Stefan Streichsbier, profile picture
Uploaded byStefan Streichsbier
PDF, PPTX1,395 views

Application Security at DevOps Speed - DevOpsDays Singapore 2016

The document discusses how to integrate security practices into DevOps workflows at speed. It recommends a three step approach: 1) Make security part of agile planning and processes like Scrum, including security training, requirements, testing and demos. 2) Implement a "DevSecOps" pipeline that automates security checks and testing at each stage of development. 3) Continuously measure and reduce security debt and improve app robustness and security skills over time. The goal is to shift security left and make it part of fast-paced DevOps cycles.

Embed presentation

Download as PDF, PPTX
Security at DevOps Speed Stefan Streichsbier CTO Vantage Point Founder DevSecOps Singapore stefan@vantagepoint.sg @s_streichsbier
What is AppSec?
Why does AppSec == Pain?
Pentesters after turning a report in...
Security
Meanwhile outside the security camp ...
0 20 40 60 80 100 120 140 2005 2010 2015 2020 The frequency of releases over time Releases per app per year Towards CD From Waterfall The frequency increased
8 So many releases?!
Security DevOps
10 Agile + DevOps + Security = DevSecOps
Step 1: Security as part of Agile
1-4 Weeks 24 hours Develop Test Design Plan Output Shippable Increment Product Backlog Sprint Backlog Let’s look at SCRUM Start with understanding the process
1-4 Weeks 24 hours Develop Test Design Plan Output Shippable Increment Product Backlog Sprint Backlog Secure SCRUM Security Training Security Requirements Security Activities Threat Modelling Design Review Pairing Manual Security Tests Automatic Security Tests Security Feature Demo Security Retrospective Security Acceptance Criteria
(Security) User Stories
(Security) Unit Tests
0 20 40 60 80 100 120 Sprint 1 Sprint 2 Sprint 3 Sprint 4 Sprint 5 Sprint 6 % Remaining Security work % App Robustness, Security Skills Security Debt Burndown
Step 2: DevSecOps
Vulnerability Repository • Security Unit Tests • SAST • SCA • DAST • IAST • VA • Security as Code • RASP • NG WAF • Red Team • GOPT • Actual Attackers • Sec Requirements • Design Review • Threat Modelling AppSec Pipeline
Instead of this ...
...Let’s do this...

More Related Content

PPTX
Null application security in an agile world
byStefan Streichsbier
 
PDF
Application Security in an Agile World - Agile Singapore 2016
byStefan Streichsbier
 
PDF
Integrating DevOps and Security
byStijn Muylle
 
PDF
DevSecCon London 2017: How far left do you want to go with security? by Javie...
byDevSecCon
 
PDF
DevSecOps - The big picture
byDevSecOpsSg
 
PPTX
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
PDF
PIACERE - DevSecOps Automated
byPIACERE
 
PDF
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
Null application security in an agile world
byStefan Streichsbier
 
Application Security in an Agile World - Agile Singapore 2016
byStefan Streichsbier
 
Integrating DevOps and Security
byStijn Muylle
 
DevSecCon London 2017: How far left do you want to go with security? by Javie...
byDevSecCon
 
DevSecOps - The big picture
byDevSecOpsSg
 
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
PIACERE - DevSecOps Automated
byPIACERE
 
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 

What's hot

PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PPTX
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
byDevOps Indonesia
 
PPTX
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PPTX
Implementing an Application Security Pipeline in Jenkins
bySuman Sourav
 
PPTX
The Journey to DevSecOps
bySeniorStoryteller
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
PPTX
DevSecOps : an Introduction
byPrashanth B. P.
 
PDF
The Challenges of Scaling DevSecOps
byWhiteSource
 
PPTX
DevSecOps
byJoel Divekar
 
PPTX
DevSecOps-OWASP Indonesia Day 2017
bySuman Sourav
 
PDF
RSAC DevSecOpsDays 2018 - We are all Equifax
bySonatype
 
PDF
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
byJames Wickett
 
PDF
How to automate your DevSecOps successfully
byManuel Pistner
 
PDF
Dos and Don'ts of DevSecOps
byPriyanka Aash
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
PDF
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
byDevSecOpsSg
 
PDF
A Secure DevOps Journey
byVeracode
 
PDF
DevSecOps: Minimizing Risk, Improving Security
byFranklin Mosley
 
PPTX
Turning security into code by Jeff Williams
byDevSecCon
 
PDF
Dev seccon london 2016 intelliment security
byDevSecCon
 
Introduction to DevSecOps
byabhimanyubhogwan
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
byDevOps Indonesia
 
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Implementing an Application Security Pipeline in Jenkins
bySuman Sourav
 
The Journey to DevSecOps
bySeniorStoryteller
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
DevSecOps : an Introduction
byPrashanth B. P.
 
