TS
Uploaded byTy Sbano
84 views

DevOps: Fast, furious, and Secure

The document discusses the integration of security within the DevOps framework, emphasizing the importance of embedding security throughout the development lifecycle. It highlights the need for intelligent planning, training opportunities, and the use of various tools for secure coding and automated security practices. The key takeaway is that effective DevOps combines development, operations, and security, leveraging automation to enhance security without incurring high costs.

Technology
Related topics:
Application Security

Embed presentation

Download to read offline
DevOps: The Fast, The Furious, The Secure.
Bio Background Former Application Security Director for Capital One Former Web Application Security SME for JPMorgan Chase Former Security Consultant for Protiviti Semi-Active Security Geek Education B.S. Information Science and Technology M.S. Information Assurance Certifications CISSP, SSCP, CEH, CPT @TySbano Sr. Director of Product Security at Target
What is DevOps? Where do we put Security? Image: Newcastleairport.au.com Mythical Cloud-Based Unicorn
The Traditional Approach to Application Security Image: www.ajc.com Gate-based Waterfall Methodology
Search Engine Image Results for “DevOps Security”
Security Security Security Security Security Embedding security earlier – “Moving To The Left?” Plan Code BuildTest Deploy
Planning requires intelligent requirements Plan Code BuildTest Deploy Plan• Accessible Guidance • Agile Security Stories • Secure Coding Guidelines • Security Engineers • Technical Training Open Training Opportunities: • AppsecTutorialSeries (YouTube) • www.SafeCode.org Open Training Labs: • WebGoat • HackMeBank • DVWA • Facebook CTF? • Threat Modeling
As code is developed, security is embedded • IDE Plug-ins • Self-Service Plan Code BuildTest Deploy Plan • Components & Frameworks • OWASP Dependency Check • Google Search Diggity • ESAPI • .Net AntiXSS • Conceal Code
Trust & Empowerment Trumps Security Gates • Smart Automation • Hudson/Jenkins • Controlled Scanning • On-demand • Time-based • Change-based • Static • Findbugs-Security • FxCop • Brakeman • SonarQube • Dynamic • nogotofail • OWASP ZAP • W3af / Nikto • OpenVAS • Chaos Monkey Plan Code BuildTest Deploy Build
Targeted Testing Must Be Performed By Experts • Penetration Testing • TargetedAbuse Cases • Risk Based Testing • Feature Based Assessments Plan Code BuildTest Deploy Test Image: www.clarotesting.com
Hardened Images Enable Faster Deployment • Build Automation • Chef – Audit Mode • Puppet – Security Integrity Management Platform • Docker – Docker Security Scanning • …subscription service? Plan Code BuildTest DeployDeploy
Continuous Monitoring, Continuous Protection • Continuous Monitoring • Sonar • Hygieia Plan Code BuildTest DeployDeploy • API Everything!
Take-Aways • Development Operations + Security = DevOps • Key security practices need SMEs, but many can be automated • Security doesn’t have to be expensive… • Full Stack Ownership includes Security
Q & A now or later - @TySbano

More Related Content

PPTX
Experience Credentials
bySandeep Sharma IIMA,Berkeley MBA Smart City,IoT,Bigdata,Cloud,BI,DW
 
PPTX
Career in IT - HMTIF UB Platform 2014
byEryk Budi Pratama
 
PDF
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
byDevSecCon
 
PDF
Security Training: Making your weakest link the strongest - CircleCityCon 2017
byAaron Hnatiw
 
PPTX
Security as an Enabler for the Digital World - CISO Perspective
byApigee | Google Cloud
 
PDF
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
byDevSecCon
 
PDF
Secure Your WordPress Site - And Your Business
byStacy Clements
 
PPTX
72% of Developers Can't be Wrong (Cloud Foundry Summit 2014)
byVMware Tanzu
 
Experience Credentials
bySandeep Sharma IIMA,Berkeley MBA Smart City,IoT,Bigdata,Cloud,BI,DW
 
Career in IT - HMTIF UB Platform 2014
byEryk Budi Pratama
 
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
byDevSecCon
 
Security Training: Making your weakest link the strongest - CircleCityCon 2017
byAaron Hnatiw
 
Security as an Enabler for the Digital World - CISO Perspective
byApigee | Google Cloud
 
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
byDevSecCon
 
Secure Your WordPress Site - And Your Business
byStacy Clements
 
72% of Developers Can't be Wrong (Cloud Foundry Summit 2014)
byVMware Tanzu
 

Similar to DevOps: Fast, furious, and Secure

PPTX
DevSecOps: Integrating Security Into DevOps! {Business Security}
byAlgoworks Inc
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PDF
Rugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps Patterns
byEvident.io
 
PPTX
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
byPerforce
 
PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PDF
DevOps for the Discouraged
byJames Wickett
 
