
[DevSecOps Live] DevSecOps: Challenges and Opportunities

Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Carregando em…3
×

Confira estes a seguir

1 de 25 Anúncio

[DevSecOps Live] DevSecOps: Challenges and Opportunities

Baixar para ler offline

In this Practical DevSecOps "DevSecOps Live" online meetup, you will learn about DevSecOps challenges and opportunities.

Join Mohan Yelnadu, head of application security at Prudential Insurance, on his DevSecOps journey.

He will cover the DevSecOps challenges he has faced and how he converted them into opportunities.

He will cover the following as part of the session:
DevSecOps Challenges.
DevSecOps Opportunities.
Converting Challenges into Opportunities.
Quick wins and lessons learned.
… and more useful takeaways!

  1. DEVSECOPS CHALLENGES & OPPORTUNITIES – MOHAN YELNADU
  2. P.P.T. (PEOPLE, PROCESS, TOOLS) • QUALITY • PRAGMATIC • OPEN • ACCOMMODATING • RIGHT SET • SUIT MY REQUIREMENTS
  3. PEOPLE • SMALL BUT SMART • CAN ACHIEVE A LOT • SAVVY • CHANGE THE LANGUAGE • BUSINESS RISKS
  4. APPSEC TOOLS • MAKE OR BREAK • COE, TEAM WITH CURIOSITY • GO FOR POC / LISTEN TO EXPERTS IN THE FIELD
  5. APPSEC TOOL GUIDANCE
  6. PROCESS • EARLY, EFFORTLESS, AND CONSTANT FEEDBACK
  7. EXAMPLE: SAST – Static Application Security Testing; OSS – Open Source Software Security; CSec – Container Security; DAST – Dynamic Application Security Testing
  8. SMOOTH ONBOARDING • AUTOMATE WHAT YOU CAN • IMPROVING TOOL ADOPTION • ROLLOUT STRATEGY • MANAGING CRITICAL ISSUES • MAKING IT WORK FOR SOC • PRODUCTION MONITORING • TAILORED CONFIGURATION • DO THE RIGHT THING • PRAGMATIC HYGIENE • MANAGING ZERO DAYS
  9. SMOOTH ONBOARDING • AUTOMATED ONBOARDING ON SECURITY TOOLS • HEARD THE TOOL NAME, & ONBOARDED
  10. AUTOMATE WHAT YOU CAN: ONBOARDING, SCANNING, TRIAGE, BUILDBREAKER, ISSUE MANAGEMENT
  11. TRIAGE (swimlanes: Developer, AppSec SME) – Scan → Raise Triage Request → Analyze Findings → Fix True Issues / False Positives; Analyze Triage Issues (if required, meet developers) → True Issues / False Positives / Ignore-Not Applicable
  12. BUILDBREAKER: Pre-process → Build → Security Scan → Code Quality Scan → BuildBreaker → PROD. Example: BitBucket (Source Code) → Artifactory (Build Artefact); BuildBreaker decides Go / No-Go. BuildBreaker example: no critical security issues in the production build
  13. IMPROVING TOOL ADOPTION • Allow developers to get used to the tools • Give enough notice while enabling BuildBreakers/gating • Create an ecosystem: FAQs, documentation, demos, videos • Give as many live demos as possible; share about new tools & processes
  14. ROLLOUT STRATEGY • Break build: in stages • Handholding in false-positive analysis: triage & guidance • Dispensation management: logging & validity
  15. MANAGING CRITICAL ISSUES • LEVEL 10/CRITICAL • IDENTIFICATION • FOLLOW-UP • Self-experience: developers DO NOT realise the gravity of Level 10 OSS issues
  16. WORKING WITH SOC • MAPPING APP WITH RIGHT STAKEHOLDERS IN DASHBOARD
  17. PRODUCTION MONITORING • MONITORING • NIGHTLY • ALERT • Self-experience: effective PROD monitoring saved a huge effort!
  18. TAILORED CONFIGURATION • DISPENSATION • LOGGING • CREATE DEVELOPER
  19. DO THE RIGHT THING • UPLOAD LIBRARY AND ANALYSE • BROWSER PLUGIN TO SCAN • IDE PLUGIN TO ENABLE LOCAL SCANS
  20. PRAGMATIC HYGIENE • UPGRADING THE TOOLS TO LATEST VERSIONS • NEW FEATURES / INNOVATIONS • ANALYSE IN TEST ENVIRONMENT
  21. MANAGING ZERO DAYS • EYES AND EARS OPEN • ZERO DAYS: YOUR LIBRARIES, TOOLS • WAF • CONSTANT TOUCH WITH VENDOR • EVER READY TO ACT • THE SHOW MUST GO ON!
  22. IMPORTANT: SECRETS MANAGEMENT
  23. THANK YOU! MOHAN YELNADU @monkelephant https://www.linkedin.com/in/mohanyelnadu
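Slides 11, 12 and 14 describe the triage flow, the BuildBreaker gate ("no critical security issues in production build") and dispensation management with logging and validity. The following is an added example, not code from the talk or from any of the tools it mentions: a minimal build-breaker that applies logged, time-limited triage dispensations to a scanner export before deciding Go / No-Go. The JSON shape of the scan output, the dispensation records, the severity scale ("Level 10" = critical) and the sample findings are all constructed for this demo.

```python
# Added example (not from the talk): a BuildBreaker gate that applies triage
# dispensations before deciding Go / No-Go for a production build.
# Scan-output and dispensation formats are assumed, not any real tool's.
import json
from dataclasses import dataclass
from datetime import date

CRITICAL = 10                      # "Level 10" in the deck's terminology
AS_OF = date(2024, 6, 1)           # constructed "today" for the demo run
ACCEPTED_DECISIONS = {"false_positive", "not_applicable"}

# Constructed sample scanner export (SAST + OSS findings after a build).
SCAN_OUTPUT = json.dumps({"findings": [
    {"id": "F-1", "severity": 10, "rule": "sql-injection", "location": "app/db.py:42"},
    {"id": "F-2", "severity": 10, "rule": "vulnerable-dependency", "location": "requirements.txt"},
    {"id": "F-3", "severity": 5, "rule": "weak-hash", "location": "app/auth.py:10"},
    {"id": "F-4", "severity": 10, "rule": "hardcoded-secret", "location": "tests/fixtures.py:3"},
]})

# Constructed dispensation log: every triage decision carries an approver and
# a validity date, so a dispensation is logged and cannot silently live forever.
DISPENSATIONS = [
    {"finding": "F-2", "decision": "false_positive", "approver": "appsec-sme",
     "valid_until": "2099-01-01", "reason": "vulnerable API never reachable"},
    {"finding": "F-4", "decision": "not_applicable", "approver": "appsec-sme",
     "valid_until": "2020-01-01", "reason": "test fixture only (expired)"},
]


@dataclass(frozen=True)
class Finding:
    id: str
    severity: int
    rule: str
    location: str


def parse_findings(raw: str) -> list[Finding]:
    """Turn the scanner's JSON export into Finding records."""
    data = json.loads(raw)
    return [Finding(f["id"], int(f["severity"]), f["rule"], f["location"])
            for f in data["findings"]]


def active_dispensations(dispensations: list[dict], today: date) -> dict[str, dict]:
    """Index dispensations by finding id, keeping only entries that have an
    approver, an accepted decision and a validity date not yet passed.
    Expired entries are dropped so the finding re-enters the open list."""
    active: dict[str, dict] = {}
    for d in dispensations:
        if d["decision"] not in ACCEPTED_DECISIONS or not d.get("approver"):
            continue
        if date.fromisoformat(d["valid_until"]) < today:
            continue
        active[d["finding"]] = d
    return active


def triage(findings: list[Finding], dispensations: list[dict], today: date):
    """Split findings into still-open issues and dispensed ones (slide 11)."""
    active = active_dispensations(dispensations, today)
    open_issues = [f for f in findings if f.id not in active]
    dispensed = [f for f in findings if f.id in active]
    return open_issues, dispensed


def build_breaker(findings: list[Finding], dispensations: list[dict],
                  today: date, mode: str = "enforce"):
    """Gate the production build: NO-GO if any open finding is critical.
    mode="audit" reports the same blocking findings without breaking the
    build, which is how a gate is rolled out in stages (slide 14) before
    enforcement. Returns (verdict, blocking findings, dispensed findings)."""
    open_issues, dispensed = triage(findings, dispensations, today)
    blocking = [f for f in open_issues if f.severity >= CRITICAL]
    verdict = "NO-GO" if blocking and mode == "enforce" else "GO"
    return verdict, blocking, dispensed


if __name__ == "__main__":
    verdict, blocking, dispensed = build_breaker(parse_findings(SCAN_OUTPUT),
                                                 DISPENSATIONS, AS_OF)
    for f in blocking:
        print(f"BLOCKING {f.id} {f.rule} at {f.location} (severity {f.severity})")
    for f in dispensed:
        print(f"DISPENSED {f.id} {f.rule}")
    print(f"BuildBreaker verdict: {verdict}")
```

Run as-is, F-2 is dispensed, F-4's dispensation has expired and so it blocks again alongside F-1, and the verdict is NO-GO; switching to `mode="audit"` gives the same report with a GO verdict, which is the "break build in stages" rollout from slide 14. Logging both the blocking and the dispensed findings on every run is what makes the dispensation trail reviewable later.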