The Challenges of Scaling DevSecOps
byWhiteSource
 
DevSecOps
byJoel Divekar
 
DevSecOps-OWASP Indonesia Day 2017
bySuman Sourav
 
RSAC DevSecOpsDays 2018 - We are all Equifax
bySonatype
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
byJames Wickett
 
How to automate your DevSecOps successfully
byManuel Pistner
 
Dos and Don'ts of DevSecOps
byPriyanka Aash
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
byDevSecOpsSg
 
A Secure DevOps Journey
byVeracode
 
DevSecOps: Minimizing Risk, Improving Security
byFranklin Mosley
 
Turning security into code by Jeff Williams
byDevSecCon
 
Dev seccon london 2016 intelliment security
byDevSecCon
 

Similar to Application Security at DevOps Speed - DevOpsDays Singapore 2016

PPTX
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
bylior mazor
 
PPTX
State of DevSecOps - DevSecOpsDays 2019
byStefan Streichsbier
 
PPTX
State of DevSecOps - GTACS 2019
byStefan Streichsbier
 
PPTX
State of DevSecOps - DevOpsDays Jakarta 2019
byStefan Streichsbier
 
PDF
The State of DevSecOps
byDevOps Indonesia
 
PPTX
Lean_Security.pptx
byClase21
 
PDF
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
PDF
Working on DevSecOps culture - a team centric view
byPatrick Debois
 
PPTX
DevSecOps: Integrating Security Into DevOps! {Business Security}
byAlgoworks Inc
 
PPTX
DevSecOps Story with added security controls
byHareeshNani5
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
PPTX
Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
byNSC42 Ltd
 
PDF
Complete DevSecOps handbook_ Key differences, tools, benefits & best practice...
bymohitd6
 
PDF
Continuous Security: Using Automation to Expand Security's Reach
byMatt Tesauro
 
PDF
How DevOps Improves Security DevSecOps Explained.pdf
byhimanshuwowit
 
PPTX
DevSecOps without DevOps is Just Security
byKevin Fealey
 
PPTX
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
byRobert Grupe, CSSLP CISSP PE PMP
 
PPTX
Introduction to DevSecOps OWASP Ahmedabad
bykunwaratul hax0r
 
PDF
SC conference - Building AppSec Teams
byDinis Cruz
 
PDF
Scale security for a dollar or less
byMohammed A. Imran
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
bylior mazor
 
State of DevSecOps - DevSecOpsDays 2019
byStefan Streichsbier
 
State of DevSecOps - GTACS 2019
byStefan Streichsbier
 
State of DevSecOps - DevOpsDays Jakarta 2019
byStefan Streichsbier
 
The State of DevSecOps
byDevOps Indonesia
 
Lean_Security.pptx
byClase21
 
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
Working on DevSecOps culture - a team centric view
byPatrick Debois
 
DevSecOps: Integrating Security Into DevOps! {Business Security}
byAlgoworks Inc
 
DevSecOps Story with added security controls
byHareeshNani5
 
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
byNSC42 Ltd
 
Complete DevSecOps handbook_ Key differences, tools, benefits & best practice...
bymohitd6
 
Continuous Security: Using Automation to Expand Security's Reach
byMatt Tesauro
 
How DevOps Improves Security DevSecOps Explained.pdf
byhimanshuwowit
 
DevSecOps without DevOps is Just Security
byKevin Fealey
 
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
byRobert Grupe, CSSLP CISSP PE PMP
 
Introduction to DevSecOps OWASP Ahmedabad
bykunwaratul hax0r
 
SC conference - Building AppSec Teams
byDinis Cruz
 
Scale security for a dollar or less
byMohammed A. Imran
 

More from Stefan Streichsbier

PDF
DevSecOps in 2031: How robots and humans will secure apps together Log
byStefan Streichsbier
 
PDF
The Future of DevSecOps
byStefan Streichsbier
 
PPTX
Practical Secure Coding Workshop - {DECIPHER} Hackathon
byStefan Streichsbier
 
PPTX
Security and Mobility Co Create Week Jakarta
byStefan Streichsbier
 
PPTX
Securing a great Developer Experience - v1.3
byStefan Streichsbier
 
PPTX
Securing a great DX - DevSecOps Days Singapore 2018
byStefan Streichsbier
 
PDF
A Tale of Three Horses - RSAC 2017 APJ - DevOps Connect: DevSecOps Edition, S...
byStefan Streichsbier
 
PDF
DevSecOps - The big picture
byStefan Streichsbier
 
PPT
DevSecOps Singapore introduction
byStefan Streichsbier
 
DevSecOps in 2031: How robots and humans will secure apps together Log
byStefan Streichsbier
 
The Future of DevSecOps
byStefan Streichsbier
 
Practical Secure Coding Workshop - {DECIPHER} Hackathon
byStefan Streichsbier
 
Security and Mobility Co Create Week Jakarta
byStefan Streichsbier
 
Securing a great Developer Experience - v1.3
byStefan Streichsbier
 
Securing a great DX - DevSecOps Days Singapore 2018
byStefan Streichsbier
 
A Tale of Three Horses - RSAC 2017 APJ - DevOps Connect: DevSecOps Edition, S...
byStefan Streichsbier
 
DevSecOps - The big picture
byStefan Streichsbier
 
DevSecOps Singapore introduction
byStefan Streichsbier
 

Recently uploaded

PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PDF
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PDF
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
PPTX
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
PDF
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 

Application Security at DevOps Speed - DevOpsDays Singapore 2016