Stefan Streichsbier, profile picture
Uploaded byStefan Streichsbier
171 views

The Future of DevSecOps

The document discusses the evolution of DevSecOps, focusing on historical milestones in security practices and the current challenges faced in integrating security within software development. It highlights the need for smarter, more unified security tools that can automate vulnerability detection and remediation while being accessible to developers. The future envisions all-in-one security solutions that seamlessly integrate into development workflows, enhancing continuous verification and reducing the complexity of security management.

Embed presentation

Downloaded 18 times
www.guardrails.ioStefan StreichsbierVersion 1.2 (11-20) The Future of DevSecOps
Stefan Streichsbier @s_streichsbier Actively involved in building the Dev(Sec)Ops community (Events/Author) Identified severe shortcomings in security processes and technologies Background Previously professional white-hat hacker Founder of GuardRails.io
The Present Do not dwell in the past, do not dream of the future, concentrate the mind on the present moment. - Buddha
The talk is split into three segments: 1. The past: Ride down memory lane 2. The present: Where things are at today 3. The future: Take a look into the crystal ball Agenda
The Past “To understand the future ... we have to understand the past.” - Carl Sagan
1760-1830 1870-1914 1947-1989 1990-2020 2021-... Revolution #1 ● New manufacturing processes ● Hand production to machines ● Use of steam and water power ● Rise of population and cities Revolution #2 ● New steel making processes ● Mass production/assembly lines ● Electrical grid systems ● Telephones Revolution #3/1 ● Use of digital logic (MOS transistors) ● 1985: Waterfall methodology ● 1989: Invention of the Internet ● Rise of home computers (15%) Revolution #3/2 ● 1990: First web browser (pictures) ● 1994: First online banking ● 2001: Agile, 2009: DevOps ● 60% access to Internet Revolution #4 ● Merging physical, digital, and biological worlds ● Quantum Computing ● Robotics ● Artificial Intelligence The industrial revolutions
Focus on Applications ● DevOps ● Containers ● Smart Everything (IoT) ● Rust, Kotlin, Elixir, Swift 1990-1999 ● Waterfall ● Public access to the Internet ● Personal computers ● Java, Python, Ruby, JavaScript1990-1999 ● 1991: First version of AntiVirus ● 1994: Hack $10 million from Citibank ● 1995: Arrest of Kevin Mitnick ● 1996: Smashing the stack for fun and profit ● 1999: Hundreds of advisories for Windows 2000-2009 ● Agile ● Cloud Computing ● Smart phones ● C#, Scala, PowerShell, Go 2010-2020 2000-2009 ● 2001: Code Red Worm ● 2003: First Static Analysis Tools ● 2004: Microsoft SDL Version 1 ● 2006/8: Building Security In/BSIMM ● 2009: Conficker Worm 2010-2020 ● 2010: Operation Aurora/Stuxnet ● 2013: 65M records hacked from Tumblr ● 2016: $101M stolen from Bangladesh Bank ● 2017+: Data breaches Equifax, LinkedIn, ... 01 02 03 04 05 06 Security vs. Software Focus on Operating System Focus on Network Services
Present State: Software Engineering A lot has happened in the past and software development has evolved by leveraging the principles of lean manufacturing and iterative & incremental software processes. ● Slow release cycles (quarters) ● Manual Deployments ● Only code is version controlled ● Strict separation of teams (dev/ops/sec) ● Monolithic Architecture ● Lack of visibility ● Fast release cycles (<days) ● Automatic CI/CD Pipelines ● Everything is version controlled (IaC, etc) ● Cross functional teams (dev/ops/sec) ● Microservice Architecture ● Full Stack Visibility
Present State: Security Engineering Security has evolved a lot as well from existing security testing techniques, to the required skills, to the mindset of how security can support the business. ● Department of No ● One-off security scans ● Security test at the end ● Waiting for issue reports ● Pentesting mindset ● Business Enabler ● Continuous security scanning ● Upfront security analysis ● Proactive vulnerability detection ● Security Engineering mindset
Present State: Challenges Feedback Time Many existing security tools take a long time to scan and as such can’t easily be implemented in CI/CD pipelines. Nightly scans are still a thing. Find vs Fix The main problem is that most applications (especially legacy ones), have many security vulnerabilities when they first get tested. Knowing that there are vulns is good, but fixing them would take a lot of time. Fragmentation Many solutions out there only provide part of the picture, which results in needing different dashboards and unify different data sources to get actionable visibility. Which is a pain for managers, security engineers, and developers. Security Noise Security tools are traditionally designed for security engineers and as such aim to provide a lot of results to catch anything that’s possibly a vulnerability. Which causes a lot of noise and tends to result in outputs being ignored. Integration Many existing tools work stand alone and don’t integrate well into the development workflows. Dropping tools into a CI/CD pipeline, takes a lot of effort to maintain and rollout org-wide and is typically not enough. Testing Techniques There are a lot of security testing techniques available these days. SAST. SCA, CCA, DAST, IAST, RASP, VA, Cloud it is very difficult for organizations to understand what these do and how to use them.
