SlideShare a Scribd company logo

Application Security in a DevOps World

CA Technologies
CA Technologies

Application Security in a DevOps World For more information on DevSecOps, please visit: http://ow.ly/QOuA50g63dJ

Technology
1 of 31
Download to read offline
Application Security in a DevOps World Peter Chestna DST37T DEVSECOPS Director of Developer Engagement Veracode
2 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS © 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA. For Informational Purposes Only Terms of This Presentation
3 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Who am I? • 25+ Years Software Development Experience • 11+ Years Application Security Experience • Certified Agile Product Owner and Scrum Master • At Veracode since 2006 • From Waterfall to Agile to DevOps • From Monolith to MicroService • Consultant on DevSecOps best practices • Fun Fact: I love whiskey! • Tell me where to drink local whiskey @PeteChestna
4 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Goals  Why is AppSec important?  How is DevOps changing application development?  How is AppSec traditionally done?  What needs to change? – What to build – What to measure – How to help
5 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Applications Are as Risky as Ever of all applications used some kind of hard-coded password of all applications use broken or risky cryptographic algorithms of all applications were vulnerable to open redirect attacks of all applications mix trusted and untrusted data in the same data structure or message 39% 35% 28% 16%
6 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Lack of App Security is Damaging Companies
7 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS High Profile Breaches Through the App Layer How: Vulnerability on website built and maintained by third-party vendor in support of a charity. Result: Usernames and passwords for 76 million households and 7 million business were stolen. Financial Institution How: Hackers exploited a known vulnerability in an open source component Result: Social Security Numbers and personal data for more than 143 million Americans stolen. Three executives lose their jobs. Financial Institution How: Targeted a flaw in OpenSSL, CVE-2014-0160, better known as Heartbleed Result: The theft of Social Security Numbers and other personal data belonging to 4.5 million patients Healthcare Provider How: Sophisticated kill chain including exploitation of vulnerable web application Result: Hackers stole names, mailing addresses, phone numbers and email addresses for more than 70 million shoppers Retailer
8 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Business Mandate
9 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Compressed Timelines & Smaller Teams Waterfall Agile DevOps 1-4 Releases Per Year 12-24 Releases Per Year 100+ Releases Per Year 50+ people 6-12 people 6-12 people
10 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Waterfall Technology Agile DevOps
11 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Definition of DevOps
12 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS What’s a DevOps Team? DevOps Team
13 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS DevOps – Process: Where is security? Security
14 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Agile – Process for DevOps Copyright 2005, Mountain Goat Software
15 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Is this your current AppSec program?
16 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS They/We know it’s coming…
17 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Which outcome do you see? @PeteChestna
18 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Strategy  Relationship & Accountability  Integration & Automation  Training & Remediation Coaching  Security Champions
19 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Strategy - Relationships  Who is your peer in development/security?  Do you meet with them?  Do you understand each others goals?  Are you sympathetic to each others struggles?
20 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Strategy – Accountability  Shared between development and security  Part of annual goals for both teams  Measured and reported regularly
21 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS CI CD 1 Develop 4 Check in Static Analysis 3 Build & Test 2 Backlog Strategy – Integration & Automation Pass? 7 Synchronize No Yes 7 Deploy to QA/Stage 6 Static Analysis 6 Unit Tests 8 Dynamic Analysis 8 Regression Testing Pass? Yes Stage then Prod Per Check-in 5 Build CI/CD Pipeline 3a Manual Testing*
22 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Strategy – Training  Security teams can help developers by providing training, either through eLearning or in-person instructor-led training  Think about targeted training based on policy violations CA Veracode State of Software Security 2017
23 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Strategy - Training
24 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Strategy – Remediation Coaching @PeteChestna CA Veracode State of Software Security 2017
25 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Strategy – Security Champions  Eyes and ears of security  Specialized training – Basic security concepts – Threat modeling – Grooming guidelines – Secure code review training – Security controls – CTF Exercises  Escalate when necessary
26 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Static Application Security Testing + 3rd Party Risk Analysis Remediation and Mitigation Guidance Secure Code Reviews Manual Penetration Testing Red Team Activities Dynamic Application Security Testing Plan Code Build Test Stage Deploy Monitor Threat Modeling Security Grooming Secure Design Strategy - DevOps (Shift Left & Monitor) Runtime Application Self Protection Training (eLearning, instructor led, metadata driven)
27 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Bridge the Gap Between Development and Security 1. Scan early & often 2. Integrate & automate 3. Take Training 4. Request Remediation Guidance 5. Be a security champion Development Security 1. Be involved in all phases 2. Define & explain policy 3. Provide Targeted Training 4. Provide Remediation Guidance 5. Recruit & train champions
28 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Recommended Sessions SESSION # TITLE DATE/TIME DST43T The CA Technologies Veracode Platform: 360 Degree View of Your Application’s Security 11/15/2017 at 12:45 pm DST50T How Components Increase Speed & Risk 11/15/2017 at 1:45 pm DST40T Scale Your Application Security Program Effectively with the Right Program Management Model 11/15/2017 at 3:30 pm DST41T DevOps: Security’s Chance to Get It Right 11/16/2017 at 12:45 pm
29 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Must See Demos Securing Apps from Dev to Production CA Veracode Static Analysis CA Veracode Greenlight CA Veracode Remediation Guidance Manage Your Software Risk Open Sourced Component Scanning Developer Training on Secure Coding Integrations into Your Dev Tools 301 Manage Your Software Risk CA Veracode Static Analysis CA Veracode Web Application Scanning CA Veracode Greenlight CA Veracode Static Analysis CA Veracode Greenlight CA Veracode Remediation Guidance 506P 509P DevOps-CD SecuritySecurity
30 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Stay connected at https://community.veracode.com Thank you.
31 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS DevSecOps For more information on DevSecOps, please visit: http://cainc.to/CAW17-DevSecOps

