Manuel Pistner, profile picture
Uploaded byManuel Pistner
PDF, PPTX788 views

How to automate your DevSecOps successfully

This document discusses how to automate DevSecOps successfully. It outlines what DevSecOps is and how modern applications are built using many software components and libraries. This complexity increases risks from vulnerabilities in dependencies. The document recommends automating security practices like monitoring for vulnerabilities, updating dependencies continuously, and deploying updates immediately to "race the hacker." It advocates learning from hackers by automating everything to eliminate human errors. Specific automation approaches discussed include using containers and infrastructure as code, continuous integration/delivery pipelines, and monitoring tools to track open source updates and vulnerabilities. The goal is to fully automate the update and deployment process so that any new vulnerabilities can be addressed instantly regardless of available resources.

Embed presentation

Download as PDF, PPTX
How to automate your DevSecOps successfully
Manuel Pistner Hi everybody, nice to see you here! Founder & CEO of Bright Solutions Computer Sience at TU Darmstadt Grew up with Open Source Automation Enthusiast
What are DevSecOps? Static state Continuous process, including code & infrastructure security Culture + Practice + Tools + Automation
Agility & Security Speed & Stability + Continuous Security build test release monitorplan security customer developer
How modern apps are built library 2 library 1 library 3
The challange 1. software components increase complexity librar 1
The challange 2. Hackers are fast (they hack while you sleep)
The common goal Build & deliver security accross all components as a service. With speed & at scale.
Principle Nr. 1 Learn from hackers
Principle Nr. 1 Learn from hackers Automate everything Race the hacker! Get rid of human failure Make security independend of available resources
Basis for automation Build a continuous delivery pipeline For your application Use a code repository (GIT) CI (Travis CI, Circle CI, Jenkins...) Automate code tests for stability Automate penetration tests
Basis for automation For infrastructure Use containers Use scalable & secure Cloud systems Infrastructure as code
Update continuously Open Source Libraries need continuous updates Know your libraries (use package managers) Monitor security vulnerabilities Update continuously
Worst Case Scenario 0-day exploits Update all your projects, test & deploy in 0 time Only possible with automation
Is Open Source a risk? It's more secure than closed source: More people watch over the code The problem: vulnerabilities are announced in public The solution: Do your homework & update!
2. Manage new depen- dencies of updates The update process 3. Monitor vulnerabilities of your app stack 1. Monitor dependency updates 4. Manage the patches 6. Manage quality 7. Inform "stakeholders" & manual testers 8. Update package manager files 5. Commit code to GIT! 9. Deploy
Let's visualize it
Then...
Study of 80 Software-Development companies Status Quo 97,2 % 73,6 % 66,6 %
Study of 80 Software-Development companies Status Quo 58,3 % 16,7 % 18,1 %
Study of 80 Software-Development companies Status Quo 61,1 % 73,6 %
Scaring result 43% deploy & test updates manually - AND they think this process is slow 43 %
Keep track of open source updates Package managers only inform about updates You need to know your vulnerabilities ! There are different vulnDBs Versioneye as service or open source tool (https://github.com/versioneye/versioneye-security)
Other monitoring tools
Main Subject Enable ANYBODY (even your bots) to update your dependencies Integrate with your tools & workflows Make the update process independend from available resources Increase velocity Decrease fragility
The vision of the study QA Workflow integration (manual & automated tests) Tool integration (task/ ticket management, test automation) GIT integration & automated committing of new versions Auto deployment of new updates for vulnerable libraries Respect open source policies & licences Find a toolset / method to build a fully automated update delivery pipeline which makes the use of open source more secure
The vision of the study QA process hosting platform
Share your use case contact me at pistner@brightsolutions.de

More Related Content

PPTX
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PPTX
DevSecOps Days SF at RSA Conference 2018
byDevSecOps Days
 
PDF
RSAC DevSecOpsDays 2018 - We are all Equifax
bySonatype
 
PDF
PIACERE - DevSecOps Automated
byPIACERE
 
PPTX
DevSecOps reference architectures 2018
bySonatype
 
PDF
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
byHui (Henry) Chen
 
PPTX
DevSecOps : an Introduction
byPrashanth B. P.
 
