Anúncio
Check these out next
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
10 de Nov de 2020•0 gostou•83 visualizações
0 gostaram
Seja o primeiro a gostar disto
mostrar mais
visualizações
Vistos totais
0
No Slideshare
0
De incorporações
0
Número de incorporações
0
Baixar para ler offline
Denunciar
Tecnologia
DevSecOps requires processes and tools that enable weaving security throughout the DevOps pipeline. It is much more than a buzzword, and if you'd ask most organizations, well, they believe they are in the process of adopting DevSecOps tools and practices. But, are they? In order to deeply understand the state of DevSecOps implementation we need to learn more about the relationship between developers and security teams. After surveying more than 560 application security professionals and software developers we found several insights. Join Jeff Martin, associate VP of product management, and Rhys Arkins, director of product management at WhiteSource, to learn about: The current challenges of the security and development teams when it comes to AppSec The contradicting views and gaps between the teams on DevSecOps maturity How to break the silos and advance toward DevSecOps maturity
DevOps.comSeguir
DevOps.comAnúncio
Anúncio
Anúncio
Recomendados
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier
DevSecOps in 2031: How robots and humans will secure apps together LogStefan Streichsbier
The Future of DevSecOpsStefan Streichsbier
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps WhiteSource
A journey from dev ops to devsecopsVeritis Group, Inc
DevSecOps without DevOps is Just SecurityKevin Fealey
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
- DevSecOps Insights Security vs. Developers Showdown 2020 Presented by: Jeff Martin, Associate VP of Product Management & Rhys Arkins, Director of Product Management At WhiteSource
- 3 01
- Most respondents think they are in the process of DevSecOps maturity
- But - both security professionals and developers sacrifice security for speed
- 02 AppSec tools are bought simply to ‘tick the box’ disregarding developers needs and processes
- Developers and security professionals are aligned on the features needed for developer adoption
- But - security professionals usually consider other priorities over developer adoption
- The result: companies waste budget investing in Ap tools that are simply not used by developers
- Meeting regulations and compliance with industry standards are top two reasons for purchasing new AppSec tools Meanwhile, day to day security needs are pushed aside...
- 03 Huge AppSec knowledge and skills gaps are still neglected by organisations
- Most developers are unaware of an AppSec program
- While most smaller organizations don’t actually have an AppSec program in place
- Developers do not get training (although security believes they do)
- Security professionals’ top challenge is prioritization but they lack standardized processes 04
- Biggest challenges identified by security professionals include:
- However, most organizations lack a standardized prioritization pr ocess ...which leads to friction between teams
- An AppSec champion helps build skills, prioritization and communication
- Together, let’s break the Silos and Advance Towards DevSecOps Maturity
- Q&A? WhiteSourceSoftware.com
Notas do Editor
- This is why we are the leading vendor in the Software Composition Analysis space. With over 700 customers, 23% of which are fortune 100 companies, we’re growing at an amazing rate helping the biggest enteprises of the world work better with open source
- Our vision goes much further than just ensuring the security of your open source usage. We want to help you build better software, faster, by consuming open source with no restriction or hesitation and without adding unnecessary risks or frictions.
- Customer Story – Telecommunications Conglomerate The joint customer in our story is a ostensibly a telecommunications conglomerate that offers entertainment, internet, cellular service, and many other services to business and consumer customers, but really their business is so much more than that. Building software-based services and deploying them in cloud infrastructure running on AWS is a huge part of their business.
- Business Requirement – Application Modernization This customer is ultimately a high tech product development company. They employee around 10,000 developers. They knew, in order to provide their services at the scale their business required, they would have to modernize how they delivered software applications. That meant using DevSecOps practices to manage their product development and delivery. It also meant significant use of open source components in their software.
- Business Challenge – Speed and Agility in software development In order to meet the requirements of the business this company's development teams were challenged to maintain speed and agility. They needed to make the next compelling product or feature as quickly as possible and get it to market as quickly as possible. They also needed to be agile build features that met market demand warfix performance or budget issues in their products as quickly as possible.
- Business Challenges – Security and Compliance This company knew that open source software could be the Golden ticket maintaining speed and agility and building new software. Using open source meant they would be writing less cooked. But it also meant that they were required to comply with the terms of the open source licenses of the open source components that they were using. It also meant they needed to identify and remediate known security vulnerabilities in the open source components of the they were using in a way that did not disrupt their speed and agility goals.