Recommended

The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
CA Technologies
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructures
Priyanka Aash
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Software Integrity Group
 
Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps
Synopsys Software Integrity Group
 
Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?
Priyanka Aash
 
Webinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at ScaleWebinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at Scale
Synopsys Software Integrity Group
 
Lessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictLessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addict
Priyanka Aash
 
Dev week cloud world conf2021
Dev week cloud world conf2021Dev week cloud world conf2021
Dev week cloud world conf2021
Archana Joshi
 

Recommended

The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
CA Technologies
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructures
Priyanka Aash
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Software Integrity Group
 
Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps
Synopsys Software Integrity Group
 
Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?
Priyanka Aash
 
Webinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at ScaleWebinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at Scale
Synopsys Software Integrity Group
 
Lessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictLessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addict
Priyanka Aash
 
Dev week cloud world conf2021
Dev week cloud world conf2021Dev week cloud world conf2021
Dev week cloud world conf2021
Archana Joshi
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
How to transform developers into security people
How to transform developers into security peopleHow to transform developers into security people
How to transform developers into security people
Priyanka Aash
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOps
Priyanka Aash
 
Empowering Financial Institutions to Use Open Source With Confidence
Empowering Financial Institutions to Use Open Source With ConfidenceEmpowering Financial Institutions to Use Open Source With Confidence
Empowering Financial Institutions to Use Open Source With Confidence
WhiteSource
 
Collaborative security : Securing open source software
Collaborative security : Securing open source softwareCollaborative security : Securing open source software
Collaborative security : Securing open source software
Priyanka Aash
 
Veracode - Inglês
Veracode - InglêsVeracode - Inglês
Veracode - Inglês
DeServ - Tecnologia e Servços
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise Security
Frank Kim
 
Practical DevSecOps Using Security Instrumentation
Practical DevSecOps Using Security InstrumentationPractical DevSecOps Using Security Instrumentation
Practical DevSecOps Using Security Instrumentation
VMware Tanzu
 
Ten Tenets of CISO Success
Ten Tenets of CISO SuccessTen Tenets of CISO Success
Ten Tenets of CISO Success
Frank Kim
 
Zero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsZero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOps
DevSecOps Days
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps Course
Tonex
 
DevSecOps: A New Hope for Security in CI/CD
DevSecOps: A New Hope for Security in CI/CDDevSecOps: A New Hope for Security in CI/CD
DevSecOps: A New Hope for Security in CI/CD
Franklin Mosley
 
When You Test Matters: Why Testing Early in the SDLC is Important
When You Test Matters: Why Testing Early in the SDLC is ImportantWhen You Test Matters: Why Testing Early in the SDLC is Important
When You Test Matters: Why Testing Early in the SDLC is Important
CA Technologies
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and DevelopersThe DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
DevOps.com
 
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Software Integrity Group
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
 
A worldwide journey to build a secure development environment
A worldwide journey to build a secure development environmentA worldwide journey to build a secure development environment
A worldwide journey to build a secure development environment
Priyanka Aash
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
WhiteSource
 
