© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES
Five Principles For Securing DevOps
Colin Domoney
Senior Principal Transformation Consultant
CA Technologies
Colin Domoney
• Senior Principal Transformation Consultant
• Offering coaching, collaboration and technical solutions to organizations that need an impactful transformation to advance DevOps with optimised flow and security
• At the forefront of CA Veracode’s product and innovation strategy, particularly in helping ensure the challenges of DevOps are met
• Led a large-scale application security program in a multinational investment bank, where he was responsible for the deployment and operation of the Veracode service. Over 1,000 applications were assessed and remediated in a few years using very limited human resources.
colin.domoney@ca.com
@colindomoney
Defining DevOps
“DevOps is a cultural and professional movement, focused on how we build and operate high velocity organizations, born from the experiences of its practitioners.”
- Nathan Harvey (Chef)
The ‘Three Ways’ of DevOps
The DevOps Difference
DevOps, a new model for software development, is transforming the way the world creates software. Despite its substantial organizational, cultural and technological requirements, this new way of organizing development and IT operations work is spreading rapidly.
DevOps is built on Agile
“Shift Left”: Securing DevOps
• Goal: Minimize organization risk without slowing down development
• Changing how security operates within an organization
Five Principles for Integrating Security into DevOps
1. Automate Security In
2. Integrate to “Fail Quickly”
3. No false alarms
4. Build security champions
5. Keep operational visibility
Principle #1: Automate Security In
• Automate from Day 1
• Integrate into common development tools
– IDE
– Build Systems
– Bug Tracking
– GRC
• Leverage comprehensive APIs
• Integrate testing results within development backlogs
Principle #2: Integrate to Fail Quickly
• Education that delivers cost savings
– Inform development early
• Two-phased approach
– Consistent frequency (part of pipeline)
– Development being proactive (testing outside of the pipeline)
• AppSec must be a partnership
– Security defines the acceptable security quality level
– Developers implement continuous testing to address issues as they appear
Both failures (in Development and in Operations) create notifications within the backlog
Principle #3: No False Alarms
• Too many false positives will frustrate development and security
• Technology will end up being ignored
• Action-oriented and accurate findings are important
• In CI/CD a failure may cause the entire pipeline to stop
• Delays could yield lost revenue for the whole organization
• Need to provide maximum coverage for finding critical flaws while tuning out the noise of low-level issues
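Principles #2 and #3 together describe a pipeline gate: break the build quickly on findings that matter, push the rest to the backlog, and keep known noise from stopping the pipeline. The following is an added example of such a gate, not code from the slides or from CA Veracode. The finding format, severity names, policy thresholds and the reviewed false-positive baseline (with an expiry date, so a suppression is re-examined rather than silenced forever) are all constructed for the example.

```python
"""Severity-gated pipeline check with a reviewed false-positive baseline.

Added example, not from the slide deck or from any vendor tool. The finding
format, the policy values and the baseline entries are constructed here.
"""
import json
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Policy:
    fail_at: str = "high"       # minimum severity that breaks the build
    backlog_at: str = "medium"  # minimum severity that becomes a backlog ticket
    today: date = date(2017, 6, 1)  # fixed for reproducibility; use date.today() in a real gate


def finding_key(f):
    """Stable identity so a baseline entry survives line-number shifts."""
    return (f["rule"], f["file"], f.get("fingerprint", ""))


def load_baseline(text, today):
    """Parse reviewed false positives; an entry past its 'expires' date no longer suppresses."""
    active = {}
    for entry in json.loads(text):
        if date.fromisoformat(entry["expires"]) < today:
            continue  # expired review: the finding must be looked at again
        active[(entry["rule"], entry["file"], entry.get("fingerprint", ""))] = entry["reason"]
    return active


def evaluate(findings, policy, baseline):
    """Split findings into blocking, backlog and suppressed; the gate passes only with no blockers."""
    blocking, backlog, suppressed = [], [], []
    for f in findings:
        key = finding_key(f)
        if key in baseline:
            suppressed.append({**f, "reason": baseline[key]})
            continue
        rank = SEVERITY_RANK[f["severity"].lower()]
        if rank >= SEVERITY_RANK[policy.fail_at]:
            blocking.append(f)
        elif rank >= SEVERITY_RANK[policy.backlog_at]:
            backlog.append(f)
        # anything below backlog_at is treated as noise and does not stop the pipeline
    return {"passed": not blocking, "blocking": blocking, "backlog": backlog, "suppressed": suppressed}


# Constructed sample scanner output: three real findings plus one known false positive.
SAMPLE_FINDINGS = [
    {"rule": "sql-injection", "severity": "High", "file": "app/orders.py", "fingerprint": "a1"},
    {"rule": "weak-hash", "severity": "Medium", "file": "app/auth.py", "fingerprint": "b2"},
    {"rule": "debug-enabled", "severity": "Low", "file": "app/settings.py", "fingerprint": "c3"},
    {"rule": "path-traversal", "severity": "High", "file": "tests/fixtures.py", "fingerprint": "d4"},
]

# Constructed baseline: a reviewed false positive in test fixtures, with a review expiry.
SAMPLE_BASELINE = json.dumps([
    {"rule": "path-traversal", "file": "tests/fixtures.py", "fingerprint": "d4",
     "reason": "test fixture, not reachable in production", "expires": "2099-01-01"}
])


def run_gate(findings=SAMPLE_FINDINGS, baseline_text=SAMPLE_BASELINE, today="2017-06-01"):
    """Evaluate the sample scan as of the given date and return the gate decision."""
    policy = Policy(today=date.fromisoformat(today))
    return evaluate(findings, policy, load_baseline(baseline_text, policy.today))


if __name__ == "__main__":
    r = run_gate()
    for f in r["blocking"]:
        print(f"BLOCK  {f['severity']:<8} {f['rule']} in {f['file']}")
    for f in r["backlog"]:
        print(f"TICKET {f['severity']:<8} {f['rule']} in {f['file']}")
    for f in r["suppressed"]:
        print(f"SKIP   {f['rule']} in {f['file']} ({f['reason']})")
    raise SystemExit(0 if r["passed"] else 1)
```

With the constructed input the gate fails on the one High finding in production code, files the Medium finding as a backlog ticket, drops the Low finding as noise, and skips the reviewed test-fixture finding; re-running the same scan after the baseline entry has expired brings that finding back as a blocker, which is the check that keeps suppressions honest.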
Principle #4: Build Security Champions
• Eyes and ears of Security
• Specialized training
– Basic security concepts
– Threat modeling
– Grooming guidelines
– Secure code review training
– Security controls
– Capture the Flag exercises
• Escalate when necessary
Principle #5: Keep Operational Visibility
• Security doesn't stop once a release candidate has made it to production
• Cultural decision to determine where to test
– Pre-production vs production
• Business may decide to bypass security checks to move faster
• Misconfigured pipelines are possible
• Runtime environments are always changing
Integrating Security Into DevOps: Questions to Ask!
CA Veracode’s Approach
DevSecOps: Uniting Development and Security
CA Veracode Platform: Security Throughout the SDLC
(Diagram: pipeline stages Code, Commit, Build, Test, Release, Deploy, Operate, with the products below laid across those stages)
• CA Veracode Greenlight
• CA Veracode Static Analysis
• CA Veracode Web Application Scanning
• CA Veracode Runtime Protection
• CA Veracode Software Composition Analysis
• CA Veracode Integrations, APIs
• CA Veracode eLearning
Integration points (Development Integration, Security Assurance, Operational Security): IDEs, Code Repositories, Bug Tracking, Build and Deploy Systems, GRCs, SIEMs, WAFs
Veracode Program Management and Services

Embrace DevSecOps and Enjoy a Significant Competitive Advantage!
