SlideShare a Scribd company logo

Scale DevSecOps with your Continuous Integration Pipeline

DevOps.com
DevOps.com

Hear from AppSec and Development leaders on how they apply the principles of DevOps to deliver secure products and services to customers. Learn how you can scale your DevSecOps initiatives to reduce time-to-deployment and lower costs as you deliver secure software. During this webinar, you will learn about the latest tools and techniques that will enable your development teams to embed security scanning into your IDE as you are coding, returning most scans in seconds – all while integrating into your CI pipeline. Our speaker will provide: An overview of Veracode Greenlight and its integrations with developer tools; A summary of recent Greenlight use cases and successes; Examples of how Greenlight integrates into your CI pipeline

Technology
1 of 36
Download to read offline
© 2019 VERACODE INC.1 © 2019 VERACODE INC. Scale DevSecOps with your Continuous Integration Pipeline Presented by DevOps.com and Veracode
© 2019 VERACODE INC.2 Today’s Presenters Janet Worthington Principal Product Manager Vineeta Puranik Vice President of Engineering and Operations
© 2019 VERACODE INC.3 Audience Poll What is your role on the team? • Developer • Developer in Test • Security • DevOps • Manager
© 2019 VERACODE INC.4 What is Dev(Sec)Ops? • “DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.” • “DevOps is also characterized by operations staff using many of the same techniques as developers for their systems work.” Source : ‘What Is DevOps?’ 2010. The Agile Admin. August 2. https://theagileadmin.com/what-is-devops/
© 2019 VERACODE INC.5 DevSecOps: Shift in culture Dev Sec Ops Work in small batches Automate when possible Security controls: automate Trust: Safe to fail Fast delivery to customers Collaborate Feedback Learn
© 2019 VERACODE INC.6 Metrics to measure Source: DORA: 2018 State of DevOps Report
© 2019 VERACODE INC.7 DevOps allows teams to deploy code daily/hourly, reduce lead time for changes, reduce time to restore service and minimize the impact of new changes on production. Source: DORA: 2018 State of DevOps Report
© 2019 VERACODE INC.8 Work Flow cycle: Agile Development Team • Dev, QA, IT, Ops, UX, Security – cross functional teams collaborate to achieve common organizational goal • Less friction, more velocity – Work flows smoothly through entire value stream to customer • Plan, code, Test – Agile – Modular – Automate • Small continuous deploys • Infrastructure as code Recommended book DevOps Handbook by Gene Kim
© 2019 VERACODE INC.9 Software Deployment CICD • Promote code early and often Test early and often, including security issues • Continuous integration, builds, and tests • Fast and reliable automation test suites • Package once, deploy anywhere • Canary or blue green deployments
© 2019 VERACODE INC.10 Software Availability: Operations • Monitoring- server, app performance • Continuous Feedback, Learning • Experiment: Fail fast; learn fast • Testing Operations Security – everyone’s job everyday • Increased awareness of production issues
© 2019 VERACODE INC.11 DevSecOps Best Practices Source: Veracode: The Developer’s Guide to the DevSecOps Galaxy
© 2019 VERACODE INC.12 Benefits of DevSecOps for Developers Source: Stripe: The Developer Coefficient, Sept 2018 Source: Puppet: 2016 State of DevOps Report
© 2019 VERACODE INC.13 Source: Veracode: State of Software Security Volume 9