PPTX
Secure DevOPS Implementation Guidance
byTej Luthra
 
PPTX
Outpost24 webinar - application security in a dev ops world-08-2018
byOutpost24
 
PPTX
DevSecOps Training Bootcamp - A Practical DevSecOps Course
byTonex
 
PDF
DevOps Vancouver Meetup - WSBC Progress
byAndre Kaminski
 
PPTX
DevSecOps in 10 minutes
bykieranjacobsen
 
PDF
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
PPTX
DevOps & Security: Here & Now
byCheckmarx
 
PPTX
Dev opsandsecurity owasp
byHelen Bravo
 
PPTX
The Journey to DevSecOps
byShannon Lietz
 
PPTX
The Journey to DevSecOps
bySeniorStoryteller
 
PDF
Securing DevOps Lifecycle
byDevOps Indonesia
 
PPTX
Dev Breakfast: Level up to DevSecOps
bykieranjacobsen
 
PDF
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
PPTX
ISACA Ireland Keynote 2015
byShannon Lietz
 
DevSecOps: Integrating Security Into DevOps! {Business Security}
byAlgoworks Inc
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
Rugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps Patterns
byEvident.io
 
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
byPerforce
 
Introduction to DevSecOps
byabhimanyubhogwan
 
DevOps for the Discouraged
byJames Wickett
 
Secure DevOPS Implementation Guidance
byTej Luthra
 
Outpost24 webinar - application security in a dev ops world-08-2018
byOutpost24
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
byTonex
 
DevOps Vancouver Meetup - WSBC Progress
byAndre Kaminski
 
DevSecOps in 10 minutes
bykieranjacobsen
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
DevOps & Security: Here & Now
byCheckmarx
 
Dev opsandsecurity owasp
byHelen Bravo
 
The Journey to DevSecOps
byShannon Lietz
 
The Journey to DevSecOps
bySeniorStoryteller
 
Securing DevOps Lifecycle
byDevOps Indonesia
 
Dev Breakfast: Level up to DevSecOps
bykieranjacobsen
 
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
ISACA Ireland Keynote 2015
byShannon Lietz
 

Recently uploaded

PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 

DevOps: Fast, furious, and Secure

  • 1.
  • 2.
    Bio Background Former Application SecurityDirector for Capital One Former Web Application Security SME for JPMorgan Chase Former Security Consultant for Protiviti Semi-Active Security Geek Education B.S. Information Science and Technology M.S. Information Assurance Certifications CISSP, SSCP, CEH, CPT @TySbano Sr. Director of Product Security at Target
  • 3.
    What is DevOps?Where do we put Security? Image: Newcastleairport.au.com Mythical Cloud-Based Unicorn
  • 4.
    The Traditional Approachto Application Security Image: www.ajc.com Gate-based Waterfall Methodology
  • 5.
    Search Engine ImageResults for “DevOps Security”
  • 6.
    Security Security Security Security Security Embedding security earlier– “Moving To The Left?” Plan Code BuildTest Deploy
  • 7.
    Planning requires intelligentrequirements Plan Code BuildTest Deploy Plan• Accessible Guidance • Agile Security Stories • Secure Coding Guidelines • Security Engineers • Technical Training Open Training Opportunities: • AppsecTutorialSeries (YouTube) • www.SafeCode.org Open Training Labs: • WebGoat • HackMeBank • DVWA • Facebook CTF? • Threat Modeling
  • 8.
    As code isdeveloped, security is embedded • IDE Plug-ins • Self-Service Plan Code BuildTest Deploy Plan • Components & Frameworks • OWASP Dependency Check • Google Search Diggity • ESAPI • .Net AntiXSS • Conceal Code
  • 9.
    Trust & EmpowermentTrumps Security Gates • Smart Automation • Hudson/Jenkins • Controlled Scanning • On-demand • Time-based • Change-based • Static • Findbugs-Security • FxCop • Brakeman • SonarQube • Dynamic • nogotofail • OWASP ZAP • W3af / Nikto • OpenVAS • Chaos Monkey Plan Code BuildTest Deploy Build
  • 10.
    Targeted Testing MustBe Performed By Experts • Penetration Testing • TargetedAbuse Cases • Risk Based Testing • Feature Based Assessments Plan Code BuildTest Deploy Test Image: www.clarotesting.com
  • 11.
    Hardened Images EnableFaster Deployment • Build Automation • Chef – Audit Mode • Puppet – Security Integrity Management Platform • Docker – Docker Security Scanning • …subscription service? Plan Code BuildTest DeployDeploy
  • 12.
    Continuous Monitoring, ContinuousProtection • Continuous Monitoring • Sonar • Hygieia Plan Code BuildTest DeployDeploy • API Everything!
  • 13.
    Take-Aways • Development Operations+ Security = DevOps • Key security practices need SMEs, but many can be automated • Security doesn’t have to be expensive… • Full Stack Ownership includes Security
  • 14.
    Q & Anow or later - @TySbano