The document discusses the concept of DevSecOps, emphasizing the importance of integrating security into the DevOps lifecycle through collaboration, automation, and education. It highlights the efficiency gains and cost savings achieved by adopting DevSecOps practices and addresses common challenges, including security automation and communication between developers and security teams. Additionally, it advocates for the need of security champions and shares insights on the current state of security understanding among developers.

1. DevSecOps: Minimizing Risk,
Improving Security
@fpmosley3 | /in/franklinmosley |
franklin.mosley@ellucian.com

2. Who Am I?
• Information
Security
Professional
• Reincarnated
Software
Engineer

3. Today’s Discussion
• Time For Change
• Communication and Collaboration
• Automation
• Education

4. Traditional

5. Today

6. DevOps Cycle

7. Is there a reason I wasn’t invited to the party?

9. Security

10. Poll Question
What impact do you think DevOps have on
the security of production systems?

12. Why DevSecOps?
40%
Efficiency Cost SavingsQuality
Source: Verizon 2016 Data Breach Investigation Report
Data breach incidents resulting from
attacks on web applications.

13. What is DevSecOps?
• Shared responsibility
• Automated Security
• Security at Scale

15. Business Driven Security

16. Eliminate Friction

17. Don’t Just Say No

18. Translate Security for the Layperson

19. Communication and Collaboration

20. Onboard to DevSecOps

21. How do they collaborate?

22. Collaboration Opportunities
ChatOps
Security Bot

23. 50%of developers know security is important but don’t have
enough time to spend on it.
Source: Sonatype 2017 DevSecOps Community Survey: https://www.sonatype.com/2017survey

24. What methodologies do your devs use?

25. User Stories
As a [role], I want to
[desired featured] so that
[value/benefit].

26. User Stories
As a customer, I want to
ensure my data is protected from
unintentional disclosure so that other
customers or external parties may
not access it.
Acceptance Criteria: Data is segregated by tenant.
Administrators and users must be separated by role to prevent
unauthorized disclosure or alteration.

27. Evil User Stories
As a malicious customer, I want to
send another customer’s tenant ID in
a request so that I may access
another customer’s data.
Acceptance Criteria: Access controls prevent unauthorized
disclosure or alteration of another customer’s data.

28. Developers often outnumber AppSec
professionals by
Source: Sonatype 2017 DevSecOps Community Survey: https://www.sonatype.com/2017survey
100 to 1

29. What is a Security Champion?

30. Automation

31. IASTDASTSAST
DevOps Pipeline
Golden Image Container
TestPackageBuildCode

32. Poll Question
In your opinion, what do you think is the
biggest challenge in security automation?

33. Testing Challenges
• False Positives
• Long scan times
• Communicating
Findings
• Remediation

34. Open Source Software
Open Source
80%
Custom Code
20%
Source: The Forrester Wave™: Software Composition Analysis (SCA) Q1 2017

35. MTTR
MTTD
Measuring
Group
Findings
Trending

36. Sharing
Dashboards
Transparent Accessible
Meaningful Visualized

38. Of U.S. computer science programs
1 of the
top 36
requires a security course for graduation
Source: CloudPassage

39. Computer-Based Training

40. Lunch & Learn

42. Common DevSecOps Mistakes
Not Understanding
DevOps
Traditional Tooling
Aim for Improvement, not perfection!
Traditional Security
Manual Gating
Tunnel Vision
No Collaboration

43. Thank You
@fpmosley3
/in/franklinmosley
franklin.mosley@ellucian.com