© 2019 VERACODE INC.14 Security Throughout The Lifecycle Static Policy Speed & Prevention Coverage & Remediation Is the Application Secure? Is My Code Secure? Is Our Combined Code Secure? Static SandboxGreenlight JAVA JAVA
© 2019 VERACODE INC.15 Greenlight Helps developers answer the question – “Is my code good?” Continuous Flaw Feedback Fast, Early, Focused scans of code that a developer is currently working on Secure Coding Education Remediation guidance provided directly to the Developer to assist with quick fixes  Reduce the number of flaws entered into downstream activities  Maintain development velocity  Improve adoption with tools that work the way developers expect them to
© 2019 VERACODE INC.16 Greenlight Where You Want It IDE Build CI RAD
© 2019 VERACODE INC.17 Code Code Continuous Testing Pipeline Functional Tests / Integration Tests / Performance Tests + Static Sandbox DevSecOps: Scan Early, Scan Often Continuous Integration Pipeline Build / Unit Test / Code Quality / Code Review + Greenlight API Continuous Delivery Pipeline Stage/ UAT/ Final Validation / Deploy + Static Policy Continuous Development Code / Compile / Debug / Unit Test / Commit + Greenlight IDE
© 2019 VERACODE INC.18 CI CD Workflow Example
© 2019 VERACODE INC.19 Continuous Integration Pipelines
© 2019 VERACODE INC.20 Dev Env: Write, Commit and Push
© 2019 VERACODE INC.21 Feature Branch Pipeline: Failed scan new/changed files Greenlight
© 2019 VERACODE INC.22 Greenlight Scan: Summary Results
© 2019 VERACODE INC.23 Greenlight JSON Results Archive Greenlight results JSON file with scan details is archived to: gl-scanner-java_<projectref-commithash>_greenlight-results.zip
© 2019 VERACODE INC.24 Dev Env: Fix, Commit and Push
© 2019 VERACODE INC.25 Feature Branch Pipeline: Success Greenlight scan new/changed files
© 2019 VERACODE INC.26 Feature Branch: Merge Request
© 2019 VERACODE INC.27 Feature Branch: Merge Approval
© 2019 VERACODE INC.28 Continuous Integration Succeeds, Continuous Test Triggered Tag for Release
© 2019 VERACODE INC.29 Continuous Test Succeeds & Continuous Delivery Triggered Veracode Static Scan Project Deploy
© 2019 VERACODE INC.30 Pipeline Configuration Code .gitlab-ci.yml Greenlight CI Tool
© 2019 VERACODE INC.31 DevSecOps Examples
© 2019 VERACODE INC.32 Veracode integrated into pipeline. Greenlight stage runs after Code Quality testing. Veracode Static Scan is run on a nightly scheduled pipeline. Example#1: Veracode in CI/CD Pipeline
© 2019 VERACODE INC.33 Veracode integrated into pipeline. The Veracode stage executes Greenlight on feature or dev branch. On a master branch, the Veracode Stage uploads the whole application to Static. Example#2: Veracode in CI/CD Pipeline
© 2019 VERACODE INC.34
© 2019 VERACODE INC.35 DevSecOps Resources Kim, Gene, Patrick Debois, and John Willis. 2016. The Devops Handbook: How to Create World- Class Agility, Reliability, and Security in Technology Organizations Veracode Helps Developers Find Security Flaws Faster Using AWS. 2017. AWS. https://aws.amazon.com/sol utions/case- studies/veracode/ State of Software Security. Volume 9. Veracode. https://www.veracode.com /state-of-software-security- report The Developers Guide To The DevSecOps Galaxy. 2017. Veracode. https://info.veracode.com /guide-developers-to- devsecops-galaxy.html ‘2018 Accelerate: State of DevOps Report’. 2018. Dora. https://cloudplatformonline. com/rs/248-TPC- 286/images/DORA- State%20of%20DevOps.pdf
© 2019 VERACODE INC.36 Thank You

