1 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED #CAWORLD #NOBARRIERS
When You Test Matters: Why Testing Early in the SDLC is Important
Session DST40T, track: DEVSECOPS
Vineeta Puranik, Vice President Engineering, Veracode
Janet Worthington, Sr. Product Manager, Veracode
For Informational Purposes Only
Terms of This Presentation
© 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2017 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary. Certain information in this presentation may outline CA's general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of November 1, 2017, and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA's sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.
Agenda
1. CA | VERACODE'S DEVSECOPS JOURNEY
2. CA | VERACODE INTEGRATION IN THE SDLC
3. CA | VERACODE GREENLIGHT
4. QUESTIONS
CA | Veracode’s DevSecOps Journey
DevSecOps: Shift in culture
Dev, Sec and Ops share one set of working practices:
• Work in small batches
• Automate when possible
• Security controls: automate
• Trust: safe to fail
• Fast delivery to customers
• Collaborate, feedback, learn
Empower Your Agile Development Team
• Dev, QA, IT, Ops, Security
• Modular Architecture
• Automate Everything
• Empower Developers
– Developer Training
– Security Champions
– Actionable Tools
• Small Continuous Deploys
CI/CD Pipeline: Continuous Integration -> Continuous Deployment (runs per check-in)
1. Backlog
2. Develop
3. Static Analysis (in the IDE, before check-in)
4. Check in
5. Build (CI/CD pipeline)
6. Build & Test: Unit Tests and Static Analysis
   Pass? No: Synchronize and return to Develop. Yes: continue.
7. Deploy to Stage/Prod
8. Blue/Green Testing
   Pass? Yes: Live!
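The "Pass?" decision after the Static Analysis step is where most teams get stuck: blocking on every legacy finding stops delivery, while blocking on nothing makes the scan decorative. The gate below is an added example, not code from the slides or from Veracode, and the finding schema, the severity scale and the sample findings are constructed for the demo. It fails the build only on findings that this check-in introduced at or above a chosen severity, reports older debt without blocking, and ignores line shifts so an unrelated edit does not re-flag a known flaw.

```python
# Added example (not from the slides or Veracode): a per-check-in security gate
# for the "Build & Test -> Static Analysis -> Pass?" step in the pipeline above.
# The finding schema, severity scale and sample findings are constructed.
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Assumed severity scale; real scanners expose their own.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "very_high": 4}


@dataclass(frozen=True)
class Finding:
    cwe: int        # weakness class, e.g. CWE-89 SQL injection
    severity: str   # one of SEVERITY_RANK
    path: str       # source file the flaw was reported in
    line: int       # reported line; deliberately ignored by fingerprint()

    def fingerprint(self) -> Tuple[int, str]:
        # Match on weakness class + file only, so a legacy finding that moved
        # a few lines because of an unrelated edit is not counted as new.
        return (self.cwe, self.path)


def new_findings(current: Iterable[Finding], baseline: Iterable[Finding]) -> List[Finding]:
    """Findings present on this check-in that were absent from the last passing build."""
    known = {f.fingerprint() for f in baseline}
    return [f for f in current if f.fingerprint() not in known]


def gate(current: List[Finding], baseline: List[Finding], block_at: str = "high") -> Dict:
    """Decide the Pass? box: fail only on NEW findings at or above block_at.

    Debt already in the baseline is reported but does not block, so a team
    adopting static analysis mid-project keeps shipping while it burns the
    backlog down. New findings below the threshold are surfaced as warnings.
    """
    threshold = SEVERITY_RANK[block_at]
    introduced = new_findings(current, baseline)
    blocking = [f for f in introduced if SEVERITY_RANK[f.severity] >= threshold]
    warnings = [f for f in introduced if SEVERITY_RANK[f.severity] < threshold]
    return {
        "passed": not blocking,
        "blocking": blocking,
        "warnings": warnings,
        "baseline_debt": len(baseline),
    }


# Constructed sample data: what the scan of the previous main build reported
# (the baseline) and what the scan of the current check-in reports.
BASELINE = [
    Finding(79, "medium", "web/views.py", 120),     # legacy XSS, already tracked
    Finding(798, "high", "legacy/db.py", 14),       # hard-coded credential, tracked
]
CURRENT = [
    Finding(79, "medium", "web/views.py", 131),     # same legacy XSS, lines shifted
    Finding(798, "high", "legacy/db.py", 14),
    Finding(89, "very_high", "api/orders.py", 42),  # new SQL injection this check-in
    Finding(327, "low", "util/hash.py", 9),         # new weak-hash use, warn only
]


def main() -> int:
    result = gate(CURRENT, BASELINE)
    for f in result["warnings"]:
        print(f"WARN  CWE-{f.cwe} {f.severity} {f.path}:{f.line}")
    for f in result["blocking"]:
        print(f"BLOCK CWE-{f.cwe} {f.severity} {f.path}:{f.line}")
    print(f"baseline debt: {result['baseline_debt']} finding(s) not counted against this change")
    print("PASS" if result["passed"] else "FAIL: fix and re-check in (Synchronize)")
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the last command of the Build & Test stage; a non-zero exit code is what the CI system turns into the "No" branch of Pass?. The baseline should be the findings from the last build that reached Live, refreshed automatically when a deploy succeeds, so the debt number only ever shrinks.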
DevSecOps Takeaway
• Continuous Feedback and Learning
– Monitor Metrics, Logs
– Continuous Improvement
• DevSecOps Adoption
– Bring Developer Closer to Customer Experience
• Testing Security is Everyone's Job Everyday
CA | Veracode Integration in the SDLC
DevSecOps: Tool Chain Integration
Integration points across the lifecycle (Code, Build, Test, Deploy, Operate):
• IDE
• Build / CI Systems
• Ticketing & Bug Tracking
• GRC
CA | Veracode Greenlight
Security at Speed of DevOps
Get Secure Coding Feedback In Seconds – Right in Your IDE
CA Veracode Greenlight for Your IDE
How we do it better …
• Positive reinforcement when a best practice is detected.
• Highly accurate, actionable results.
• Results returned at the speed of DevOps.
How does it work?
Scans of individual files or small packages are started from the IDE, with results delivered back to the IDE in seconds.
Testing of a whole project or complete application is executed with CA Veracode Static Analysis.
Who is it for?
CA Veracode Greenlight is for developers seeking fast, frequent security testing early in the development lifecycle.
CA Veracode Greenlight: Product Demo
Veracode Greenlight Free Trial
Recommended Sessions
SESSION # | TITLE | DATE/TIME
DST38T | Shifting Security to the Left – Watch End-to-End DevSecOps Solution in Action | 11/15/2017 at 4:15 pm
Keynote | Richard Clarke – Security Theatre | 11/16/2017 at 10:30 am
DST39T | DevOps: Security's Big Opportunity | 11/16/2017 at 12:45 pm
SCT41T | Testing the Fences: Recent Attacks Are Harbingers of a More Serious Threat | 11/16/2017 at 4:15 pm
Must See Demos – Wed & Thurs
Station 301 (DEVOPS-CD)
– Securing Apps From Dev to Production: CA Veracode Static Analysis, CA Veracode Greenlight, CA Veracode Remediation Guidance
– Manage Your Software Risk: Open Sourced Component Scanning, Developer Training on Secure Coding, Integrations Into Your Dev Tools
Station 506P (SECURITY)
– Manage Your Software Risk: CA Veracode Static Analysis, CA Veracode Web Application Scanning, CA Veracode Greenlight
Station 509P (SECURITY)
– CA Veracode Static Analysis, CA Veracode Greenlight, CA Veracode Remediation Guidance
DevSecOps
For more information on DevSecOps, please visit: http://cainc.to/CAW17-DevSecOps
Appendix