There are several tools out there now completely open source, that in some cases even outperform some existing enterprise security solutions. It is easier to develop tools now than 15 years ago. Harder to justify the price. Many of the “leading” software security tools have been founded over 15 years ago, and a lot of intellectual property has been created for a different era. Legacy IP Present State: Inconvenient Truths Acquisition Grown Increased Pressure Wrong Audience Most security companies have started with one scanning technique and then with success acquired more companies with more techniques, which have been patched together. The traditional software security tools have been developed for security experts, are difficult to use, very noisy and often hard to use in CI/CD pipelines.
Present State: A Ray of Hope? https://twitter.com/dcuthbert/status/1286226224172404738?s=20
The promise ● Simple, customizable, and fast static analysis tool for finding bugs ● Runs offline on uncompiled code in CI, at pre-commit, or in the editor ● Company and community backed The idea is indeed interesting, create a kind of smart grep that allows you to create rules in an easy way, then open it up for the community, et voila. SAST for everyone. Suddenly much of the IP of these “dinosaurs” has lost a lot of value, because now there is a good solution that’s available for free. Present State: CodeQL & SemGrep A Silver Bullet? ● Many concerns not addressed by this ○ Other security testing techniques ○ Curation of rules ○ Rollout and Orchestration Let’s say a perfect SAST solution is available for everyone, would that solve all problems? One of the main issues remains: Find vs. Fix
The Future There comes a point where we need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in. - Bishop Desmond Tutu
Goals that need to be achieved ● Smart Security Scanning ● Unify all security testing techniques ● Native Integration ● Continuous Verification ● Auto-fixing of issues ● Security for developers ● Security available for all
Smart Security Scanning Data science is eating the world ● Rules are a great foundation ○ Leverage crowd to mark issues ● Findings data-set has to be verified ○ Leverage crowd to verify issues ● Identify issues by “understanding code” ○ With high levels of accuracy
All in One Stand on the shoulders of giants ● Adding a layer of abstraction ○ True tight unification of all solutions ● Ability to cross reference issues ○ Based on different scanning techniques ● Central Storage of all data ○ Used for data science
Native integration DevSecOps Native ● Tools should understand all events ○ Code, Runtime, Infrastructure ● No more pipelines that do different things ○ Standardized and fully managed ● Vulnerability lifecycle has to be clear ○ Created, changed, fixed, re-introduced
Continuous verification Scanning is not enough ● Continuously ensure a known safe state ○ Covering all security aspects ● Continuous verification against standards ○ PCI, HIPAA, ASVS, etc ● Provide instant security feedback ○ Whenever anything fails
Auto-Fixing Vulnerabilities Finding is not enough ● Even finding and fixing all new issues ○ Doesn’t really reduce the risk ● Real labor is fixing all issues ○ For each vulnerability class ● Implement controls to prevent it in the future ○ Thus sustainably eradicating issues Auto-fixing at scale ● Provide just in time training on the issue ○ Leverage gamification to fix more issues ● Leverage data science to fix issues ○ Can be a hybrid approach ● Rely on secure by default frameworks ○ Over others that are less opinionated
Empower Developers Focus on the right audience ● Standardize security issues ○ Which ones are important and why ● Focus on the right risk context ○ Security risk is not equal for every app ● Make it easy to understand and fix issues ○ Shouldn’t take a security PhD to get it
Security For All Make Security Accessible ● There is no security training in schools ○ Should take civil engineering approach ● Security is not affordable to everyone ○ Open source software vulnerabilities
The 3 Core Takeaways 01 02 03 Security Practices Security practices have evolved a lot, but overall there has not been a clear downward trend in vulnerabilities being fixed. Data Science Data science will completely change the way security is going to look in the future resulting in a paradigm shift. The Future of DevSecOps Will be a very bright one. Smart, all-in-one security testing technologies, that are tightly integrated into developer workflows will provide continuous verification, auto-fixing and be available to everyone.
Who wants a virtual goody bag? Consisting of: • GuardRails coupon code • Links to awesome security lists • Developer trainings • List of great security tools • Security Page templates • Free digital copy of my book • … and more Then send an email to: iwant@guardrails.io

