© 2019 VERACODE INC.
Scale DevSecOps with your Continuous Integration Pipeline
Presented by DevOps.com and Veracode
© 2019 VERACODE INC.2
Today’s Presenters
Janet Worthington
Principal Product Manager
Vineeta Puranik
Vice President of Engineering and Operations
Audience Poll
What is your role on the team?
• Developer
• Developer in Test
• Security
• DevOps
• Manager
What is Dev(Sec)Ops?
• “DevOps is the practice of operations and development
engineers participating together in the entire service lifecycle,
from design through the development process to production
support.”
• “DevOps is also characterized by operations staff using many of
the same techniques as developers for their systems work.”
Source: ‘What Is DevOps?’ 2010. The Agile Admin. August 2. https://theagileadmin.com/what-is-devops/
DevSecOps: Shift in culture
Dev + Sec + Ops
• Work in small batches
• Automate when possible
• Security controls: automate
• Trust: safe to fail
• Fast delivery to customers
• Collaborate
• Feedback
• Learn
Metrics to measure
Source: DORA: 2018 State of DevOps Report
DevOps allows teams to deploy code daily/hourly, reduce lead time for changes, reduce time to restore service and minimize the impact of new changes on production.
Source: DORA: 2018 State of DevOps Report
Work Flow Cycle: Agile Development Team
• Dev, QA, IT, Ops, UX, Security
– cross-functional teams collaborate to achieve a common organizational goal
• Less friction, more velocity
– work flows smoothly through the entire value stream to the customer
• Plan, Code, Test
– Agile
– Modular
– Automate
• Small continuous deploys
• Infrastructure as code
Recommended book: The DevOps Handbook by Gene Kim
Software Deployment: CI/CD
• Promote code early and often
• Test early and often, including for security issues
• Continuous integration, builds, and tests
• Fast and reliable automated test suites
• Package once, deploy anywhere
• Canary or blue/green deployments
Software Availability: Operations
• Monitoring: server and application performance
• Continuous feedback and learning
• Experiment: fail fast, learn fast
• Testing operations security
– everyone's job, every day
• Increased awareness of production issues
DevSecOps Best Practices
Source: Veracode: The Developer’s Guide to the DevSecOps Galaxy
Benefits of DevSecOps for Developers
Source: Stripe: The Developer Coefficient, Sept 2018
Source: Puppet: 2016 State of DevOps Report
Source: Veracode: State of Software Security Volume 9
Security Throughout The Lifecycle
(figure: three scan types across the lifecycle, from speed & prevention on the left to coverage & remediation on the right)
• Greenlight: "Is my code secure?" (speed & prevention)
• Static Sandbox: "Is our combined code secure?"
• Static Policy: "Is the application secure?" (coverage & remediation)
Greenlight
Helps developers answer the question: "Is my code good?"
Continuous Flaw Feedback: fast, early, focused scans of the code a developer is currently working on
Secure Coding Education: remediation guidance provided directly to the developer to assist with quick fixes
• Reduce the number of flaws entering downstream activities
• Maintain development velocity
• Improve adoption with tools that work the way developers expect them to
Greenlight Where You Want It
• IDE
• Build
• CI
• RAD
DevSecOps: Scan Early, Scan Often
• Continuous Development: Code / Compile / Debug / Unit Test / Commit + Greenlight IDE
• Continuous Integration Pipeline: Build / Unit Test / Code Quality / Code Review + Greenlight API
• Continuous Testing Pipeline: Functional Tests / Integration Tests / Performance Tests + Static Sandbox
• Continuous Delivery Pipeline: Stage / UAT / Final Validation / Deploy + Static Policy
CI → CD Workflow Example
Continuous Integration Pipelines
Dev Env: Write, Commit and Push
Feature Branch Pipeline: Failed
Greenlight: scan new/changed files
Greenlight Scan: Summary Results
Greenlight JSON Results Archive
The Greenlight results JSON file with scan details is archived to:
gl-scanner-java_<projectref-commithash>_greenlight-results.zip
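The archive named above is what a downstream job opens to decide whether the pipeline may continue. The script below is an added example written for this page, not code from the deck or from the Greenlight tool: it reads the results zip in memory, applies a severity threshold, and suppresses flaws already present in a baseline scan so that a feature branch fails only on what it introduced. The JSON layout (a `findings` list whose items carry `severity`, `cwe_id`, `issue_type` and `files.source_file`), the sample findings and the baseline are all assumptions constructed for illustration; check the field names against the scanner's real output before relying on them.

```python
"""Fail a CI job on new high-severity Greenlight findings.

Added example; not code from the Veracode deck or the Greenlight tool.
The archive name follows the slide. The JSON layout inside the zip (a
top-level "findings" list whose items carry "severity", "cwe_id",
"issue_type" and "files" -> "source_file" -> "file"/"line") is an ASSUMPTION
made for illustration and must be checked against the scanner's real output.
"""
import io
import json
import sys
import zipfile
from typing import List, Optional, Tuple

# Veracode severity scale, highest first.
SEVERITY_NAMES = {5: "Very High", 4: "High", 3: "Medium", 2: "Low", 1: "Very Low", 0: "Informational"}


def load_results(archive_bytes: bytes) -> dict:
    """Open the results zip in memory and parse its single JSON member."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        members = [n for n in zf.namelist() if n.endswith(".json")]
        if len(members) != 1:
            raise ValueError(f"expected exactly one JSON member, found {members}")
        return json.loads(zf.read(members[0]).decode("utf-8"))


def fingerprint(finding: dict) -> Tuple[str, str, str]:
    """Identity of a flaw that survives unrelated edits: CWE, issue type and
    file. The line number is deliberately left out, because inserting a line
    above a flaw would otherwise make it look "new" on every scan."""
    src = finding["files"]["source_file"]
    return (str(finding["cwe_id"]), finding["issue_type"], src["file"])


def gate(results: dict, min_severity: int = 4, baseline: Optional[dict] = None) -> Tuple[bool, List[dict]]:
    """Return (passed, blocking_findings).

    A finding blocks the build when its severity is >= min_severity (default:
    High and above) and it is not already known from a baseline scan, so a
    feature-branch pipeline fails only on flaws introduced by the change set.
    """
    known = {fingerprint(f) for f in baseline.get("findings", [])} if baseline else set()
    blocking = [
        f for f in results.get("findings", [])
        if int(f["severity"]) >= min_severity and fingerprint(f) not in known
    ]
    return (not blocking, blocking)


def format_report(blocking: List[dict]) -> str:
    """One line per blocking finding, worst first, with a file:line a developer can jump to."""
    lines = []
    for f in sorted(blocking, key=lambda x: -int(x["severity"])):
        src = f["files"]["source_file"]
        lines.append(f"{SEVERITY_NAMES[int(f['severity'])]:<9} CWE-{f['cwe_id']} {f['issue_type']} "
                     f"at {src['file']}:{src['line']}")
    return "\n".join(lines)


def build_sample_archive(findings: List[dict]) -> bytes:
    """CONSTRUCTED sample archive standing in for
    gl-scanner-java_<projectref-commithash>_greenlight-results.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("greenlight-results.json", json.dumps({"findings": findings}))
    return buf.getvalue()


def _finding(severity, cwe, issue, path, line):
    return {"severity": severity, "cwe_id": cwe, "issue_type": issue,
            "files": {"source_file": {"file": path, "line": line}}}


# Constructed findings for a feature branch; paths and CWEs are illustrative only.
SAMPLE_FINDINGS = [
    _finding(5, 89, "SQL Injection", "src/main/java/com/example/UserDao.java", 42),
    _finding(4, 78, "OS Command Injection", "src/main/java/com/example/Exec.java", 17),
    _finding(3, 117, "Improper Output Neutralization for Logs", "src/main/java/com/example/Audit.java", 88),
]
# Constructed baseline (last scan of master): the Exec.java flaw already existed there.
BASELINE = {"findings": [_finding(4, 78, "OS Command Injection", "src/main/java/com/example/Exec.java", 12)]}


def main(argv: List[str]) -> int:
    """Usage: gate.py RESULTS.zip [BASELINE.json] [MIN_SEVERITY]; exit status 1 fails the job."""
    results = load_results(open(argv[1], "rb").read())
    baseline = json.load(open(argv[2])) if len(argv) > 2 else None
    min_sev = int(argv[3]) if len(argv) > 3 else 4
    passed, blocking = gate(results, min_sev, baseline)
    print(format_report(blocking) if blocking else "no blocking findings")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the last command of the Greenlight job with the archive path; a non-zero exit fails the job, which is what blocks the merge request in the feature-branch pipeline shown earlier. Keying the baseline on CWE, issue type and file rather than line number is a deliberate trade-off: it stops line shifts from resurrecting "new" flaws, at the cost of hiding a second instance of the same flaw type in the same file.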
Dev Env: Fix, Commit and Push
Feature Branch Pipeline: Success
Greenlight: scan new/changed files
Feature Branch: Merge Request
Feature Branch: Merge Approval
Continuous Integration Succeeds, Continuous Test Triggered
Tag for Release
Continuous Test Succeeds & Continuous Delivery Triggered
Stages: Veracode Static Scan Project, Deploy
Pipeline Configuration Code: .gitlab-ci.yml
Greenlight CI Tool
DevSecOps Examples
Example #1: Veracode in CI/CD Pipeline
Veracode integrated into the pipeline. The Greenlight stage runs after Code Quality testing. The Veracode Static Scan runs on a nightly scheduled pipeline.
Example #2: Veracode in CI/CD Pipeline
Veracode integrated into the pipeline. The Veracode stage executes Greenlight on a feature or dev branch. On the master branch, the Veracode stage uploads the whole application to Static.
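Both examples reduce to one routing decision in the security stage: which scan runs depends on the branch and on what triggered the pipeline. The script below is an added example written for this page, not the deck's `.gitlab-ci.yml` and not Veracode's tooling. It reads GitLab's predefined variables `CI_PIPELINE_SOURCE`, `CI_COMMIT_REF_NAME`, `CI_COMMIT_BEFORE_SHA` and `CI_COMMIT_SHA`, computes the new/changed files with `git diff`, and hands them to a scanner command; the scanner command names and flags (`greenlight-scan`, `veracode-static-upload`) are hypothetical placeholders, since the real invocation is not on the slides.

```python
"""Choose the security scan for a GitLab CI job from branch and trigger.

Added example; not the deck's .gitlab-ci.yml and not Veracode's tooling.
CI_COMMIT_REF_NAME, CI_PIPELINE_SOURCE, CI_COMMIT_BEFORE_SHA and
CI_COMMIT_SHA are GitLab's predefined variables. The command lines returned
by build_scan_command are PLACEHOLDERS (hypothetical names and flags), because
the real Greenlight/Static CLI invocation is not shown on the slides.
"""
import os
import subprocess
import sys
from typing import Dict, List, Tuple

GREENLIGHT = "greenlight"        # fast scan of new/changed files (feature/dev branches)
STATIC_POLICY = "static-policy"  # whole-application upload (release branch, nightly schedule)
NULL_SHA = "0" * 40              # value GitLab puts in CI_COMMIT_BEFORE_SHA when there is no previous commit


def select_scan_mode(env: Dict[str, str], release_branch: str = "master") -> str:
    """Example #1: a scheduled (nightly) pipeline runs the full static scan.
    Example #2: pushes to the release branch upload the whole application;
    every other branch gets the incremental Greenlight scan."""
    if env.get("CI_PIPELINE_SOURCE") == "schedule":
        return STATIC_POLICY
    if env.get("CI_COMMIT_REF_NAME") == release_branch:
        return STATIC_POLICY
    return GREENLIGHT


def diff_range(env: Dict[str, str], release_branch: str = "master") -> str:
    """Commit range whose added/modified files should be scanned.

    On the first push of a new branch GitLab sets CI_COMMIT_BEFORE_SHA to all
    zeros; compare against the release branch instead. The three-dot form
    diffs from the merge base, so only this branch's own changes are listed
    (origin/<release_branch> must have been fetched in the job)."""
    before = env.get("CI_COMMIT_BEFORE_SHA", NULL_SHA)
    head = env.get("CI_COMMIT_SHA", "HEAD")
    if before == NULL_SHA:
        before = f"origin/{release_branch}"
    return f"{before}...{head}"


def changed_source_files(diff_output: str, suffixes: Tuple[str, ...] = (".java",)) -> List[str]:
    """Filter `git diff --name-only --diff-filter=AMR <range>` output down to
    source files. --diff-filter=AMR drops deleted files (nothing left to scan);
    this filter drops non-source paths such as README or build files."""
    names = {line.strip() for line in diff_output.splitlines() if line.strip()}
    return sorted(n for n in names if n.endswith(suffixes))


def build_scan_command(mode: str, files: List[str]) -> List[str]:
    """Placeholder scanner invocations (HYPOTHETICAL names and flags)."""
    if mode == STATIC_POLICY:
        return ["veracode-static-upload", "--app", "target/app.war"]
    if not files:
        return []                      # nothing changed that is worth scanning: skip the scan
    return ["greenlight-scan", "--files", *files]


def main() -> int:
    env = dict(os.environ)
    mode = select_scan_mode(env)
    files: List[str] = []
    if mode == GREENLIGHT:
        out = subprocess.run(["git", "diff", "--name-only", "--diff-filter=AMR", diff_range(env)],
                             check=True, capture_output=True, text=True).stdout
        files = changed_source_files(out)
    cmd = build_scan_command(mode, files)
    if not cmd:
        print("no source changes; skipping scan")
        return 0
    print("running:", " ".join(cmd))
    return subprocess.run(cmd).returncode   # a non-zero scanner exit fails the job


if __name__ == "__main__":
    sys.exit(main())
```

Call it from the `script:` of the Veracode stage, with `GIT_DEPTH` large enough (or an explicit `git fetch origin master`) for the merge-base diff to resolve; the three-dot range keeps a long-lived feature branch from rescanning unrelated master changes. Skipping the scan when no source file changed keeps documentation-only commits fast, but that shortcut applies only to feature branches: the release branch and the nightly schedule always scan the whole application.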
DevSecOps Resources
• Kim, Gene, Patrick Debois, and John Willis. 2016. The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations.
• Veracode Helps Developers Find Security Flaws Faster Using AWS. 2017. AWS. https://aws.amazon.com/solutions/case-studies/veracode/
• State of Software Security. Volume 9. Veracode. https://www.veracode.com/state-of-software-security-report
• The Developer's Guide To The DevSecOps Galaxy. 2017. Veracode. https://info.veracode.com/guide-developers-to-devsecops-galaxy.html
• ‘2018 Accelerate: State of DevOps Report’. 2018. DORA. https://cloudplatformonline.com/rs/248-TPC-286/images/DORA-State%20of%20DevOps.pdf
Thank You