PPTX
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
byMohamed Nizzad
 
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DevSecOps Days SF at RSA Conference 2018
byDevSecOps Days
 
RSAC DevSecOpsDays 2018 - We are all Equifax
bySonatype
 
PIACERE - DevSecOps Automated
byPIACERE
 
DevSecOps reference architectures 2018
bySonatype
 
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
byHui (Henry) Chen
 
DevSecOps : an Introduction
byPrashanth B. P.
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
byMohamed Nizzad
 

What's hot

PDF
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
bySecureSoftwareDevOn SecureSoftwareDevOn
 
PDF
Introduction to DevSecOps
bySetu Parimi
 
PDF
DevSecCon London 2018: Open DevSecOps
byDevSecCon
 
PDF
Zero to Ninety in Securing DevOps
byDevSecOps Days
 
PDF
Dos and Don'ts of DevSecOps
byPriyanka Aash
 
PDF
Microsoft DevOps Forum 2021 – DevOps & Security
byNico Meisenzahl
 
PPTX
DevSecOps
byJoel Divekar
 
PDF
Dev secops. Real experience.
byVitaly Balashov
 
PDF
Application Security at DevOps Speed - DevOpsDays Singapore 2016
byStefan Streichsbier
 
PDF
DevSecOps The Evolution of DevOps
byMichael Man
 
PDF
Automating Security Compliance on AWS with DevSecOps
byTushar Gupta
 
PDF
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
byWhiteSource
 
PDF
The Challenges of Scaling DevSecOps
byWhiteSource
 
PDF
DevSecOps: A New Hope for Security in CI/CD
byFranklin Mosley
 
PPTX
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
byDevOps Indonesia
 
PDF
DevOps or DevSecOps
byMichelangelo van Dam
 
PDF
8 Tips for Deploying DevSecOps
byFelicia Haggarty
 
PDF
DevOps & DevSecOps in Swiss Banking
byAarno Aukia
 
PDF
The New Security Playbook: DevSecOps
byJames Wickett
 
PDF
Talk DevSecOps to me
byMichelle Ribeiro
 
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
bySecureSoftwareDevOn SecureSoftwareDevOn
 
Introduction to DevSecOps
bySetu Parimi
 
DevSecCon London 2018: Open DevSecOps
byDevSecCon
 
Zero to Ninety in Securing DevOps
byDevSecOps Days
 
Dos and Don'ts of DevSecOps
byPriyanka Aash
 
Microsoft DevOps Forum 2021 – DevOps & Security
byNico Meisenzahl
 
DevSecOps
byJoel Divekar
 
Dev secops. Real experience.
byVitaly Balashov
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
byStefan Streichsbier
 
DevSecOps The Evolution of DevOps
byMichael Man
 
Automating Security Compliance on AWS with DevSecOps
byTushar Gupta
 
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
byWhiteSource
 
The Challenges of Scaling DevSecOps
byWhiteSource
 
DevSecOps: A New Hope for Security in CI/CD
byFranklin Mosley
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
byDevOps Indonesia
 
DevOps or DevSecOps
byMichelangelo van Dam
 
8 Tips for Deploying DevSecOps
byFelicia Haggarty
 
DevOps & DevSecOps in Swiss Banking
byAarno Aukia
 
The New Security Playbook: DevSecOps
byJames Wickett
 
Talk DevSecOps to me
byMichelle Ribeiro
 

Similar to How to automate your DevSecOps successfully

PDF
All Things Open 2022 - State of OSS Security & Support
byJavier Perez
 
PPTX
Software Security Assurance for Devops
byJerika Phelps
 
PPTX
Software Security Assurance for DevOps
byBlack Duck by Synopsys
 
PPTX
DevSecOps and Drupal: Securing your applications in a modern IT landscape
byWill Hall
 
PDF
Building Blocks of Secure Development: How to Make Open Source Work for You
bySBWebinars
 
PPTX
L'impatto della sicurezza su DevOps
byGiulio Vian
 
PPTX
September 13, 2016: Security in the Age of Open Source:
byBlack Duck by Synopsys
 
PDF
Fire alarms vs. Fire hoses: Keeping up with Dependencies
byWhiteSource
 
PDF
The DevSecOps Builder’s Guide to the CI/CD Pipeline
byJames Wickett
 
PPTX
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
byWhiteSource
 
PPTX
Software rotting - DevOpsCon Berlin
byGiulio Vian
 
PPTX
Open Source Security - It can be done easily.
byFlexera
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
PDF
Winning open source vulnerabilities without loosing your deveopers - Azure De...
byWhiteSource
 
ODP
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
byMatt Tesauro
 
PDF
Software Security Assurance for DevOps
byBlack Duck by Synopsys
 
PDF
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
PPTX
Open Source Insight: Balancing Agility and Open Source Security for DevOps
byBlack Duck by Synopsys
 
PPTX
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
byErkang Zheng
 
PDF
Donu’t Let Vulnerabilities Create a Hole in Your Organization
byDevOps.com
 
All Things Open 2022 - State of OSS Security & Support
byJavier Perez
 
Software Security Assurance for Devops
byJerika Phelps
 
Software Security Assurance for DevOps
byBlack Duck by Synopsys
 
DevSecOps and Drupal: Securing your applications in a modern IT landscape
byWill Hall
 
Building Blocks of Secure Development: How to Make Open Source Work for You
bySBWebinars
 