Recommended

DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
James Wickett
 
DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF LoftDevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
Amazon Web Services
 
Dev secops. Real experience.
Dev secops. Real experience.Dev secops. Real experience.
Dev secops. Real experience.
Vitaly Balashov
 
Scale DevSecOps with your Continuous Integration Pipeline
Scale DevSecOps with your Continuous Integration Pipeline Scale DevSecOps with your Continuous Integration Pipeline
Scale DevSecOps with your Continuous Integration Pipeline
DevOps.com
 
Microsoft DevOps Forum 2021 – DevOps & Security
Microsoft DevOps Forum 2021 – DevOps & Security Microsoft DevOps Forum 2021 – DevOps & Security
Microsoft DevOps Forum 2021 – DevOps & Security
Nico Meisenzahl
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
James Wickett
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
Sonatype
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOps
James Wickett
 

Recommended

DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
James Wickett
 
DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF LoftDevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
Amazon Web Services
 
Dev secops. Real experience.
Dev secops. Real experience.Dev secops. Real experience.
Dev secops. Real experience.
Vitaly Balashov
 
Scale DevSecOps with your Continuous Integration Pipeline
Scale DevSecOps with your Continuous Integration Pipeline Scale DevSecOps with your Continuous Integration Pipeline
Scale DevSecOps with your Continuous Integration Pipeline
DevOps.com
 
Microsoft DevOps Forum 2021 – DevOps & Security
Microsoft DevOps Forum 2021 – DevOps & Security Microsoft DevOps Forum 2021 – DevOps & Security
Microsoft DevOps Forum 2021 – DevOps & Security
Nico Meisenzahl
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
James Wickett
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
Sonatype
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOps
James Wickett
 
Defining DevSecOps
Defining DevSecOpsDefining DevSecOps
Defining DevSecOps
Uchit Vyas ☁
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOps
Priyanka Aash
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 
DevSecOps for the DoD
DevSecOps for the DoDDevSecOps for the DoD
DevSecOps for the DoD
JamesHarmison
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
Deborah Schalm
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
Tej Luthra
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOps
Michael Man
 
10 things to get right for successful dev secops
10 things to get right for successful dev secops10 things to get right for successful dev secops
10 things to get right for successful dev secops
Mohammed Ahmed
 
Release Your Inner DevSecOp
Release Your Inner DevSecOpRelease Your Inner DevSecOp
Release Your Inner DevSecOp
James Wickett
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
DevOps Indonesia
 
Barriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome ThemBarriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome Them
WhiteSource
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss Banking
Aarno Aukia
 
Automating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOpsAutomating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOps
Tushar Gupta
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOps
Michelangelo van Dam
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
Enterprise DevOps Series: Using VS Code & Zowe
Enterprise DevOps Series: Using VS Code & ZoweEnterprise DevOps Series: Using VS Code & Zowe
Enterprise DevOps Series: Using VS Code & Zowe
DevOps.com
 
How to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspectiveHow to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspective
Colin Domoney
 

More Related Content

What's hot

Defining DevSecOps
Defining DevSecOpsDefining DevSecOps
Defining DevSecOps
Uchit Vyas ☁
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOps
Priyanka Aash
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 
DevSecOps for the DoD
DevSecOps for the DoDDevSecOps for the DoD
DevSecOps for the DoD
JamesHarmison
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
Deborah Schalm
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
Tej Luthra
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOps
Michael Man
 
10 things to get right for successful dev secops
10 things to get right for successful dev secops10 things to get right for successful dev secops
10 things to get right for successful dev secops
Mohammed Ahmed
 
Release Your Inner DevSecOp
Release Your Inner DevSecOpRelease Your Inner DevSecOp
Release Your Inner DevSecOp
James Wickett
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
DevOps Indonesia
 
Barriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome ThemBarriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome Them
WhiteSource
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss Banking
Aarno Aukia
 
Automating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOpsAutomating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOps
Tushar Gupta
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOps
Michelangelo van Dam
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
Narudom Roongsiriwong, CISSP
 

What's hot (20)

Defining DevSecOps
Defining DevSecOpsDefining DevSecOps
Defining DevSecOps
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOps
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
 
DevSecOps for the DoD
DevSecOps for the DoDDevSecOps for the DoD
DevSecOps for the DoD
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOps
 
10 things to get right for successful dev secops
10 things to get right for successful dev secops10 things to get right for successful dev secops
10 things to get right for successful dev secops
 
Release Your Inner DevSecOp
Release Your Inner DevSecOpRelease Your Inner DevSecOp
Release Your Inner DevSecOp
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
 
Barriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome ThemBarriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome Them
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss Banking
 
Automating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOpsAutomating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOps
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOps
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 