A journey from dev ops to devsecops
A journey from dev ops to devsecopsA journey from dev ops to devsecops
A journey from dev ops to devsecops
Veritis Group, Inc
 
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...
CA Technologies
 
Do You Manage Software? Understanding Your Role in Cybersecurity Defense
Do You Manage Software? Understanding Your Role in Cybersecurity DefenseDo You Manage Software? Understanding Your Role in Cybersecurity Defense
Do You Manage Software? Understanding Your Role in Cybersecurity Defense
Flexera
 

More Related Content

What's hot

8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
How to transform developers into security people
How to transform developers into security peopleHow to transform developers into security people
How to transform developers into security people
Priyanka Aash
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOps
Priyanka Aash
 
Empowering Financial Institutions to Use Open Source With Confidence
Empowering Financial Institutions to Use Open Source With ConfidenceEmpowering Financial Institutions to Use Open Source With Confidence
Empowering Financial Institutions to Use Open Source With Confidence
WhiteSource
 
Collaborative security : Securing open source software
Collaborative security : Securing open source softwareCollaborative security : Securing open source software
Collaborative security : Securing open source software
Priyanka Aash
 
Veracode - Inglês
Veracode - InglêsVeracode - Inglês
Veracode - Inglês
DeServ - Tecnologia e Servços
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise Security
Frank Kim
 
Practical DevSecOps Using Security Instrumentation
Practical DevSecOps Using Security InstrumentationPractical DevSecOps Using Security Instrumentation
Practical DevSecOps Using Security Instrumentation
VMware Tanzu
 
Ten Tenets of CISO Success
Ten Tenets of CISO SuccessTen Tenets of CISO Success
Ten Tenets of CISO Success
Frank Kim
 
Zero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsZero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOps
DevSecOps Days
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps Course
Tonex
 
DevSecOps: A New Hope for Security in CI/CD
DevSecOps: A New Hope for Security in CI/CDDevSecOps: A New Hope for Security in CI/CD
DevSecOps: A New Hope for Security in CI/CD
Franklin Mosley
 
When You Test Matters: Why Testing Early in the SDLC is Important
When You Test Matters: Why Testing Early in the SDLC is ImportantWhen You Test Matters: Why Testing Early in the SDLC is Important
When You Test Matters: Why Testing Early in the SDLC is Important
CA Technologies
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and DevelopersThe DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
DevOps.com
 
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Software Integrity Group
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
 
A worldwide journey to build a secure development environment
A worldwide journey to build a secure development environmentA worldwide journey to build a secure development environment
A worldwide journey to build a secure development environment
Priyanka Aash
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
WhiteSource
 
A journey from dev ops to devsecops
A journey from dev ops to devsecopsA journey from dev ops to devsecops
A journey from dev ops to devsecops
Veritis Group, Inc
 

What's hot (20)

8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
 
How to transform developers into security people
How to transform developers into security peopleHow to transform developers into security people
How to transform developers into security people
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOps
 
Empowering Financial Institutions to Use Open Source With Confidence
Empowering Financial Institutions to Use Open Source With ConfidenceEmpowering Financial Institutions to Use Open Source With Confidence
Empowering Financial Institutions to Use Open Source With Confidence
 
Collaborative security : Securing open source software
Collaborative security : Securing open source softwareCollaborative security : Securing open source software
Collaborative security : Securing open source software
 
Veracode - Inglês
Veracode - InglêsVeracode - Inglês
Veracode - Inglês
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise Security
 
Practical DevSecOps Using Security Instrumentation
Practical DevSecOps Using Security InstrumentationPractical DevSecOps Using Security Instrumentation
Practical DevSecOps Using Security Instrumentation
 
Ten Tenets of CISO Success
Ten Tenets of CISO SuccessTen Tenets of CISO Success
Ten Tenets of CISO Success
 
Zero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsZero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOps
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps Course
 
DevSecOps: A New Hope for Security in CI/CD
DevSecOps: A New Hope for Security in CI/CDDevSecOps: A New Hope for Security in CI/CD
DevSecOps: A New Hope for Security in CI/CD
 
When You Test Matters: Why Testing Early in the SDLC is Important
When You Test Matters: Why Testing Early in the SDLC is ImportantWhen You Test Matters: Why Testing Early in the SDLC is Important
When You Test Matters: Why Testing Early in the SDLC is Important
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and DevelopersThe DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
 
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
A worldwide journey to build a secure development environment
A worldwide journey to build a secure development environmentA worldwide journey to build a secure development environment
A worldwide journey to build a secure development environment
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
 
