DEVSECOPS
CHALLENGES & OPPORTUNITIES
MOHAN YELNADU
P. P. T: PEOPLE, PROCESS, TOOLS
• QUALITY
• PRAGMATIC
• OPEN
• ACCOMMODATING
• RIGHT SET
• SUIT MY REQUIREMENTS
PEOPLE
• SMALL BUT SMART
• CAN ACHIEVE A LOT
• SAVVY
• CHANGE THE LANGUAGE
• BUSINESS RISKS
APPSEC TOOLS
• MAKE OR BREAK
• COE (CENTRE OF EXCELLENCE), TEAM WITH CURIOSITY
• GO FOR POC/LISTEN TO EXPERTS IN THE FIELD
APPSEC TOOL GUIDANCE
PROCESS
• EARLY, EFFORTLESS, AND CONSTANT FEEDBACK
EXAMPLE
• SAST – Static Application Security Testing
• OSS – Open Source Software Security
• CSec – Container Security
• DAST – Dynamic Application Security Testing
• SMOOTH ONBOARDING
• AUTOMATE WHAT YOU CAN
• IMPROVING TOOL ADOPTION
• ROLLOUT STRATEGY
• MANAGING CRITICAL ISSUES
• MAKING IT WORK FOR SOC
• PRODUCTION MONITORING
• TAILORED CONFIGURATION
• DO THE RIGHT THING
• PRAGMATIC HYGIENE
• MANAGING ZERO DAYS
SMOOTH ONBOARDING
• AUTOMATED ONBOARDING ON SECURITY TOOLS
• HEARD THE TOOL NAME, AND ALREADY ONBOARDED
AUTOMATE WHAT YOU CAN
ONBOARDING → SCANNING → TRIAGE → BUILDBREAKER → ISSUE MANAGEMENT
TRIAGE
Developer:
• Scan
• Raise triage request
• Analyze findings
• Fix true issues; flag false positives
AppSec SME:
• Analyze triage issues (if required, meet developers)
• Confirm true issues or false positives
• Mark ignore / not applicable where justified
BUILDBREAKER:
Pre-process (Security Scan, Code Quality Scan) → Build → BuildBreaker → Go / No-Go → PROD
Example: source code in BitBucket → build artefact in Artifactory; BuildBreaker decides Go / No-Go before PROD.
BuildBreaker Example:
• No critical security issues in production build
IMPROVING TOOL ADOPTION
• Allow developers to get used to the tools
• Give enough notice while enabling BuildBreakers/gating
• Create an ecosystem: FAQs, documentation, demos, videos
• Give as many live demos as possible; share about new tools and processes
ROLLOUT STRATEGY
• Break build: in stages
• Handholding in false positive analysis: triage and guidance
• Dispensation management: logging and validity
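The BuildBreaker, the triage outcomes and the dispensation rules above combine into one gate. The block below is an added example written for this page, not the speaker's own tooling. The scanner export, the triage store, the dispensation store and all field names are constructed assumptions, not any real tool's schema. It shows the points the slides make: false positives and not-applicable findings drop out via triage, dispensations are logged and expire, and the break-at severity is a parameter so a staged rollout can start at CRITICAL and later tighten to HIGH.

```python
"""BuildBreaker gate: triage outcomes + time-boxed dispensations -> Go/No-Go.

Added example, not the speaker's own tooling. The findings below are a
constructed scanner export; field names and the triage/dispensation stores
are assumptions, not any real tool's schema.
"""
import json
from datetime import date

# Constructed scanner output (SAST / OSS / CSec findings for one build).
FINDINGS_JSON = """
[
  {"id": "F-1", "tool": "SAST", "severity": "CRITICAL", "rule": "sql-injection",
   "location": "app/db.py:42"},
  {"id": "F-2", "tool": "OSS",  "severity": "CRITICAL", "rule": "vulnerable-dependency",
   "location": "requirements.txt"},
  {"id": "F-3", "tool": "SAST", "severity": "HIGH",     "rule": "weak-hash",
   "location": "app/auth.py:10"},
  {"id": "F-4", "tool": "CSec", "severity": "CRITICAL", "rule": "container-runs-as-root",
   "location": "Dockerfile"}
]
"""

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Triage decisions recorded after developer / AppSec SME review (assumed store).
TRIAGE = {
    "F-1": "FALSE_POSITIVE",   # query is parameterised; scanner misread string building
    "F-3": "TRUE_ISSUE",
}

# Dispensations: approved exceptions that are logged and expire (assumed store).
DISPENSATIONS = [
    {"finding_id": "F-4", "approved_by": "appsec-sme",
     "reason": "hardened base image scheduled", "valid_until": "2030-01-01"},
]


def active_dispensations(dispensations, today):
    """Split dispensations into ids still valid on `today` and ids that have expired."""
    active, expired = set(), set()
    for d in dispensations:
        target = active if date.fromisoformat(d["valid_until"]) >= today else expired
        target.add(d["finding_id"])
    return active, expired


def evaluate(findings, triage, dispensations, today, break_at="CRITICAL"):
    """Return (decision, blocking_ids, log).

    `break_at` is the lowest severity that breaks the build, so a staged
    rollout starts at CRITICAL and later tightens to HIGH without code changes.
    Every suppression is logged so the gate stays auditable.
    """
    threshold = SEVERITY_RANK[break_at]
    active, expired = active_dispensations(dispensations, today)
    blocking, log = [], []
    for f in findings:
        fid = f["id"]
        decision = triage.get(fid)
        if decision in ("FALSE_POSITIVE", "NOT_APPLICABLE"):
            log.append(f"{fid}: suppressed by triage ({decision})")
            continue
        if fid in active:
            log.append(f"{fid}: suppressed by dispensation")
            continue
        if fid in expired:
            log.append(f"{fid}: dispensation expired, treated as open")
        if SEVERITY_RANK.get(f["severity"].upper(), 0) >= threshold:
            blocking.append(fid)
    return ("NO-GO" if blocking else "GO"), blocking, log


def run_gate(today_iso, break_at="CRITICAL"):
    """Run the gate over the constructed findings for a given date (ISO string) and stage."""
    today = date.fromisoformat(today_iso)
    return evaluate(json.loads(FINDINGS_JSON), TRIAGE, DISPENSATIONS, today, break_at)


if __name__ == "__main__":
    decision, blocking, log = run_gate("2025-01-01")
    print(decision, blocking)
    print("\n".join(log))
```

With the stage set to CRITICAL only F-2 blocks the build (F-1 is a triaged false positive, F-4 is dispensed, F-3 is HIGH); tightening the stage to HIGH adds F-3, and once the dispensation's validity date passes F-4 blocks again, which is why the slides insist dispensations carry logging and validity rather than being permanent.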
MANAGING CRITICAL ISSUES
• LEVEL 10/CRITICAL
• IDENTIFICATION
• FOLLOW-UP
"Developers DO NOT realise the gravity of Level 10 OSS issues" (self-experience)
• MAPPING APP WITH RIGHT STAKEHOLDERS IN DASHBOARD
WORKING WITH SOC
PRODUCTION MONITORING
• MONITORING
• NIGHTLY
• ALERT
"Effective PROD monitoring saved a huge effort!" (self-experience)
TAILORED CONFIGURATION
• DISPENSATION
• LOGGING
• CREATE DEVELOPER
DO THE RIGHT THING
• UPLOAD LIBRARY AND ANALYSE
• BROWSER PLUGIN TO SCAN
• IDE PLUGIN TO ENABLE LOCAL SCANS
PRAGMATIC HYGIENE
• UPGRADING THE TOOLS TO LATEST VERSIONS
• NEW FEATURES INNOVATIONS
• ANALYSE IN TEST ENVIRONMENT
MANAGING ZERO DAYS
• EYES AND EARS OPEN FOR ZERO DAYS:
• YOUR LIBRARIES, YOUR TOOLS
• WAF
• CONSTANT TOUCH WITH VENDOR
• EVER READY TO ACT
THE SHOW MUST GO ON!
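When a zero day lands in a library, the first question is which applications carry an affected version and who owns them, which is the "your libraries" point above and the "mapping app with right stakeholders" point from the critical-issues slide. The block below is an added example for this page, not the speaker's tooling. The library name `examplelib`, its affected range and the dependency inventories are all constructed; the inventory is shaped like an OSS/SCA export with an owning team per application.

```python
"""Zero-day exposure check: which apps carry an affected library version?

Added example, not the speaker's tooling. 'examplelib' and its affected range
are hypothetical; the inventories below are constructed, shaped like an
OSS/SCA dependency export with an owning team per application.
"""

# Constructed inventory: one entry per application, with owner for the dashboard mapping.
INVENTORY = [
    {"app": "payments-api", "owner": "team-payments",
     "deps": [{"name": "examplelib", "version": "2.14.1"},
              {"name": "otherlib", "version": "1.0"}]},
    {"app": "web-portal", "owner": "team-web",
     "deps": [{"name": "examplelib", "version": "2.17.1"}]},
    {"app": "batch-jobs", "owner": "team-data",
     "deps": [{"name": "examplelib", "version": "2.17"}]},
    {"app": "legacy-report", "owner": "team-data",
     "deps": [{"name": "examplelib", "version": "1.2.17"}]},
    {"app": "auth-service", "owner": "team-identity",
     "deps": [{"name": "otherlib", "version": "3.1.0"}]},
]


def parse_version(v, parts=3):
    """'2.17' -> (2, 17, 0). A hyphenated suffix like '2.17.1-rc1' is cut at the hyphen.

    Deliberately simple: enough for dotted numeric versions, not full PEP 440/semver.
    """
    nums = [int(p.split("-")[0]) for p in v.split(".")]
    nums += [0] * (parts - len(nums))
    return tuple(nums[:parts])


def is_affected(version, lo, hi_exclusive):
    """True when lo <= version < hi_exclusive (hi_exclusive is the 'fixed in' release)."""
    v = parse_version(version)
    return parse_version(lo) <= v < parse_version(hi_exclusive)


def exposed_apps(inventory, library, lo, hi_exclusive):
    """Return [(app, owner, version)] for every app carrying an affected `library` version."""
    hits = []
    for entry in inventory:
        for dep in entry["deps"]:
            if dep["name"] == library and is_affected(dep["version"], lo, hi_exclusive):
                hits.append((entry["app"], entry["owner"], dep["version"]))
    return hits


def notify_list(hits):
    """Group exposed apps by owner so each stakeholder gets a single message."""
    by_owner = {}
    for app, owner, version in hits:
        by_owner.setdefault(owner, []).append(f"{app} ({version})")
    return by_owner


def check_examplelib():
    """Hypothetical advisory: examplelib >= 2.0.0 and < 2.17.1 affected, fixed in 2.17.1."""
    return exposed_apps(INVENTORY, "examplelib", "2.0.0", "2.17.1")


if __name__ == "__main__":
    for owner, apps in notify_list(check_examplelib()).items():
        print(owner, "->", ", ".join(apps))
```

Two boundary cases matter in practice and are covered by the sample data: `2.17.1` is the fixed release and must not be flagged, while a two-part version such as `2.17` is below `2.17.1` and must be. Running this against a real inventory before talking to the vendor or tuning the WAF turns "ever ready to act" into a concrete owner list.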
IMPORTANT : SECRETS MANAGEMENT
THANK YOU!
MOHAN YELNADU
@monkelephant
https://www.linkedin.com/in/mohanyelnadu

[DevSecOps Live] DevSecOps: Challenges and Opportunities