L'impatto della sicurezza su DevOps
byGiulio Vian
 
September 13, 2016: Security in the Age of Open Source:
byBlack Duck by Synopsys
 
Fire alarms vs. Fire hoses: Keeping up with Dependencies
byWhiteSource
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
byJames Wickett
 
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
byWhiteSource
 
Software rotting - DevOpsCon Berlin
byGiulio Vian
 
Open Source Security - It can be done easily.
byFlexera
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
Winning open source vulnerabilities without loosing your deveopers - Azure De...
byWhiteSource
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
byMatt Tesauro
 
Software Security Assurance for DevOps
byBlack Duck by Synopsys
 
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
Open Source Insight: Balancing Agility and Open Source Security for DevOps
byBlack Duck by Synopsys
 
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
byErkang Zheng
 
Donu’t Let Vulnerabilities Create a Hole in Your Organization
byDevOps.com
 

More from Manuel Pistner

PDF
So skalieren Agenturen erfolgreich
byManuel Pistner
 
PDF
Building Drupal sites that content authors love
byManuel Pistner
 
PDF
Marketing automation with Drupal
byManuel Pistner
 
PDF
Drupal security best practices
byManuel Pistner
 
PDF
Drupal security - There is a mini Drupalgeddon every week & how to survive it
byManuel Pistner
 
PDF
Enterpriseintegration mit Drupal und SAP
byManuel Pistner
 
PDF
KonM 40 digital - Der schlanke Weg zur Digitalen Transformation
byManuel Pistner
 
PDF
Digitale Innovation und neue Geschäftsmodelle
byManuel Pistner
 
PPTX
Recurring revenue for drupal shops
byManuel Pistner
 
ODP
Drupal business applications
byManuel Pistner
 
ODP
Working in distributed remote teams
byManuel Pistner
 
PDF
Cyber physische Produktion von CNC Fräsprodukten
byManuel Pistner
 
PDF
Drupal integration best practises
byManuel Pistner
 
PDF
Open source business apps
byManuel Pistner
 
PDF
Wie Web und Mobile-Technologien Service- und Vertriebsprozesse optimieren
byManuel Pistner
 
PDF
Cross enterprise CMS integration
byManuel Pistner
 
ODP
ERPAL for Service Providers - Vortrag TIZ
byManuel Pistner
 
PDF
Online Konstruktion von 2D CNC Fräsprodukten
byManuel Pistner
 
ODP
Erpal Platform - Preview of the Drupal business application framework
byManuel Pistner
 
PPTX
Drupal cross enterprise integration on an example of Sharepoint
byManuel Pistner
 
So skalieren Agenturen erfolgreich
byManuel Pistner
 
Building Drupal sites that content authors love
byManuel Pistner
 
Marketing automation with Drupal
byManuel Pistner
 
Drupal security best practices
byManuel Pistner
 
Drupal security - There is a mini Drupalgeddon every week & how to survive it
byManuel Pistner
 
Enterpriseintegration mit Drupal und SAP
byManuel Pistner
 
KonM 40 digital - Der schlanke Weg zur Digitalen Transformation
byManuel Pistner
 
Digitale Innovation und neue Geschäftsmodelle
byManuel Pistner
 
Recurring revenue for drupal shops
byManuel Pistner
 
Drupal business applications
byManuel Pistner
 
Working in distributed remote teams
byManuel Pistner
 
Cyber physische Produktion von CNC Fräsprodukten
byManuel Pistner
 
Drupal integration best practises
byManuel Pistner
 
Open source business apps
byManuel Pistner
 
Wie Web und Mobile-Technologien Service- und Vertriebsprozesse optimieren
byManuel Pistner
 
Cross enterprise CMS integration
byManuel Pistner
 
ERPAL for Service Providers - Vortrag TIZ
byManuel Pistner
 
Online Konstruktion von 2D CNC Fräsprodukten
byManuel Pistner
 
Erpal Platform - Preview of the Drupal business application framework
byManuel Pistner
 
Drupal cross enterprise integration on an example of Sharepoint
byManuel Pistner
 

Recently uploaded

PDF
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
PPTX
Device Repair and Maintenance Management
byAxisTechnolabs
 
PDF
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
PPTX
SAP S4 HANA Conversion and Migration .pptx
bysabeenakouser
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PDF
Azure DevOps Services: Complete Guide to DevOps Tools, Automation & End-to-En...
byjohncarterjn
 
PDF
Animated Safety Induction: A Smarter Way to Onboard for Workplace Safety
byTECH EHS Solution
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
PDF
Ultimate Guide to CMMS An In-Depth Analysis - Zapium
byhello208828
 
PDF
apidays Amsterdam 2025 | APIs with a Purpose
byapidays
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
PDF
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
PDF
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
PDF
apidays Australia 2025 | Build Your First MCP Server with Postman Flows
byapidays
 