- Consistent policy enforcement for internal and external software development teams to build the amount of software they needed to build this company had to employ their own developers but also outsource some of their work to contractors and offshore developers. That meant they couldn't always control the methods that were used to manage security and compliance for open source coupons used in all of development teams in a consistent way. They needed to define policies that match their security and compliance objectives. But they also needed a way to enforce those policies consistently regardless of whether the developers writing the code were internal developers or external developers.
- Business Challenges – Automation to support Agility This company determined that the only way they could meet their security and compliance objectives without negatively impacting speed and agility was to implement automation for security and compliance scanning of open source components an automated policy enforcement and automated remediation. They were looking for processes and tools that would be able to intelligently and automatically identify issues in the open source components they were used Papa automatically create issues in there repose to track the security vulnerabilities identified, and automate the process of creating pull requests 2 update vulnerable open source components to stable non vulnerable versions.
- Consulting Partner + WhiteSource – A recipe for customer success The customer knew that the best way to get their development teams to build secure and compliant code was to prevent them from committing code that used vulnerable or non-compliant open source components. That meant requiring developers to pass security and compliance code scans before the developers were able to commit a pull request to add a new or improved feature to their code. Integrating WhiteSource directly into the build pipeline is the method they use to accomplish this.
- Consulting Partner + WhiteSource – A recipe for customer success But it's not enough to have tools to automate processes if you haven't defined effective processes for using the automation. That's where our dev OPS consulting partner provided the most value to our customer. By educating the customer about best practices for using open source software in the context of DevOps processes and identifying the most effective ways took look for an remediate security vulnerabilities and license compliance issues with open source components in use throughout the software development lifecycle, the DevOps consulting partner enabled our customer to use our tools affectively to meet their scale speed and agility objectives.
- Result – Improved Agility By following the recommendations of their DevOps consulting partner, and implementing light source in key points in the software development lifecycle, the customer is able to meet their agility objectives, maintaining release cycle processes that enable regular deployment of new and improved features and performance improvements for the applications supporting the services they are providing to their customers.
- Result – Improved Security + Reduced Risk In addition, the customer was able to identify and remediate no security vulnerabilities in the open source components they were using earlier in the development cycle, when it's less expensive and more efficient to do so. They were also able to identify when open source components selected by their development teams used open source licenses that were not in compliance with corporate compliance policies. real time alerts for security and compliance issues are triggered early and often using the processes and tools provided to this customer by white source and our partner.
- Why work with WhiteSource? - Completeness So why did this customer and our DevOps consulting hardware choose to work with white source. There are three key reasons. Number one is the completeness of our solution. We support over 200 programming languages, integrate with over a dozen commonly used CI CD tools, support not just scanning of source code but also scanning up containers for open source component usage, and our tool provides services to stakeholders throughout the enterprise; from developers all the way up to the CEO.
- Why work with WhiteSource? - Prioritization The second reason is prioritization. Using the white source product called prioritize, our customer was able to identify effective vulnerabilities in their code base. These were vulnerabilities that they were susceptible to exploit because they're proprietary code was proven to be making a direct call 2 a method in the open source library associated with unknown bore ability. This type of awareness labeled the customer to focus their security remediation efforts on the vulnerabilities they were at risk of having exploited wow deprioritising remediation of open source vulnerabilities which were not susceptible to exploitation.
- Why work with WhiteSource? - Remediation The third reason is remediation. WhiteSource not only alerts you to security and compliance issues in your open source use, we provide actionable, validated remediation tools that enable the fastest possible resolution of those issues. Using WhiteSource Remediate our customer is able to automate the creation of pull requests to patch open source libraries to stable, non vulnerable versions with minimal required action by the developer.
- As you can see Whitesource offers a comprehensive solution that addresses an often overlooked but critical security and compliance need. Our comprehensive partner program gives you the tools you need to build software composition analysis into your solution portfolio.
- With deal registration, generous margins, and simple engagement models that can fit your specific needs WhiteSource makes parnertieasy
- Tom and Adi to agree on the “offer”. Example: As an AWS partner we would like to offer you a free customer audit. Offer details to follow
- Thank you for your time today and we look forward to building a long and prosperous relationship. Please feel free to reach mout to use at the email above to learn more.
Anúncio