More Related Content

PDF
DevSecOps in 2031: How robots and humans will secure apps together Log
byStefan Streichsbier
 
PPTX
State of DevSecOps - DevSecOpsDays 2019
byStefan Streichsbier
 
PPTX
State of DevSecOps - DevOpsDays Jakarta 2019
byStefan Streichsbier
 
PDF
The State of DevSecOps
byDevOps Indonesia
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
PPTX
Securing a great DX - DevSecOps Days Singapore 2018
byStefan Streichsbier
 
PDF
DevSecOps: Bringing security to the DevOps pipeline
byAarno Aukia
 
PDF
Dos and Don'ts of DevSecOps
byPriyanka Aash
 
DevSecOps in 2031: How robots and humans will secure apps together Log
byStefan Streichsbier
 
State of DevSecOps - DevSecOpsDays 2019
byStefan Streichsbier
 
State of DevSecOps - DevOpsDays Jakarta 2019
byStefan Streichsbier
 
The State of DevSecOps
byDevOps Indonesia
 
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
Securing a great DX - DevSecOps Days Singapore 2018
byStefan Streichsbier
 
DevSecOps: Bringing security to the DevOps pipeline
byAarno Aukia
 
Dos and Don'ts of DevSecOps
byPriyanka Aash
 

What's hot

PPTX
State of DevSecOps - GTACS 2019
byStefan Streichsbier
 
PDF
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
PPTX
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PPTX
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
byDevOps.com
 
PDF
The New Security Playbook: DevSecOps
byJames Wickett
 
PPT
DevSecOps Singapore introduction
byStefan Streichsbier
 
PDF
New Barriers of Transformation
byDevOps Indonesia
 
PPTX
A journey from dev ops to devsecops
byVeritis Group, Inc
 
PDF
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
byDevOps Indonesia
 
PDF
DevSecOps The Evolution of DevOps
byMichael Man
 
PDF
Maturing DevSecOps: From Easy to High Impact
bySBWebinars
 
PPTX
DevSecOps
byJoel Divekar
 
PPTX
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
PPTX
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
bySeniorStoryteller
 
PDF
DevSecOps - The big picture
byStefan Streichsbier
 
PPTX
Security and Mobility Co Create Week Jakarta
byStefan Streichsbier
 
PPTX
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
PDF
Take Control: Design a Complete DevSecOps Program
byDeborah Schalm
 
PDF
The Challenges of Scaling DevSecOps
byWhiteSource
 
PPTX
Secure DevOPS Implementation Guidance
byTej Luthra
 
State of DevSecOps - GTACS 2019
byStefan Streichsbier
 
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
byDevOps.com
 
The New Security Playbook: DevSecOps
byJames Wickett
 
DevSecOps Singapore introduction
byStefan Streichsbier
 
New Barriers of Transformation
byDevOps Indonesia
 
A journey from dev ops to devsecops
byVeritis Group, Inc
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
byDevOps Indonesia
 
DevSecOps The Evolution of DevOps
byMichael Man
 
Maturing DevSecOps: From Easy to High Impact
bySBWebinars
 
DevSecOps
byJoel Divekar
 
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
bySeniorStoryteller
 
DevSecOps - The big picture
byStefan Streichsbier
 
Security and Mobility Co Create Week Jakarta
byStefan Streichsbier
 
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
Take Control: Design a Complete DevSecOps Program
byDeborah Schalm
 
