www.guardrails.ioStefan StreichsbierVersion 1.2 (11-20)
The Future of DevSecOps

Stefan Streichsbier
@s_streichsbier
Actively involved in building
the Dev(Sec)Ops community
(Events/Author)
Identified severe shortcomings
in security processes and
technologies
Background
Previously professional
white-hat hacker
Founder of GuardRails.io

The Present
Do not dwell in the past, do not dream of the future,
concentrate the mind on the present moment. - Buddha

The talk is split into three segments:
1. The past: Ride down memory lane
2. The present: Where things are at today
3. The future: Take a look into the crystal ball
Agenda

The Past
“To understand the future ...
we have to understand the past.”
- Carl Sagan

1760-1830
1870-1914
1947-1989
1990-2020
2021-...
Revolution #1
● New manufacturing processes
● Hand production to machines
● Use of steam and water power
● Rise of population and cities
Revolution #2
● New steel making processes
● Mass production/assembly lines
● Electrical grid systems
● Telephones
Revolution #3/1
● Use of digital logic (MOS transistors)
● 1985: Waterfall methodology
● 1989: Invention of the Internet
● Rise of home computers (15%)
Revolution #3/2
● 1990: First web browser (pictures)
● 1994: First online banking
● 2001: Agile, 2009: DevOps
● 60% access to Internet
Revolution #4
● Merging physical, digital,
and biological worlds
● Quantum Computing
● Robotics
● Artificial Intelligence
The industrial revolutions

Focus on Applications
● DevOps
● Containers
● Smart Everything (IoT)
● Rust, Kotlin, Elixir, Swift
1990-1999
● Waterfall
● Public access to the Internet
● Personal computers
● Java, Python, Ruby, JavaScript1990-1999
● 1991: First version of AntiVirus
● 1994: Hack $10 million from Citibank
● 1995: Arrest of Kevin Mitnick
● 1996: Smashing the stack for fun and profit
● 1999: Hundreds of advisories for Windows
2000-2009
● Agile
● Cloud Computing
● Smart phones
● C#, Scala, PowerShell, Go
2010-2020
2000-2009
● 2001: Code Red Worm
● 2003: First Static Analysis Tools
● 2004: Microsoft SDL Version 1
● 2006/8: Building Security In/BSIMM
● 2009: Conficker Worm
2010-2020
● 2010: Operation Aurora/Stuxnet
● 2013: 65M records hacked from Tumblr
● 2016: $101M stolen from Bangladesh Bank
● 2017+: Data breaches Equifax, LinkedIn, ...
01
02
03
04
05
06
Security vs. Software
Focus on Operating System
Focus on Network Services

Present State: Software Engineering
A lot has happened in the past and software development has evolved by leveraging the principles of lean
manufacturing and iterative & incremental software processes.
● Slow release cycles (quarters)
● Manual Deployments
● Only code is version controlled
● Strict separation of teams (dev/ops/sec)
● Monolithic Architecture
● Lack of visibility
● Fast release cycles (<days)
● Automatic CI/CD Pipelines
● Everything is version controlled (IaC, etc)
● Cross functional teams (dev/ops/sec)
● Microservice Architecture
● Full Stack Visibility

Present State: Security Engineering
Security has evolved a lot as well from existing security testing techniques, to the required skills, to the
mindset of how security can support the business.
● Department of No
● One-off security scans
● Security test at the end
● Waiting for issue reports
● Pentesting mindset
● Business Enabler
● Continuous security scanning
● Upfront security analysis
● Proactive vulnerability detection
● Security Engineering mindset

Present State: Challenges
Feedback Time
Many existing security tools take a long time to
scan and as such can’t easily be implemented
in CI/CD pipelines. Nightly scans are still a
thing.
Find vs Fix
The main problem is that most applications
(especially legacy ones), have many security
vulnerabilities when they first get tested.
Knowing that there are vulns is good, but fixing
them would take a lot of time.
Fragmentation
Many solutions out there only provide part of
the picture, which results in needing different
dashboards and unify different data sources to
get actionable visibility. Which is a pain for
managers, security engineers, and developers.
Security Noise
Security tools are traditionally designed for
security engineers and as such aim to provide
a lot of results to catch anything that’s possibly
a vulnerability. Which causes a lot of noise and
tends to result in outputs being ignored.
Integration
Many existing tools work stand alone and
don’t integrate well into the development
workflows. Dropping tools into a CI/CD
pipeline, takes a lot of effort to maintain and
rollout org-wide and is typically not enough.
Testing Techniques
There are a lot of security testing techniques
available these days. SAST. SCA, CCA, DAST,
IAST, RASP, VA, Cloud it is very difficult for
organizations to understand what these do
and how to use them.

