The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers

  1. DevSecOps Insights Security vs. Developers Showdown 2020 Presented by: Jeff Martin, Associate VP of Product Management & Rhys Arkins, Director of Product Management At WhiteSource
  2. 3 01
  3. Most respondents think they are in the process of DevSecOps maturity
  4. But - both security professionals and developers sacrifice security for speed
  5. 02 AppSec tools are bought simply to ‘tick the box’ disregarding developers needs and processes
  6. Developers and security professionals are aligned on the features needed for developer adoption
  7. But - security professionals usually consider other priorities over developer adoption
  8. The result: companies waste budget investing in AppSec tools that are simply not used by developers
  9. Meeting regulations and compliance with industry standards are top two reasons for purchasing new AppSec tools Meanwhile, day to day security needs are pushed aside...
  10. 03 Huge AppSec knowledge and skills gaps are still neglected by organisations
  11. Most developers are unaware of an AppSec program
  12. While most smaller organizations don’t actually have an AppSec program in place
  13. Developers do not get training (although security believes they do)
  14. Security professionals’ top challenge is prioritization but they lack standardized processes 04
  15. Biggest challenges identified by security professionals include:
  16. However, most organizations lack a standardized prioritization process ...which leads to friction between teams
  17. An AppSec champion helps build skills, prioritization and communication
  18. Together, let’s break the Silos and Advance Towards DevSecOps Maturity
  19. Q&A?

Editor's Notes

  1. This is why we are the leading vendor in the Software Composition Analysis space. With over 700 customers, 23% of which are Fortune 100 companies, we’re growing at an amazing rate helping the biggest enterprises of the world work better with open source
  2. Our vision goes much further than just ensuring the security of your open source usage. We want to help you build better software, faster, by consuming open source with no restriction or hesitation and without adding unnecessary risks or frictions.
  3. Customer Story – Telecommunications Conglomerate The joint customer in our story is ostensibly a telecommunications conglomerate that offers entertainment, internet, cellular service, and many other services to business and consumer customers, but really their business is much more than that. Building software-based services and deploying them in cloud infrastructure running on AWS is a huge part of their business.
  4. Business Requirement – Application Modernization This customer is ultimately a high tech product development company. They employ around 10,000 developers. They knew that, in order to provide their services at the scale their business required, they would have to modernize how they delivered software applications. That meant using DevSecOps practices to manage their product development and delivery. It also meant significant use of open source components in their software.
  5. Business Challenge – Speed and Agility in software development In order to meet the requirements of the business, this company's development teams were challenged to maintain speed and agility. They needed to make the next compelling product or feature as quickly as possible and get it to market as quickly as possible. They also needed to be agile: build features that met market demand, or fix performance or budget issues in their products, as quickly as possible.
  6. Business Challenges – Security and Compliance This company knew that open source software could be the golden ticket to maintaining speed and agility while building new software. Using open source meant they would be writing less code. But it also meant that they were required to comply with the terms of the open source licenses of the open source components they were using. It also meant they needed to identify and remediate known security vulnerabilities in the open source components they were using, in a way that did not disrupt their speed and agility goals.
  7. Consistent policy enforcement for internal and external software development teams To build the amount of software they needed to build, this company had to employ their own developers but also outsource some of their work to contractors and offshore developers. That meant they couldn't always control the methods used to manage security and compliance for the open source components used across all of their development teams in a consistent way. They needed to define policies that matched their security and compliance objectives. But they also needed a way to enforce those policies consistently, regardless of whether the developers writing the code were internal developers or external developers.
  8. Business Challenges – Automation to support Agility This company determined that the only way they could meet their security and compliance objectives without negatively impacting speed and agility was to implement automation for security and compliance scanning of open source components, automated policy enforcement and automated remediation. They were looking for processes and tools that would intelligently and automatically identify issues in the open source components they were using, automatically create issues in their repos to track the security vulnerabilities identified, and automate the process of creating pull requests to update vulnerable open source components to stable, non-vulnerable versions.
  9. Consulting Partner + WhiteSource – A recipe for customer success The customer knew that the best way to get their development teams to build secure and compliant code was to prevent them from committing code that used vulnerable or non-compliant open source components. That meant requiring developers to pass security and compliance code scans before they were able to merge a pull request adding a new or improved feature to their code. Integrating WhiteSource directly into the build pipeline is the method they use to accomplish this.
  10. Consulting Partner + WhiteSource – A recipe for customer success But it's not enough to have tools to automate processes if you haven't defined effective processes for using the automation. That's where our DevOps consulting partner provided the most value to our customer. By educating the customer about best practices for using open source software in the context of DevOps processes, and identifying the most effective ways to look for and remediate security vulnerabilities and license compliance issues with open source components in use throughout the software development lifecycle, the DevOps consulting partner enabled our customer to use our tools effectively to meet their scale, speed and agility objectives.
  11. Result – Improved Agility By following the recommendations of their DevOps consulting partner, and implementing WhiteSource at key points in the software development lifecycle, the customer is able to meet their agility objectives, maintaining release cycle processes that enable regular deployment of new and improved features and performance improvements for the applications supporting the services they provide to their customers.
  12. Result – Improved Security + Reduced Risk In addition, the customer was able to identify and remediate known security vulnerabilities in the open source components they were using earlier in the development cycle, when it's less expensive and more efficient to do so. They were also able to identify when open source components selected by their development teams used open source licenses that were not in compliance with corporate compliance policies. Real-time alerts for security and compliance issues are triggered early and often using the processes and tools provided to this customer by WhiteSource and our partner.
  13. Why work with WhiteSource? - Completeness So why did this customer and our DevOps consulting partner choose to work with WhiteSource? There are three key reasons. Number one is the completeness of our solution. We support over 200 programming languages, integrate with over a dozen commonly used CI/CD tools, support not just scanning of source code but also scanning of containers for open source component usage, and our tool provides services to stakeholders throughout the enterprise, from developers all the way up to the CEO.
  14. Why work with WhiteSource? - Prioritization The second reason is prioritization. Using the WhiteSource product called Prioritize, our customer was able to identify effective vulnerabilities in their code base. These were vulnerabilities they were susceptible to having exploited, because their proprietary code was proven to be making a direct call to a method in the open source library associated with a known vulnerability. This type of awareness enabled the customer to focus their security remediation efforts on the vulnerabilities they were at risk of having exploited, while deprioritizing remediation of open source vulnerabilities that were not susceptible to exploitation.
  15. Why work with WhiteSource? - Remediation The third reason is remediation. WhiteSource not only alerts you to security and compliance issues in your open source use, we provide actionable, validated remediation tools that enable the fastest possible resolution of those issues. Using WhiteSource Remediate, our customer is able to automate the creation of pull requests to patch open source libraries to stable, non-vulnerable versions with minimal required action by the developer.
  16. As you can see, WhiteSource offers a comprehensive solution that addresses an often overlooked but critical security and compliance need. Our comprehensive partner program gives you the tools you need to build software composition analysis into your solution portfolio.
  17. With deal registration, generous margins, and simple engagement models that can fit your specific needs, WhiteSource makes partnering easy.
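The gating and prioritization described in the notes for slides 7 to 9 and 14 (one policy enforced for every team, the merge failing on vulnerable or non-compliant components, an issue list and upgrade plan produced automatically, and findings ranked by whether the proprietary code actually calls the vulnerable method) can be sketched as a small policy gate. The Python script below is an added example written for this page; it is not WhiteSource code and does not use any WhiteSource format or API. The manifest, license inventory, advisory records and call-site list are constructed sample data, the advisory ids are placeholders, and the "called symbols" set stands in for whatever a real reachability analysis would produce from the code base.

```python
"""Dependency policy gate with reachability-based prioritization.

Constructed example for illustration: the manifest, license inventory,
advisories and call-site list are made up, and the advisory ids are
placeholders. Nothing here is a real tool's data format or API.
"""
from dataclasses import dataclass

# Constructed lockfile-style manifest: package -> pinned version
MANIFEST = {"libparse": "1.2.0", "fastjson": "3.0.1",
            "gpl-widget": "0.9.0", "util-core": "2.4.3"}

# Constructed license inventory for the same packages
LICENSES = {"libparse": "MIT", "fastjson": "Apache-2.0",
            "gpl-widget": "GPL-3.0", "util-core": "BSD-3-Clause"}

# Constructed advisories: affected versions, first fixed version and the
# library symbol that carries the flaw (placeholder ids, not real CVEs)
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "libparse", "affected": ["1.2.0", "1.2.1"],
     "fixed": "1.2.2", "severity": "high", "vulnerable_symbol": "libparse.parse_header"},
    {"id": "ADV-EXAMPLE-0002", "package": "fastjson", "affected": ["3.0.1"],
     "fixed": "3.0.2", "severity": "critical", "vulnerable_symbol": "fastjson.loads_unsafe"},
]

# Constructed result of a reachability analysis: library symbols that the
# proprietary code calls directly
CALLED_SYMBOLS = {"libparse.parse_header", "fastjson.loads", "util-core.retry"}

# The policy itself: licenses no team may ship, and severities that block a
# merge when the vulnerable symbol is reachable
DENY_LICENSES = {"GPL-3.0", "AGPL-3.0"}
BLOCKING_SEVERITIES = {"critical", "high"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    package: str
    version: str
    severity: str
    fixed_version: str
    reachable: bool

    @property
    def priority(self) -> str:
        # Reachable flaws are the ones the application can actually hit
        return "remediate-now" if self.reachable else "deferred"


def find_vulnerable(manifest, advisories, called_symbols):
    """Match pinned versions against advisories and mark each hit as
    reachable or not; most urgent findings come first."""
    findings = []
    for adv in advisories:
        version = manifest.get(adv["package"])
        if version is None or version not in adv["affected"]:
            continue
        reachable = adv["vulnerable_symbol"] in called_symbols
        findings.append(Finding(adv["id"], adv["package"], version,
                                adv["severity"], adv["fixed"], reachable))
    findings.sort(key=lambda f: (not f.reachable, SEVERITY_RANK.get(f.severity, 9)))
    return findings


def find_license_violations(manifest, licenses, deny):
    """Packages whose license is on the deny list, sorted for stable output."""
    return sorted(pkg for pkg in manifest if licenses.get(pkg) in deny)


def evaluate_policy(manifest, licenses, advisories, called_symbols,
                    deny=DENY_LICENSES, blocking=BLOCKING_SEVERITIES):
    """Return (merge_allowed, report_lines). The same function runs for
    internal and outsourced teams, so the policy is enforced identically."""
    findings = find_vulnerable(manifest, advisories, called_symbols)
    violations = find_license_violations(manifest, licenses, deny)
    blockers = [f for f in findings if f.reachable and f.severity in blocking]
    report = [f"{f.advisory_id} {f.package}@{f.version} severity={f.severity} "
              f"priority={f.priority} fix={f.fixed_version}" for f in findings]
    report += [f"license violation: {pkg} ({licenses[pkg]})" for pkg in violations]
    return (not blockers and not violations), report


def remediation_plan(findings):
    """Package -> fixed version: the bumps an automated pull request would make."""
    return {f.package: f.fixed_version for f in findings}


if __name__ == "__main__":
    allowed, lines = evaluate_policy(MANIFEST, LICENSES, ADVISORIES, CALLED_SYMBOLS)
    for line in lines:
        print(line)
    print("upgrade plan:", remediation_plan(find_vulnerable(MANIFEST, ADVISORIES, CALLED_SYMBOLS)))
    print("MERGE ALLOWED" if allowed else "MERGE BLOCKED")
```

With the sample data the gate blocks the merge for two reasons: the high-severity libparse flaw is reachable (the proprietary code calls `parse_header`), and gpl-widget violates the license policy. The critical fastjson advisory is still reported and still gets an upgrade in the plan, but it is ranked "deferred" because the vulnerable `loads_unsafe` is never called, which is the prioritization the notes describe. A CI job would run this after dependency resolution and fail the build on a `False` result.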
  18. Tom and Adi to agree on the “offer”. Example: As an AWS partner we would like to offer you a free customer audit. Offer details to follow
  19. Thank you for your time today and we look forward to building a long and prosperous relationship. Please feel free to reach out to us at the email above to learn more.