A journey from dev ops to devsecops
A journey from dev ops to devsecopsA journey from dev ops to devsecops
A journey from dev ops to devsecops
 

Similar to Application Security in a DevOps World

Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...
CA Technologies
 
Do You Manage Software? Understanding Your Role in Cybersecurity Defense
Do You Manage Software? Understanding Your Role in Cybersecurity DefenseDo You Manage Software? Understanding Your Role in Cybersecurity Defense
Do You Manage Software? Understanding Your Role in Cybersecurity Defense
Flexera
 
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon
 
KiwiQA-Corporate-Presefvdvdxvxcvxcntation (2).pptx
KiwiQA-Corporate-Presefvdvdxvxcvxcntation (2).pptxKiwiQA-Corporate-Presefvdvdxvxcvxcntation (2).pptx
KiwiQA-Corporate-Presefvdvdxvxcvxcntation (2).pptx
MeseAK
 
Application Experience Analytics Services: The Strategic Digital Transformati...
Application Experience Analytics Services: The Strategic Digital Transformati...Application Experience Analytics Services: The Strategic Digital Transformati...
Application Experience Analytics Services: The Strategic Digital Transformati...
CA Technologies
 
Leveraging Monitoring Governance: How Service Providers Can Boost Operational...
Leveraging Monitoring Governance: How Service Providers Can Boost Operational...Leveraging Monitoring Governance: How Service Providers Can Boost Operational...
Leveraging Monitoring Governance: How Service Providers Can Boost Operational...
CA Technologies
 
The Next Big Service Provider Opportunity—Beyond Infrastructure: Architecting...
The Next Big Service Provider Opportunity—Beyond Infrastructure: Architecting...The Next Big Service Provider Opportunity—Beyond Infrastructure: Architecting...
The Next Big Service Provider Opportunity—Beyond Infrastructure: Architecting...
CA Technologies
 
Making Security Work—Implementing a Transformational Security Program
Making Security Work—Implementing a Transformational Security ProgramMaking Security Work—Implementing a Transformational Security Program
Making Security Work—Implementing a Transformational Security Program
CA Technologies
 
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Eric Vanderburg
 
Mobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App SecurityMobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App Security
CA Technologies
 
Protect Your Customers Data from Cyberattacks
Protect Your Customers Data from CyberattacksProtect Your Customers Data from Cyberattacks
Protect Your Customers Data from Cyberattacks
SAP Customer Experience
 
CA's Vision for Business Automation
CA's Vision for Business AutomationCA's Vision for Business Automation
CA's Vision for Business Automation
CA Technologies
 
CA's Vision for Business Automation
CA's Vision for Business AutomationCA's Vision for Business Automation
CA's Vision for Business Automation
CA Technologies
 
Security and Data Breach
Security and Data BreachSecurity and Data Breach
Security and Data Breach
DevOps Indonesia
 
Introduction to Software Lifecycle Services 2018
Introduction to Software Lifecycle Services 2018Introduction to Software Lifecycle Services 2018
Introduction to Software Lifecycle Services 2018
Insight FR
 
From Rogue One to Rebel Alliance: Building Developers into Security Champions
From Rogue One to Rebel Alliance: Building Developers into Security Champions From Rogue One to Rebel Alliance: Building Developers into Security Champions
From Rogue One to Rebel Alliance: Building Developers into Security Champions
Digital Transformation EXPO Event Series
 
Deliver the ‘Right’ Customer Experience without Compromising Data Security
Deliver the ‘Right’ Customer Experience without Compromising Data SecurityDeliver the ‘Right’ Customer Experience without Compromising Data Security
Deliver the ‘Right’ Customer Experience without Compromising Data Security
SPLICE Software
 
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Software Integrity Group
 
Oracle Customer Engagement in a Digital World
Oracle Customer Engagement in a Digital WorldOracle Customer Engagement in a Digital World
Oracle Customer Engagement in a Digital World
Myles Freedman
 
Your vibe attracts your tribe: Create an experience that secures top talent |...
Your vibe attracts your tribe: Create an experience that secures top talent |...Your vibe attracts your tribe: Create an experience that secures top talent |...
Your vibe attracts your tribe: Create an experience that secures top talent |...
LinkedIn Talent Solutions
 

Similar to Application Security in a DevOps World (20)

Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...
 