There are several tools out
there now completely
open source, that in some
cases even outperform
some existing enterprise
security solutions. It is
easier to develop tools
now than 15 years ago.
Harder to justify the price.
Many of the “leading”
software security tools
have been founded over
15 years ago, and a lot of
intellectual property has
been created for a
different era.
Legacy IP
Present State: Inconvenient Truths
Acquisition Grown Increased Pressure Wrong Audience
Most security companies
have started with one
scanning technique and
then with success
acquired more companies
with more techniques,
which have been patched
together.
The traditional software
security tools have been
developed for security
experts, are difficult to
use, very noisy and often
hard to use in CI/CD
pipelines.

Present State: A Ray of Hope?
https://twitter.com/dcuthbert/status/1286226224172404738?s=20

The promise
● Simple, customizable, and fast static analysis tool
for finding bugs
● Runs offline on uncompiled code in CI, at
pre-commit, or in the editor
● Company and community backed
The idea is indeed interesting, create a kind of smart
grep that allows you to create rules in an easy way,
then open it up for the community, et voila. SAST for
everyone. Suddenly much of the IP of these
“dinosaurs” has lost a lot of value, because now
there is a good solution that’s available for free.
Present State: CodeQL & SemGrep
A Silver Bullet?
● Many concerns not addressed by this
○ Other security testing techniques
○ Curation of rules
○ Rollout and Orchestration
Let’s say a perfect SAST solution is available for
everyone, would that solve all problems?
One of the main issues remains:
Find vs. Fix

The Future
There comes a point where we need to stop just pulling
people out of the river. We need to go upstream and find
out why they’re falling in. - Bishop Desmond Tutu

Goals that need to be achieved
● Smart Security Scanning
● Unify all security testing techniques
● Native Integration
● Continuous Verification
● Auto-fixing of issues
● Security for developers
● Security available for all

Smart Security Scanning
Data science is eating the world
● Rules are a great foundation
○ Leverage crowd to mark issues
● Findings data-set has to be verified
○ Leverage crowd to verify issues
● Identify issues by “understanding code”
○ With high levels of accuracy

All in One
Stand on the shoulders of giants
● Adding a layer of abstraction
○ True tight unification of all solutions
● Ability to cross reference issues
○ Based on different scanning techniques
● Central Storage of all data
○ Used for data science

Native integration
DevSecOps Native
● Tools should understand all events
○ Code, Runtime, Infrastructure
● No more pipelines that do different things
○ Standardized and fully managed
● Vulnerability lifecycle has to be clear
○ Created, changed, fixed, re-introduced

Continuous verification
Scanning is not enough
● Continuously ensure a known safe state
○ Covering all security aspects
● Continuous verification against standards
○ PCI, HIPAA, ASVS, etc
● Provide instant security feedback
○ Whenever anything fails

Auto-Fixing Vulnerabilities
Finding is not enough
● Even finding and fixing all new issues
○ Doesn’t really reduce the risk
● Real labor is fixing all issues
○ For each vulnerability class
● Implement controls to prevent it in the future
○ Thus sustainably eradicating issues
Auto-fixing at scale
● Provide just in time training on the issue
○ Leverage gamification to fix more issues
● Leverage data science to fix issues
○ Can be a hybrid approach
● Rely on secure by default frameworks
○ Over others that are less opinionated

Empower Developers
Focus on the right audience
● Standardize security issues
○ Which ones are important and why
● Focus on the right risk context
○ Security risk is not equal for every app
● Make it easy to understand and fix issues
○ Shouldn’t take a security PhD to get it

Security For All
Make Security Accessible
● There is no security training in schools
○ Should take civil engineering approach
● Security is not affordable to everyone
○ Open source software vulnerabilities

The 3 Core Takeaways
01
02
03
Security Practices
Security practices have evolved a lot, but overall there has not been a
clear downward trend in vulnerabilities being fixed.
Data Science
Data science will completely change the way security is going to look in
the future resulting in a paradigm shift.
The Future of DevSecOps
Will be a very bright one. Smart, all-in-one security testing technologies,
that are tightly integrated into developer workflows will provide
continuous verification, auto-fixing and be available to everyone.

Who wants a virtual goody bag?
Consisting of:
• GuardRails coupon code
• Links to awesome security lists
• Developer trainings
• List of great security tools
• Security Page templates
• Free digital copy of my book
• … and more
Then send an email to:
iwant@guardrails.io