As DevOps continues to advance and agile development continues to be widely adopted, the latest OWASP Top 10 list shows little to no movement at the top in terms of the most serious vulnerabilities affecting web applications. With a plethora of tools and information available to help reduce application vulnerabilities and raise security awareness in development teams, why do we still see web applications as a significant attack vector?
This document summarizes ABN AMRO's DevSecOps journey and initiatives. It discusses their implementation of continuous integration and delivery pipelines to improve software quality, reduce lead times, and increase developer productivity. It also covers their work to incorporate security practices like open source software management, container security, and credentials management into the development lifecycle through techniques like dependency scanning, security profiling, and a centralized secrets store. The presentation provides status updates on these efforts and outlines next steps to further mature ABN AMRO's DevSecOps capabilities.
DevSecOps is a very loaded term that includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes in CI and CD. DevSecOps goes beyond automating security testing, and there are common misconceptions and roadblocks in how you can establish it successfully.
Learning Objectives:
1: Identify key principles of DevSecOps and see how it relates to DevOps principles.
2: Analyze common pitfalls and see where security integration fits into DevSecOps.
3: Demonstrate how to do “Continuous Security” by using a lifecycle approach.
(Source: RSA Conference USA 2018)
Secure your Azure and DevOps in a smart way (Eficode)
Victoria Almazova, Cloud Security Architect, Microsoft
Azure provides a set of security and governance controls to ensure that your environment is secure and compliant. Learn how to implement security at the subscription level, develop your applications securely, deploy securely, periodically scan production for compliance and security, and get a single security dashboard.
Delivered at DevSecOps Days 2018, RSA Conference
About J. Wolfgang Goerlich
CBI (Creative Breakthroughs, Inc.)
Cyber Security Strategist
J. Wolfgang Goerlich provides strategic guidance for securing development and DevOps programs in the healthcare, education, financial services, and energy industries. He is currently with CBI, a cyber security consultancy, as the VP for strategic security programs. Wolfgang also leads the CBI Academy teams, providing mentoring and coaching to junior-level talent. Prior roles included VP for a managed security services provider, VP for an IT firm specializing in high-speed, high-security networks, and IT security officer and manager for a financial services firm. He is an active part of the security community, co-founding Converge Detroit and organizing the BSides Detroit conferences. Wolfgang regularly advises and presents on the topics of the secure development life cycle, DevOps, risk management, incident response, business continuity, and more.
Why Serverless is scary without DevSecOps and Observability (Eficode)
This document discusses the security challenges of serverless computing without proper DevSecOps practices and observability. It notes that serverless applications are often seen as more secure since the cloud provider manages the infrastructure, but they can still be vulnerable to events, libraries, and code issues. The document recommends implementing DevSecOps with a focus on permissions, security analysis, public scrutiny of practices, and crowdsourcing security through bug bounties and hackathons. It also stresses the importance of observability tools to monitor serverless applications and catch issues.
Implementing DevOps in a Regulated Environment - DJ Schleen (SeniorStoryteller)
The document discusses Aetna's journey towards implementing DevOps practices in a regulated environment. It describes Aetna's traditional "waterfall" development process and how it is evolving to integrate security practices into its continuous integration/delivery (CI/CD) process. This includes automating static code analysis, container vulnerability scanning, and identifying and remediating AWS security risks. The benefits of DevSecOps include more consistent security controls, reduced defects, increased security, and faster time to market. Challenges include evolving the culture across 3,500+ developers and integrating security tools in a way that provides continuous feedback.
Barriers to Container Security and How to Overcome Them (WhiteSource)
Over the past few years, more and more companies are turning to containerized environments to scale their applications.
However, keeping containers secure throughout the development life cycle presents many challenges to security and development teams. In order to address them, organizations need to adopt a new set of security processes and tools.
This session will focus on the three most vulnerable areas of container security and the best practices to help teams develop and deploy securely.
Join Jeffrey Martin, Senior Director of Product at WhiteSource, as he discusses:
The top challenges to security in containerized environments
How DevSecOps addresses security in containerized environments
Tips and tricks for successfully incorporating security into the container lifecycle
Microsoft DevOps Forum 2021 – DevOps & Security (Nico Meisenzahl)
This document discusses implementing DevSecOps practices for small teams and organizations. It begins by noting that while DevOps is widely adopted, DevSecOps practices are less well-known and implemented. It then outlines some common security issues seen at clients and provides demos of implementing quick security wins through the DevOps cycle like enabling code scanning and ensuring secure code, runtimes, and monitoring. The document advocates starting small with security and integrating practices throughout the development lifecycle.
Eight tips are provided for deploying DevSecOps:
1. Embrace automation and prepare security teams for automated integration with DevOps initiatives.
2. Enable security testing tools and processes earlier in the development process.
3. Prioritize automated tools that can quickly triage critical issues to reduce false positives.
4. Start identifying open source components and vulnerabilities in development as a high priority.
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion (SeniorStoryteller)
This document announces an upcoming webinar titled "Scaling Rugged DevOps to Thousands of Applications" on March 16th. It lists the panelists Aaron Rinehart, Tim Chase, and Surag Patel. It also provides information on how to register for the webinar, get the presentation slides, and take a DevSecOps survey.
DevOps is a software development approach that aims to shorten the systems development life cycle and provide continuous delivery with high software quality. It focuses on collaboration between development and operations teams. Key aspects of DevOps include automation of the software delivery process through tools like Docker and Jenkins, continuous integration and deployment, and monitoring of applications in production. While DevOps can improve speed and collaboration, security challenges arise from development teams prioritizing speed over security and keeping up with the fast pace of changes. Adopting DevSecOps practices like automation, clear security policies, and vulnerability management can help integrate security into the DevOps process.
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c... (Mohamed Nizzad)
This presentation outlines DevOps, DevSecOps, the characteristics of DevSecOps, DevSecOps practices, the benefits of implementing DevSecOps, implementation frameworks, and the challenges in implementing DevSecOps.
This document discusses challenges with integrating security into agile development processes and proposes solutions. It notes that traditional security approaches like threat modeling and penetration testing don't work well in agile environments with short release cycles. The document recommends automating security scans and tests to run with each code change. It also suggests integrating security findings into existing bug tracking tools to streamline remediation. The overall goal is to make security practices more agile and collaborative to improve cycle times for fixing issues.
The document summarizes Suman Sourav's presentation on application security at the OWASP Indonesia Day 2017 conference. It discusses DevSecOps which aims to shift security left in the SDLC by integrating security practices and tools into development. It also outlines people, processes, and technologies needed for a DevSecOps approach, including training developers, defining security metrics and roadmaps, and using tools that automate security testing throughout the development cycle.
Organizations enjoy the speed that DevOps brings to development and delivery. However, most security and compliance monitoring tools have not been able to keep up, becoming the most significant barrier to continuous delivery.
Now some good news: you can easily integrate security into your existing processes to solve this challenge.
In this session, Shiri Ivtsan, Senior Product Manager at WhiteSource, will discuss:
- Leveraging the DevSecOps approach to help speed up security
- Scaling security into your agile processes
- 5 easy ways to start driving DevSecOps in your organization
More organizations are adopting mature DevOps practices, with 26% having mature practices and 41% improving. Those with mature practices are more likely to automate security testing in their CI/CD pipelines. While container security is a top concern, many organizations may not have the necessary governance policies for managing open source components, which pose a growing risk of security breaches.
Andreas Prins
Vice President Product Development – XebiaLabs
Andreas Prins is Vice President of Product Development for XebiaLabs. Andreas brings real-world experience building and scaling teams to deliver mission-critical software applications. He has extensive experience as an Agile Transformation coach and as a former manager of a DevOps team. At XebiaLabs he is responsible for product development and product management, building Enterprise DevOps solutions that enable the digital transformation of their customers.
DevSecOps Singapore 2017 - Security in the Delivery Pipeline (James Wickett)
This talk is from DevSecOps Singapore, June 29th, 2017.
Continuous Delivery and Security are traveling companions if we want them to be. This talk highlights how to make that happen in three areas of the delivery pipeline.
The document discusses DevSecOps and securing the DevOps lifecycle. It begins with an introduction to DevSecOps and the need to integrate security from the beginning. It then discusses securing assets/infrastructure, securing the development process, and securing operations. This includes securing container registries, source code management, deployment, and APIs. The document provides examples of tools that can be used at different stages, such as Docker, Vault, SonarQube, ZAP, and ELK. It emphasizes that security needs to be automated and integrated into the entire DevOps pipeline from development to production.
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps (SeniorStoryteller)
This document summarizes the benefits experienced by MFS after implementing Jenkins and Nexus to help manage growth in their development organization. Some key points:
1) Jenkins and Nexus helped standardize MFS's development environment, shorten onboarding times, and improve security, code quality, and traceability.
2) Their initial implementation had limited success, but replacing build servers and addressing core issues like branching strategy and artifact management led to wider adoption.
3) Benefits included managing external resources better, inventorying all artifacts, understanding open source licensing risks, and gaining visibility into dependencies and modules.
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program (Denim Group)
With all the focus on DevSecOps and integrating security into Continuous Integration/Continuous Delivery (CI/CD) pipelines, some teams may be lured into thinking that the entirety of a Software Security Assurance (SSA) program can be baked into these pipelines. While integrating security into CI/CD offers many benefits, it is critical to understand that a full SSA program encompasses a variety of activities – many of which are incompatible with run time restrictions and other constraints imposed by these pipelines. This webinar looks at the breadth of activities involved in a mature SSA program and steps through the aspects of a program that can be realistically included in a pipeline, as well as those that cannot. It also reviews how these activities and related tooling have evolved over time as the application security discipline has matured and as development teams started to focus on cloud-native development techniques and technologies.
DevSecCon London 2017: How far left do you want to go with security? by Javie... (DevSecCon)
The document discusses how security practices can be integrated further left into the software development lifecycle using a DevSecOps approach. It outlines how traditional security operated in silos separate from development. DevSecOps aims to break down these silos by integrating security activities like policy, reviews, and audits directly into development practices like coding, continuous integration, and deployment. This is achieved through automation and tools as well as collaborative environments to bring together stakeholders from security, development, and operations. The document concludes that a DevSecOps approach following principles from Agile and DevOps can help redefine security and establish new baselines.
DevSecOps - It can change your life (cycle) (Qualitest)
QualiTest explains how a secured DevOps (DevSecOps) delivery process can be achieved using automated code scanning, enabling a significant shift left in issue detection and minimizing the time to fix. Whether you are considering DevSecOps, on the path, or already there, this slide deck is for you.
For more information, please visit www.QualiTestGroup.com
The document discusses the concepts of DevSecOps, which aims to integrate security practices into software development processes from the beginning. It notes trends in DevOps, cloud computing, and agile development that have led to this approach. DevSecOps seeks to shift security "left" so that it is designed into applications from the start rather than treated as an afterthought. This is achieved through continuous feedback between developers and security teams to build security into applications and infrastructure through automated testing and monitoring.
Sally Reade, Partner Manager, Puppet
Puppet's State of DevOps report is the most comprehensive study in the field, making it a must-read for practitioners and technology leaders alike. Sally Reade distills key takeaways, including practical tips like "start with the practices that are closest to production; then address processes that happen earlier in the software delivery cycle." Why does the C-suite have too rosy a view of DevOps on the ground?
- Stefan Streichsbier is the CEO of GuardRails and a professional white-hat hacker who has identified severe shortcomings in security processes and technologies, leading him to create GuardRails.
- The document discusses the evolution of DevOps and increasing complexity, the state of security and how it needs to fit within modern development workflows, and introduces the concept of DevSecOps to address shortcomings and better integrate security.
- Key aspects of DevSecOps discussed include how to create, test, and monitor secure applications and empower development teams to build security in from the start rather than see it as a separate function. Automated security tools and the need to reduce noise and improve usability for developers is also
How to go from waterfall app dev to secure agile development in 2 weeks (Ulf Mattsson)
The document discusses various topics related to data security and privacy including:
1. International standards for data de-identification techniques and privacy models such as ISO 20889.
2. A comparison of different data de-identification techniques in terms of their ability to reduce risks like singling out, linking, and inference.
3. Examples of mapping de-identification techniques like tokenization and encryption to different data deployment models including centralized/distributed data warehouses and public/private/on-premises clouds.
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...Outpost24
Our experts discuss the key considerations for implementing security training and application security into the SDLC, how to engage with developers through gamified learning and embed security testing without any downtime and costing the earth.
DevOps For Everyone: Bringing DevOps Success to Every App and Every Role in y...Siva Rama Krishna Chunduru
Understand DevOps and its fit with various types of applications.
Understand various Organization Roles after Org-restructure.
Understand the way to measure the success.
Continuous Security / DevSecOps- Why How and WhatMarc Hornbeek
This presentation explains what Continuous Security / DevSecOps is, why it is important, how it works and what you can do to realize a well-engineered DevSecOps solution in your own organization or enterprise.
DevOps is a culture that promotes collaboration between Development and Operations Team to deploy code to production faster in an automated & repeatable way. The word 'DevOps' is a combination of two words 'development' and 'operations.'
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
This document outlines an approach for integrating security into the software development lifecycle (SDLC) using DevSecOps principles. It discusses how security can shift left by being incorporated into various phases of product development and delivery, including product management, design, development, deployment, defect management, and monitoring. It provides examples of how to integrate security practices and tools at each stage. The goal is to establish security as a critical product feature rather than an afterthought, and foster collaboration between security and development teams through a DevSecOps model and maturity criteria.
This document provides an introduction to DevOps including:
- A brief history of DevOps from 2007-2011 when the term was coined and practices began emerging.
- Definitions of DevOps focusing on bridging development and operations teams and delivering software faster.
- Why DevOps is used, particularly for large distributed applications, to increase delivery speed and reduce failures.
- Key DevOps principles of automation, continuous delivery, and measuring outcomes.
- Common DevOps practices like infrastructure as code, containerization, microservices, and cloud infrastructure.
The document discusses the Software Development Life Cycle (SDLC) and DevOps. It defines SDLC as a process used by the software industry to design, develop, and test high-quality software. SDLC aims to produce software that meets expectations within time and cost estimates. The document then discusses DevOps, defining it as a culture promoting collaboration between development and operations teams to deploy code to production faster using automation. It outlines the DevOps lifecycle and principles, why DevOps is needed to streamline the software delivery process, and tools used in DevOps.
Shift Left Save Resources DevSecOps and the CICD PipelineCloudZenix LLC
The power of "Shift Left, Save Resources: DevSecOps and the CI/CD Pipeline"! Discover how this approach not only enhances software development and delivery but also strengthens security measures. Let's optimize efficiency while safeguarding our digital assets. Read more: https://cloudzenix.com/cloud-solutions/cloud-computing-devsecops-solutions/
DevOps Culture transformation in Modern Software DeliveryNajib Radzuan
DevOps culture aims to shorten development cycles and enable continuous delivery of software through practices that combine software development and IT operations. This presentation discusses how digital transformation requires changes to applications, infrastructure, and processes. It defines DevOps and outlines the DevOps process and tools used. Challenges of adopting DevOps culture include overcoming resistance to change and lack of collaboration between teams. The benefits of DevOps include rapid innovation, faster time-to-market, and improved customer focus. Adopting DevOps requires improving skills, evaluating processes and tools, and starting with small changes.
Programming languages and techniques for today’s embedded and IoT worldRogue Wave Software
This presentation looks at the problem of selecting the best programming language and tools to ensure IoT software is secure, robust, and safe. By taking a look at industry best practices and decades of knowledge from other industries (such as automotive and aerospace), you will learn the criteria necessary to choose the right language, how to overcome gaps in developers’ skills, and techniques to ensure your team delivers bulletproof IoT applications.
Here is a short presentation on the DevOps to DevSecOps journey:
- What DevOps is and its best practices.
- Practical Scenario of DevOps practices.
- DevOps transformation Journey.
- Transition to DevSecOps and why we need it.
- Enterprise CI/CD Pipeline.
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdfMobibizIndia1
DevSecOps is a development methodology that combines security measures at every stage of the software development lifecycle in order to provide reliable and secure systems. DevSecOps, in general, increases the benefits of a DevOps service.
HouSecCon 2019: Offensive Security - Starting from ScratchSpencer Koch
HouSecCon 2019 Offensive Security - Starting from Scratch. Learn from Spencer Koch and Altaz Valani about how to build an offensive security program from scratch, incorporating application security, infrastructure vulnerability management, hardening, devsecops, security champions, and red teaming. Be able to organize these capabilities to tell a story and build maturity to help your organization be more secure. Includes gotchas and lessons learned from industry experience.
Why DevSecOps Is Necessary For Your SDLC Pipeline?Enov8
A DevSecOps environment allows the integration of automated security checks within your SDLC pipeline to deliver early warnings and to consistently monitor for security vulnerabilities that escaped into production.
DevOps CD and Multispeed IT in regulated industries (FUG Presentation)Serena Software
This document discusses DevOps, continuous delivery, and multi-speed IT in regulated environments. It addresses how organizations can drive competitive advantage through faster delivery while still maintaining stability, security, and compliance. DevOps aims to align development and operations goals, continuous delivery ensures software is always production-ready, and multi-speed IT understands different approaches and speeds for different applications and contexts. The document outlines challenges in regulated industries and provides recommendations around people, process, and technology to support DevOps adoption.
Similar to Outpost24 webinar - application security in a dev ops world-08-2018 (20)
Outpost24 webinar - A fresh look into the underground card shop ecosystemOutpost24
In this webinar, we provide insights on some of the most relevant underground card shops, which types of products are offered, their prices, and related threat actors and business models.
Outpost24 webinar Why API security matters and how to get it right.pdfOutpost24
In this webinar, our expert panel will discuss why continuous API security testing is critical to securing your applications and reducing risk of API hacking in the wild. We will provide best practice guidance to improve your API security posture through automated detection for vulnerabilities lurking in API endpoints, ensuring your application business is protected against abuse.
Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...Outpost24
In this webinar, our expert will discuss why CISOs must embrace unified cyber risk management for greater consolidation and simplification of business risk to build trust and maximize business resilience.
Outpost24 webinar - How to protect your organization from credential theftOutpost24
This document discusses how to protect organizations from credential theft. It provides an overview of the credential theft landscape and lifecycle. It explains how credential thieves gather credentials through various means like exploiting vulnerabilities, using compromised credentials from initial access brokers or ransomware-as-a-service groups, and monitoring for leaked credentials. The document recommends organizations implement account lockouts, anti-automation measures, strong password policies, and support for multi-factor authentication to help prevent credential theft. It promotes the services of Outpost24 and Blueliv to help customers assess security posture and discover threats.
Outpost24 webinar - Enhance user security to stop the cyber-attack cycleOutpost24
We discuss how securing Active Directory and helping employees recognize common attack methods are key to reducing cyber risk to your organization in and out of the office
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24
In this webinar we’ll discuss how you can map CVE records with the MITRE ATT&CK framework to enhance vulnerability management process and achieve better risk management.
Outpost24 webinar: best practice for external attack surface managementOutpost24
This document discusses best practices for external attack surface management. It explains how digital acceleration has increased organizations' attack surfaces and defines external attack surface management. The document outlines how to categorize and assess risk for web applications and common attack vectors in retail, finance and healthcare. It concludes with recommended best practices, which include discovering all external assets, categorizing them, monitoring for changes, and implementing controls like patching, access management and security assessments.
Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...Outpost24
We explain how best to identify security gaps through threat intelligence to get essential warning of impending ransomware threats targeting your organization.
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...Outpost24
Learn how an asynchronous approach can help build an enterprise CMDB and automate continuous detection of any new and critical vulnerabilities in your asset repository so you’ll never miss a critical risk again.
API 101 discusses how to secure web applications and APIs. APIs are used extensively in web and mobile applications to allow communication between services but this can introduce security weaknesses if not implemented properly. API attacks are a growing threat, with 90% of breaches targeting web applications and APIs projected to become the most common attack vector by 2022. The document outlines security best practices for securing APIs throughout the development lifecycle from design to testing to runtime, and how one company implemented API security testing to improve their compliance and privacy posture.
Outpost24 Webinar - CISO conversation behind the cyber security technologyOutpost24
In this webinar we talk to Outpost24 customer Jaspal Jandu, Deputy Group CISO at ITV Plc and discuss how the iconic British TV channel tackles the growing cybersecurity threats to secure the high availability media operations (think Oprah with Megan and Harry and ITV Hub!) and delight millions of viewers.
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24
Learn how to discover every web application you own and ascertain their risk levels through the hacker’s lens to gain a better understanding of the overall attack surface and locate the right path for remediation.
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...Outpost24
Our expert panel share their predictions for the vulnerabilities to watch out for in 2021 and explain how machine learning can be used effectively in these unpredictive times to get you ready for the security challenges ahead.
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...Outpost24
Our security experts present how to step up your cyber hygiene best practice to prevent targeted hacking attempts from remote code execution to network exploitation.
Outpost24 webinar mastering container security in modern day dev opsOutpost24
Our cloud security expert examines the security challenges that come with container adoption and unpacks the key steps required to integrate and automate container assessment into the DevOps cycle, helping developers build and deploy cloud native apps at speed whilst keeping one eye on security.
Outpost24 webinar - Protecting Cezanne HR’s cloud web application with contin...Outpost24
We discuss the importance of data protection in HR, and how a hybrid continuous assessment approach has helped secure their business critical apps and maintain ISO certification standards at scale.
What is Continuous Testing in DevOps - A Definitive Guide.pdfkalichargn70th171
Once an overlooked aspect, continuous testing has become indispensable for enterprises striving to accelerate application delivery and reduce business impacts. According to a Statista report, 31.3% of global enterprises have embraced continuous integration and deployment within their DevOps, signaling a pervasive trend toward hastening release cycles.
A neural network is a machine learning program, or model, that makes decisions in a manner similar to the human brain, by using processes that mimic the way biological neurons work together to identify phenomena, weigh options and arrive at conclusions.
Photoshop Tutorial for Beginners (2024 Edition)alowpalsadig
Photoshop Tutorial for Beginners (2024 Edition)
Explore the evolution of programming and software development and design in 2024. Discover emerging trends shaping the future of coding in our insightful analysis.
Here's an overview: Introduction: The Evolution of Programming and Software Development; The Rise of Artificial Intelligence and Machine Learning in Coding; Adopting Low-Code and No-Code Platforms; Quantum Computing: Entering the Software Development Mainstream; Integration of DevOps with Machine Learning: MLOps; Advancements in Cybersecurity Practices; The Growth of Edge Computing; Emerging Programming Languages and Frameworks; Software Development Ethics and AI Regulation; Sustainability in Software Engineering; The Future Workforce: Remote and Distributed Teams; Conclusion: Adapting to the Changing Software Development Landscape
The importance of developing and designing programming in 2024
Programming design and development represents a vital step in keeping pace with technological advancements and meeting ever-changing market needs. This course is intended for anyone who wants to understand the fundamental importance of software development and design, whether you are a beginner or a professional seeking to update your knowledge.
Course objectives:
1. Learn about the basics of software development:
- Understanding software development processes and tools.
- Identify the role of programmers and designers in software projects.
2. Understanding the software design process:
- Learn about the principles of good software design.
- Discussing common design patterns such as Object-Oriented Design.
3. The importance of user experience (UX) in modern software:
- Explore how user experience can improve software acceptance and usability.
- Tools and techniques to analyze and improve user experience.
4. Increase efficiency and productivity through modern development tools:
- Access to the latest programming tools and languages used in the industry.
- Study live examples of applications
Penify - Let AI do the Documentation, you write the Code.KrishnaveniMohan1
Penify automates the software documentation process for Git repositories. Every time a code modification is merged into "main", Penify uses a Large Language Model to generate documentation for the updated code. This automation covers multiple documentation layers, including InCode Documentation, API Documentation, Architectural Documentation, and PR documentation, each designed to improve different aspects of the development process. By taking over the entire documentation process, Penify tackles the common problem of documentation becoming outdated as the code evolves.
https://www.penify.dev/
In this infographic, we have explored cost-effective strategies for iOS app development, focusing on building high-quality apps within a budget. Key points covered include prioritizing essential features, leveraging existing tools and libraries, adopting cross-platform development approaches, optimizing for a Minimum Viable Product (MVP), and integrating with cloud services and third-party APIs. By implementing these strategies, businesses and developers can create functional and engaging iOS apps while minimizing development costs and time-to-market.
Ensuring Efficiency and Speed with Practical Solutions for Clinical OperationsOnePlan Solutions
Clinical operations professionals encounter unique challenges. Balancing regulatory requirements, tight timelines, and the need for cross-functional collaboration can create significant internal pressures. Our upcoming webinar will introduce key strategies and tools to streamline and enhance clinical development processes, helping you overcome these challenges.
Superpower Your Apache Kafka Applications Development with Complementary Open...Paul Brebner
Kafka Summit talk (Bangalore, India, May 2, 2024, https://events.bizzabo.com/573863/agenda/session/1300469 )
Many Apache Kafka use cases take advantage of Kafka’s ability to integrate multiple heterogeneous systems for stream processing and real-time machine learning scenarios. But Kafka also exists in a rich ecosystem of related but complementary stream processing technologies and tools, particularly from the open-source community. In this talk, we’ll take you on a tour of a selection of complementary tools that can make Kafka even more powerful. We’ll focus on tools for stream processing and querying, streaming machine learning, stream visibility and observation, stream meta-data, stream visualisation, stream development including testing and the use of Generative AI and LLMs, and stream performance and scalability. By the end you will have a good idea of the types of Kafka “superhero” tools that exist, which are my favourites (and what superpowers they have), and how they combine to save your Kafka applications development universe from swamploads of data stagnation monsters!
Stork Product Overview: An AI-Powered Autonomous Delivery FleetVince Scalabrino
Imagine a world where, instead of blue and brown trucks dropping parcels on our porches, a buzzing drove of drones delivered our goods. Now imagine those drones are controlled by 3 purpose-built AIs designed to ensure all packages are delivered as quickly and as economically as possible. That's what Stork is all about.
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...Luigi Fugaro
Vector databases are transforming how we handle data, allowing us to search through text, images, and audio by converting them into vectors. Today, we'll dive into the basics of this exciting technology and discuss its potential to revolutionize our next-generation AI applications. We'll examine typical uses for these databases and the essential tools developers need. Plus, we'll zoom in on the advanced capabilities of vector search and semantic caching in Java, showcasing these through a live demo with Redis libraries. Get ready to see how these powerful tools can change the game!
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISTier1 app
Are you ready to unlock the secrets hidden within Java thread dumps? Join us for a hands-on session where we'll delve into effective troubleshooting patterns to swiftly identify the root causes of production problems. Discover the right tools, techniques, and best practices while exploring *real-world case studies of major outages* in Fortune 500 enterprises. Engage in interactive lab exercises where you'll have the opportunity to troubleshoot thread dumps and uncover performance issues firsthand. Join us and become a master of Java thread dump analysis!
Building API data products on top of your real-time data infrastructureconfluent
This talk and live demonstration will examine how Confluent and Gravitee.io integrate to unlock value from streaming data through API products.
You will learn how data owners and API providers can document, secure data products on top of Confluent brokers, including schema validation, topic routing and message filtering.
You will also see how data and API consumers can discover and subscribe to products in a developer portal, as well as how they can integrate with Confluent topics through protocols like REST, Websockets, Server-sent Events and Webhooks.
Whether you want to monetize your real-time data, enable new integrations with partners, or provide self-service access to topics through various protocols, this webinar is for you!
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...kalichargn70th171
Visual testing plays a vital role in ensuring that software products meet the aesthetic requirements specified by clients in functional and non-functional specifications. In today's highly competitive digital landscape, users expect a seamless and visually appealing online experience. Visual testing, also known as automated UI testing or visual regression testing, verifies the accuracy of the visual elements that users interact with.
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdfBaha Majid
IBM watsonx Code Assistant for Z is our latest Generative AI-assisted mainframe application modernization solution. Mainframe (IBM Z) application modernization is a topic that every mainframe client is addressing to various degrees today, driven largely by digital transformation. With generative AI comes the opportunity to reimagine the mainframe application modernization experience. Infusing generative AI will enable speed and trust, help de-risk, and lower the total costs associated with heavy-lifting application modernization initiatives. This document provides an overview of IBM watsonx Code Assistant for Z, which uses the power of generative AI to make it easier for developers to selectively modernize COBOL business services while maintaining mainframe qualities of service.
Mobile App Development Company In Noida | Drona InfotechDrona Infotech
React.js, a JavaScript library developed by Facebook, has gained immense popularity for building user interfaces, especially for single-page applications. Over the years, React has evolved and expanded its capabilities, becoming a preferred choice for mobile app development. This article will explore why React.js is an excellent choice for the Best Mobile App development company in Noida.
Visit Us For Information: https://www.linkedin.com/pulse/what-makes-reactjs-stand-out-mobile-app-development-rajesh-rai-pihvf/
Enhanced Screen Flows UI/UX using SLDS with Tom KittPeter Caitens
Join us for an engaging session led by Flow Champion, Tom Kitt. This session will dive into a technique of enhancing the user interfaces and user experiences within Screen Flows using the Salesforce Lightning Design System (SLDS). This technique uses Native functionality, with No Apex Code, No Custom Components and No Managed Packages required.
Software Test Automation - A Comprehensive Guide on Automated Testing.pdfkalichargn70th171
Moving to a more digitally focused era, the importance of software is rapidly increasing. Software tools are crucial for upgrading life standards, enhancing business prospects, and making a smart world. The smooth and fail-proof functioning of the software is very critical, as a large number of people are dependent on them.
4. A brief history of (Application Development) time
1960's - Waterfall: Assembler code widely used for development. The Waterfall methodology was coined in 1958.
1970's - New languages: COBOL, PL1, Pascal all made an appearance. DBMS gains traction in database management.
1980's - SQL and OO: SQL and object-oriented languages appear. Waterfall development still used, but in 1986 SCRUM is coined.
1990's - WWW appears: 94 - Unified Process; 95 - Javascript, SCRUM; 96 - Flash, Extreme Programming; 99 - concept of Web applications.
2000s - Agile (and Web) explode: 01 - Agile Manifesto; 05 - Ajax created for asynchronous web application development; 05 - Declaration of Interdependence; 09 - Software Craftsmanship Manifesto.
6. DevOps
• Coined in 2009
• Agile success drove integration between Development and Operations
• Results in the need for cultural change to encourage more collaboration
• Focus on application release automation, continuous integration and continuous delivery
• People | Process | Technology approach
Image: By Kharnagy - Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=51215412
But what about the Security team?
7. But is it really a Silver bullet?
(Charts) Source: Verizon Data Breach Investigations Report 2017; Source: Verizon Data Breach Investigations Report 2018
10. People | Process | Technology
(Diagram: christopherspenn.com | @cspenn)
• People - who’s doing stuff
• Process - how stuff is done
• Technology - what we do stuff with
Where the circles overlap: scale, innovate, automate
Are we fast enough? Are we efficient enough? Are we creating enough new value?
11. Challenges with DevOps and Security teams
• What happened to Secure by Design?
• Priority of security in DevOps migration
• Buy your way out with tools
• Focusing on the end instead of process management pushes higher “per fix” cost
12. How do we incorporate Security?
• Security has historically been a silo
• Secure by design is assumed to be part of the Agile mentality
• Process | People can break down the silo
• But does DevSecOps really work?
13. Slaying the myths of DevSecOps
• Security can’t fit into the DevOps process.
• Configuration management tools are all DevOps needs.
• Adopting DevOps eliminates the need for Security experts.
• If we can do DevOps we can do SecOps.
14. DevSecOps
• Distribute security decision making
  • to the right people
  • with the right context
  • at the right time
• Embedded into the team, easily accessible by Developers
• Gartner refers to these as ‘Champions’
16. Your Champion
• Has both domain experience and the desire to secure development
• Helps spot security problems sooner
• Assign champions to security analysts
• Helps security teams translate their priorities into development practices
17. Champion & Analyst
CHAMPION
• Member of project team
• Key contact for security
• Not an expert
• A requirement for each project
ANALYST
• Security team member
• Keeps security involved
• Key contact for the Champion(s)
• Security by design thinking
• Links IT Security to Development teams and projects
• Encourage a community between champions and brokers
• Goal to improve the overall security posture
• Encourage developer collaboration with champions and analysts
22. Choose the right tools for the job
• Before settling on what tools, ask yourself:
  • How frequent are your ‘sprints’?
  • How long does each tool take to run?
  • Can it be wholly automated into the CI/CD process?
  • Is it noisy, does it generate lots of false positives?
• Answering these questions will help steer you in identifying the tools appropriate for your needs
23. Perfect is the enemy of Good
• Chasing perfection in a DevOps culture leads to slower development
• You don’t have to fix everything during development
• Compensate with other tools (IPS, WAF) to mitigate unknown vulnerabilities
• Focus on fixing the critical known vulnerabilities during Development
• The tools you select should be agile: in both integration and scanning speed
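The gating policy of slides 22 and 23 in code, as an added example that is not part of the original presentation: a Python CI gate that checks each tool's runtime against the pipeline time budget, suppresses findings already triaged as false positives (the "noise" question), fails the build only on critical findings, and sends everything else to a backlog to be covered by compensating controls until fixed. Tool names, runtimes, rule names and file paths are constructed sample data.

```python
"""Added example: a 'fix the critical known issues, not everything' CI security gate.

Policy encoded here (not any vendor's API):
  - a tool whose scan exceeds the pipeline budget is flagged to run out of band;
  - findings on the triaged false-positive list are suppressed;
  - only findings at or above the fail threshold block the build;
  - the rest go to a backlog covered by WAF/IPS until the team fixes them.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

SEVERITY_RANK: Dict[str, int] = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One scanner result in a constructed, tool-neutral shape."""
    tool: str
    rule: str
    severity: str
    location: str

    def fingerprint(self) -> str:
        # Stable key so a finding triaged once as a false positive stays suppressed.
        return f"{self.tool}:{self.rule}:{self.location}"


@dataclass
class ScanResult:
    tool: str
    runtime_s: float
    findings: List[Finding] = field(default_factory=list)


@dataclass
class GateDecision:
    passed: bool
    blocking: List[Finding]
    backlog: List[Finding]
    suppressed: int
    over_budget: List[str]


def noise_ratio(result: ScanResult, suppressions: Set[str]) -> float:
    """Share of a tool's findings already known to be false positives (slide 22: 'is it noisy?')."""
    if not result.findings:
        return 0.0
    false_positives = sum(1 for f in result.findings if f.fingerprint() in suppressions)
    return false_positives / len(result.findings)


def evaluate_gate(results: Iterable[ScanResult], suppressions: Set[str],
                  fail_on: str = "critical", pipeline_budget_s: float = 600.0) -> GateDecision:
    """Apply the gate policy; 'fail_on' is the lowest severity that blocks the build."""
    threshold = SEVERITY_RANK[fail_on]
    blocking: List[Finding] = []
    backlog: List[Finding] = []
    over_budget: List[str] = []
    suppressed = 0
    for result in results:
        if result.runtime_s > pipeline_budget_s:
            # Too slow for the automated gate: keep its findings, but flag the tool
            # so it is scheduled outside the sprint pipeline rather than holding it up.
            over_budget.append(result.tool)
        for finding in result.findings:
            if finding.fingerprint() in suppressions:
                suppressed += 1
                continue
            if SEVERITY_RANK[finding.severity] >= threshold:
                blocking.append(finding)
            else:
                backlog.append(finding)
    return GateDecision(not blocking, blocking, backlog, suppressed, over_budget)


# Constructed sample input: one fast SAST run and one slow DAST run.
SAMPLE_SUPPRESSIONS: Set[str] = {
    "sast:hardcoded-secret:tests/fixtures.py:12",  # triaged: test fixture, not a live credential
}
SAMPLE_RESULTS: List[ScanResult] = [
    ScanResult("sast", 95.0, [
        Finding("sast", "sql-injection", "critical", "app/orders.py:44"),
        Finding("sast", "weak-hash", "medium", "app/legacy.py:10"),
        Finding("sast", "hardcoded-secret", "high", "tests/fixtures.py:12"),
    ]),
    ScanResult("dast", 2400.0, [
        Finding("dast", "missing-security-header", "low", "https://staging.example.com/"),
    ]),
]

if __name__ == "__main__":
    decision = evaluate_gate(SAMPLE_RESULTS, SAMPLE_SUPPRESSIONS)
    print("gate passed:", decision.passed)
    print("blocking:", [f.rule for f in decision.blocking])
    print("backlog (compensate with WAF/IPS):", [f.rule for f in decision.backlog])
    print("suppressed false positives:", decision.suppressed)
    print("tools over pipeline budget:", decision.over_budget)
    for r in SAMPLE_RESULTS:
        print(f"{r.tool} noise ratio: {noise_ratio(r, SAMPLE_SUPPRESSIONS):.2f}")
```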
24. Tools for Success
• OpenAPI based, to integrate seamlessly in the CI/CD toolchain
• Can be easily and quickly run by Developers
25. Tools in the AST kit
• SAST - Static: automated; focused on developers; noisy
• DAST - Dynamic: automated; operational system test; can’t address all cases
• Penetration Test: manual; most comprehensive; low frequency use
• MAST - Mobile: partially automated; focused on developers; lots of variants of test target
• IAST - Interactive: automated; included in code; related to RASP (runtime app self protection)
• Bug Bounty: manual; independent security researchers; pay by finding
26. Shift left - improve maturity & lower fix costs
Pipeline stages:
• Development: code and commit; continuous integration & automated testing
• Gate 1
• Pre-production: complete build & test; non-functional testing; UAT
• Gate 2
• Production: ongoing assessments
Tools as laid out on the slide from left (Development) to right (Production), with relative fix cost:
• SAST $
• IAST $$
• DAST $$
• MAST $$
• Bug Bounty $$$
• Penetration Test $$$$
29. DevOps
• Agile success drove the need for tighter integration between Development and Operations - coined in 2009
• Encourages (and indeed needs) collaboration between development, operations and QA - results in the need for cultural change
• Allows for focus on application release automation, continuous integration and continuous delivery
• Process - People - Tools approach to development
• Often (and initially) leaves out ‘Security teams’
Takeaways
DevSecOps – culture change implemented with People | Process | Technology
Process – small steps, not immediate perfection, mandate security
People – establish security champions in DevOps, support the mandate
Tools – integrate into the DevOps tool chain natively
Shift Left – introduce additional tools and information earlier in the DevOps process
2001: Writing Secure Code by Howard and LeBlanc, which came out of the earlier Microsoft Secure Windows Initiative.
And so we end up with Agile + DevOps being likened to that fabled Silver bullet. You know: the thing that slays the beast. In this case, addressing the need to align development to the efficient, digital pace of business today. Or the thing that magically addresses a complicated problem.
With the success of Agile development, in 2009 the concept of DevOps was raised by Andrew Shafer and Patrick Debois. DevOps is essentially a natural evolution of Agile: it brings the Development team, the Operations team and QA closer together to allow for the rapid release of applications through sprints. Although it requires a cultural change, organizations embracing it can develop and deliver applications much faster.
Security by design is often shoehorned into the DevOps process, often focusing on the end of the development journey. However, for many years the security teams were still precluded from the process. In fact, whilst it remains a silo separate from the Agile and DevOps processes, security can become the inhibitor to successfully implementing Agile and DevOps cultures.
Security by design,……
Agile and DevOps allow customers to develop and deliver applications to the market at a quick pace. And yet, time after time the surveys show that web application attacks continually feature in the top lists of incidents and are often right at the top in sources of breaches.
And OWASP constantly publishes a top 10 list, not a top 3 or 5. Couple that with almost no change in the top 10 over the last 4 years, and it’s little wonder our customers are asking how, as they adopt DevOps, they are constantly facing the quandary of whether security can fit into the DevOps model without it being a hindrance.
The earliest form of this was Harold Leavitt’s 1964 use of 4 elements (structure, tasks, people, technology) in describing organizational change – since then, we’ve improved it to just 3 elements
I like this version from Chris Penn because it clearly shows where the benefits come from – the intersections
http://www.christopherspenn.com/2018/01/transforming-people-process-and-technology-part-1/
In 2017 Gartner showed that the biggest strategy to overcome was collaborating with Security. As organisations adopt a
If security teams remain siloed and disengaged from the Agile DevOps process then challenges will arise. In fact, it’s highly likely that Security will become a stumbling block to the success of Agile. Remember, Agile and DevOps are about collaboration (and rapid iteration). So break down the silos between the teams, integrating them together to create ‘DevSecOps’.
1. Wrong. With the right automation and tools, security can be injected into the development process much earlier.
2. Wrong. Whilst they help with deployment and redeployment, they simply cannot handle the security analysis that a security professional can.
3. Wrong. The majority of developers are NOT security experts. Neglecting the security experts can lead to your organization becoming the next statistic in the Verizon DBIR report.
4. Wrong. Keeping security as its own functional area or silo misses the point of Agile and DevOps – namely cross-functional integration. Security experts must partner with development and operations at the beginning of the development process. It might mean a cultural change, but it is absolutely imperative to success.
Point out – this is about situations where you have control over the DevOps process. If you outsource development, you may not be able to evolve without external collaboration. For customization on COTS, you can still treat it as development and work towards this process.
Whilst we try to move away from waterfall in the Agile/DevOps world, if we take a moment to look at both the types of tools available and where they sit in the software development lifecycle, we can identify where our own organisation is. Think about a shift-left approach: if you don’t have anything in place today, can you fit a penetration test into the process? However, remember Agile is about shorter development sprints, so your pen test partner needs to be able to deliver on demand and at speed. Likewise, if you’re doing DAST today, shifting left might mean SAST, IAST or MAST depending on the applications you are developing.
Ultimately, when considering DevSecOps and starting the journey, you need to consider Voltaire’s words: perfect is the enemy of good. Don’t chase perfection, namely the fixing of ALL vulnerabilities during the development cycle. This will kill your ability to deliver rapid sprints as you get bogged down with testing in the old security-by-design mentality. Instead, use other tools to help mitigate the unknown or less common vulnerabilities: IPS, WAF, even next-gen firewalls.
Have the development team focus on the known critical vulnerabilities and fix them; use OWASP to help guide them on how to fix them and not repeat the same errors. And when selecting your SAST, DAST, MAST and IAST tools, make sure they too are agile: agile in scanning and agile in the way they integrate into the CI/CD process.
This is what our customers are asking us for time and again. 1. In DevOps, the development team should be capable of launching and executing automated scans directly from within their native toolchain. The scanners should be easy to use and not require significant security expertise. Moreover, findings should appear in the same DevOps-native toolchain.
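As an added example (not from these slides or any vendor’s tool), the policy in the notes above, fix the known critical findings now but don’t block the sprint on everything, expressed as a CI gate: it reads a constructed scanner report, fails the build only on critical/high severity, and emits every finding as a GitHub Actions workflow-command annotation so results land in the developers’ own toolchain. The report’s JSON shape, file names and finding IDs are assumptions made for the example.

```python
import json
from dataclasses import dataclass

# Constructed sample scanner output (no real tool was run). The JSON shape is a
# hypothetical simplification of what a SAST or dependency scanner might emit.
SAMPLE_REPORT = json.dumps([
    {"id": "F-1", "severity": "critical", "file": "app/login.py", "line": 42,
     "title": "SQL injection via string-built query"},
    {"id": "F-2", "severity": "high", "file": "app/upload.py", "line": 17,
     "title": "Path traversal in filename handling"},
    {"id": "F-3", "severity": "medium", "file": "app/util.py", "line": 88,
     "title": "Weak random number generator"},
    {"id": "F-4", "severity": "low", "file": "app/views.py", "line": 5,
     "title": "Missing security header"},
])

# Severities that must be fixed inside the sprint; everything else is surfaced
# as a warning and tracked rather than blocking the release.
BLOCKING = {"critical", "high"}


@dataclass
class GateResult:
    blocking: list      # findings that fail the build
    deferred: list      # findings reported but not blocking
    annotations: list   # GitHub Actions workflow-command lines

    @property
    def passed(self) -> bool:
        return not self.blocking


def gate(report_json: str, blocking=BLOCKING) -> GateResult:
    """Split a scanner report by policy and render toolchain-native annotations."""
    findings = json.loads(report_json)
    blocking_f = [f for f in findings if f["severity"] in blocking]
    deferred_f = [f for f in findings if f["severity"] not in blocking]
    notes = []
    for f in findings:
        # '::error'/'::warning' with file= and line= is the GitHub Actions
        # annotation format; the runner shows these inline on the pull request.
        level = "error" if f["severity"] in blocking else "warning"
        notes.append(f"::{level} file={f['file']},line={f['line']}::"
                     f"[{f['id']}] {f['severity']}: {f['title']}")
    return GateResult(blocking_f, deferred_f, notes)


if __name__ == "__main__":
    result = gate(SAMPLE_REPORT)
    print("\n".join(result.annotations))
    raise SystemExit(0 if result.passed else 1)
```

Tightening the policy later is a one-line change to BLOCKING, which matches the small-steps maturity approach rather than demanding zero findings from day one.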
Maturity curve is like climbing stairs – people, process, tools
Now carrying a bike on foot
Now riding up