Do You Manage Software? Understanding Your Role in Cybersecurity Defense
Do You Manage Software? Understanding Your Role in Cybersecurity DefenseDo You Manage Software? Understanding Your Role in Cybersecurity Defense
Do You Manage Software? Understanding Your Role in Cybersecurity Defense
 
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
 
KiwiQA-Corporate-Presefvdvdxvxcvxcntation (2).pptx
KiwiQA-Corporate-Presefvdvdxvxcvxcntation (2).pptxKiwiQA-Corporate-Presefvdvdxvxcvxcntation (2).pptx
KiwiQA-Corporate-Presefvdvdxvxcvxcntation (2).pptx
 
Application Experience Analytics Services: The Strategic Digital Transformati...
Application Experience Analytics Services: The Strategic Digital Transformati...Application Experience Analytics Services: The Strategic Digital Transformati...
Application Experience Analytics Services: The Strategic Digital Transformati...
 
Leveraging Monitoring Governance: How Service Providers Can Boost Operational...
Leveraging Monitoring Governance: How Service Providers Can Boost Operational...Leveraging Monitoring Governance: How Service Providers Can Boost Operational...
Leveraging Monitoring Governance: How Service Providers Can Boost Operational...
 
The Next Big Service Provider Opportunity—Beyond Infrastructure: Architecting...
The Next Big Service Provider Opportunity—Beyond Infrastructure: Architecting...The Next Big Service Provider Opportunity—Beyond Infrastructure: Architecting...
The Next Big Service Provider Opportunity—Beyond Infrastructure: Architecting...
 
Making Security Work—Implementing a Transformational Security Program
Making Security Work—Implementing a Transformational Security ProgramMaking Security Work—Implementing a Transformational Security Program
Making Security Work—Implementing a Transformational Security Program
 
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
 
Mobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App SecurityMobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App Security
 
Protect Your Customers Data from Cyberattacks
Protect Your Customers Data from CyberattacksProtect Your Customers Data from Cyberattacks
Protect Your Customers Data from Cyberattacks
 
CA's Vision for Business Automation
CA's Vision for Business AutomationCA's Vision for Business Automation
CA's Vision for Business Automation
 
CA's Vision for Business Automation
CA's Vision for Business AutomationCA's Vision for Business Automation
CA's Vision for Business Automation
 
Security and Data Breach
Security and Data BreachSecurity and Data Breach
Security and Data Breach
 
Introduction to Software Lifecycle Services 2018
Introduction to Software Lifecycle Services 2018Introduction to Software Lifecycle Services 2018
Introduction to Software Lifecycle Services 2018
 
From Rogue One to Rebel Alliance: Building Developers into Security Champions
From Rogue One to Rebel Alliance: Building Developers into Security Champions From Rogue One to Rebel Alliance: Building Developers into Security Champions
From Rogue One to Rebel Alliance: Building Developers into Security Champions
 
Deliver the ‘Right’ Customer Experience without Compromising Data Security
Deliver the ‘Right’ Customer Experience without Compromising Data SecurityDeliver the ‘Right’ Customer Experience without Compromising Data Security
Deliver the ‘Right’ Customer Experience without Compromising Data Security
 
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
 
Oracle Customer Engagement in a Digital World
Oracle Customer Engagement in a Digital WorldOracle Customer Engagement in a Digital World
Oracle Customer Engagement in a Digital World
 
Your vibe attracts your tribe: Create an experience that secures top talent |...
Your vibe attracts your tribe: Create an experience that secures top talent |...Your vibe attracts your tribe: Create an experience that secures top talent |...
Your vibe attracts your tribe: Create an experience that secures top talent |...
 

More from CA Technologies

CA Mainframe Resource Intelligence
CA Mainframe Resource IntelligenceCA Mainframe Resource Intelligence
CA Mainframe Resource Intelligence
CA Technologies
 
Mainframe as a Service: Sample a Buffet of IBM z/OS® Platform Excellence
Mainframe as a Service: Sample a Buffet of IBM z/OS® Platform ExcellenceMainframe as a Service: Sample a Buffet of IBM z/OS® Platform Excellence
Mainframe as a Service: Sample a Buffet of IBM z/OS® Platform Excellence
CA Technologies
 
Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...
Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...
Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...
CA Technologies
 
Case Study: How The Home Depot Built Quality Into Software Development
Case Study: How The Home Depot Built Quality Into Software DevelopmentCase Study: How The Home Depot Built Quality Into Software Development
Case Study: How The Home Depot Built Quality Into Software Development
CA Technologies
 
Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...
Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...
Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...
CA Technologies
 
Case Study: Privileged Access in a World on Time
Case Study: Privileged Access in a World on TimeCase Study: Privileged Access in a World on Time
Case Study: Privileged Access in a World on Time
CA Technologies
 