Similar to Scale DevSecOps with your Continuous Integration Pipeline

Enterprise DevOps Series: Using VS Code & Zowe
Enterprise DevOps Series: Using VS Code & ZoweEnterprise DevOps Series: Using VS Code & Zowe
Enterprise DevOps Series: Using VS Code & Zowe
DevOps.com
 
How to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspectiveHow to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspective
Colin Domoney
 
Testing 12-Factor Apps
Testing 12-Factor AppsTesting 12-Factor Apps
Testing 12-Factor Apps
Phillip Marlow
 
Deploy Code into Production Faster on Kubernetes
Deploy Code into Production Faster on KubernetesDeploy Code into Production Faster on Kubernetes
Deploy Code into Production Faster on Kubernetes
VMware Tanzu
 
DevOps: Security's Big Opportunity
DevOps: Security's Big OpportunityDevOps: Security's Big Opportunity
DevOps: Security's Big Opportunity
Timothy Jarrett
 
AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...
AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...
AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...
AWS User Group - Thailand
 
How to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspectiveHow to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspective
Colin Domoney
 
Your Resolution for 2018: Five Principles For Securing DevOps
Your Resolution for 2018: Five Principles For Securing DevOpsYour Resolution for 2018: Five Principles For Securing DevOps
Your Resolution for 2018: Five Principles For Securing DevOps
DevOps.com
 
Integrate Security and Compliance into your CI/CD Pipeline
Integrate Security and Compliance into your CI/CD PipelineIntegrate Security and Compliance into your CI/CD Pipeline
Integrate Security and Compliance into your CI/CD Pipeline
DevOps Indonesia
 
Shift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINXShift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINX
NGINX, Inc.
 
Scaling AppSec through Education
Scaling AppSec through EducationScaling AppSec through Education
Scaling AppSec through Education
Grant Ongers
 
Tanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishTanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - English
VMware Tanzu
 
Virtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVirtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - English
VMware Tanzu
 
CA - Entrega Continua
CA - Entrega ContinuaCA - Entrega Continua
CA - Entrega Continua
Software Guru
 
Upmc tpdev5
Upmc tpdev5Upmc tpdev5
Upmc tpdev5
Jean-Yves Rigolet
 
Scale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBeesScale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBees
Deborah Schalm
 
Scale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBeesScale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBees
DevOps.com
 
Embrace DevSecOps and Enjoy a Significant Competitive Advantage!
Embrace DevSecOps and Enjoy a Significant Competitive Advantage!Embrace DevSecOps and Enjoy a Significant Competitive Advantage!
Embrace DevSecOps and Enjoy a Significant Competitive Advantage!
DevOps.com
 
IBM Pulse session 2727: Continuous delivery -accelerated with DevOps
IBM Pulse session 2727: Continuous delivery -accelerated with DevOpsIBM Pulse session 2727: Continuous delivery -accelerated with DevOps
IBM Pulse session 2727: Continuous delivery -accelerated with DevOpsSanjeev Sharma
 
Full Spectrum Engineering – The New Full-stack
Full Spectrum Engineering – The New Full-stack Full Spectrum Engineering – The New Full-stack
Full Spectrum Engineering – The New Full-stack
Deborah Schalm
 

Similar to Scale DevSecOps with your Continuous Integration Pipeline (20)

Enterprise DevOps Series: Using VS Code & Zowe
Enterprise DevOps Series: Using VS Code & ZoweEnterprise DevOps Series: Using VS Code & Zowe
Enterprise DevOps Series: Using VS Code & Zowe
 
How to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspectiveHow to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspective
 
Testing 12-Factor Apps
Testing 12-Factor AppsTesting 12-Factor Apps
Testing 12-Factor Apps
 
Deploy Code into Production Faster on Kubernetes
Deploy Code into Production Faster on KubernetesDeploy Code into Production Faster on Kubernetes
Deploy Code into Production Faster on Kubernetes
 
DevOps: Security's Big Opportunity
DevOps: Security's Big OpportunityDevOps: Security's Big Opportunity
DevOps: Security's Big Opportunity
 
AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...
AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...
AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...
 
