Demystifying DevSecOps
Archana Joshi
Director – Digital Engineering, Cognizant
Did you know?
"Over 53,000 cyber security incidents like phishing, website intrusions and defacements, virus and ransomware attacks were observed in the country during 2017, Parliament was informed today…."
Source: https://economictimes.indiatimes.com/tech/ites/over-53000-cyber-security-incidents-observed-in-2017/articleshow/62852008.cms
Did you know?
Source: State of Application Security – Forrester 2018, https://www.forrester.com/report/...State...Application+Security+2018/-/E-RES141676
Did you know?
Source: “The State of Open Source Security,” Snyk, 2017
What is DevSecOps?
Infusing security practices that lead to
While still retaining the core DevOps benefits of
 Faster release cycles
 Early defect detection
 Fewer deployment failures and rollbacks
 Reduced time to recover upon failure
But we have security-related NFRs (non-functional requirements) in our backlog. Isn't that enough?
"By 2021, DevSecOps will be embedded into 80% of rapid development teams"
Source: https://www.gartner.com/doc/3811369/-things-right-successful-devsecops
DevSecOps needs changes across People, Processes, Tools and Governance.
Implementing DevSecOps
People
Security is everyone's business… not just that of the Security & Compliance teams
 A culture that treats security as code: security controls, checks and policies are versioned, reviewed and automated alongside the application code
 Equip developers with the concepts of secure coding
Processes
Practice "Secure SDLC": update your SDLC processes and practices to include
 Security epics and user stories in the backlog
 Security criteria in the Definition of Done for the sprint
 Secure coding practices as part of technical debt measurements
 Security testing embedded in the testing cycles
Tools & Technology
Select from the wide range of available tools, for example:
 Amazon CloudWatch Alarms (alerting on metrics and logs)
 Docker Bench for Security (checks a Docker host against the CIS Docker Benchmark)
 Amazon Inspector (automated vulnerability assessment of instances)
 gitrob (finds sensitive files and secrets committed to GitHub repositories)
Governance
Don't forget to govern: dedicated roles and ceremonies.
Roles (as drawn in the slide's org chart, top to bottom):
 Security Officer
 Security Architect (Value Stream 1), supported by a DevSecOps Engineer for Release Train 1 and a DevSecOps Engineer for Release Train 2
 Security Architect (Portfolio), supported by DevSecOps Engineer 1 and DevSecOps Engineer 2
 DevSecOps Platform Architect
Ceremonies: Security Huddle Meetings / Security Chapter Leads / DevSecOps Engineers
Typical DevOps pipeline
Story boarding → Coding → Integrate → Test → Deploy → Monitor
Typical DevSecOps pipeline
Each DevOps stage gets a security activity, and the activities shift from consultation, to early detection, to outside-in testing, to continuous improvement as the stage moves right.
Story boarding – Security NFR (goal: Security Consultation)
 • Threat modelling
 • Security backlog
Coding – Security in the Definition of Done (goal: Early Detection / Shift-Left)
 • IDE security plugin
 • Code reviews
 • Regular expression analysis (pattern scanning of the code for secrets and known-bad constructs)
Integrate – Analyse (goal: Early Detection / Shift-Left)
 • Static Application Security Testing (SAST)
 • Web services
 • Automated security tests
Test – Scan (goal: Outside-In, Hacker Style)
 • Dynamic Application Security Testing (DAST)
 • DB security tests
 • Automated security tests
Deploy – Inspect (goal: Exploit Vulnerabilities)
 • Config management
 • Pen testing
 • Compliance & audit
Monitor – Continuous (goal: Continuously Improve)
 • Monitoring and alerting (intrusion / app attack)
 • BCP/DR
 • Audit & compliance
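The "Regular expression analysis" step of the Coding stage, the gitrob entry on the tools slide and the "security criteria in the Definition of Done" process item all come down to one mechanism: scan what a commit touches for credential-shaped strings and block the change when a finding crosses a severity line. The following is an added example, not code from the presentation and not gitrob's own signature set; the rule patterns, the severity scale, the `# nosecret` suppression marker and the sample files are all assumptions constructed for the illustration.

```python
"""Pattern-based secret scan used as a shift-left pipeline gate.

Added example (not from the presentation). Scans the text of changed files
for credential-shaped strings and fails the gate when any finding is at or
above a chosen severity, which is how a "no committed secrets" criterion in
the Definition of Done becomes an automated check.
"""
import re
from dataclasses import dataclass

# Rule = (name, compiled regex, severity 1..3). Illustrative assumptions only,
# not the real signature set of gitrob or any other scanner.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 3),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), 3),
    ("slack_token", re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"), 3),
    ("generic_password_assignment",
     re.compile(r"""(?i)(?:password|passwd|pwd)\s*[=:]\s*['"][^'"]{6,}['"]"""), 2),
    ("url_with_basic_auth",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"), 2),
]

SUPPRESS_MARKER = "# nosecret"  # assumed, reviewable opt-out for documented examples


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    severity: int
    excerpt: str  # redacted match, safe to print in CI logs


def redact(match_text):
    """Keep just enough of the match to locate it; never echo a whole credential."""
    if len(match_text) <= 8:
        return "*" * len(match_text)
    return match_text[:4] + "*" * (len(match_text) - 8) + match_text[-4:]


def scan_text(path, text):
    """Return one Finding per (line, rule) hit; suppressed lines are skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if SUPPRESS_MARKER in line:
            continue
        for name, pattern, severity in RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, line_no, name, severity, redact(m.group(0))))
    return findings


def scan_files(files):
    """files: {path: text}, e.g. the output of a `git diff --name-only` read back."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def gate(findings, fail_at=2):
    """Definition-of-Done gate. Returns (may_proceed, blocking_findings)."""
    blocking = [f for f in findings if f.severity >= fail_at]
    return len(blocking) == 0, blocking


# Constructed sample changed files (not real credentials; the AWS key is the
# documented AKIAIOSFODNN7EXAMPLE placeholder).
SAMPLE_FILES = {
    "config/settings.py": "DEBUG = False\nDB_PASSWORD = 'Sup3rS3cret!'\nDB_HOST = 'db.internal'\n",
    "deploy/env.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nexport AWS_REGION=eu-west-1\n",
    "README.md": "Example: DB_PASSWORD = 'changeme1' # nosecret\n",
}


def report(files=SAMPLE_FILES, fail_at=2):
    findings = scan_files(files)
    ok, blocking = gate(findings, fail_at)
    return ok, findings, blocking


if __name__ == "__main__":
    ok, findings, blocking = report()
    for f in findings:
        print(f"{f.path}:{f.line_no} {f.rule} sev={f.severity} {f.excerpt}")
    print("GATE PASSED" if ok else f"GATE FAILED: {len(blocking)} blocking finding(s)")
    raise SystemExit(0 if ok else 1)
```

Run it as a pre-commit hook or as the first CI job: a non-zero exit stops the pipeline before SAST or DAST spend any time on a change that already fails the Definition of Done. The severity threshold is what lets a team tune the gate (block on high only at first, then tighten), and the redaction keeps the secret itself out of build logs, which are usually far more widely readable than the repository.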
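For the Monitor stage, "monitoring and alerting (intrusion / app attack)" is easiest to picture as detection logic run over the application's own access logs. The block below is an added example, not from the presentation: it parses web-server access log lines, flags request paths carrying traversal or SQL injection markers, and raises one alert when a single client accumulates too many failed logins inside a sliding time window. The `/login` path, the 5-in-60-seconds threshold, the attack patterns and the log lines themselves are constructed assumptions.

```python
"""Log-driven intrusion / application-attack alerting for the Monitor stage.

Added example (not from the presentation). Consumes access log lines in the
common log format with the request line quoted and emits alert tuples.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Illustrative request-path signatures (assumptions, not a production ruleset).
ATTACK_PATTERNS = [
    ("path_traversal", re.compile(r"\.\./")),
    ("sql_injection", re.compile(r"(?:'\s*or\s*'?\d|union\s+select|;--)", re.I)),
]


def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


class Detector:
    def __init__(self, login_path="/login", max_failures=5, window_seconds=60):
        self.login_path = login_path
        self.max_failures = max_failures
        self.window = timedelta(seconds=window_seconds)
        self.failures = defaultdict(deque)  # ip -> timestamps of 401s on login_path
        self.alerted = set()                # ips already reported, to avoid alert storms

    def feed(self, line):
        """Process one log line; return a list of (alert_kind, ip, detail) tuples."""
        alerts = []
        ev = parse_line(line)
        if ev is None:
            return [("unparseable_line", None, line)]
        decoded = unquote(ev["path"])  # match on the decoded path so %2e%2e%2f is seen as ../
        for name, pattern in ATTACK_PATTERNS:
            if pattern.search(decoded):
                alerts.append((name, ev["ip"], decoded))
        if decoded.split("?", 1)[0] == self.login_path and ev["status"] == 401:
            q = self.failures[ev["ip"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > self.window:  # drop failures outside the window
                q.popleft()
            if len(q) >= self.max_failures and ev["ip"] not in self.alerted:
                self.alerted.add(ev["ip"])
                alerts.append(("login_bruteforce", ev["ip"], len(q)))
        return alerts


def run(lines, **detector_kwargs):
    det = Detector(**detector_kwargs)
    alerts = []
    for line in lines:
        alerts.extend(det.feed(line))
    return alerts


# Constructed sample log: one client hammering /login, one traversal attempt,
# one injection attempt, plus benign traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2018:13:55:01 +0000] "POST /login HTTP/1.1" 401 312',
    '203.0.113.7 - - [10/Oct/2018:13:55:03 +0000] "POST /login HTTP/1.1" 401 312',
    '10.0.0.5 - - [10/Oct/2018:13:55:04 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2018:13:55:06 +0000] "POST /login HTTP/1.1" 401 312',
    '203.0.113.7 - - [10/Oct/2018:13:55:09 +0000] "POST /login HTTP/1.1" 401 312',
    '198.51.100.9 - - [10/Oct/2018:13:55:10 +0000] "GET /files?name=../../etc/passwd HTTP/1.1" 404 210',
    '203.0.113.7 - - [10/Oct/2018:13:55:12 +0000] "POST /login HTTP/1.1" 401 312',
    '203.0.113.7 - - [10/Oct/2018:13:55:15 +0000] "POST /login HTTP/1.1" 401 312',
    '10.0.0.5 - - [10/Oct/2018:13:57:20 +0000] "GET /search?q=1%27%20or%20%271%27=%271 HTTP/1.1" 200 880',
    '10.0.0.5 - - [10/Oct/2018:13:58:00 +0000] "POST /login HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

The brute-force rule is stateful and per-client, which is why it is expressed as a class rather than a single regex: a real deployment would evict idle clients from `failures`, re-arm `alerted` after a cool-down, and feed the alert tuples into whatever the team uses for paging (a CloudWatch alarm on a custom metric fits the tools slide). Decoding the path before matching is the detail that most often separates a detector that catches the encoded variant of an attack from one that only catches the textbook form.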
Thank You
https://www.linkedin.com/in/arcjoshi
Note: The views represented in the presentation are solely those of the author and do not represent those of the company / clients she is associated with.