DevSecOps
development, security, and operations
TABLE OF CONTENTS
• DevSecOps
• Case Study
• Breakdown / Tools
• Analysis
• Challenges and pitfalls
• Tutorial
• Overview
DevSecOps is a subset of DevOps that focuses on integrating security practices into the development and operations process, ensuring that software is not only delivered quickly but also securely.
DevOps vs DevSecOps
DevOps is a methodology that aims to improve collaboration and communication between development and operations teams, leading to faster and more efficient software delivery.
“The benefits of the DevSecOps approach are numerous. By embedding security practices into the development process, organizations can identify and fix potential vulnerabilities early on, reducing the risk of a security breach.”
Case Study
XYZ Inc. is a software development company that specializes in creating custom applications for businesses in the finance industry. The company has been in operation for over 10 years and has a team of 30 developers, 5 security experts, and 10 operations specialists. The challenges they faced were:
• Slow development process: due to a lack of collaboration between the development, security, and operations teams.
• Security vulnerabilities: the lack of integration resulted in a high number of security vulnerabilities in the applications.
• High costs: a significant amount of money was spent on fixing security vulnerabilities and responding to cyber attacks.
To overcome these challenges, XYZ Inc. decided to implement DevSecOps practices in their development process.
• Continuous monitoring: continuous monitoring of their applications and infrastructure to reduce the impact of cyberattacks and vulnerabilities.
• Security considerations: integrating security considerations reduced the risk of vulnerabilities.
• Collaboration and integration: between the development, security, and operations teams.
• Automation: this reduced the time and effort required for manual tasks, such as code reviews and testing.
The implementation of DevSecOps practices resulted in:
• Faster development: the collaboration and integration between the development, security, and operations teams reduced the time required for the development process.
• Improved security: the integration of security considerations into the development process reduced the number of vulnerabilities in the applications.
Breakdown of the Tools
01 Static application security testing (SAST)
02 Software composition analysis (SCA)
03 Interactive application security testing (IAST)
04 Dynamic application security testing (DAST)
01 Static application security testing (SAST)
SAST tools scan proprietary or custom code for coding errors and design flaws that could lead to exploitable weaknesses. SAST tools, such as Coverity®, are used primarily during the code, build, and development phases of the SDLC.
02 Software composition analysis (SCA)
SCA tools such as Black Duck® scan source code and binaries to identify known vulnerabilities in open-source and third-party components. In addition, they can be integrated seamlessly into a CI/CD process to continuously detect new open-source vulnerabilities, from build integration to preproduction release.
03 Interactive application security testing (IAST)
IAST tools work in the background during manual or automated functional tests to analyze web application runtime behavior. For example, the Seeker® IAST tool uses instrumentation to observe application requests/responses. This enables developers to focus their time and effort on critical vulnerabilities.
04 Dynamic application security testing (DAST)
DAST is an automated opaque box testing technology that mimics how a hacker would interact with your web application or API. It tests applications over a network connection and by examining the client-side rendering of the application.
Tools Overview
Automation tools
• Jenkins
• Bamboo
• Ansible
• Puppet
Security testing tools
• Burp Suite
• Nessus
• WebInspect
• Checkmarx
Monitoring solutions
• New Relic
• Datadog
• Zabbix
• Nagios
Tutorial on Implementation of DevSecOps
01 Identify the current development processes and tools in use, and assess their security capabilities.
02 Engage with the development team to understand their needs and concerns regarding security.
03 Develop a security strategy that aligns with the development processes and tools, and integrates security controls at every stage of the development lifecycle.
04 Implement automated security testing tools, such as static analysis, dynamic analysis, and penetration testing, to identify and remediate security vulnerabilities in the code.
05 Collaborate with the development team to integrate security testing into the continuous integration/continuous delivery (CI/CD) pipeline, ensuring that security is considered as part of the development process.
06 Monitor and assess the effectiveness of the security controls, and provide feedback to the development team to improve security practices and reduce vulnerabilities.
07 Educate and train the development team on best practices for secure coding, and provide guidance on how to incorporate security into the development process.
08 Regularly review and update the security strategy to ensure it remains aligned with the changing needs of the development environment.
09 Collaborate with security experts and other stakeholders to ensure that the security controls are effective and aligned with industry standards and best practices.
10 Continuously monitor the development environment for security incidents and vulnerabilities, and respond to them quickly and effectively.
Pipeline of CI
CI process in DevSecOps
• Planning
• Development
• CI Process
Example of a Base64 practice
Easy-to-use routines for you to generate these Base64 strings. Because the strings are plain text, you can also easily send them using simple text transmission services such as SMS text messages on a mobile phone.
Decoding the string back is just as easy:
In the above quote, the encoded value of "Man" is "TWFu". Encoded in ASCII, the letters "M", "a", and "n" are stored as the bytes 77, 97, and 110, which are equivalent to "01001101", "01100001", and "01101110" in base-2. These three bytes are joined together in a 24-bit buffer, producing the binary sequence "010011010110000101101110". Packs of 6 bits (6 bits have a maximum of 64 different binary values) are converted into 4 numbers (24 = 4 * 6 bits), which are then converted to their corresponding values in Base64.
DID YOU KNOW why Base64 isn't a powerful practice...?
Because
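As an added example (not code from the presentation; the routines on its slides are images that the text capture does not include), the following Python implements the walkthrough above step by step: three bytes into a 24-bit buffer, four 6-bit indices into the Base64 alphabet, and the reverse direction. It also exposes the intermediate values for "Man" so they can be compared with the numbers in the text, and cross-checks the hand-rolled routines against the standard library's `base64` module.

```python
"""Base64 by hand, following the "Man" -> "TWFu" walkthrough (added example)."""
import base64  # standard library, used only to cross-check the hand-rolled version

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def sextets(chunk: bytes) -> list:
    """Pack up to three bytes into a 24-bit buffer and split it into four 6-bit values."""
    buf = int.from_bytes(chunk.ljust(3, b"\0"), "big")  # zero-fill a short final group
    return [(buf >> shift) & 0x3F for shift in (18, 12, 6, 0)]


def encode_group(chunk: bytes) -> str:
    """Encode one group of 1-3 bytes as four characters, '=' padding a short group."""
    chars = "".join(ALPHABET[s] for s in sextets(chunk))
    keep = {1: 2, 2: 3, 3: 4}[len(chunk)]  # real characters for 1, 2 or 3 input bytes
    return chars[:keep] + "=" * (4 - keep)


def b64encode(data: bytes) -> str:
    """Encode the whole input, three bytes at a time."""
    return "".join(encode_group(data[i:i + 3]) for i in range(0, len(data), 3))


def b64decode(text: str) -> bytes:
    """Reverse: four characters -> 24-bit buffer -> three bytes, minus the padding."""
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        pad = group.count("=")
        buf = 0
        for ch in group:
            buf = (buf << 6) | (0 if ch == "=" else ALPHABET.index(ch))
        out += buf.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def trace(data: bytes) -> dict:
    """The intermediate values the walkthrough lists, for the first group of `data`."""
    chunk = data[:3]
    buf = int.from_bytes(chunk.ljust(3, b"\0"), "big")
    return {
        "bytes": list(chunk),        # e.g. [77, 97, 110] for b"Man"
        "bits": f"{buf:024b}",       # the 24-bit buffer as a binary string
        "sextets": sextets(chunk),   # four 6-bit indices into ALPHABET
        "encoded": encode_group(chunk),
    }


def matches_stdlib(data: bytes) -> bool:
    """Cross-check: hand-rolled encode/decode agree with the standard library."""
    expected = base64.b64encode(data).decode("ascii")
    return b64encode(data) == expected and b64decode(expected) == data


if __name__ == "__main__":
    print(trace(b"Man"))
    print(b64encode(b"Man"), b64decode("TWFu"))
    print(all(matches_stdlib(s) for s in (b"", b"M", b"Ma", b"Man", b"hello world")))
```

Both directions need nothing but the fixed alphabet: anyone holding the string can run `b64decode` on it. That is the point behind the slide's question: Base64 is an encoding for carrying bytes as text, not a protection for them, so a Base64 "secret" in a config file, URL or log line should be treated as plaintext by reviewers and scanners.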
A Jenkins end-to-end DevSecOps pipeline
Demo code of implementation of DevSecOps
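The Jenkins pipeline and the demo code on the two slides above are images that the text capture does not include. As an added example (not the presentation's code, and not any scanner's real report format), here is a Python security gate of the kind a Jenkins `sh` step would run after the SAST and SCA stages, covering tutorial steps 04 to 06: it reads the scanners' findings, applies a severity threshold plus time-limited accepted-risk entries, and fails the stage while anything blocking remains. The findings list, the rule ids and the package names are all constructed for the example.

```python
"""CI security gate (added example, not from the presentation).

Runs after the SAST and SCA stages: reads their findings (here a constructed,
tool-neutral list instead of a real report file), applies the team's policy and
exits non-zero so the pipeline stage fails while blocking findings remain.
"""
from dataclasses import dataclass, field
from datetime import date
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    source: str    # stage that produced it: "sast" or "sca"
    rule: str      # scanner rule id or advisory id (constructed values below)
    severity: str  # LOW, MEDIUM, HIGH or CRITICAL
    location: str  # file:line for SAST, package@version for SCA


@dataclass
class Policy:
    fail_at: str = "HIGH"  # lowest severity that blocks the build
    # Accepted-risk entries: rule id -> ISO date until which the risk is accepted.
    # An expired entry blocks again, so acceptances get re-reviewed, not forgotten.
    accepted: dict = field(default_factory=dict)


def blocking_findings(findings, policy, today):
    """Return the findings that must stop the build under `policy` on `today`."""
    threshold = SEVERITY_RANK[policy.fail_at.upper()]
    blocked = []
    for f in findings:
        if SEVERITY_RANK.get(f.severity.upper(), 0) < threshold:
            continue  # below the policy threshold: reported, not blocking
        until = policy.accepted.get(f.rule)
        if until is not None and today <= date.fromisoformat(until):
            continue  # risk accepted and the acceptance has not expired
        blocked.append(f)
    return blocked


def summarize(findings):
    """Count findings per severity, for the stage log."""
    counts = {}
    for f in findings:
        counts[f.severity.upper()] = counts.get(f.severity.upper(), 0) + 1
    return counts


def run_gate(findings, policy, today=None):
    """Evaluate the gate; returns (passed, blocking_findings)."""
    day = date.fromisoformat(today) if today else date.today()
    blocked = blocking_findings(findings, policy, day)
    return (len(blocked) == 0, blocked)


# Constructed sample findings standing in for real SAST and SCA reports.
SAMPLE_FINDINGS = [
    Finding("sast", "sast-sql-injection", "HIGH", "src/orders.py:42"),
    Finding("sast", "sast-hardcoded-secret", "MEDIUM", "src/config.py:7"),
    Finding("sca", "ADV-0001", "CRITICAL", "examplelib@1.2.3"),
    Finding("sca", "ADV-0002", "LOW", "otherlib@4.0.0"),
]

if __name__ == "__main__":
    # ADV-0001 was accepted until 2000-01-01; that has expired, so it blocks again.
    policy = Policy(fail_at="HIGH", accepted={"ADV-0001": "2000-01-01"})
    passed, blocked = run_gate(SAMPLE_FINDINGS, policy)
    for f in blocked:
        print(f"BLOCKING {f.severity:<8} {f.source}:{f.rule} at {f.location}")
    print("totals by severity:", summarize(SAMPLE_FINDINGS))
    sys.exit(0 if passed else 1)
```

Wired into a pipeline, the stage that invokes the gate fails whenever the script exits non-zero. The expiry date on accepted risks is the part worth keeping: an acceptance without a date quietly becomes permanent, which undoes the "regularly review and update" step (08).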
Some open-source tools
• Find Sec Bugs
• OWASP ZAP
• sqlmap
Future of DevSecOps:
Because companies these days are trying to shift towards continuous integration / monitoring, collaboration and automation, DevSecOps engineers are in very high demand throughout the world, especially in the USA.
DID YOU KNOW...?
Average pay scale of DevSecOps in the USA
$119k-$160k
$115k-$171k
$90k-$100k
CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik.
THANKS! Do you have any questions?

DEVSECOPS.pptx