How to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspectiveHow to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspective
 
Your Resolution for 2018: Five Principles For Securing DevOps
Your Resolution for 2018: Five Principles For Securing DevOpsYour Resolution for 2018: Five Principles For Securing DevOps
Your Resolution for 2018: Five Principles For Securing DevOps
 
Integrate Security and Compliance into your CI/CD Pipeline
Integrate Security and Compliance into your CI/CD PipelineIntegrate Security and Compliance into your CI/CD Pipeline
Integrate Security and Compliance into your CI/CD Pipeline
 
Shift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINXShift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINX
 
Scaling AppSec through Education
Scaling AppSec through EducationScaling AppSec through Education
Scaling AppSec through Education
 
Tanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishTanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - English
 
Virtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVirtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - English
 
CA - Entrega Continua
CA - Entrega ContinuaCA - Entrega Continua
CA - Entrega Continua
 
Upmc tpdev5
Upmc tpdev5Upmc tpdev5
Upmc tpdev5
 
Scale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBeesScale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBees
 
Scale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBeesScale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBees
 
Embrace DevSecOps and Enjoy a Significant Competitive Advantage!
Embrace DevSecOps and Enjoy a Significant Competitive Advantage!Embrace DevSecOps and Enjoy a Significant Competitive Advantage!
Embrace DevSecOps and Enjoy a Significant Competitive Advantage!
 
IBM Pulse session 2727: Continuous delivery -accelerated with DevOps
IBM Pulse session 2727: Continuous delivery -accelerated with DevOpsIBM Pulse session 2727: Continuous delivery -accelerated with DevOps
IBM Pulse session 2727: Continuous delivery -accelerated with DevOps
 
Full Spectrum Engineering – The New Full-stack
Full Spectrum Engineering – The New Full-stack Full Spectrum Engineering – The New Full-stack
Full Spectrum Engineering – The New Full-stack
 

More from DevOps.com

Modernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source SoftwareModernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source Software
DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
Next Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and SnykNext Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and Snyk
DevOps.com
 
Vulnerability Discovery in the Cloud
Vulnerability Discovery in the CloudVulnerability Discovery in the Cloud
Vulnerability Discovery in the Cloud
DevOps.com
 
2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions
DevOps.com
 
A New Year’s Ransomware Resolution
A New Year’s Ransomware ResolutionA New Year’s Ransomware Resolution
A New Year’s Ransomware Resolution
DevOps.com
 
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
DevOps.com
 
Don't Panic! Effective Incident Response
Don't Panic! Effective Incident ResponseDon't Panic! Effective Incident Response
Don't Panic! Effective Incident Response
DevOps.com
 
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's CultureCreating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
DevOps.com
 
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with TeleportRole Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
DevOps.com
 
Monitoring Serverless Applications with Datadog
Monitoring Serverless Applications with DatadogMonitoring Serverless Applications with Datadog
Monitoring Serverless Applications with Datadog
DevOps.com
 
Deliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or PrivatelyDeliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or Privately
DevOps.com
 
Securing medical apps in the age of covid final
Securing medical apps in the age of covid finalSecuring medical apps in the age of covid final
Securing medical apps in the age of covid final
DevOps.com
 
How to Build a Healthy On-Call Culture
How to Build a Healthy On-Call CultureHow to Build a Healthy On-Call Culture
How to Build a Healthy On-Call Culture
DevOps.com
 
The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021
DevOps.com
 
Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?
DevOps.com
 
Secure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift EnvironmentsSecure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift Environments
DevOps.com
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
DevOps.com
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
DevOps.com
 

More from DevOps.com (20)

Modernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source SoftwareModernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source Software
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
 
Next Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and SnykNext Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and Snyk
 
Vulnerability Discovery in the Cloud
Vulnerability Discovery in the CloudVulnerability Discovery in the Cloud
Vulnerability Discovery in the Cloud
 
2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions
 
A New Year’s Ransomware Resolution
A New Year’s Ransomware ResolutionA New Year’s Ransomware Resolution
A New Year’s Ransomware Resolution
 