Case Study: How SGN Used Attack Path Mapping to Control Privileged Access in ...
Case Study: How SGN Used Attack Path Mapping to Control Privileged Access in ...Case Study: How SGN Used Attack Path Mapping to Control Privileged Access in ...
Case Study: How SGN Used Attack Path Mapping to Control Privileged Access in ...
CA Technologies
 
Case Study: Putting Citizens at The Center of Digital Government
Case Study: Putting Citizens at The Center of Digital GovernmentCase Study: Putting Citizens at The Center of Digital Government
Case Study: Putting Citizens at The Center of Digital Government
CA Technologies
 
Keynote: Making Security a Competitive Advantage
Keynote: Making Security a Competitive AdvantageKeynote: Making Security a Competitive Advantage
Keynote: Making Security a Competitive Advantage
CA Technologies
 
Emerging Managed Services Opportunities in Identity and Access Management
Emerging Managed Services Opportunities in Identity and Access ManagementEmerging Managed Services Opportunities in Identity and Access Management
Emerging Managed Services Opportunities in Identity and Access Management
CA Technologies
 
The Unmet Demand for Premium Cloud Monitoring Services—and How Service Provid...
The Unmet Demand for Premium Cloud Monitoring Services—and How Service Provid...The Unmet Demand for Premium Cloud Monitoring Services—and How Service Provid...
The Unmet Demand for Premium Cloud Monitoring Services—and How Service Provid...
CA Technologies
 
Application Experience Analytics Services: The Strategic Digital Transformati...
Application Experience Analytics Services: The Strategic Digital Transformati...Application Experience Analytics Services: The Strategic Digital Transformati...
Application Experience Analytics Services: The Strategic Digital Transformati...
CA Technologies
 
Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...
Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...
Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...
CA Technologies
 
Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...
Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...
Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...
CA Technologies
 
Blockchain: Strategies for Moving From Hype to Realities of Deployment
Blockchain: Strategies for Moving From Hype to Realities of DeploymentBlockchain: Strategies for Moving From Hype to Realities of Deployment
Blockchain: Strategies for Moving From Hype to Realities of Deployment
CA Technologies
 
Establish Digital Trust as the Currency of Digital Enterprise
Establish Digital Trust as the Currency of Digital EnterpriseEstablish Digital Trust as the Currency of Digital Enterprise
Establish Digital Trust as the Currency of Digital Enterprise
CA Technologies
 
How Components Increase Speed and Risk
How Components Increase Speed and RiskHow Components Increase Speed and Risk
How Components Increase Speed and Risk
CA Technologies
 
Case Study: How The Home Depot Built Quality Into Software Development
Case Study: How The Home Depot Built Quality Into Software DevelopmentCase Study: How The Home Depot Built Quality Into Software Development
Case Study: How The Home Depot Built Quality Into Software Development
CA Technologies
 
Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...
Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...
Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...
CA Technologies
 
Case Study: Continuous Delivery in a Tech Debt Laden World by Talk Talk.
Case Study: Continuous Delivery in a Tech Debt Laden World by Talk Talk.Case Study: Continuous Delivery in a Tech Debt Laden World by Talk Talk.
Case Study: Continuous Delivery in a Tech Debt Laden World by Talk Talk.
CA Technologies
 

More from CA Technologies (20)

CA Mainframe Resource Intelligence
CA Mainframe Resource IntelligenceCA Mainframe Resource Intelligence
CA Mainframe Resource Intelligence
 
Mainframe as a Service: Sample a Buffet of IBM z/OS® Platform Excellence
Mainframe as a Service: Sample a Buffet of IBM z/OS® Platform ExcellenceMainframe as a Service: Sample a Buffet of IBM z/OS® Platform Excellence
Mainframe as a Service: Sample a Buffet of IBM z/OS® Platform Excellence
 
Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...
Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...
Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...
 
Case Study: How The Home Depot Built Quality Into Software Development
Case Study: How The Home Depot Built Quality Into Software DevelopmentCase Study: How The Home Depot Built Quality Into Software Development
Case Study: How The Home Depot Built Quality Into Software Development
 
Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...
Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...
Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...
 
Case Study: Privileged Access in a World on Time
Case Study: Privileged Access in a World on TimeCase Study: Privileged Access in a World on Time
Case Study: Privileged Access in a World on Time
 
Case Study: How SGN Used Attack Path Mapping to Control Privileged Access in ...
Case Study: How SGN Used Attack Path Mapping to Control Privileged Access in ...Case Study: How SGN Used Attack Path Mapping to Control Privileged Access in ...
Case Study: How SGN Used Attack Path Mapping to Control Privileged Access in ...
 