The Challenges of Scaling DevSecOps
byWhiteSource
 
Secure DevOPS Implementation Guidance
byTej Luthra
 

Similar to The Future of DevSecOps

PDF
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
byAlex Senkevitch
 
PDF
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
byDicodingEvent
 
PDF
AppSec in an Agile World
byDavid Lindner
 
PDF
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
byTom Stiehm
 
PPTX
Security within Scaled Agile
byMark Underwood
 
PPTX
Succeeding-Marriage-Cybersecurity-DevOps final
byrkadayam
 
PDF
Shifting Security Left - The Innovation of DevSecOps - AgileDC
byTom Stiehm
 
PDF
Shift Left Security
byBATbern
 
PDF
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
PDF
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
PDF
How to adapt the SDLC to the era of DevSecOps
byZane Lackey
 
PDF
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
byRich Mills
 
PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PPTX
How to Get Started with DevSecOps
byCYBRIC
 
PPTX
API Security: Assume Possible Interference
byJulie Tsai
 
PDF
The DevSecOps Builder’s Guide to the CI/CD Pipeline
byJames Wickett
 
PDF
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
PDF
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
PDF
DevSecOps for Developers, How To Start (ETC 2020)
byPatricia Aas
 
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
byAlex Senkevitch
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
byDicodingEvent
 
AppSec in an Agile World
byDavid Lindner
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
byTom Stiehm
 
Security within Scaled Agile
byMark Underwood
 
Succeeding-Marriage-Cybersecurity-DevOps final
byrkadayam
 
Shifting Security Left - The Innovation of DevSecOps - AgileDC
byTom Stiehm
 
Shift Left Security
byBATbern
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
How to adapt the SDLC to the era of DevSecOps
byZane Lackey
 
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
byRich Mills
 
Introduction to DevSecOps
byabhimanyubhogwan
 
How to Get Started with DevSecOps
byCYBRIC
 
API Security: Assume Possible Interference
byJulie Tsai
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
byJames Wickett
 
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
DevSecOps for Developers, How To Start (ETC 2020)
byPatricia Aas
 

More from Stefan Streichsbier

PPTX
Practical Secure Coding Workshop - {DECIPHER} Hackathon
byStefan Streichsbier
 
PPTX
Securing a great Developer Experience - v1.3
byStefan Streichsbier
 
PDF
A Tale of Three Horses - RSAC 2017 APJ - DevOps Connect: DevSecOps Edition, S...
byStefan Streichsbier
 
PPTX
Null application security in an agile world
byStefan Streichsbier
 
PDF
Application Security in an Agile World - Agile Singapore 2016
byStefan Streichsbier
 
PDF
Application Security at DevOps Speed - DevOpsDays Singapore 2016
byStefan Streichsbier
 
Practical Secure Coding Workshop - {DECIPHER} Hackathon
byStefan Streichsbier
 
Securing a great Developer Experience - v1.3
byStefan Streichsbier
 
A Tale of Three Horses - RSAC 2017 APJ - DevOps Connect: DevSecOps Edition, S...
byStefan Streichsbier
 
Null application security in an agile world
byStefan Streichsbier
 
Application Security in an Agile World - Agile Singapore 2016
byStefan Streichsbier
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
byStefan Streichsbier
 