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
 
Don't Panic! Effective Incident Response
Don't Panic! Effective Incident ResponseDon't Panic! Effective Incident Response
Don't Panic! Effective Incident Response
 
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's CultureCreating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
 
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with TeleportRole Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
 
Monitoring Serverless Applications with Datadog
Monitoring Serverless Applications with DatadogMonitoring Serverless Applications with Datadog
Monitoring Serverless Applications with Datadog
 
Deliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or PrivatelyDeliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or Privately
 
Securing medical apps in the age of covid final
Securing medical apps in the age of covid finalSecuring medical apps in the age of covid final
Securing medical apps in the age of covid final
 
How to Build a Healthy On-Call Culture
How to Build a Healthy On-Call CultureHow to Build a Healthy On-Call Culture
How to Build a Healthy On-Call Culture
 
The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021
 
Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?
 
Secure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift EnvironmentsSecure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift Environments
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
 

Recently uploaded

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 

Recently uploaded (20)

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 

Scale DevSecOps with your Continuous Integration Pipeline

  • 1. © 2019 VERACODE INC.1 © 2019 VERACODE INC. Scale DevSecOps with your Continuous Integration Pipeline Presented by DevOps.com and Veracode
  • 2. © 2019 VERACODE INC.2 Today’s Presenters Janet Worthington Principal Product Manager Vineeta Puranik Vice President of Engineering and Operations
  • 3. © 2019 VERACODE INC.3 Audience Poll What is your role on the team? • Developer • Developer in Test • Security • DevOps • Manager
  • 4. © 2019 VERACODE INC.4 What is Dev(Sec)Ops? • “DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.” • “DevOps is also characterized by operations staff using many of the same techniques as developers for their systems work.” Source : ‘What Is DevOps?’ 2010. The Agile Admin. August 2. https://theagileadmin.com/what-is-devops/
  • 5. © 2019 VERACODE INC.5 DevSecOps: Shift in culture Dev Sec Ops Work in small batches Automate when possible Security controls: automate Trust: Safe to fail Fast delivery to customers Collaborate Feedback Learn
  • 6. © 2019 VERACODE INC.6 Metrics to measure Source: DORA: 2018 State of DevOps Report
  • 7. © 2019 VERACODE INC.7 DevOps allows teams to deploy code daily/hourly, reduce lead time for changes, reduce time to restore service and minimize the impact of new changes on production. Source: DORA: 2018 State of DevOps Report
  • 8. © 2019 VERACODE INC.8 Work Flow cycle: Agile Development Team • Dev, QA, IT, Ops, UX, Security – cross functional teams collaborate to achieve common organizational goal • Less friction, more velocity – Work flows smoothly through entire value stream to customer • Plan, code, Test – Agile – Modular – Automate • Small continuous deploys • Infrastructure as code Recommended book DevOps Handbook by Gene Kim
  • 9. © 2019 VERACODE INC.9 Software Deployment CICD • Promote code early and often Test early and often, including security issues • Continuous integration, builds, and tests • Fast and reliable automation test suites • Package once, deploy anywhere • Canary or blue green deployments
  • 10. © 2019 VERACODE INC.10 Software Availability: Operations • Monitoring- server, app performance • Continuous Feedback, Learning • Experiment: Fail fast; learn fast • Testing Operations Security – everyone’s job everyday • Increased awareness of production issues
