Putting Security Into DevOps
Agenda
1. Introduction
2. The Evolution of Software Delivery
3. Security is Everyone's Problem
4. What is DevOps?
5. Adapting Security for DevOps
6. Summary & Questions
Webinar Presenters
Daniel Geater
Senior Test Consultant
Colin Domoney
Consultant Solution Architect
The Evolution of Software Delivery

Iterative/Waterfall
• Large phases of work, each completing fully before the next starts
• Clearly defined entry and exit criteria on each phase
• Analyse-Design-Build-Test-Release-Maintain

Agile
• Little and often: small incremental changes
• Analysis, design, build, test and release teams work together
• Specific types of testing (e.g. performance, security, usability) are usually done infrequently, for milestone releases

Continuous Delivery/DevOps
• Builds on agile
• Fully automated build, functional test and release
• Any code change can go all the way through to production automatically
• Liaise with operations to define environments as code and build performance metrics into the automated pipeline
The importance of security
• 2/3 of large UK businesses have been hit by a cyber attack in the last year
• 70% of all attacks involve viruses, malware or spyware
• Most attacks are preventable
• The known monetary costs rank in the millions; the true costs are unknown, as many businesses do not disclose full details
• What about the reputation damage? TalkTalk, Ashley Madison, Sony PSN, Yahoo!, NHS – not just famous for their services any more
No man is an island
• Security is one of the last predominantly manual testing fields: few automated tools exist, and they are hard to bake into a pipeline
• Security testing is comparatively late-stage
• High defect fix costs, and the risk of a late-notice no-go
• Many developers and functional testers don't have much grounding in security
• Security needs to integrate earlier in the lifecycle; current security practitioners can enable this
What is an application really?
Application DNA: framework, libraries, custom code, data
Security is Everyone's Problem
How big is your codebase?
• 75% of a modern application's code is from external sources
• A single team will struggle to police the remaining 25%, let alone everything
• We need to build a culture where the security and stability of an application is shared by all stakeholders
• Everyone needs to collaborate to keep our apps and users safe
• Security needs to shift left and be present throughout the pipeline
Lines of code (source: http://www.informationisbeautiful.net/visualizations/million-lines-of-code/):
• iOS app: <50,000
• Photoshop CS6: >4,000,000
• Firefox: >9,000,000
• Microsoft Office 2013: >44,000,000
• Modern day car: ~100,000,000
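If three quarters of an application is code nobody on the team wrote, the first practical step is an inventory of that code and a check of each pinned version against known advisories. The script below is an added example, not code from the webinar or from QualiTest: it parses a pinned requirements file, reports anything that is not an exact pin (because an unpinned dependency cannot be audited reproducibly), and matches each pin against an advisory list with an inclusive "introduced" and exclusive "fixed" version. The package names, versions and advisories are fictional, and version ordering is simplified to dotted numbers.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str      # normalised package name
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    summary: str


def normalise(name: str) -> str:
    """PyPI-style name normalisation: case-insensitive, '_' and '.' treated as '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only (an assumption of this example); pre-release or
    local tags such as 1.2rc1 or 1.2+local are not ordered correctly by this."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_requirements(text: str):
    """Return ({name: version} for exact pins, [lines that are not exact pins])."""
    pins, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*==\s*([0-9][0-9A-Za-z.\-+]*)$", line)
        if m:
            pins[normalise(m.group(1))] = m.group(2)
        else:
            unpinned.append(line)
    return pins, unpinned


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def audit(requirements_text: str, advisories) -> dict:
    """Match every exact pin against the advisory list."""
    pins, unpinned = parse_requirements(requirements_text)
    by_pkg = {}
    for adv in advisories:
        by_pkg.setdefault(normalise(adv.package), []).append(adv)
    vulnerable = [(name, ver, adv) for name, ver in pins.items()
                  for adv in by_pkg.get(name, []) if is_affected(ver, adv)]
    return {"pinned": pins, "unpinned": unpinned, "vulnerable": vulnerable}


# Constructed sample manifest and advisories; packages and issues are fictional.
SAMPLE_REQUIREMENTS = """
# web service dependencies (constructed example)
acme-http==2.3.1
acme-yaml==5.1
Acme_Utils==0.9.0
acme-crypto>=1.0   # not an exact pin
"""

SAMPLE_ADVISORIES = [
    Advisory("acme-http", "2.0.0", "2.4.0", "header injection via unescaped CR/LF (fictional)"),
    Advisory("acme-yaml", "0", "5.1", "unsafe load of arbitrary objects (fictional)"),
    Advisory("acme-utils", "1.0.0", "1.2.0", "path traversal in archive extraction (fictional)"),
]


def run_audit(requirements_text=SAMPLE_REQUIREMENTS, advisories=SAMPLE_ADVISORIES) -> dict:
    return audit(requirements_text, advisories)


if __name__ == "__main__":
    report = run_audit()
    for name, ver, adv in report["vulnerable"]:
        print(f"VULNERABLE {name}=={ver}: {adv.summary} (fixed in {adv.fixed})")
    for line in report["unpinned"]:
        print(f"UNPINNED   {line}")
    raise SystemExit(1 if report["vulnerable"] or report["unpinned"] else 0)
```

Run as a pipeline step, a non-zero exit blocks the build on either a matched advisory or an unpinned dependency. The acme-yaml pin sits exactly on the fixed version, which is why the exclusive upper bound matters: a range check that used `<=` would raise a false alarm there.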
What is DevOps?
Walls have separated developers, security and ops folk for hundreds of years…
DevOps is not a technology
It's not a single process
It's not about job titles
Annoyingly, I can't sell you DevOps or even DevSecOps
It is beautifully simple though…
https://devops-culture-hacks/
The Three Ways

The First Way – Systems Thinking
Features
• Increasing left-to-right flow from Development to IT Operations to the customer
• Need for smaller batch sizes and intervals of work
• Never passing defects to downstream work centers
• Optimise for global (business) goals
Practices
• Continuous build, integration and deployment
• Creating environments on demand
• Limiting work in process
• Building systems and organisations that are safe to change

The Second Way – Amplify Feedback Loops
Features
• Constant flow of fast feedback from right-to-left at all stages
• Amplifying it so that problems are prevented from repeating, or detected and recovered from faster
• Enables creation of quality at the source, embedding knowledge where it is needed
Practices
• "Stopping the production line" when builds and tests fail in the dev pipeline
• Constantly elevating the improvement of daily work over daily work itself
• Creating fast automated test suites that prove code is deployable
• Pervasive telemetry

The Third Way – Culture of Continual Experimentation & Learning
Features
• Continual experimentation, risk taking and learning
• Repetitive practice is the prerequisite to mastery
Practices
• Failure is welcomed, but rarely repeated
• Constant practice reinforces stability and safety
• High trust amongst team members
• Allocate >20% of cycles towards non-functional requirements, e.g. security
• Improvements are celebrated
Netflix – Fostering a Culture of Safety & Resilience
• "Chaos Monkey" actually makes bad things happen, to force the engineer to deal with real-life failure
• "Security Monkey" is a tool for monitoring and analyzing the security posture of Amazon Web Services configurations
• The family: Chaos Monkey, Chaos Gorilla, Chaos Kong, Janitor Monkey, Doctor Monkey, Compliance Monkey, Latency Monkey, Security Monkey
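Security Monkey's job is to compare AWS configuration against a policy and raise findings when the two disagree. The following is an added example of that kind of check, written for this page and not Security Monkey's own code: it walks a snapshot in the shape of `aws ec2 describe-security-groups` output and flags ingress rules that are open to the whole internet. The port policy, the group ids and the snapshot itself are constructed for the example.

```python
from ipaddress import ip_network

# Ports that must never be reachable from the whole internet (assumed policy).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 27017: "mongodb"}
# Ports expected to be public on an internet-facing service (assumed policy).
PUBLIC_OK_PORTS = {80, 443}


def is_world_open(cidr: str) -> bool:
    """0.0.0.0/0 and ::/0 are the only prefixes of length 0."""
    return ip_network(cidr, strict=False).prefixlen == 0


def port_range(perm: dict):
    if perm.get("IpProtocol") == "-1":       # "all traffic" rule carries no port fields
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(doc: dict) -> list:
    """Walk SecurityGroups[].IpPermissions[] and return (group_id, severity, cidr, detail)
    for every world-open ingress rule that the policy above does not allow."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            lo, hi = port_range(perm)
            for cidr in cidrs:
                if not is_world_open(cidr):
                    continue
                if perm.get("IpProtocol") == "-1":
                    findings.append((sg["GroupId"], "critical", cidr, "all protocols and ports"))
                    continue
                exposed = [SENSITIVE_PORTS[p] for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]
                if exposed:
                    findings.append((sg["GroupId"], "high", cidr, ",".join(exposed)))
                elif not (lo == hi and lo in PUBLIC_OK_PORTS):
                    findings.append((sg["GroupId"], "medium", cidr,
                                     f"{perm.get('IpProtocol')} {lo}-{hi}"))
    return findings


# Constructed snapshot in the shape of `aws ec2 describe-security-groups`; not real infrastructure.
SAMPLE_SNAPSHOT = {"SecurityGroups": [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}


def run_posture_check(doc=SAMPLE_SNAPSHOT) -> list:
    return audit_security_groups(doc)


if __name__ == "__main__":
    for group, sev, cidr, detail in run_posture_check():
        print(f"{sev:<8} {group:<10} {cidr:<10} {detail}")
```

The public HTTPS rule on sg-web produces no finding, the SSH rule on sg-db is flagged even though the database port itself is restricted to the private range, and the IPv6 "all traffic" rule on sg-legacy is the one a port-only check would miss, which is why the audit reads both IpRanges and Ipv6Ranges.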
Adapting Security for DevOps
Five Principles for
Integrating Security into DevOps
1 Automate Security In
2 Integrate to “Fail Quickly”
3 No false alarms
4 Build security champions
5 Keep operational visibility
Integration & Automation (CI/CD pipeline diagram)
CI, per check-in: Backlog → Develop → Check in → Build & Test, with static analysis run on every check-in → Pass? No: synchronize and return to the backlog. Yes: continue.
CD: Build → Static Analysis and Unit Tests → Deploy to QA/Stage → Dynamic Analysis and Regression Testing → Pass? Yes: Stage, then Prod.
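The five principles above and the pipeline diagram ask for a security step that runs on every check-in, fails the build quickly, and raises no false alarms. The gate below is an added example, not code from the webinar or from QualiTest: it reads a SARIF report (the interchange format most static analysers can emit), fails on findings at or above a chosen severity, and honours a baseline of triaged false positives, each of which must carry a reason and an expiry date so that a suppression is revisited rather than forgotten. The scanner name, rule ids, paths, findings and the baseline entry are constructed; the mapping of SARIF levels to severities is an assumption of the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date

# SARIF "level" -> gate severity (an assumption of this example; many scanners also
# emit a numeric security-severity property, which you would prefer when present).
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "low"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int
    message: str

def fingerprint(rule_id, path, message):
    """Stable identity for a finding; the line number is left out on purpose so a
    baseline entry survives unrelated edits that shift code around."""
    return hashlib.sha256(f"{rule_id}|{path}|{message}".encode()).hexdigest()[:16]

def parse_sarif(text):
    """Flatten a SARIF 2.1.0 document (runs[].results[]) into Finding records."""
    findings = []
    for run in json.loads(text).get("runs", []):
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                rule_id=result.get("ruleId", "unknown"),
                severity=LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium"),
                path=loc.get("artifactLocation", {}).get("uri", "<unknown>"),
                line=loc.get("region", {}).get("startLine", 0),
                message=result.get("message", {}).get("text", "")))
    return findings

@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)    # these fail the build
    suppressed: list = field(default_factory=list)  # covered by a live baseline entry
    expired: list = field(default_factory=list)     # baseline entry lapsed; also blocking

def evaluate_gate(findings, baseline, fail_at="high", today=None):
    """Fail on any finding at or above fail_at that is not covered by a live baseline
    entry. Each entry must carry a reason and an expiry date, so a triaged false
    positive is re-examined later instead of being silenced for good."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    live = {}
    for entry in baseline:
        if not entry.get("reason"):
            raise ValueError(f"baseline entry {entry['fingerprint']} has no reason")
        live[entry["fingerprint"]] = date.fromisoformat(entry["expires"]) >= today
    result = GateResult(passed=True)
    for f in findings:
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[fail_at]:
            continue
        fp = fingerprint(f.rule_id, f.path, f.message)
        if live.get(fp):
            result.suppressed.append(f)
            continue
        if fp in live:
            result.expired.append(f)
        result.blocking.append(f)
    result.passed = not result.blocking
    return result

def _sarif_result(rule, level, uri, line, text):
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                "region": {"startLine": line}}}]}

# Constructed scanner output; "example-sast", its rules and the paths are made up.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        _sarif_result("sqli", "error", "src/orders.py", 42, "SQL query built from user input"),
        _sarif_result("hardcoded-secret", "error", "tests/fixtures.py", 7, "possible hardcoded credential"),
        _sarif_result("weak-random", "warning", "src/session.py", 15, "random.random() used for a token"),
    ]}]})

# Constructed baseline: one triaged false positive, with a reason and an expiry.
SAMPLE_BASELINE = [{
    "fingerprint": fingerprint("hardcoded-secret", "tests/fixtures.py", "possible hardcoded credential"),
    "reason": "dummy value in a test fixture, not a real credential",
    "expires": "2099-01-01"}]

def run_gate(sarif_text=SAMPLE_SARIF, baseline=SAMPLE_BASELINE, fail_at="high", today=None):
    return evaluate_gate(parse_sarif(sarif_text), baseline, fail_at, today)

if __name__ == "__main__":
    outcome = run_gate()
    for f in outcome.blocking:
        print(f"BLOCK {f.severity:<6} {f.rule_id:<17} {f.path}:{f.line}  {f.message}")
    for f in outcome.suppressed:
        print(f"skip  {f.severity:<6} {f.rule_id:<17} {f.path}:{f.line}  (baselined)")
    raise SystemExit(0 if outcome.passed else 1)
```

Wired in as the static-analysis step of the per-check-in stage, the non-zero exit is what "stops the production line". The baseline is the mechanism for the "no false alarms" principle: a developer who has shown a finding to be a false positive records why and for how long, and the gate stays quiet about it until that date, after which the finding blocks again and has to be re-triaged.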
Remediation Coaching
For applications that used remediation coaching, development teams fixed more than 2.5x the average number of flaws per megabyte
Security Champions
• The eyes and ears of security within the development team
• Specialised training: basic security concepts, threat modeling, grooming guidelines, secure code review, security controls, CTF exercises
• Escalate when necessary
Measurement & Transparency
• Measurement: executive buy-in; baseline maturity across the organisation; tie to corporate goals
• Transparency: regular updates and reporting
Measurement (Scan Early, Scan Often)
Applications that used the sandbox had an average fix rate of 59%, a 2x improvement in fix rate
Bridging The Gap
Development Team
• Scan/test early & often
• Integrate & automate
• Take training
• Request remediation guidance
• Become a security champion
Security
• Be involved in all phases
• Define & explain policy
• Provide targeted training
• Provide remediation guidance
• Recruit & train champions
Summary & Questions
www.QualiTestGroup.com

 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 

Recently uploaded (20)

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 

DevSecOps - It can change your life (cycle)

  • 7. No man is an island
  | Security is one of the last predominantly manual testing fields
    • Very few automated tools exist
    • Hard to bake into the pipeline
  | Comparatively late-stage
  | High defect fix costs and risk of a late-notice no-go
  | Many developers and functional testers don't have much grounding in security
  | Security needs to integrate earlier in the lifecycle; current security practitioners can enable this
  • 8. What is an application really?
  | Application DNA: framework, library, custom code, data
  • 10. Security is Everyone's Problem
  | How big is your codebase?
    • 75% of a modern application's code is from external sources
    • A single team will struggle to police the remaining 25%, let alone everything
    • We need to build a culture where the security and stability of an application are shared by all stakeholders
    • Everyone needs to collaborate to keep our apps and users safe
    • Security needs to shift left and be present throughout the pipeline
  | Lines of code, for scale:
    • iOS app: <50,000
    • Photoshop CS6: >4,000,000
    • Firefox: >9,000,000
    • Microsoft Office 2013: >44,000,000
    • Modern-day car: ~100,000,000
    Source: http://www.informationisbeautiful.net/visualizations/million-lines-of-code/
  • 12. Walls have separated Developers, Security and Ops folk for hundreds of years…
  • 13. DevOps is not a technology
  | It's not a single process
  | It's not about job titles
  | Annoyingly, I can't sell you DevOps or even DevSecOps
  | It is beautifully simple though…
  • 16. The Three Ways: The First Way – Systems Thinking
  | Features
    • Increasing left-to-right flow from Development to IT Operations to the customer
    • Need for smaller batch sizes and intervals of work
    • Never passing defects to downstream work centers
    • Optimise for global (business) goals
  | Practices
    • Continuous build, integration and deployment
    • Creating environments on demand
    • Limiting work in process
    • Building safe systems and organisations that are safe to change
  • 17. The Three Ways: The Second Way – Amplify Feedback Loops
  | Features
    • Constant flow of fast feedback from right-to-left at all stages
    • Amplifying it to ensure that we can prevent problems from repeating, or enable faster detection and recovery
    • Enables creation of quality at the source, establishing or embedding knowledge where we need it
  | Practices
    • "Stopping the production line" when builds and tests fail in the dev pipeline
    • Constantly elevating the improvement of daily work over daily work
    • Creating fast automated test suites to prove deployable code
    • Pervasive telemetry
  • 18. The Three Ways: The Third Way – Culture of Continual Experimentation & Learning
  | Features
    • Continual experimentation, risk taking and learning
    • Repetitive practice is the prerequisite to mastery
  | Practices
    • Failure is welcomed, but rarely repeated
    • Constant practice reinforces stability and safety
    • High trust amongst team members
    • Allocate >20% of cycles towards non-functional requirements, e.g. security
    • Improvements are celebrated
  • 19. Netflix - Fostering a Culture of Safety & Resilience
  | "Chaos Monkey" actually makes bad things happen, to force the engineer to deal with real life
  | "Security Monkey" is a tool for monitoring and analyzing the security posture of Amazon Web Services configurations
  | Chaos Monkey, Chaos Gorilla, Chaos Kong, Janitor Monkey, Doctor Monkey, Compliance Monkey, Latency Monkey, Security Monkey
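The "Security Monkey" bullet describes continuous posture monitoring of cloud configuration. As an added example (not Netflix's Security Monkey code, and not from the webinar deck), the script below runs the kind of check such a tool performs over a constructed snapshot of security-group ingress rules: any rule whose source is the whole internet is examined, admin ports and all-ports rules are rated HIGH, and other non-web ports MEDIUM. The resource shape, the group ids and the port policy are assumptions made for illustration.

```python
"""Added example, not Netflix's Security Monkey code: a minimal posture
check in the spirit of the "Security Monkey" bullet above, run over a
constructed snapshot of security-group ingress rules.  The resource
shape, group ids and policy are assumptions for illustration."""
import ipaddress

# Constructed snapshot of three security groups. "-1" means all protocols.
SNAPSHOT = [
    {"id": "sg-web", "ingress": [
        {"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-bastion", "ingress": [
        {"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-db", "ingress": [
        {"proto": "tcp", "from": 0, "to": 65535, "cidr": "10.0.0.0/8"},
        {"proto": "-1", "from": 0, "to": 65535, "cidr": "0.0.0.0/0"}]},
]

# Assumed policy: admin ports are never world-reachable; only web ports may be.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}
INTERNET_OK = {80, 443}


def is_world(cidr):
    """True for 0.0.0.0/0 or ::/0 (a prefix length of zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(rule):
    """Port range a rule covers; "all protocols" means every port."""
    if rule["proto"] == "-1":
        return range(0, 65536)
    return range(rule["from"], rule["to"] + 1)


def audit(snapshot):
    """Return (group id, severity, message) tuples, HIGH before MEDIUM."""
    findings = []
    for sg in snapshot:
        for rule in sg["ingress"]:
            if not is_world(rule["cidr"]):
                continue  # internal source; out of scope for this check
            ports = rule_ports(rule)
            if len(ports) == 65536:
                findings.append((sg["id"], "HIGH", "all ports open to the world"))
                continue
            exposed_admin = [name for p, name in ADMIN_PORTS.items() if p in ports]
            for name in exposed_admin:
                findings.append((sg["id"], "HIGH", f"{name} open to the world"))
            if not exposed_admin and not set(ports) <= INTERNET_OK:
                findings.append((sg["id"], "MEDIUM",
                                 f"non-web ports {ports.start}-{ports.stop - 1} open to the world"))
    findings.sort(key=lambda f: {"HIGH": 0, "MEDIUM": 1}[f[1]])
    return findings


if __name__ == "__main__":
    for group, severity, message in audit(SNAPSHOT):
        print(f"{severity:6} {group}: {message}")
```

On the constructed snapshot the web group passes, the bastion is flagged for SSH and the database group for its all-protocols rule. In a real deployment the snapshot would be pulled from the cloud API on a schedule and the findings fed into the same operational visibility the deck asks for.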
  • 21. Five Principles for Integrating Security into DevOps
    1. Automate security in
    2. Integrate to "fail quickly"
    3. No false alarms
    4. Build security champions
    5. Keep operational visibility
  • 22. Integration & Automation: CI/CD pipeline (slide diagram, reconstructed as a flow; runs per check-in)
    1. Develop
    2. Backlog
    3. Build & test
    4. Check in (static analysis on check-in)
    5. Build (CI)
    6. Static analysis and unit tests. Pass? No: 7. Synchronize (back to development). Yes:
    7. Deploy to QA/Stage (CD)
    8. Dynamic analysis and regression testing. Pass? Yes: Stage, then Prod
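The pipeline above gates on static analysis at step 6 and the principles call for "fail quickly" and "no false alarms". As an added example (not from the webinar deck or any vendor's tool), the script below is the gate logic a pipeline would run at that step: it reads static-analysis findings, blocks the build on any CRITICAL or HIGH finding, and honours an allowlist of reviewed false positives that must carry an owner, a reason and an expiry so suppressions get re-examined rather than forgotten. The JSON shape, rule ids, file paths and severities are constructed assumptions, not a real scanner's output format.

```python
"""Added example (not from the webinar deck): a fail-fast security gate
for the static-analysis step of a CI pipeline.  Consumes a constructed,
simplified findings report, applies a blocking policy, honours reviewed
false-positive suppressions with expiry dates, and returns an exit status
so the pipeline "stops the production line" when needed."""
import json
import sys
from datetime import date

# Constructed sample report, shaped loosely like a SAST tool's JSON output.
# Rule ids, paths and fingerprints are illustrative assumptions.
SAMPLE_FINDINGS = json.dumps({
    "findings": [
        {"id": "SQLI-001", "severity": "HIGH", "file": "app/db.py", "line": 42,
         "fingerprint": "a1b2"},
        {"id": "XSS-004", "severity": "MEDIUM", "file": "app/views.py", "line": 10,
         "fingerprint": "c3d4"},
        {"id": "HARDCODED-SECRET", "severity": "HIGH", "file": "tests/fixtures.py",
         "line": 3, "fingerprint": "e5f6"},
    ]
})

# Reviewed false positives ("no false alarms"). Every entry needs an owner,
# a reason and an expiry so the suppression is revisited, not forgotten.
ALLOWLIST = [
    {"fingerprint": "e5f6", "reason": "dummy credential in test fixture",
     "owner": "security-champion@example.invalid", "expires": "2099-01-01"},
]

# Severities that break the build; everything else is reported only.
BLOCKING = {"CRITICAL", "HIGH"}


def _as_date(today):
    if today is None:
        return date.today()
    return date.fromisoformat(today) if isinstance(today, str) else today


def active_suppressions(allowlist, today=None):
    """Fingerprints whose suppression has not yet expired."""
    today = _as_date(today)
    return {e["fingerprint"] for e in allowlist
            if date.fromisoformat(e["expires"]) >= today}


def evaluate(report_json, allowlist, today=None):
    """Split findings into blocking, warning and suppressed lists."""
    suppressed = active_suppressions(allowlist, today)
    result = {"blocking": [], "warnings": [], "ignored": []}
    for f in json.loads(report_json)["findings"]:
        if f["fingerprint"] in suppressed:
            result["ignored"].append(f)
        elif f["severity"] in BLOCKING:
            result["blocking"].append(f)
        else:
            result["warnings"].append(f)
    return result


def gate(report_json, allowlist, today=None):
    """Return 0 to let the pipeline continue, 1 to stop it."""
    result = evaluate(report_json, allowlist, today)
    for f in result["blocking"]:
        print(f"BLOCK {f['severity']:8} {f['id']} {f['file']}:{f['line']}")
    for f in result["warnings"]:
        print(f"WARN  {f['severity']:8} {f['id']} {f['file']}:{f['line']}")
    print(f"{len(result['ignored'])} finding(s) suppressed by the reviewed allowlist")
    return 1 if result["blocking"] else 0


if __name__ == "__main__":
    sys.exit(gate(SAMPLE_FINDINGS, ALLOWLIST))
```

Run as a pipeline step, a non-zero exit stops the build at step 6 and sends the check-in back to development (the "Synchronize" branch); MEDIUM and lower findings are surfaced but do not block, which keeps the signal actionable. Expired suppressions silently come back into force, which is deliberate: a false positive that nobody re-reviews becomes a real finding again.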
  • 23. Remediation Coaching
  | For applications that used remediation coaching, development teams fixed more than 2.5x the average number of flaws per megabyte
  • 24. Security Champions
  | Eyes and ears of security
  | Specialized training
    • Basic security concepts
    • Threat modeling
    • Grooming guidelines
    • Secure code review training
    • Security controls
    • CTF exercises
  | Escalate when necessary
  • 25. Measurement & Transparency
  | Measurement
    • Executive buy-in
    • Baseline maturity across the organisation
    • Tie to corporate goals
  | Transparency
    • Regular updates and reporting
  • 26. Measurement (Scan Early, Scan Often)
  | Applications that used a sandbox had an average fix rate of 59%, a 2x improvement in fix rate
  • 27.
  • 28. Bridging The Gap
  | Development Team
    • Scan/test early & often
    • Integrate & automate
    • Take training
    • Request remediation guidance
    • Become a security champion
  | Security
    • Be involved in all phases
    • Define & explain policy
    • Provide targeted training
    • Provide remediation guidance
    • Recruit & train champions
  • 30.