its time on the security threat classes?)
• Are the DAST test environments close to production and stable enough for graceful recovery from the DAST attacks (DMZ, core zone, data center, PaaS profile), especially in a continuous environment? Example: network latency from the source of the DAST scan to the application destination environment (e.g.: India to Richardson).
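The DAST pre-requisite check from this slide and the "stop the release while critical vulnerabilities aren't fixed" question from the Conversations slide, as one added gate script (not code from the deck or from Cisco/IBM); the QualityStatus and Finding record shapes and the sample data are constructed assumptions.

```python
"""Release-gate logic: DAST runs only after its quality pre-requisites hold,
and the release stops while unfixed findings at or above a severity remain.
Added example; record shapes and field names are assumptions, not any product's API."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class QualityStatus:
    """What a deployment workflow would pull from its QA and load-test stages (assumed shape)."""
    open_qa_bugs: int        # functional defects still open against this build
    load_test_passed: bool   # load/performance suite result for the target environment
    env_stable: bool         # health check: environment recovered from its last scan


@dataclass(frozen=True)
class Finding:
    """One scanner result; `tool` is "SAST" or "DAST" (assumed shape)."""
    tool: str
    severity: str
    rule: str
    fixed: bool = False


def dast_prerequisites(q: QualityStatus) -> List[str]:
    """Return the unmet pre-requisites; an empty list means the DAST stage may start."""
    unmet = []
    if q.open_qa_bugs > 0:
        unmet.append(f"{q.open_qa_bugs} open QA bug(s): fix functional defects first "
                     "so scan time goes to security threat classes, not broken pages")
    if not q.load_test_passed:
        unmet.append("load tests not passed: environment may not recover gracefully from scan traffic")
    if not q.env_stable:
        unmet.append("target environment unstable: scan results would not be reliable")
    return unmet


def release_decision(findings: Sequence[Finding], q: QualityStatus,
                     block_at: str = "critical") -> Dict[str, object]:
    """Gate the pipeline in two stages.

    Stage 1: DAST runs only when dast_prerequisites() is empty; otherwise the
             pipeline stops with the unmet pre-requisites as the reasons.
    Stage 2: the release is stopped while any unfixed SAST or DAST finding at
             or above `block_at` severity remains.
    """
    unmet = dast_prerequisites(q)
    if unmet:
        return {"run_dast": False, "proceed": False, "blocking": [], "reasons": unmet}
    threshold = SEVERITY_RANK[block_at]
    blocking = sorted(
        (f for f in findings if not f.fixed and SEVERITY_RANK[f.severity] >= threshold),
        key=lambda f: (-SEVERITY_RANK[f.severity], f.tool, f.rule),
    )
    reasons = [f"{f.tool} {f.severity}: {f.rule}" for f in blocking]
    return {"run_dast": True, "proceed": not blocking, "blocking": blocking, "reasons": reasons}


# Constructed sample data standing in for scanner and QA exports.
SAMPLE_FINDINGS = [
    Finding("SAST", "critical", "sql-injection", fixed=True),   # already fixed: does not block
    Finding("SAST", "high", "xss-reflected"),
    Finding("DAST", "critical", "sql-injection"),
    Finding("DAST", "low", "missing-security-header"),
]
QA_BLOCKED = QualityStatus(open_qa_bugs=3, load_test_passed=True, env_stable=True)
QA_CLEAN = QualityStatus(open_qa_bugs=0, load_test_passed=True, env_stable=True)

if __name__ == "__main__":
    for label, q in (("QA not done", QA_BLOCKED), ("QA clean", QA_CLEAN)):
        d = release_decision(SAMPLE_FINDINGS, q)
        print(f"{label}: run DAST={d['run_dast']} proceed={d['proceed']}")
        for r in d["reasons"]:
            print("  -", r)
```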
Continuous Security Example #4
Management of incident response data and its mapping to application attacks and environment attacks, with:
• Pre-deployment security posture, from:
  • SAST
  • DAST
  • Open source scanning
  • App profiling (cloud native, hybrid, on premise, etc.)
  • Penetration test results
• Post-deployment security posture of:
  • Applications
  • Data
  • Environment
Poll Question #2
Development Platform as a Service
[Slide diagram: a Development Platform as a Service pipeline drawn as one lane per application type (Cloud Apps, Apps Built, Apps Bought, Web, Mobile, APIs). Stage labels appearing across the lanes: Repo Mgmt., Build Automation, Quality Assurance, SAST, Binary Analyzer, Executable Mgmt., Mobile DAST, Cloud Ready DAST, Deployment, Penetration Test, Post-Deployment Mgmt.]
APP Profiling & DPAAS Choice
[Slide diagram. Labels: App Stack Provisioning & App Profiling; Cloud API; Web App Built; Cloud App; Mobile App Built; Web App Packaged; Mobile App Packaged; Incidents & Security Breaches; App Profile (composite).]
Poll Question #3
Continuous Security at Cisco
People & Skillset
1. Continuous education on process & technology
2. In-context training as opposed to on-demand
3. Federated security personnel in the functions
Technology & Automation
1. Watch the market & developer world
2. Our eyes are on PaaS changes and developer tools & technology changes
Governance & Audits
1. Bringing the policy to the user
2. Moving governance into the life cycle – start right, rather than shift left
3. Multi-check points
Journey to COGNITIVE
[Slide diagram: five stages plotted against two axes, Process Complexity and Developer Skillset.]
Simplify
• Good domain knowledge
• Developer skill-set will range from beginner to seasoned
Automate
• Process is simple and mature for automation
• Intermediate skill-set of the developer
Digitize
• Go from multiple sub-systems to digital components in streams
• Expert developer
Machine Learning
• Developer is knowledgeable enough on when to apply machine learning to enable speed
• Adding specific bots to address bottlenecks is a great way to ease the experience problem for security tools & their complexity
Cognitive
• Developer is highly seasoned, with domain expertise and data architectures which then leverage cognitive APIs for proactive security guidance
Managing Risk Holistically
• Comprehensive attack surface minimization through insights
• Bottom-up & top-down vulnerability management
• Technology ecosystem – with vendors
• Always remember the application is the front door – trained ninjas
Key Resources to Learn More
• Forrester Report "Secure Applications at the Speed of DevOps"
• Gartner 2017 Magic Quadrant for Application Security Testing
• Forrester Total Economic Impact (TEI) Study
• E-Guide: 5 Steps to Achieve Risk-Based Application Security Management
Q & A
Thank You!

 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 

Recently uploaded (20)

TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 

Leverage DevOps & Agile Development to Transform Your Application Testing Program: Client Case Study

  • 1. © 2017 IBM Corporation. Leverage DevOps & Agile Development to Transform Your Application Testing Program: Client Case Study
  • 2. Speakers
      Shuchita Gupta, Senior Software Client Architect & Leader, IBM
      Sona Srinivasan, Senior IT Architect, Global Architecture and Technology Services IT, CISCO Systems, Inc.
      Alan Shimel, Moderator, Editor-in-Chief, DevOps.com
  • 3. State of Application Security
      Average time to detect APT: 256 days
      Average cost of a U.S. data breach: $6.5M
      Percentage of breaches due to Web attacks: 40%
      Average size of a U.S. data breach: 30K records
      Sources: IBM X-Force Threat Intelligence 2015; 2016 Verizon Data Breach Investigations Report; 2016 Cost of Data Breach Study: Global Analysis
  • 4. Conversations & Challenges
      How often should you think about security in the SDLC? Are automated DAST scans enough?
      Should I stop my release in a continuous delivery pipeline if my critical vulnerabilities aren't fixed?
      Can running SAST scans on each build reduce my need to run DAST scans?
      Should my user stories for security be incorporated in a sprint, or be a part of my design?
      Key: SAST – Static Application Security Testing; DAST – Dynamic Application Security Testing
  • 6. The Sec Ops Journey
      Conversations that launched with Agile; The Steps to Cognitive Security; Examples of Continuous Security; Continuous Security at Cisco; Adapting to Threats & Attacks Together
  • 7. Continuous Security Example #1: Architecture & Security Requirements
      • Threat Modeling by Feature & Design: for every major application re-design or major feature change, Threat Models must be built based on the application's design changes
      • Security assessments and User Stories tie in, where security assessments answer the Who, Why and What of the feature and application. Documented Security Design. Revisit of the data classification for data at Rest and in Transit
      • E.g.: Employee data on a Company System becomes Customer Data on an Insurance System; data changes classification from system to system, depending on the consuming application
      • Application Profiling at the time of Provisioning, for baselining
  • 8. Continuous Security Example #2: Running static security scans on Git repo branches is considered continuous security with:
      • Code Tagging (E.g.: deployed code tags need to have metadata about the code) with insights into code patterns (E.g.: Singleton usages, Factory patterns etc. tied to security insights)
      • Developer Behaviors (E.g.: developers who code in Java might need training in SQL Injection etc.; novice developers might need training in XSS)
      • Code-branch Patterns (E.g.: code repos with fewer branches might have more to catch, as branched code might be more modularized and secure)
      • Vulnerability Trends (E.g.: HR apps have SQL Injections, while Service X might have the most vulnerable code)
      • Types of Languages used, tied to type of data classification (E.g.: Cisco is a big Java and PL/SQL shop with movement towards Apex and Angular etc.)
  • 9. Continuous Security Example #3: Automated DAST is seen as continuous security with security benchmarking
      • Quality Prerequisites for DAST: can deployment workflows check for Quality & Load Tests before running DAST scans? (Have QA bugs been fixed, so DAST spends more time on the security threat classes?)
      • Are the DAST test environments close to Production and stable enough for graceful recovery from the DAST attacks (DMZ, Core Zone, Data Center, PaaS profile), especially in a continuous environment? Example: network latency from the source of the DAST scan to the application destination environment (E.g.: India to Richardson)
  • 10. Continuous Security Example #4: Management of Incident Response data and mapping to application attacks and environment attacks with:
      • Pre-Deployment Security Posture from: SAST; DAST; Open Source Scanning; App Profiling (cloud native, hybrid, on premise etc.); Penetration Test Results
      • Post-Deployment Security Posture of: Applications; Data; Environment
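The three preceding examples, and the slide 4 question of whether a release should stop when critical vulnerabilities are unfixed, come together in a pipeline gate. The block below is an added illustration, not code from the deck, IBM or Cisco: it consumes constructed SAST, DAST and open-source-scan findings for a few invented apps, refuses to trust DAST results on a build whose QA and load tests have not passed (slide 9's quality prerequisite), blocks release on any unfixed finding at or above a severity threshold, and rolls open findings up by app and by language to give the kind of vulnerability trend slide 8 describes. The record layout, app names and QA flags are all assumptions made for the example.

```python
"""Pipeline security gate and vulnerability-trend summary (added example).

Assumptions (not from the deck): finding records are plain dicts with the
keys shown in SAMPLE_FINDINGS; app metadata carries the language and data
classification; DAST results count only when the build's QA and load-test
prerequisites passed.
"""
from collections import Counter, defaultdict

# Constructed sample data: one build's pre-deployment posture for three apps.
SAMPLE_APPS = {
    "hr-portal": {"language": "Java", "data_class": "employee-pii"},
    "billing-api": {"language": "PL/SQL", "data_class": "customer-financial"},
    "status-page": {"language": "Angular", "data_class": "public"},
}

SAMPLE_FINDINGS = [
    {"app": "hr-portal", "source": "SAST", "type": "SQL Injection", "severity": "critical", "fixed": False},
    {"app": "hr-portal", "source": "SAST", "type": "XSS", "severity": "high", "fixed": True},
    {"app": "billing-api", "source": "OSS", "type": "Vulnerable dependency", "severity": "critical", "fixed": True},
    {"app": "billing-api", "source": "DAST", "type": "SQL Injection", "severity": "high", "fixed": False},
    {"app": "status-page", "source": "DAST", "type": "Missing security header", "severity": "low", "fixed": False},
]

# Constructed QA state per app: the quality prerequisites that must hold before DAST.
SAMPLE_QA = {
    "hr-portal": {"functional_tests_passed": True, "load_tests_passed": True},
    "billing-api": {"functional_tests_passed": True, "load_tests_passed": False},
    "status-page": {"functional_tests_passed": True, "load_tests_passed": True},
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def dast_prerequisites_met(qa: dict) -> bool:
    """DAST output is only meaningful on a build whose QA and load tests passed."""
    return qa["functional_tests_passed"] and qa["load_tests_passed"]


def release_gate(app, findings, qa, block_at="critical"):
    """Return (allowed, reasons).

    Blocks when the DAST prerequisites are missing or when an unfixed finding
    at or above `block_at` remains from any scanner source.
    """
    reasons = []
    if not dast_prerequisites_met(qa):
        reasons.append("DAST prerequisites not met (QA/load tests failing)")
    threshold = SEVERITY_RANK[block_at]
    for f in findings:
        if f["app"] == app and not f["fixed"] and SEVERITY_RANK[f["severity"]] >= threshold:
            reasons.append(f"unfixed {f['severity']} {f['type']} ({f['source']})")
    return (not reasons, reasons)


def vulnerability_trends(findings, apps):
    """Open finding types per app and per language (the 'vulnerability trends' view)."""
    by_app = defaultdict(Counter)
    by_language = defaultdict(Counter)
    for f in findings:
        if f["fixed"]:
            continue
        by_app[f["app"]][f["type"]] += 1
        by_language[apps[f["app"]]["language"]][f["type"]] += 1
    return {"by_app": dict(by_app), "by_language": dict(by_language)}


def gate_all(apps=SAMPLE_APPS, findings=SAMPLE_FINDINGS, qa=SAMPLE_QA):
    """Run the release gate for every app in the build."""
    return {app: release_gate(app, findings, qa[app]) for app in apps}


if __name__ == "__main__":
    for app, (allowed, reasons) in gate_all().items():
        print(f"{app}: {'RELEASE' if allowed else 'BLOCK'} {reasons}")
    print(vulnerability_trends(SAMPLE_FINDINGS, SAMPLE_APPS))
```

On the sample data the gate blocks hr-portal for its unfixed critical SAST finding, blocks billing-api because the load tests failed so its DAST result cannot be trusted (its only critical finding is already fixed), and lets status-page through with a low-severity DAST finding still open. Lowering `block_at` to "high" would also stop billing-api on its open DAST SQL Injection; the threshold is the policy decision slide 4 asks about.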
  • 12. Development Platform as a Service (pipeline diagram; only the slide's labels survive). Columns: Cloud Apps, Apps Built, Apps Bought, Web, Mobile, APIs. Stages: Repo Mgmt., Build Automation, Quality Assurance, SAST, Binary Analyzer, Binary Executable Mgmt., DAST / Mobile DAST / Cloud Ready DAST, Deployment, Penetration Test, Post-Deployment Mgmt.
  • 13. APP Profiling & DPAAS Choice (diagram; only the slide's labels survive). Elements: App Stack Provisioning & App Profiling; app kinds Cloud API, Web App Built, Cloud App, Mobile App Built, Web App Packaged, Mobile App Packaged; Incidents & Security Breaches; App Profile (composite).
  • 15. Continuous Security at Cisco
      People & Skillset: 1. Continuous Education on Process & Technology; 2. In-Context Training as opposed to On-Demand; 3. Federated Security Personnel in the functions
      Technology & Automation: 1. Watch the Market & Developer world; 2. Our eyes are on PaaS changes and Developer Tools & Technology Changes
      Governance & Audits: 1. Bringing The Policy to the user; 2. Moving Governance into the Life Cycle – Start Right, rather than shift left; 3. Multi-Check Points
  • 16. Journey to COGNITIVE (stages plotted against Process Complexity and Developer Skillset)
      Simplify: good domain knowledge; developer skill-set will range from beginner to seasoned
      Automate: process is simple and mature for automation; intermediate skill-set of the developer
      Digitize: go from multiple sub-systems to digital components in streams; expert developer
      Machine Learning: developer is knowledgeable enough on when to apply machine learning to enable speed; adding specific bots to address bottlenecks is a great way to ease the experience problem for security tools & their complexity
      Cognitive: developer is highly seasoned, with domain expertise and data architectures which then leverage cognitive APIs for Proactive Security Guidance
  • 17. Managing Risk Holistically
      Comprehensive attack surface minimization through insights
      Bottom-up & top-down vulnerability management
      Technology ecosystem – with Vendors
      Always remember the application is the front door: Trained Ninjas
  • 18. Key Resources to Learn More
      • Forrester Report "Secure Applications at the Speed of DevOps"
      • Gartner 2017 Magic Quadrant for Application Security Testing
      • Forrester Total Economic Impact (TEI) Study
      • E-Guide: 5 Steps to Achieve Risk-Based Application Security Management
  • 20. © 2017 IBM Corporation. Thank You!

Editor's Notes

  1. Slides 1-2 (Alan): General introductions and topic overview