  • 11. © 2019 VERACODE INC.11 DevSecOps Best Practices Source: Veracode: The Developer’s Guide to the DevSecOps Galaxy
  • 12. © 2019 VERACODE INC.12 Benefits of DevSecOps for Developers Source: Stripe: The Developer Coefficient, Sept 2018 Source: Puppet: 2016 State of DevOps Report
  • 13. © 2019 VERACODE INC.13 Source: Veracode: State of Software Security Volume 9
  • 14. © 2019 VERACODE INC.14 Security Throughout The Lifecycle Static Policy Speed & Prevention Coverage & Remediation Is the Application Secure? Is My Code Secure? Is Our Combined Code Secure? Static SandboxGreenlight JAVA JAVA
  • 15. © 2019 VERACODE INC.15 Greenlight Helps developers answer the question – “Is my code good?” Continuous Flaw Feedback Fast, Early, Focused scans of code that a developer is currently working on Secure Coding Education Remediation guidance provided directly to the Developer to assist with quick fixes  Reduce the number of flaws entered into downstream activities  Maintain development velocity  Improve adoption with tools that work the way developers expect them to
  • 16. © 2019 VERACODE INC.16 Greenlight Where You Want It IDE Build CI RAD
  • 17. © 2019 VERACODE INC.17 Code Code Continuous Testing Pipeline Functional Tests / Integration Tests / Performance Tests + Static Sandbox DevSecOps: Scan Early, Scan Often Continuous Integration Pipeline Build / Unit Test / Code Quality / Code Review + Greenlight API Continuous Delivery Pipeline Stage/ UAT/ Final Validation / Deploy + Static Policy Continuous Development Code / Compile / Debug / Unit Test / Commit + Greenlight IDE
  • 18. © 2019 VERACODE INC.18 CI CD Workflow Example
  • 19. © 2019 VERACODE INC.19 Continuous Integration Pipelines
  • 20. © 2019 VERACODE INC.20 Dev Env: Write, Commit and Push
  • 21. © 2019 VERACODE INC.21 Feature Branch Pipeline: Failed scan new/changed files Greenlight
  • 22. © 2019 VERACODE INC.22 Greenlight Scan: Summary Results
  • 23. © 2019 VERACODE INC.23 Greenlight JSON Results Archive Greenlight results JSON file with scan details is archived to: gl-scanner-java_<projectref-commithash>_greenlight-results.zip
  • 24. © 2019 VERACODE INC.24 Dev Env: Fix, Commit and Push
  • 25. © 2019 VERACODE INC.25 Feature Branch Pipeline: Success Greenlight scan new/changed files
  • 26. © 2019 VERACODE INC.26 Feature Branch: Merge Request
  • 27. © 2019 VERACODE INC.27 Feature Branch: Merge Approval
  • 28. © 2019 VERACODE INC.28 Continuous Integration Succeeds, Continuous Test Triggered Tag for Release
  • 29. © 2019 VERACODE INC.29 Continuous Test Succeeds & Continuous Delivery Triggered Veracode Static Scan Project Deploy
  • 30. © 2019 VERACODE INC.30 Pipeline Configuration Code .gitlab-ci.yml Greenlight CI Tool
  • 31. © 2019 VERACODE INC.31 DevSecOps Examples
  • 32. © 2019 VERACODE INC.32 Veracode integrated into pipeline. Greenlight stage runs after Code Quality testing. Veracode Static Scan is run on a nightly scheduled pipeline. Example#1: Veracode in CI/CD Pipeline
  • 33. © 2019 VERACODE INC.33 Veracode integrated into pipeline. The Veracode stage executes Greenlight on feature or dev branch. On a master branch, the Veracode Stage uploads the whole application to Static. Example#2: Veracode in CI/CD Pipeline
  • 35. © 2019 VERACODE INC.35 DevSecOps Resources Kim, Gene, Patrick Debois, and John Willis. 2016. The Devops Handbook: How to Create World- Class Agility, Reliability, and Security in Technology Organizations Veracode Helps Developers Find Security Flaws Faster Using AWS. 2017. AWS. https://aws.amazon.com/sol utions/case- studies/veracode/ State of Software Security. Volume 9. Veracode. https://www.veracode.com /state-of-software-security- report The Developers Guide To The DevSecOps Galaxy. 2017. Veracode. https://info.veracode.com /guide-developers-to- devsecops-galaxy.html ‘2018 Accelerate: State of DevOps Report’. 2018. Dora. https://cloudplatformonline. com/rs/248-TPC- 286/images/DORA- State%20of%20DevOps.pdf
  • 36. © 2019 VERACODE INC.36 Thank You