5. IT Organization Profile
Information and Communication Management Division
1. Data and Information
• Statistical and Spatial Data, Information System
2. Infrastructure
• Data Center, Server, Network, Video Conference
3. Information Security
• Security Testing, ISMS
12 IT Employees
6. Development Life Cycle
V1 V3
• Email
• FTP
V2
– No Code Versioning
– No Development Env
– No Automation
7. Development Life Cycle
• Code Repository
• Development Server
• Scheduled Sync*
(DevOps)
V1 V2 V3
– No Automated Security
Testing
– Prod-Dev Difference
problems
8. Development Life Cycle
• Code Versioning
• Continuous Integration
• Automated Security Analysis
(DevSecOps)
V1 V2 V3
14. Collaborative Work
ü Continuous Communication
ü Continuous Feedback
ü Continuous Requirement
ü Continuous Fixes
§ Secure Coding (e.g.OWASP)
§ Coding Standard (e.g. PSR)
§ Release Management
15. What is DevSecOps?
1. Code Repository
2. Runner
3. Code Scanner
Push a new commit
to a branch
trigger
Dev Server
deploy to
Automated Testing and Deployment
Code Scanning
Script
Deployment
Script
19. Lessons Learned
• Some security vulnerabilities can be detected by suitable
tools
• Non-standard coding styles can be detected by the code
analyzer
• There can be a high rate of false positive detection
• The deployment process is quick
• It is important to combine the static analysis with dynamic
testing as some vulnerabilities are not easily detected through
the code analysis