How to automate your DevSecOps successfully
Manuel Pistner
Hi everybody, nice to see you here!
Founder & CEO of Bright Solutions
Computer Science at TU Darmstadt
Grew up with Open Source
Automation Enthusiast
What is DevSecOps?
Not a static state, but a continuous process,
including code & infrastructure security
Culture + Practice + Tools + Automation
Agility & Security
Speed & Stability + Continuous Security
[Diagram: DevOps loop of plan, build, test, release and monitor, with security alongside developer and customer]
How modern apps are built
[Diagram: an application assembled from library 1, library 2 and library 3]
The challenge
1. Software components increase complexity
The challenge
2. Hackers are fast (they hack while you sleep)
The common goal
Build & deliver security across all components as a service.
With speed & at scale.
Principle Nr. 1
Learn from hackers
Automate everything
Race the hacker!
Get rid of human failure
Make security independent of available resources
Basis for automation
Build a continuous delivery pipeline
For your application
Use a code repository (GIT)
CI (Travis CI, Circle CI, Jenkins...)
Automate code tests for stability
Automate penetration tests
Basis for automation
For infrastructure
Use containers
Use scalable & secure Cloud systems
Infrastructure as code
Update continuously
Open Source Libraries need
continuous updates
Know your libraries (use package managers)
Monitor security vulnerabilities
Update continuously
Worst Case Scenario
0-day exploits
Update all your projects, test & deploy in 0 time
Only possible with automation
Is Open Source a risk?
It's more secure than closed source:
More people watch over the code
The problem: vulnerabilities are announced in public
The solution: Do your homework & update!
The update process
1. Monitor dependency updates
2. Manage new dependencies of updates
3. Monitor vulnerabilities of your app stack
4. Manage the patches
5. Commit code to GIT!
6. Manage quality
7. Inform "stakeholders" & manual testers
8. Update package manager files
9. Deploy
Let's visualize it
Then...
Study of 80 software development companies: status quo
[Chart: 97,2 % / 73,6 % / 66,6 %]
[Chart: 58,3 % / 16,7 % / 18,1 %]
[Chart: 61,1 % / 73,6 %]
Scary result
43 % deploy & test updates manually, AND they think this process is slow
Keep track of open source updates
Package managers only inform about updates
You need to know your vulnerabilities!
There are different vulnDBs
Versioneye as service or open source tool
(https://github.com/versioneye/versioneye-security)
Other monitoring tools
Main Subject
Enable ANYBODY (even your bots) to update your dependencies
Integrate with your tools & workflows
Make the update process independent from available resources
Increase velocity
Decrease fragility
The vision of the study
QA Workflow integration (manual & automated tests)
Tool integration
(task/ ticket management, test automation)
GIT integration & automated committing of new versions
Auto deployment of new updates for vulnerable libraries
Respect open source policies & licences
Find a toolset / method to build a fully automated update delivery pipeline which makes the use of open source more secure
The vision of the study
[Diagram: QA process, hosting platform]
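Steps 1 to 9 of the update process and the "vision of the study" list describe one pipeline: take a vulnerable pin, check what the new version drags in, bump the manifest, run the quality gate, then either commit or tell a human. The Python below is an added example, not the speaker's or any named tool's code, showing those gates end to end. The manifest, the licence metadata (including a new transitive dependency with a licence outside the allow-list), the advisory ids and the run_tests callable are constructed so the example runs offline; a real pipeline would install the bumped manifest and run the project's own test suite at that point.

```python
"""Stage a security update through policy and quality gates before commit.

Added example for this talk, not the speaker's tooling.  The manifest, the
licence metadata and the test runner are constructed so that the example
runs offline; a real pipeline would install the bumped manifest and run
the project's tests.
"""
import re
from dataclasses import dataclass, field

# Constructed manifest. 'acme-http-auth' must stay untouched when 'acme-http'
# is bumped, which is why the rewrite below anchors on the whole line.
MANIFEST = """\
acme-http==2.20.1
acme-http-auth==1.0.0
acme-yaml==5.3
"""

# Constructed licence metadata for the target versions and for any dependency
# a new version pulls in (step 2 of the slide: manage new dependencies).
LICENSES = {
    ("acme-http", "2.31.0"): "MIT",
    ("acme-compress", "0.9.0"): "GPL-3.0-only",   # new transitive dependency
    ("acme-yaml", "5.4"): "Apache-2.0",
}
NEW_TRANSITIVE = {("acme-http", "2.31.0"): [("acme-compress", "0.9.0")]}
ALLOWED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}   # constructed policy


@dataclass(frozen=True)
class Update:
    """One proposed bump, as a vulnerability monitor would emit it."""
    package: str
    current: str
    target: str
    advisory: str


@dataclass
class Plan:
    manifest: str
    applied: list = field(default_factory=list)
    blocked: dict = field(default_factory=dict)          # package -> reason
    notifications: list = field(default_factory=list)   # for humans (step 7)

    @property
    def commit_message(self):
        """Commit text for the applied bumps (step 5), or None if nothing to commit."""
        if not self.applied:
            return None
        body = "\n".join(f"- {u.package} {u.current} -> {u.target} ({u.advisory})"
                         for u in self.applied)
        return "chore(deps): update vulnerable libraries\n\n" + body


def licence_violations(update):
    """(dependency, version, licence) for the target and its new transitive
    dependencies whose licence is outside the allow-list."""
    candidates = [(update.package, update.target)]
    candidates += NEW_TRANSITIVE.get((update.package, update.target), [])
    return [(dep, ver, LICENSES.get((dep, ver), "UNKNOWN"))
            for dep, ver in candidates
            if LICENSES.get((dep, ver), "UNKNOWN") not in ALLOWED_LICENSES]


def bump_pin(manifest, package, current, target):
    """Rewrite exactly one 'package==current' line (step 8)."""
    pattern = re.compile(rf"^{re.escape(package)}=={re.escape(current)}$", re.MULTILINE)
    new_text, count = pattern.subn(f"{package}=={target}", manifest)
    if count != 1:
        raise ValueError(f"expected one pin for {package}=={current}, found {count}")
    return new_text


def plan_updates(manifest, updates, run_tests):
    """Apply policy-compliant bumps, run the quality gate (step 6), and
    either return a committable plan or roll back and notify (step 7)."""
    plan = Plan(manifest=manifest)
    for update in updates:
        violations = licence_violations(update)
        if violations:
            plan.blocked[update.package] = "licence policy: " + ", ".join(
                f"{dep} {ver} ({lic})" for dep, ver, lic in violations)
            continue
        plan.manifest = bump_pin(plan.manifest, update.package, update.current, update.target)
        plan.applied.append(update)
    if plan.applied and not run_tests(plan.manifest):
        names = ", ".join(u.package for u in plan.applied)
        plan.notifications.append(f"tests failed after bumping {names}; manual review needed")
        plan.manifest = manifest          # roll back; nothing is committed
        plan.applied = []
    for package, reason in plan.blocked.items():
        plan.notifications.append(f"{package} not updated ({reason})")
    return plan


if __name__ == "__main__":
    proposed = [
        Update("acme-http", "2.20.1", "2.31.0", "ADV-SAMPLE-001"),
        Update("acme-yaml", "5.3", "5.4", "ADV-SAMPLE-002"),
    ]
    result = plan_updates(MANIFEST, proposed, run_tests=lambda manifest: True)
    print(result.manifest)
    print(result.commit_message)
    print("\n".join(result.notifications))
```

The rewrite is anchored on the whole line so that bumping acme-http leaves acme-http-auth alone, and a failed test run rolls the manifest back instead of leaving a half-applied update for someone to commit by accident.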
Share your use case
contact me at
pistner@brightsolutions.de

Going AOT: Everything you need to know about GraalVM for Java applications
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
 
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in NashikUpturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in Nashik
 
Orca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container OrchestrationOrca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container Orchestration
 
Building API data products on top of your real-time data infrastructure
Building API data products on top of your real-time data infrastructureBuilding API data products on top of your real-time data infrastructure
Building API data products on top of your real-time data infrastructure
 
Transforming Product Development using OnePlan To Boost Efficiency and Innova...
Transforming Product Development using OnePlan To Boost Efficiency and Innova...Transforming Product Development using OnePlan To Boost Efficiency and Innova...
Transforming Product Development using OnePlan To Boost Efficiency and Innova...
 
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom KittEnhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
 
Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...
 

How to automate your DevSecOps successfully

  • 1. How to automate your DevSecOps successfully
  • 2. Manuel Pistner Hi everybody, nice to see you here! Founder & CEO of Bright Solutions. Computer Science at TU Darmstadt. Grew up with Open Source. Automation Enthusiast.
  • 3. What are DevSecOps? Static state Continuous process, including code & infrastructure security Culture + Practice + Tools + Automation
  • 4. Agility & Security: Speed & Stability + Continuous Security (cycle: plan, build, test, release, monitor, security; between developer and customer)
  • 5. How modern apps are built (diagram: the app is assembled from library 1, library 2, library 3)
  • 6. The challenge 1. Software components increase complexity
  • 7. The challenge 2. Hackers are fast (they hack while you sleep)
  • 8. The common goal: Build & deliver security across all components as a service. With speed & at scale.
  • 9. Principle Nr. 1 Learn from hackers
  • 10. Principle Nr. 1 Learn from hackers: Automate everything. Race the hacker! Get rid of human failure. Make security independent of available resources.
  • 11. Basis for automation Build a continuous delivery pipeline For your application Use a code repository (GIT) CI (Travis CI, Circle CI, Jenkins...) Automate code tests for stability Automate penetration tests
  • 12. Basis for automation For infrastructure Use containers Use scalable & secure Cloud systems Infrastructure as code
  • 13. Update continuously Open Source Libraries need continuous updates Know your libraries (use package managers) Monitor security vulnerabilities Update continuously
  • 14. Worst Case Scenario: 0-day exploits. Update all your projects, test & deploy in zero time. Only possible with automation.
  • 15. Is Open Source a risk? It's more secure than closed source: More people watch over the code The problem: vulnerabilities are announced in public The solution: Do your homework & update!
  • 16. The update process: 1. Monitor dependency updates 2. Manage new dependencies of updates 3. Monitor vulnerabilities of your app stack 4. Manage the patches 5. Commit code to GIT! 6. Manage quality 7. Inform "stakeholders" & manual testers 8. Update package manager files 9. Deploy
  • 19. Status Quo: study of 80 software-development companies (chart; values shown without their labels: 97.2 %, 73.6 %, 66.6 %)
  • 20. Status Quo: study of 80 software-development companies (chart; values shown without their labels: 58.3 %, 16.7 %, 18.1 %)
  • 21. Status Quo: study of 80 software-development companies (chart; values shown without their labels: 61.1 %, 73.6 %)
  • 22. Scary result: 43 % deploy & test updates manually, AND they think this process is slow.
  • 23. Keep track of open source updates: package managers only inform about updates. You need to know your vulnerabilities! There are different vulnerability DBs. VersionEye as a service or as an open source tool (https://github.com/versioneye/versioneye-security)
  • 25. Main Subject: Enable ANYBODY (even your bots) to update your dependencies. Integrate with your tools & workflows. Make the update process independent from available resources. Increase velocity. Decrease fragility.
  • 26. The vision of the study: QA workflow integration (manual & automated tests). Tool integration (task/ticket management, test automation). GIT integration & automated committing of new versions. Auto deployment of new updates for vulnerable libraries. Respect open source policies & licences. Find a toolset / method to build a fully automated update delivery pipeline which makes the use of open source more secure.
  • 27. The vision of the study (diagram: QA process, hosting platform)
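The update process of slide 16, the "package managers only inform about updates, you need to know your vulnerabilities" point of slide 23 and the licence-aware automated pipeline of slide 26, put together as one added Python example written for this page (it is not code from the deck, from VersionEye or from Bright Solutions). The lockfile, the package index, the licences and the vulnerability IDs EX-0001 to EX-0004 are constructed for the example; the version comparison handles plain dotted numbers only, where a real pipeline would use semver or PEP 440.

```python
"""Security-aware dependency update planner: an added example written for
this page, not code from the deck, VersionEye or Bright Solutions. All
packages, versions, licences and vulnerability IDs (EX-000x) are constructed."""
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    # Plain dotted numbers only; real package managers need semver or PEP 440.
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)


# Constructed vulnerability feed: the information a package manager alone does not give you.
VULN_DB = [
    Vuln("EX-0001", "yaml-parser", "1.0.0", "1.4.2"),
    Vuln("EX-0002", "yaml-parser", "1.4.0", "1.5.0"),
    Vuln("EX-0003", "http-client", "2.0.0", "2.3.1"),
    Vuln("EX-0004", "image-lib", "0.0.0", "0.6.0"),
]

# Constructed package index: released versions and their licences.
INDEX = {
    "yaml-parser": {"1.3.0": "MIT", "1.4.2": "MIT", "1.5.0": "MIT", "1.6.0": "GPL-3.0-only"},
    "http-client": {"2.2.0": "Apache-2.0", "2.3.1": "Apache-2.0"},
    "logger": {"0.9.0": "BSD-3-Clause", "1.0.0": "BSD-3-Clause", "1.1.0": "BSD-3-Clause"},
    "image-lib": {"0.5.0": "MIT", "0.6.0": "GPL-3.0-only"},
}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}  # the project's open source policy


def parse_lockfile(text: str) -> dict:
    """'name==version' lines, as a pinned requirements file contains them."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, version = line.split("==")
            deps[name] = version
    return deps


def vulns_for(package: str, version: str) -> list:
    v = parse_version(version)
    return [x.vuln_id for x in VULN_DB if x.package == package
            and parse_version(x.introduced) <= v < parse_version(x.fixed)]


def acceptable_versions(package: str, current: str) -> list:
    """Newer releases that respect the licence policy and have no known vulnerability, ascending."""
    cur = parse_version(current)
    return [v for v in sorted(INDEX.get(package, {}), key=parse_version)
            if parse_version(v) > cur
            and INDEX[package][v] in ALLOWED_LICENSES
            and not vulns_for(package, v)]


@dataclass
class Update:
    package: str
    current: str
    target: str
    reason: str  # "security", "routine" or "unfixable"
    vuln_ids: list = field(default_factory=list)


def plan_updates(lockfile_text: str) -> list:
    """Steps 1-4 of the update process: monitor updates and vulnerabilities, choose the patches."""
    plan = []
    for package, current in parse_lockfile(lockfile_text).items():
        found = vulns_for(package, current)
        candidates = acceptable_versions(package, current)
        if found and candidates:
            # Smallest clean version: closes the issue with the least change to test.
            plan.append(Update(package, current, candidates[0], "security", found))
        elif found:
            # Vulnerable and no acceptable fix: surface it, never silently keep the pin.
            plan.append(Update(package, current, current, "unfixable", found))
        elif candidates:
            plan.append(Update(package, current, candidates[-1], "routine"))
    return plan


def apply_plan(lockfile_text: str, plan: list) -> str:
    """Step 8: rewrite the package manager file with the chosen versions."""
    targets = {u.package: u.target for u in plan if u.reason != "unfixable"}
    return "".join(f"{name}=={targets.get(name, version)}\n"
                   for name, version in parse_lockfile(lockfile_text).items())


def commit_message(plan: list) -> str:
    """Steps 5 and 7: the commit text that also tells stakeholders what changed and why."""
    lines = ["chore(deps): automated dependency update", ""]
    for u in plan:
        ids = f" ({', '.join(u.vuln_ids)})" if u.vuln_ids else ""
        lines.append(f"- {u.package}: {u.current} -> {u.target} [{u.reason}]{ids}")
    return "\n".join(lines)


# Constructed lockfile of one project.
LOCKFILE = "yaml-parser==1.4.0\nhttp-client==2.2.0\nlogger==1.0.0\n"

if __name__ == "__main__":
    plan = plan_updates(LOCKFILE)
    print(commit_message(plan))
    print(apply_plan(LOCKFILE, plan), end="")
```

Two details are the point of the example. For yaml-parser the version that fixes EX-0001 (1.4.2) still lies inside the range of EX-0002, and 1.6.0 is blocked by the licence policy, so the planner lands on 1.5.0; a script that only follows "update available" from the package manager would not get this right. A dependency that is vulnerable but has no acceptable fix is reported as "unfixable" rather than being left out, so the pipeline fails loudly instead of quietly keeping the pin. Running plan_updates over every project's lockfile in a loop is the "update all your projects in zero time" case of slide 14.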
  • 28. Share your use case contact me at pistner@brightsolutions.de