Case Study: Putting Citizens at The Center of Digital Government
Case Study: Putting Citizens at The Center of Digital GovernmentCase Study: Putting Citizens at The Center of Digital Government
Case Study: Putting Citizens at The Center of Digital Government
 
Keynote: Making Security a Competitive Advantage
Keynote: Making Security a Competitive AdvantageKeynote: Making Security a Competitive Advantage
Keynote: Making Security a Competitive Advantage
 
Emerging Managed Services Opportunities in Identity and Access Management
Emerging Managed Services Opportunities in Identity and Access ManagementEmerging Managed Services Opportunities in Identity and Access Management
Emerging Managed Services Opportunities in Identity and Access Management
 
The Unmet Demand for Premium Cloud Monitoring Services—and How Service Provid...
The Unmet Demand for Premium Cloud Monitoring Services—and How Service Provid...The Unmet Demand for Premium Cloud Monitoring Services—and How Service Provid...
The Unmet Demand for Premium Cloud Monitoring Services—and How Service Provid...
 
Application Experience Analytics Services: The Strategic Digital Transformati...
Application Experience Analytics Services: The Strategic Digital Transformati...Application Experience Analytics Services: The Strategic Digital Transformati...
Application Experience Analytics Services: The Strategic Digital Transformati...
 
Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...
Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...
Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...
 
Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...
Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...
Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...
 
Blockchain: Strategies for Moving From Hype to Realities of Deployment
Blockchain: Strategies for Moving From Hype to Realities of DeploymentBlockchain: Strategies for Moving From Hype to Realities of Deployment
Blockchain: Strategies for Moving From Hype to Realities of Deployment
 
Establish Digital Trust as the Currency of Digital Enterprise
Establish Digital Trust as the Currency of Digital EnterpriseEstablish Digital Trust as the Currency of Digital Enterprise
Establish Digital Trust as the Currency of Digital Enterprise
 
How Components Increase Speed and Risk
How Components Increase Speed and RiskHow Components Increase Speed and Risk
How Components Increase Speed and Risk
 
Case Study: How The Home Depot Built Quality Into Software Development
Case Study: How The Home Depot Built Quality Into Software DevelopmentCase Study: How The Home Depot Built Quality Into Software Development
Case Study: How The Home Depot Built Quality Into Software Development
 
Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...
Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...
Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...
 
Case Study: Continuous Delivery in a Tech Debt Laden World by Talk Talk.
Case Study: Continuous Delivery in a Tech Debt Laden World by Talk Talk.Case Study: Continuous Delivery in a Tech Debt Laden World by Talk Talk.
Case Study: Continuous Delivery in a Tech Debt Laden World by Talk Talk.
 

Recently uploaded

Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 

Recently uploaded (20)

Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 

Application Security in a DevOps World

  • 1. Application Security in a DevOps World Peter Chestna DST37T DEVSECOPS Director of Developer Engagement Veracode
  • 2. 2 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS © 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA. For Informational Purposes Only Terms of This Presentation
  • 3. 3 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Who am I? • 25+ Years Software Development Experience • 11+ Years Application Security Experience • Certified Agile Product Owner and Scrum Master • At Veracode since 2006 • From Waterfall to Agile to DevOps • From Monolith to MicroService • Consultant on DevSecOps best practices • Fun Fact: I love whiskey! • Tell me where to drink local whiskey @PeteChestna
  • 4. 4 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Goals  Why is AppSec important?  How is DevOps changing application development?  How is AppSec traditionally done?  What needs to change? – What to build – What to measure – How to help
  • 5. 5 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Applications Are as Risky as Ever of all applications used some kind of hard-coded password of all applications use broken or risky cryptographic algorithms of all applications were vulnerable to open redirect attacks of all applications mix trusted and untrusted data in the same data structure or message 39% 35% 28% 16%
  • 6. 6 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Lack of App Security is Damaging Companies
  • 7. 7 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS High Profile Breaches Through the App Layer How: Vulnerability on website built and maintained by third-party vendor in support of a charity. Result: Usernames and passwords for 76 million households and 7 million business were stolen. Financial Institution How: Hackers exploited a known vulnerability in an open source component Result: Social Security Numbers and personal data for more than 143 million Americans stolen. Three executives lose their jobs. Financial Institution How: Targeted a flaw in OpenSSL, CVE-2014-0160, better known as Heartbleed Result: The theft of Social Security Numbers and other personal data belonging to 4.5 million patients Healthcare Provider How: Sophisticated kill chain including exploitation of vulnerable web application Result: Hackers stole names, mailing addresses, phone numbers and email addresses for more than 70 million shoppers Retailer
  • 8. 8 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Business Mandate
  • 9. 9 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Compressed Timelines & Smaller Teams Waterfall Agile DevOps 1-4 Releases Per Year 12-24 Releases Per Year 100+ Releases Per Year 50+ people 6-12 people 6-12 people
  • 10. 10 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Waterfall Technology Agile DevOps
  • 11. 11 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Definition of DevOps
  • 12. 12 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS What’s a DevOps Team? DevOps Team
  • 13. 13 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS DevOps – Process: Where is security? Security
  • 14. 14 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Agile – Process for DevOps Copyright 2005, Mountain Goat Software
  • 15. 15 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Is this your current AppSec program?
  • 16. 16 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS They/We know it’s coming…
  • 17. 17 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Which outcome do you see? @PeteChestna
  • 18. 18 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Strategy  Relationship & Accountability  Integration & Automation  Training & Remediation Coaching  Security Champions
  • 19. 19 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Strategy - Relationships  Who is your peer in development/security?  Do you meet with them?  Do you understand each others goals?  Are you sympathetic to each others struggles?
  • 20. 20 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Strategy – Accountability  Shared between development and security  Part of annual goals for both teams  Measured and reported regularly
  • 21. 21 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS CI CD 1 Develop 4 Check in Static Analysis 3 Build & Test 2 Backlog Strategy – Integration & Automation Pass? 7 Synchronize No Yes 7 Deploy to QA/Stage 6 Static Analysis 6 Unit Tests 8 Dynamic Analysis 8 Regression Testing Pass? Yes Stage then Prod Per Check-in 5 Build CI/CD Pipeline 3a Manual Testing*
  • 22. 22 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Strategy – Training  Security teams can help developers by providing training, either through eLearning or in-person instructor-led training  Think about targeted training based on policy violations CA Veracode State of Software Security 2017
  • 23. 23 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Strategy - Training
  • 24. 24 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Strategy – Remediation Coaching @PeteChestna CA Veracode State of Software Security 2017
  • 25. 25 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Strategy – Security Champions  Eyes and ears of security  Specialized training – Basic security concepts – Threat modeling – Grooming guidelines – Secure code review training – Security controls – CTF Exercises  Escalate when necessary
  • 26. 26 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Static Application Security Testing + 3rd Party Risk Analysis Remediation and Mitigation Guidance Secure Code Reviews Manual Penetration Testing Red Team Activities Dynamic Application Security Testing Plan Code Build Test Stage Deploy Monitor Threat Modeling Security Grooming Secure Design Strategy - DevOps (Shift Left & Monitor) Runtime Application Self Protection Training (eLearning, instructor led, metadata driven)
  • 27. 27 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Bridge the Gap Between Development and Security 1. Scan early & often 2. Integrate & automate 3. Take Training 4. Request Remediation Guidance 5. Be a security champion Development Security 1. Be involved in all phases 2. Define & explain policy 3. Provide Targeted Training 4. Provide Remediation Guidance 5. Recruit & train champions
  • 28. 28 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Recommended Sessions SESSION # TITLE DATE/TIME DST43T The CA Technologies Veracode Platform: 360 Degree View of Your Application’s Security 11/15/2017 at 12:45 pm DST50T How Components Increase Speed & Risk 11/15/2017 at 1:45 pm DST40T Scale Your Application Security Program Effectively with the Right Program Management Model 11/15/2017 at 3:30 pm DST41T DevOps: Security’s Chance to Get It Right 11/16/2017 at 12:45 pm
  • 29. 29 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Must See Demos Securing Apps from Dev to Production CA Veracode Static Analysis CA Veracode Greenlight CA Veracode Remediation Guidance Manage Your Software Risk Open Sourced Component Scanning Developer Training on Secure Coding Integrations into Your Dev Tools 301 Manage Your Software Risk CA Veracode Static Analysis CA Veracode Web Application Scanning CA Veracode Greenlight CA Veracode Static Analysis CA Veracode Greenlight CA Veracode Remediation Guidance 506P 509P DevOps-CD SecuritySecurity
  • 30. 30 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS Stay connected at https://community.veracode.com Thank you.
  • 31. 31 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS DevSecOps For more information on DevSecOps, please visit: http://cainc.to/CAW17-DevSecOps