The Future of DevSecOps

  • 1.
    www.guardrails.ioStefan StreichsbierVersion 1.2(11-20) The Future of DevSecOps
  • 2.
    Stefan Streichsbier @s_streichsbier Actively involvedin building the Dev(Sec)Ops community (Events/Author) Identified severe shortcomings in security processes and technologies Background Previously professional white-hat hacker Founder of GuardRails.io
  • 3.
    The Present Do notdwell in the past, do not dream of the future, concentrate the mind on the present moment. - Buddha
  • 4.
    The talk issplit into three segments: 1. The past: Ride down memory lane 2. The present: Where things are at today 3. The future: Take a look into the crystal ball Agenda
  • 5.
    The Past “To understandthe future ... we have to understand the past.” - Carl Sagan
  • 6.
    1760-1830 1870-1914 1947-1989 1990-2020 2021-... Revolution #1 ● Newmanufacturing processes ● Hand production to machines ● Use of steam and water power ● Rise of population and cities Revolution #2 ● New steel making processes ● Mass production/assembly lines ● Electrical grid systems ● Telephones Revolution #3/1 ● Use of digital logic (MOS transistors) ● 1985: Waterfall methodology ● 1989: Invention of the Internet ● Rise of home computers (15%) Revolution #3/2 ● 1990: First web browser (pictures) ● 1994: First online banking ● 2001: Agile, 2009: DevOps ● 60% access to Internet Revolution #4 ● Merging physical, digital, and biological worlds ● Quantum Computing ● Robotics ● Artificial Intelligence The industrial revolutions
  • 7.
    Focus on Applications ●DevOps ● Containers ● Smart Everything (IoT) ● Rust, Kotlin, Elixir, Swift 1990-1999 ● Waterfall ● Public access to the Internet ● Personal computers ● Java, Python, Ruby, JavaScript1990-1999 ● 1991: First version of AntiVirus ● 1994: Hack $10 million from Citibank ● 1995: Arrest of Kevin Mitnick ● 1996: Smashing the stack for fun and profit ● 1999: Hundreds of advisories for Windows 2000-2009 ● Agile ● Cloud Computing ● Smart phones ● C#, Scala, PowerShell, Go 2010-2020 2000-2009 ● 2001: Code Red Worm ● 2003: First Static Analysis Tools ● 2004: Microsoft SDL Version 1 ● 2006/8: Building Security In/BSIMM ● 2009: Conficker Worm 2010-2020 ● 2010: Operation Aurora/Stuxnet ● 2013: 65M records hacked from Tumblr ● 2016: $101M stolen from Bangladesh Bank ● 2017+: Data breaches Equifax, LinkedIn, ... 01 02 03 04 05 06 Security vs. Software Focus on Operating System Focus on Network Services
  • 8.
    Present State: SoftwareEngineering A lot has happened in the past and software development has evolved by leveraging the principles of lean manufacturing and iterative & incremental software processes. ● Slow release cycles (quarters) ● Manual Deployments ● Only code is version controlled ● Strict separation of teams (dev/ops/sec) ● Monolithic Architecture ● Lack of visibility ● Fast release cycles (<days) ● Automatic CI/CD Pipelines ● Everything is version controlled (IaC, etc) ● Cross functional teams (dev/ops/sec) ● Microservice Architecture ● Full Stack Visibility
  • 9.
    Present State: SecurityEngineering Security has evolved a lot as well from existing security testing techniques, to the required skills, to the mindset of how security can support the business. ● Department of No ● One-off security scans ● Security test at the end ● Waiting for issue reports ● Pentesting mindset ● Business Enabler ● Continuous security scanning ● Upfront security analysis ● Proactive vulnerability detection ● Security Engineering mindset
  • 10.
    Present State: Challenges FeedbackTime Many existing security tools take a long time to scan and as such can’t easily be implemented in CI/CD pipelines. Nightly scans are still a thing. Find vs Fix The main problem is that most applications (especially legacy ones), have many security vulnerabilities when they first get tested. Knowing that there are vulns is good, but fixing them would take a lot of time. Fragmentation Many solutions out there only provide part of the picture, which results in needing different dashboards and unify different data sources to get actionable visibility. Which is a pain for managers, security engineers, and developers. Security Noise Security tools are traditionally designed for security engineers and as such aim to provide a lot of results to catch anything that’s possibly a vulnerability. Which causes a lot of noise and tends to result in outputs being ignored. Integration Many existing tools work stand alone and don’t integrate well into the development workflows. Dropping tools into a CI/CD pipeline, takes a lot of effort to maintain and rollout org-wide and is typically not enough. Testing Techniques There are a lot of security testing techniques available these days. SAST. SCA, CCA, DAST, IAST, RASP, VA, Cloud it is very difficult for organizations to understand what these do and how to use them.
  • 11.