PDF
Massage Booking App Development Company
byV3CUBE TECHNOLABS
 
PDF
Project Tracking in Software Project Management
bySahanaBarveen1
 
PPTX
2025 S/4HANA Cloud Release Upgrade Overview.pptx
byssuser835a7b
 
PPTX
HR Software for Construction: Smarter Workforce & Payroll Management
byhelixtahr
 
PDF
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
Device Repair and Maintenance Management
byAxisTechnolabs
 
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
SAP S4 HANA Conversion and Migration .pptx
bysabeenakouser
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
Azure DevOps Services: Complete Guide to DevOps Tools, Automation & End-to-En...
byjohncarterjn
 
Animated Safety Induction: A Smarter Way to Onboard for Workplace Safety
byTECH EHS Solution
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
Ultimate Guide to CMMS An In-Depth Analysis - Zapium
byhello208828
 
apidays Amsterdam 2025 | APIs with a Purpose
byapidays
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
apidays Australia 2025 | Build Your First MCP Server with Postman Flows
byapidays
 
Massage Booking App Development Company
byV3CUBE TECHNOLABS
 
Project Tracking in Software Project Management
bySahanaBarveen1
 
2025 S/4HANA Cloud Release Upgrade Overview.pptx
byssuser835a7b
 
HR Software for Construction: Smarter Workforce & Payroll Management
byhelixtahr
 
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 

How to automate your DevSecOps successfully

  • 1.
    How to automate yourDevSecOps successfully
  • 2.
    Manuel Pistner Hi everybody, niceto see you here! Founder & CEO of Bright Solutions Computer Sience at TU Darmstadt Grew up with Open Source Automation Enthusiast
  • 3.
    What are DevSecOps? Staticstate Continuous process, including code & infrastructure security Culture + Practice + Tools + Automation
  • 4.
    Agility & Security Speed& Stability + Continuous Security build test release monitorplan security customer developer
  • 5.
    How modern appsare built library 2 library 1 library 3
  • 6.
    The challange 1. softwarecomponents increase complexity librar 1
  • 7.
    The challange 2. Hackersare fast (they hack while you sleep)
  • 8.
    The common goal Build& deliver security accross all components as a service. With speed & at scale.
  • 9.
  • 10.
    Principle Nr. 1 Learnfrom hackers Automate everything Race the hacker! Get rid of human failure Make security independend of available resources
  • 11.
    Basis for automation Builda continuous delivery pipeline For your application Use a code repository (GIT) CI (Travis CI, Circle CI, Jenkins...) Automate code tests for stability Automate penetration tests
  • 12.
    Basis for automation Forinfrastructure Use containers Use scalable & secure Cloud systems Infrastructure as code
  • 13.
    Update continuously Open SourceLibraries need continuous updates Know your libraries (use package managers) Monitor security vulnerabilities Update continuously
  • 14.
    Worst Case Scenario 0-dayexploits Update all your projects, test & deploy in 0 time Only possible with automation
  • 15.
    Is Open Sourcea risk? It's more secure than closed source: More people watch over the code The problem: vulnerabilities are announced in public The solution: Do your homework & update!
  • 16.
    2. Manage newdepen- dencies of updates The update process 3. Monitor vulnerabilities of your app stack 1. Monitor dependency updates 4. Manage the patches 6. Manage quality 7. Inform "stakeholders" & manual testers 8. Update package manager files 5. Commit code to GIT! 9. Deploy
  • 17.
  • 18.
  • 19.
    Study of 80Software-Development companies Status Quo 97,2 % 73,6 % 66,6 %
  • 20.
    Study of 80Software-Development companies Status Quo 58,3 % 16,7 % 18,1 %
  • 21.
    Study of 80Software-Development companies Status Quo 61,1 % 73,6 %
  • 22.
    Scaring result 43% deploy& test updates manually - AND they think this process is slow 43 %
  • 23.
    Keep track ofopen source updates Package managers only inform about updates You need to know your vulnerabilities ! There are different vulnDBs Versioneye as service or open source tool (https://github.com/versioneye/versioneye-security)
  • 24.
  • 25.
    Main Subject Enable ANYBODY(even your bots) to update your dependencies Integrate with your tools & workflows Make the update process independend from available resources Increase velocity Decrease fragility
  • 26.
    The vision ofthe study QA Workflow integration (manual & automated tests) Tool integration (task/ ticket management, test automation) GIT integration & automated committing of new versions Auto deployment of new updates for vulnerable libraries Respect open source policies & licences Find a toolset / method to build a fully automated update delivery pipeline which makes the use of open source more secure
  • 27.
    The vision ofthe study QA process hosting platform
  • 28.
    Share your usecase contact me at pistner@brightsolutions.de