FIVE PRINCIPLES FOR SECURING DEVOPS
VERACODE EBOOK
INTRODUCTION

DevOps, a new organizational and cultural way of organizing development and IT operations work, and its sister technologies, continuous integration and continuous deployment (CI/CD), have transformed the way we create software. And there is widespread evidence that DevOps practices, despite their substantial organizational, cultural and technological requirements, are spreading rapidly.

In fact, there are sound business reasons for executives to embrace these changes. A recent study shows that firms with high-performing IT organizations are twice as likely to exceed their profitability, market share and productivity goals.

Forsgren, N., J. Humble (2016). “DevOps: Profiles in ITSM Performance and Contributing Factors.” In the Proceedings of the Western Decision Sciences Institute (WDSI) 2016, Las Vegas, NV. Available at SSRN: ssrn.com/abstract=2681906
Further, specific disciplines of continuous delivery, including test and deployment automation, trunk-based development, continuous integration and version control of app and system configuration, all lead directly to higher levels of IT performance and, therefore, to higher levels of organization performance.

But reaping these gains requires rethinking application security. To secure DevOps, it is critical to understand how DevOps and CI/CD are different from Agile development and how this difference changes the requirements for application security solutions. It is also important to recognize that, as CI/CD in particular continue to evolve, so do the requirements for application security.

THIS PAPER
• Provides background on the evolution of DevOps.
• Proposes five principles that solutions seeking to integrate application security into DevOps and CI/CD must address.
DevOps: Evolution and Revolution

Many Agile software projects have succeeded in improving their quality practices only to face the reality of failed deployments when unanticipated operational requirements resulted in software that did not meet the needs of availability, scalability or manageability. By integrating activities and organizations like operations earlier into the development process, DevOps seeks to expose the development team to these potentially surprising or disruptive requirements early so that the team can plan for and address them ahead of time.

The process of bringing other teams, in particular operations, into the development process began as a revolt against heavyweight and highly manual operations practices that were seen as slowing development down.

DevOps seeks to enable software development teams to more consistently hit or exceed their goals for on-time delivery of high-quality software that meets the needs of the business. It does this by removing organizational barriers between Agile development teams and non-Agile supporting processes.
DevOps thought leader Gene Kim has stated that DevOps practices explicitly seek to align the potentially at-odds goals of “make changes quickly” (development) and “keep everything stable” (IT operations) by bringing the teams together and giving them shared responsibility for software delivery and operation. This organizational alignment supports all the other activities of DevOps.

[Figure: Development teams (“Make changes quickly”) and IT operations teams (“Keep everything stable”) brought together around a common goal.]

FOR INSTANCE, DEVOPS:
1. Embraces an existing software development trend, continuous integration, and its transformation into continuous deployment.
2. Applies insights from traditional manufacturing quality control processes to the software development process.

In this way, DevOps is a natural evolution of Agile software development and its culture of “retrospectives,” “do better” and clearing blockages to getting work done. But the specific manifestations of this cultural and organizational change have been revolutionary for how software is built, beginning with how — and how frequently — it is delivered to market.
If DevOps includes cultural, organizational and technological components, continuous integration and continuous delivery, or CI/CD, is the technological foundation on which DevOps builds its practices.

CI/CD seeks to automate much of the routine work of transforming code changes into working software, including delivering tested code into production. From its roots in build servers like Hudson, Jenkins and Microsoft Team Foundation Server, CI/CD has become a collection of technologies and practices that supports the integrated mission of releasing new code changes while keeping things stable.

Technologies that allow DevOps organizations to move faster include:
• Automated build and verification of code changes
• Unit tests
• Containerization
• Trunk-based development
• Feature toggles
• Microservices
• Operational monitoring
“Shifting Security Left” Drives New Requirements for AppSec

Like operations, security’s goals of minimizing enterprise risk sometimes seem to be at odds with development’s mandate for change. In reality, there is a middle path that can allow development to deliver more secure code at DevOps speed, but it requires security to adapt to the principles that have proven successful for DevOps.

Considering the goals of CI/CD helps us identify the following five principles for securing DevOps:
1. Automate Security In
2. Integrate to “Fail Quickly”
3. No False Alarms
4. Build Security Champions
5. Keep Operational Visibility
PRINCIPLE ONE: Automate Security In

Automated invocation of security testing requires a comprehensive API to initiate, control and return results from software testing, and should include productized support for common tools of development teams.
PRINCIPLE TWO: Integrate to “Fail Quickly”

Integrating security into the CI/CD pipeline ensures that security testing happens with every release, and avoids the problem of leaving application security entirely in the hands of the developer or as a step late in the process.

There are several ways to address this requirement, for instance:
• Scan small units of code so that results can be returned within the latency tolerance of the existing process in the pipeline.
• Allow the pipeline to kick off tests and feed the results into the backlog of the development team outside of the pipeline, essentially conducting the full application test in parallel.

Regardless of how you integrate static testing into the pipeline, full application testing is still necessary: security issues may be introduced into the code that can only be found via a full program analysis. You can conduct full application tests outside the scope of the pipeline, or only on builds that make it to a certain stage of release candidate qualification.

In addition, you don’t need to stop at integrating with the pipeline. The best way to catch software defects quickly is to introduce tests that run as close to the developer as possible — for example, with quick-running tests triggered on check-in or even as pre-check-in gates. You can also allow developers to quickly test from the IDE.
PRINCIPLE THREE: No False Alarms

As the industry has learned, a technology that reports too many false positives will be ignored and will fail to be adopted. This is doubly true in CI/CD, where a failed security test may stop a critical business function from being delivered to production — or a critical patch from being released. That may be tolerable if the security issue is real, but is completely intolerable if the finding is a false positive.
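As an added example (not code from this ebook or from Veracode), here is a small Python model of a pipeline security stage that applies the first three principles together: the scan is invoked programmatically on just the changed files, the full-program analysis is submitted as a parallel job whose handle goes to the backlog, and only severe, high-confidence findings block the release. The scanner and job-submission functions are stand-ins for a real scanner API, the job-handle format is assumed, and the findings are constructed sample data.

```python
"""Model of a CI/CD security stage: quick scan in-line, full scan in parallel,
and a gate that blocks only on severe, high-confidence findings."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Finding:
    rule: str          # scanner rule that fired, e.g. "sql-injection"
    path: str          # file the finding points at
    severity: Severity
    confidence: float  # scanner's own confidence estimate, 0.0..1.0


@dataclass
class GateDecision:
    blocked: bool
    blocking: List[Finding] = field(default_factory=list)  # fail the build
    backlog: List[Finding] = field(default_factory=list)   # routed to the team backlog
    full_scan_job: str = ""                                # handle of the parallel full scan


# Constructed sample output of a quick, changed-files-only scan. These are not
# real findings; they only exercise the gate below.
SAMPLE_QUICK_SCAN: Dict[str, List[Finding]] = {
    "app/db/query.py": [
        Finding("sql-injection", "app/db/query.py", Severity.CRITICAL, 0.95),
        Finding("hardcoded-credential", "app/db/query.py", Severity.HIGH, 0.40),
    ],
    "app/web/views.py": [
        Finding("reflected-xss", "app/web/views.py", Severity.MEDIUM, 0.90),
    ],
    "docs/README.md": [],
}


def quick_scan(changed_files: List[str],
               results: Dict[str, List[Finding]] = SAMPLE_QUICK_SCAN) -> List[Finding]:
    """Principle One: the scan is invoked programmatically, here only on the
    changed units so it returns inside the pipeline's latency tolerance.
    Stand-in for a real scanner API call; reads the constructed results."""
    found: List[Finding] = []
    for path in changed_files:
        found.extend(results.get(path, []))
    return found


def submit_full_scan(build_id: str) -> str:
    """Principle Two: full-program analysis runs in parallel, off the critical
    path, and the job handle is what the backlog refers to. Stand-in: a real
    integration would call the scanner API; the handle format is assumed."""
    return f"full-scan/{build_id}"


def gate(findings: List[Finding], min_severity: Severity = Severity.HIGH,
         min_confidence: float = 0.8) -> GateDecision:
    """Principle Three: only findings that are both severe AND high-confidence
    stop the release. Everything else is still recorded, but in the backlog,
    so a probable false positive never holds up a critical deploy or patch."""
    decision = GateDecision(blocked=False)
    for f in findings:
        if f.severity >= min_severity and f.confidence >= min_confidence:
            decision.blocking.append(f)
        else:
            decision.backlog.append(f)
    decision.blocked = bool(decision.blocking)
    return decision


def pipeline_security_stage(build_id: str, changed_files: List[str]) -> GateDecision:
    """One pipeline stage: gate on the quick scan, then kick off the full scan."""
    decision = gate(quick_scan(changed_files))
    decision.full_scan_job = submit_full_scan(build_id)
    return decision


if __name__ == "__main__":
    d = pipeline_security_stage("build-42", ["app/db/query.py", "app/web/views.py"])
    print("release blocked:", d.blocked)
    for f in d.blocking:
        print("  BLOCK  ", f.rule, f.path, f.severity.name, f.confidence)
    for f in d.backlog:
        print("  BACKLOG", f.rule, f.path, f.severity.name, f.confidence)
    print("full scan job:", d.full_scan_job)
```

The thresholds in `gate` are the tunable part: raising `min_confidence` trades fewer blocked builds for more backlog items, which is exactly the tolerance question the paper asks teams to settle up front.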
PRINCIPLE FOUR: Build Security Champions

Most developers are not trained in the practices of secure coding. Building security champions within the development team gives the security team a force multiplier and reduces culture conflict by embedding application security knowledge directly in the team.
PRINCIPLE FIVE: Keep Operational Visibility

Application security cannot stop after deployment. As with other aspects of DevOps, a well-engineered solution must support “closed loop” feedback from production in the event of a security incident. There are several scenarios in which operational visibility into application security is particularly important.

1. TO ENABLE THE TEAM TO DEPLOY FASTER. The business may choose to trade full application security testing for faster deployment and, therefore, rely on the ability to test after deployment and quickly update if an issue is found.

2. TO CATCH EXCEPTIONS. There will be cases when an application gets to production without going through the automated pipeline, or when a misconfiguration results in a vulnerable application. These cases make discovery and testing of web applications in production critical.

3. TO DETECT AND PROTECT AGAINST AN ATTACK. Operations needs visibility into potential security issues in deployed software so that they can drive a quick response.
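The “catch exceptions” scenario needs a way to notice applications that reached production without the pipeline, or that no longer match what the pipeline scanned. This added example (not from the ebook or from Veracode) reconciles a constructed production inventory against the pipeline’s build records and queues anything unverified for discovery and testing in production; the service names and artifact digests are made up.

```python
"""Closed-loop check for Principle Five: compare what is running in production
with what the CI/CD pipeline built and scanned, and queue the gaps."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Deployment:
    service: str   # name of the running web application
    digest: str    # identifier of the artifact actually running (constructed)
    host: str


@dataclass(frozen=True)
class BuildRecord:
    service: str
    digest: str    # artifact the pipeline produced
    scanned: bool  # whether the pipeline's security stage ran on it


# Constructed sample data: three running services and the pipeline's records.
PRODUCTION_INVENTORY = [
    Deployment("payments-api", "sha256:aaa111", "prod-web-01"),
    Deployment("customer-portal", "sha256:bbb222", "prod-web-02"),
    Deployment("legacy-reports", "sha256:ccc333", "prod-web-03"),  # never saw the pipeline
]
PIPELINE_BUILDS = [
    BuildRecord("payments-api", "sha256:aaa111", scanned=True),
    BuildRecord("customer-portal", "sha256:bbb999", scanned=True),  # prod runs a different digest
]


def reconcile(inventory: List[Deployment],
              builds: List[BuildRecord]) -> Dict[str, List[str]]:
    """Group running services by why (or whether) they need production testing."""
    latest: Dict[str, BuildRecord] = {b.service: b for b in builds}
    report: Dict[str, List[str]] = {
        "verified": [], "bypassed_pipeline": [], "drifted": [], "unscanned": []
    }
    for d in inventory:
        b = latest.get(d.service)
        if b is None:
            report["bypassed_pipeline"].append(d.service)  # the "catch exceptions" case
        elif b.digest != d.digest:
            report["drifted"].append(d.service)            # running artifact != scanned build
        elif not b.scanned:
            report["unscanned"].append(d.service)          # built, but the security stage was skipped
        else:
            report["verified"].append(d.service)
    return report


def production_test_queue(report: Dict[str, List[str]]) -> List[str]:
    """Everything that is not verified goes to the discovery-and-test queue."""
    return sorted(report["bypassed_pipeline"] + report["drifted"] + report["unscanned"])


if __name__ == "__main__":
    rep = reconcile(PRODUCTION_INVENTORY, PIPELINE_BUILDS)
    for reason, services in rep.items():
        print(f"{reason:18s} {services}")
    print("queue for production testing:", production_test_queue(rep))
```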
Having the Conversation: Questions to Ask When Integrating Security Into DevOps

Many organizations are at the earliest stages of considering how to integrate security into their DevOps practices. The following questions will help you think about how to design an integrated solution for securing the CI/CD pipeline:

1. Have you rearchitected your applications for microservices, or is that work still in progress?
2. Which of your applications will pass through a CI/CD pipeline? Microservice-based? Monoliths? In what languages?
3. What tolerance do you have for “false alarms” (FPs) from an application security capability that is integrated into your DevOps practices?
4. Are you practicing trunk-based development, or do you still practice release and feature branching?
5. How do you plan to monitor your operational applications for security attacks?
6. How do you plan to bring security expertise into the DevOps team?
CONCLUSION

The process and technical requirements for integrating security with DevOps practices and CI/CD technology are challenging for any application security technology to meet. By embracing DevOps principles and looking beyond the pipeline to organizational and production capabilities, you greatly increase the chances of successfully integrating security with DevOps.

Veracode’s cloud-based service and systematic approach deliver a simpler and more scalable solution for reducing global application-layer risk across web, mobile and third-party applications. Recognized as a Gartner Magic Quadrant Leader since 2010, Veracode secures hundreds of the world’s largest global enterprises, including 3 of the top 4 banks in the Fortune 100 and 20+ of Forbes’ 100 Most Valuable Brands.

LEARN MORE AT WWW.VERACODE.COM, ON THE VERACODE BLOG, AND ON TWITTER.

shyamraj55
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 

Recently uploaded (20)

20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
improving their quality practices only to face the reality of failed deployments when unanticipated operational requirements resulted in software that did not meet the needs of availability, scalability or manageability. By integrating activities and organizations like operations earlier into the development process, DevOps seeks to expose the development team to these potentially surprising or disruptive requirements early so that the team can plan for and address them ahead of time.

The process of bringing other teams, in particular operations, into the development process began as a revolt against heavyweight and highly manual operations practices that were seen as slowing development down. DevOps seeks to enable software development teams to more consistently hit or exceed their goals for on-time delivery of high-quality software that meets the needs of the business. It does this by removing organizational barriers between Agile development teams and non-Agile supporting processes.
DevOps thought leader Gene Kim has stated that DevOps practices explicitly seek to align the potentially at-odds goals of “make changes quickly” (development) and “keep everything stable” (IT operations) by bringing the teams together and giving them shared responsibility for software delivery and operation. This organizational alignment supports all the other activities of DevOps.

[Figure: development teams (“Make changes quickly”) and IT operations teams (“Keep everything stable”) converge on a common goal.]

FOR INSTANCE, DEVOPS:
1. Embraces an existing software development trend, continuous integration, and its transformation into continuous deployment.
2. Applies insights from traditional manufacturing quality control processes to the software development process.

In this way, DevOps is a natural evolution of Agile software development and its culture of “retrospectives,” “do better” and clearing blockages to getting work done. But the specific manifestations of this cultural and organizational change have been revolutionary for how software is built, beginning with how, and how frequently, it is delivered to market.

If DevOps includes cultural, organizational and technological components, continuous integration and continuous delivery, or CI/CD, is the technological foundation on which DevOps builds its practices. CI/CD seeks to automate much of the routine work of transforming code changes into working software, including delivering tested code into production. From its roots in build servers like Hudson, Jenkins and Microsoft Team Foundation Server, CI/CD has become a collection of technologies and practices that supports the integrated mission of releasing new code changes while keeping things stable.

Technologies that allow DevOps organizations to move faster include:
• Automated build and verification of code changes
• Unit tests
• Containerization
• Trunk-based development
• Feature toggles
• Microservices
• Operational monitoring

“Shifting Security Left” Drives New Requirements for AppSec

Like operations, security’s goal of minimizing enterprise risk sometimes seems to be at odds with development’s mandate for change. In reality, there is a middle path that can allow development to deliver more secure code at DevOps speed, but it requires security to adapt to the principles that have proven successful for DevOps.

Considering the goals of CI/CD helps us identify the following five principles for securing DevOps:
1. Automate Security In
2. Integrate to “Fail Quickly”
3. No False Alarms
4. Build Security Champions
5. Keep Operational Visibility

PRINCIPLE ONE: Automate Security In

Automated invocation of security testing requires a comprehensive API to initiate, control and return results from software testing, and should include productized support for the common tools of development teams.

PRINCIPLE TWO: Integrate to “Fail Quickly”

Integrating security into the CI/CD pipeline ensures that security testing happens with every release, and avoids the problem of leaving application security entirely in the hands of the developer or as a step late in the process. There are several ways to address this requirement, for instance:
• Scan small units of code so that results can be returned within the latency tolerance of the existing process in the pipeline.
• Allow the pipeline to kick off tests and feed the results into the backlog of the development team outside of the pipeline, essentially conducting the full application test in parallel.

Regardless of how you integrate static testing into the pipeline, full application testing is still necessary: security issues may be introduced into the code that can only be found via whole-program analysis (for example, a data flow whose source and sink live in different modules, which a scan of one changed file cannot see). You can conduct full application tests outside the scope of the pipeline, or only on builds that make it to a certain stage of release candidate qualification.

In addition, you don’t need to stop at integrating with the pipeline. The best way to catch software defects quickly is to introduce tests that run as close to the developer as possible, for example with quick-running tests triggered on check-in or even as pre-check-in gates. You can also allow developers to quickly test from the IDE.
PRINCIPLE THREE: No False Alarms

As the industry has learned, a technology that reports too many false positives will be ignored and will fail to be adopted. This is doubly true in CI/CD, where a failed security test may stop a critical business function from being delivered to production, or a critical patch from being released. That may be tolerable if the security issue is real, but it is completely intolerable if the finding is a false positive.

PRINCIPLE FOUR: Build Security Champions

Most developers are not trained in the practices of secure coding. Building security champions inside the development teams gives the security team a force multiplier and reduces culture conflict by embedding application security knowledge directly in the team.
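The gate policy that Principles Two and Three describe, as an added example that is not code from the Veracode paper: a pipeline stage that reads the scanner’s results, blocks the build only on high-confidence findings of blocking severity in files touched by the change, files everything else to the backlog so the pipeline keeps moving, and honours a triaged baseline of known false positives so a finding dismissed once never blocks a release again. SARIF 2.1.0 is a real, tool-neutral results format; the per-result `properties.confidence` value, the `example-sast` tool name, the rule IDs and the three sample findings are constructed for this illustration, and the fingerprint scheme is this example’s own.

```python
"""CI security gate for a DevOps pipeline.

Added example, not Veracode's code. Assumptions: the scanner writes SARIF 2.1.0
(a real, tool-neutral results format); the per-result `properties.confidence`
value in [0, 1] is an assumed tool-specific extension; the baseline of
already-triaged false positives is keyed on a fingerprint computed here.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Constructed SARIF document standing in for a fast scan of one change set.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "user input reaches a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}],
             "properties": {"confidence": 0.95}},
            {"ruleId": "HARDCODED-CRED", "level": "error",
             "message": {"text": "string literal looks like a password"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures.py"}, "region": {"startLine": 7}}}],
             "properties": {"confidence": 0.40}},
            {"ruleId": "WEAK-HASH", "level": "warning",
             "message": {"text": "MD5 used for an integrity check"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"}, "region": {"startLine": 10}}}],
             "properties": {"confidence": 0.90}},
        ],
    }],
})


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str          # SARIF levels: "error", "warning", "note", "none"
    confidence: float   # assumed tool extension, 0.0 to 1.0
    uri: str
    line: int
    message: str

    @property
    def fingerprint(self) -> str:
        # Stable key for the baseline; a real tool may supply its own fingerprints.
        return f"{self.rule_id}:{self.uri}:{self.line}"


@dataclass
class GateDecision:
    blocking: list[Finding] = field(default_factory=list)    # fail this pipeline stage
    backlog: list[Finding] = field(default_factory=list)     # triage outside the pipeline
    suppressed: list[Finding] = field(default_factory=list)  # already-triaged false positives

    @property
    def passed(self) -> bool:
        return not self.blocking


def parse_sarif(text: str) -> list[Finding]:
    """Flatten every run's results into Finding records (first location only)."""
    findings = []
    for run in json.loads(text).get("runs", []):
        for r in run.get("results", []):
            loc = r["locations"][0]["physicalLocation"]
            findings.append(Finding(
                rule_id=r["ruleId"],
                level=r.get("level", "warning"),
                confidence=float(r.get("properties", {}).get("confidence", 0.0)),
                uri=loc["artifactLocation"]["uri"],
                line=int(loc.get("region", {}).get("startLine", 0)),
                message=r["message"]["text"],
            ))
    return findings


def gate(findings, changed_files=None, baseline=frozenset(),
         min_confidence=0.8, blocking_levels=("error",)) -> GateDecision:
    """Apply the fail-quickly policy.

    A finding blocks the stage only when it is (a) of a blocking severity,
    (b) reported at or above the confidence threshold, and (c) in a file
    touched by this change (when changed_files is given). Everything else
    goes to the backlog; findings in the triaged baseline are not re-filed.
    """
    decision = GateDecision()
    for f in findings:
        if f.fingerprint in baseline:
            decision.suppressed.append(f)
        elif (f.level in blocking_levels and f.confidence >= min_confidence
              and (changed_files is None or f.uri in changed_files)):
            decision.blocking.append(f)
        else:
            decision.backlog.append(f)
    return decision


if __name__ == "__main__":
    d = gate(parse_sarif(SAMPLE_SARIF), changed_files={"app/db.py", "app/util.py"})
    for f in d.blocking:
        print(f"BLOCK   {f.fingerprint}: {f.message}")
    for f in d.backlog:
        print(f"BACKLOG {f.fingerprint}: {f.message} (level={f.level}, conf={f.confidence})")
    raise SystemExit(0 if d.passed else 1)
```

The exit status is what the CI server reads; the confidence threshold and the changed-files scope are the two knobs that keep a noisy or out-of-scope result from stopping a release, while the backlog still receives it for triage rather than being dropped.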
PRINCIPLE FIVE: Keep Operational Visibility

Application security cannot stop after deployment. As with other aspects of DevOps, a well-engineered solution must support “closed loop” feedback from production in the event of a security incident. There are several scenarios in which operational visibility into application security is particularly important:
1. To enable the team to deploy faster. The business may choose to trade full application security testing for faster deployment and, therefore, rely on the ability to test after deployment and quickly update if an issue is found.
2. To catch exceptions. There will be cases when an application gets to production without going through the automated pipeline, or when a misconfiguration results in a vulnerable application. These cases make discovery and testing of web applications in production critical.
3. To detect and protect against an attack. Operations needs visibility into potential security issues in deployed software so that they can drive a quick response.
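The “catch exceptions” scenario above, as an added example and not code from the paper: reconciling what operations sees running against what the pipeline recorded, so that a build that reached production without any scan, with a failing scan, or with a passing scan old enough to warrant re-testing in production is surfaced for follow-up, worst first. Both inventories (app names, image digests, timestamps and verdicts) are constructed for the illustration; in practice they come from the deployment platform and the scan results store.

```python
"""Production reconciliation: surface deployed builds the pipeline never cleared.

Added example, not Veracode's code. Both inventories below are constructed:
DEPLOYED stands in for what the orchestrator reports as running, keyed by
image digest; PIPELINE stands in for the scan verdict the CI/CD pipeline
recorded for each digest it built.
"""
from datetime import datetime

# Constructed: what operations sees running right now.
DEPLOYED = [
    {"app": "checkout", "env": "prod", "digest": "sha256:a1", "deployed_at": "2024-06-01T10:00:00Z"},
    {"app": "search",   "env": "prod", "digest": "sha256:b2", "deployed_at": "2024-06-02T09:00:00Z"},
    {"app": "admin",    "env": "prod", "digest": "sha256:c3", "deployed_at": "2024-06-03T08:00:00Z"},
    {"app": "reports",  "env": "prod", "digest": "sha256:d4", "deployed_at": "2024-06-04T07:00:00Z"},
]

# Constructed: what the pipeline recorded. sha256:c3 (a hand-pushed hotfix) has no entry.
PIPELINE = {
    "sha256:a1": {"verdict": "pass", "scanned_at": "2024-06-01T09:30:00Z"},
    "sha256:b2": {"verdict": "fail", "scanned_at": "2024-06-02T08:45:00Z"},  # shipped despite failing
    "sha256:d4": {"verdict": "pass", "scanned_at": "2024-06-04T06:00:00Z"},
}


def _ts(s: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp; the replace keeps this working before Python 3.11."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def classify(record: dict, pipeline: dict, as_of: datetime, max_age_days: int) -> str:
    """Status of one running artifact relative to the pipeline's records."""
    scan = pipeline.get(record["digest"])
    if scan is None:
        return "unscanned"      # bypassed the pipeline entirely
    if scan["verdict"] != "pass":
        return "failed_scan"    # deployed despite a failing gate
    if (as_of - _ts(scan["scanned_at"])).days > max_age_days:
        return "stale"          # passed once, but long enough ago to re-test in production
    return "ok"


def reconcile(deployed, pipeline, as_of, max_age_days: int = 7) -> dict:
    """Map each running app to its status; as_of is an aware datetime or an ISO string."""
    now = _ts(as_of) if isinstance(as_of, str) else as_of
    return {r["app"]: classify(r, pipeline, now, max_age_days) for r in deployed}


def exceptions(report: dict) -> list:
    """Apps needing a production-side scan or a ticket, ordered worst first."""
    order = {"unscanned": 0, "failed_scan": 1, "stale": 2}
    return sorted((a for a, s in report.items() if s != "ok"),
                  key=lambda a: (order[report[a]], a))


if __name__ == "__main__":
    report = reconcile(DEPLOYED, PIPELINE, "2024-06-10T00:00:00Z")
    for app in exceptions(report):
        print(f"{report[app]:<12} {app}")
```

The digest, not the app name or tag, is the join key: a tag can be re-pointed at a different image after the scan, and reconciling on the digest is what makes a misconfigured or hand-pushed deployment visible.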
Having the Conversation: Questions to Ask When Integrating Security Into DevOps

Many organizations are at the earliest stages of considering how to integrate security into their DevOps practices. The following questions will help you think about how to design an integrated solution for securing the CI/CD pipeline:
1. Have you rearchitected your applications for microservices, or is that work still in progress?
2. Which of your applications will pass through a CI/CD pipeline? Microservice-based? Monoliths? In what languages?
3. What tolerance do you have for “false alarms” (false positives) from an application security capability that is integrated into your DevOps practices?
4. Are you practicing trunk-based development, or do you still practice release and feature branching?
5. How do you plan to monitor your operational applications for security attacks?
6. How do you plan to bring security expertise into the DevOps team?

CONCLUSION

The process and technical requirements for integrating security with DevOps practices and CI/CD technology are challenging for any application security technology to meet. By embracing DevOps principles and looking beyond the pipeline to organizational and production capabilities, you greatly increase the chances of successfully integrating security with DevOps.

Veracode’s cloud-based service and systematic approach deliver a simpler and more scalable solution for reducing global application-layer risk across web, mobile and third-party applications. Recognized as a Gartner Magic Quadrant Leader since 2010, Veracode secures hundreds of the world’s largest global enterprises, including 3 of the top 4 banks in the Fortune 100 and 20+ of Forbes’ 100 Most Valuable Brands.

LEARN MORE AT WWW.VERACODE.COM, ON THE VERACODE BLOG, AND ON TWITTER.