    There are severaltools out there now completely open source, that in some cases even outperform some existing enterprise security solutions. It is easier to develop tools now than 15 years ago. Harder to justify the price. Many of the “leading” software security tools have been founded over 15 years ago, and a lot of intellectual property has been created for a different era. Legacy IP Present State: Inconvenient Truths Acquisition Grown Increased Pressure Wrong Audience Most security companies have started with one scanning technique and then with success acquired more companies with more techniques, which have been patched together. The traditional software security tools have been developed for security experts, are difficult to use, very noisy and often hard to use in CI/CD pipelines.
  • 12.
    Present State: ARay of Hope? https://twitter.com/dcuthbert/status/1286226224172404738?s=20
  • 13.
    The promise ● Simple,customizable, and fast static analysis tool for finding bugs ● Runs offline on uncompiled code in CI, at pre-commit, or in the editor ● Company and community backed The idea is indeed interesting, create a kind of smart grep that allows you to create rules in an easy way, then open it up for the community, et voila. SAST for everyone. Suddenly much of the IP of these “dinosaurs” has lost a lot of value, because now there is a good solution that’s available for free. Present State: CodeQL & SemGrep A Silver Bullet? ● Many concerns not addressed by this ○ Other security testing techniques ○ Curation of rules ○ Rollout and Orchestration Let’s say a perfect SAST solution is available for everyone, would that solve all problems? One of the main issues remains: Find vs. Fix
  • 14.
    The Future There comesa point where we need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in. - Bishop Desmond Tutu
  • 15.
    Goals that needto be achieved ● Smart Security Scanning ● Unify all security testing techniques ● Native Integration ● Continuous Verification ● Auto-fixing of issues ● Security for developers ● Security available for all
  • 16.
    Smart Security Scanning Datascience is eating the world ● Rules are a great foundation ○ Leverage crowd to mark issues ● Findings data-set has to be verified ○ Leverage crowd to verify issues ● Identify issues by “understanding code” ○ With high levels of accuracy
  • 17.
    All in One Standon the shoulders of giants ● Adding a layer of abstraction ○ True tight unification of all solutions ● Ability to cross reference issues ○ Based on different scanning techniques ● Central Storage of all data ○ Used for data science
  • 18.
    Native integration DevSecOps Native ●Tools should understand all events ○ Code, Runtime, Infrastructure ● No more pipelines that do different things ○ Standardized and fully managed ● Vulnerability lifecycle has to be clear ○ Created, changed, fixed, re-introduced
  • 19.
    Continuous verification Scanning isnot enough ● Continuously ensure a known safe state ○ Covering all security aspects ● Continuous verification against standards ○ PCI, HIPAA, ASVS, etc ● Provide instant security feedback ○ Whenever anything fails
  • 20.
    Auto-Fixing Vulnerabilities Finding isnot enough ● Even finding and fixing all new issues ○ Doesn’t really reduce the risk ● Real labor is fixing all issues ○ For each vulnerability class ● Implement controls to prevent it in the future ○ Thus sustainably eradicating issues Auto-fixing at scale ● Provide just in time training on the issue ○ Leverage gamification to fix more issues ● Leverage data science to fix issues ○ Can be a hybrid approach ● Rely on secure by default frameworks ○ Over others that are less opinionated
  • 21.
    Empower Developers Focus onthe right audience ● Standardize security issues ○ Which ones are important and why ● Focus on the right risk context ○ Security risk is not equal for every app ● Make it easy to understand and fix issues ○ Shouldn’t take a security PhD to get it
  • 22.
    Security For All MakeSecurity Accessible ● There is no security training in schools ○ Should take civil engineering approach ● Security is not affordable to everyone ○ Open source software vulnerabilities
  • 23.
    The 3 CoreTakeaways 01 02 03 Security Practices Security practices have evolved a lot, but overall there has not been a clear downward trend in vulnerabilities being fixed. Data Science Data science will completely change the way security is going to look in the future resulting in a paradigm shift. The Future of DevSecOps Will be a very bright one. Smart, all-in-one security testing technologies, that are tightly integrated into developer workflows will provide continuous verification, auto-fixing and be available to everyone.
  • 24.
    Who wants avirtual goody bag? Consisting of: • GuardRails coupon code • Links to awesome security lists • Developer trainings • List of great security tools • Security Page templates • Free digital copy of my book • … and more Then send an email to: iwant@guardrails.io