© COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 1@ThomasStiehm #AgileDC
Agility. Security. Delivered.
Shifting Security Left
The Innovation of DevSecOps
Tom Stiehm
@ThomasStiehm
About Coveros
• Services
• Agile Transformations & Coaching
• Agile Software Development
• Agile Testing & Automation
• DevOps Implementations
• DevSecOps Integrations
• Agile, DevOps, DevSecOps Security, Testing Training
• Open Source Products
• SecureCI – DevSecOps toolchain
• Selenified – Agile test framework
Coveros helps organizations accelerate software delivery using agile and DevOps methods
Why should you care about security?
To reduce the likelihood of becoming the next:
Shifting Security Left
•Shifting Left is taking a practice or process done late in
development and doing it earlier.
•Shifting Security Left is doing security testing, analysis, and
remediation iteratively during development, usually
automating data collection to make it faster and cheaper.
•The net result is making security practices part of the daily
workflow of the development team.
Why Shift Security Left?
Application Security is hard, error-prone, and expensive. It is
often made harder by trying to shoehorn it into the end of a
release.
Shifting Left allows the teams to deal with security issues early
and often:
•Reducing Risk
•Reducing Cost
•Leads to fewer errors
•Results in fewer security compromises
How DevSecOps builds on DevOps
DevSecOps is a practice that rose from DevOps that includes
information technology security as a fundamental aspect in all
the stages of software development. -- Wikipedia
DevSecOps builds on DevOps
by leveraging collaboration and
feedback to address security
concerns throughout the
software development life cycle.
Legacy Security Practices
The Focus is on testing at the end.
Security before the code is written
Be proactive:
•Architect and design security in from the start based on threat
analysis.
•Include security in your pipeline from the start.
•Take time to analyze and remediate AppSec findings.
Why?
•Your software has security defects in it.
•Testing security into software at the end doesn’t work.
•Relying on network and OS security to protect applications
doesn’t work.
•Ignoring security concerns doesn’t work.
Shifting Left includes reacting to the feedback on a regular basis.
Security Practices in DevSecOps
Where to Start
•SCA - Install Software Composition Analysis
•Expand existing CI/CD processes to scan your application
dependencies
•SAST - Start with Static Application Security Testing
•Quick to integrate into a build pipeline
•Leverages existing CI/CD assets
•DAST - Next integrate Dynamic Application Security Testing
•Could be as simple as adding a DAST proxy to your existing
automated or manual testing environment
•Expand into using the automated aspects of DAST tools
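As an added illustration of the SCA step above (not code from the talk or from Coveros): a minimal build gate that checks pinned dependencies against an advisory feed and fails the build on blocking findings. The package names, advisory IDs, helper names, and the policy of failing on unpinned dependencies are constructed assumptions.

```python
"""Minimal SCA build gate. Added example: all data below is constructed."""
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed manifest in pip "name==version" form (hypothetical packages).
SAMPLE_MANIFEST = """\
# app dependencies (constructed sample)
examplelib-http==2.3.1
examplelib-yaml==5.1
examplelib-auth==1.0.0   # already at the fixed version
examplelib-utils>=0.4
"""

# Constructed advisory feed: every version below fixed_in is affected.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "examplelib-yaml",
     "fixed_in": "5.4", "severity": "critical"},
    {"id": "EXAMPLE-ADV-0002", "package": "examplelib-auth",
     "fixed_in": "1.0.0", "severity": "high"},
    {"id": "EXAMPLE-ADV-0003", "package": "examplelib-http",
     "fixed_in": "2.10.0", "severity": "medium"},
]


def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0). Assumes purely numeric dotted versions."""
    return tuple(int(part) for part in text.strip().split("."))


def is_older(installed, fixed_in):
    """True if installed < fixed_in, comparing numerically (2.3 < 2.10)."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    # Pad so that '5' and '5.0' compare equal instead of '5' looking older.
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def parse_manifest(text):
    """Return ({name: version}, [unpinned requirement lines])."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            pinned[name.strip().lower()] = version.strip()
        else:
            # A range such as '>=0.4' cannot be matched to one version.
            unpinned.append(line)
    return pinned, unpinned


def scan(pinned, advisories):
    """Return the advisories that apply to the pinned versions."""
    findings = []
    for adv in advisories:
        installed = pinned.get(adv["package"])
        if installed is not None and is_older(installed, adv["fixed_in"]):
            findings.append({**adv, "installed": installed})
    return findings


def gate(findings, unpinned, fail_at="high"):
    """Return (exit_code, blocking_items) for the CI job.

    Policy choice of this example: unpinned dependencies also block,
    because the scan cannot say which version will be installed.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f["id"] for f in findings
                if SEVERITY_RANK[f["severity"]] >= threshold]
    blocking += [f"UNPINNED:{line}" for line in unpinned]
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    pinned, unpinned = parse_manifest(SAMPLE_MANIFEST)
    findings = scan(pinned, SAMPLE_ADVISORIES)
    for f in findings:
        print(f"{f['severity'].upper():8} {f['package']} {f['installed']} "
              f"-> fixed in {f['fixed_in']} ({f['id']})")
    code, blocking = gate(findings, unpinned)
    print("BUILD FAILED:" if code else "BUILD OK", ", ".join(blocking))
    sys.exit(code)  # non-zero exit fails the pipeline stage
```

Findings below the threshold are still reported, so the team can triage them iteratively without blocking every build.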
What to do next
•Security Testing – Testing the security features of your
software
•Security Test Automation - Using test automation tools like
Selenium or Cucumber
•Penetration Testing – Human beings evaluating the security
of your software with the aid of tools
•Threat Analysis – Understand who will attack you, why, and
how
•Infrastructure Analysis Scanning & Testing – Securing your OS
and Server Software
Advanced DevSecOps Techniques
•IAST - Interactive Application Security Testing is a technique for
detecting security vulnerabilities in a running application
•RASP - Runtime Application Self-Protection builds on the
same technology base as IAST, providing a facility to react
to a detected vulnerability as it is exploited, e.g. terminating
the session
•HAST - Hybrid Application Security Testing uses DAST with
IAST to find vulnerabilities
Operational Security
•Security Information and Event Management (SIEM)
•Infrastructure Analysis Scanning & Testing
•Encrypting Data at Rest
•Encrypting Data in all Network Channels
Secure practices in a pipeline
Culture Shift
Goal Mindset: “Everyone is responsible for security.”
Three things to try when changing culture:
1. Build a Knowledge base
2. Promote Openness
3. Create Cybersecurity Champions
Need to experiment to find what works for your specific
organization.
DevSecOps Benefits
•Faster vulnerability detection and mitigation
•Always-known security posture
•Less security-based risk
•Smaller chance of getting exploited
•Reduced cost of fixing AppSec bugs
•Avoidance of publicity for getting pwned
•Able to recover from security incidents faster
Wrap Up
#Coveros5
•Starting to Shift Left is more important than what practices
you start with
•Greenfield: start with Threat Analysis and build security in
•Legacy or brownfield: start with SCA (or SAST or DAST)
•Iteratively add more security practices into your process
•Iteratively add more security to your build pipeline
Periodic Table of DevOps Tools
[Figure: periodic table of DevOps tools. Categories: Deployment, AIOps, Cloud, Release Orchestration, Containers, Configuration, Testing, Continuous Integration, Database Automation, Source Control Mgmt., Collaboration, Security, Monitoring, Analytics. Licensing legend: Os = Open Source, Fr = Free, Fm = Freemium, Pd = Paid, En = Enterprise.]
PERIODIC TABLE OF DEVOPS TOOLS (V3)
https://xebialabs.com/periodic-table-of-devops-tools/
Questions?
@thomasstiehm
• Join me on the TechWell Hub
• https://hub.techwell.com/
• #devops

Finology Group – Insurtech Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

Shifting Security Left - The Innovation of DevSecOps - AgileDC

  • 1. Shifting Security Left: The Innovation of DevSecOps
      Agility. Security. Delivered.
      Tom Stiehm, @ThomasStiehm, #AgileDC
      © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED.
  • 2. About Coveros
      Coveros helps organizations accelerate software delivery using agile and DevOps methods.
      • Services
          • Agile Transformations & Coaching
          • Agile Software Development
          • Agile Testing & Automation
          • DevOps Implementations
          • DevSecOps Integrations
          • Agile, DevOps, DevSecOps Security, Testing Training
      • Open Source Products
          • SecureCI – DevSecOps toolchain
          • Selenified – Agile test framework
  • 3. Why should you care about security?
      To reduce the likelihood of becoming the next:
  • 4. Shifting Security Left
      • Shifting Left is taking a practice or process done late in development and doing it earlier.
      • Shifting Security Left is doing security testing, analysis, and remediation during development, iteratively. Usually automating data collection to make it faster and cheaper.
      • The net result is making security practices part of the daily workflow of the development team.
  • 5. Why Shift Security Left?
      Application Security is hard, error prone, and expensive. It is often made harder by trying to shoehorn it into the end of a release.
      Shifting Left allows the teams to deal with security issues early and often:
      • Reducing Risk
      • Reducing Cost
      • Leads to fewer errors
      • Results in fewer security compromises
  • 6. How DevSecOps builds on DevOps
      DevSecOps is a practice that rose from DevOps that includes information technology security as a fundamental aspect in all the stages of software development. -- Wikipedia
      DevSecOps builds on DevOps by leveraging collaboration and feedback to address security concerns throughout the software development life cycle.
  • 7. Legacy Security Practices
      The focus is on testing at the end.
  • 8. Security before the code is written
      Be proactive:
      • Architect and design security in from the start based on threat analysis.
      • Include security in your pipeline from the start.
      • Take time to analyze and remediate AppSec findings.
      Why?
      • Your software has security defects in it.
      • Testing security into software at the end doesn’t work.
      • Relying on network and OS security to protect applications doesn’t work.
      • Ignoring security concerns doesn’t work.
  • 9. Security Practices in DevSecOps
      Shifting Left includes reacting to the feedback on a regular basis.
  • 10. Where to Start
      • SCA - Install Software Composition Analysis
          • Expand existing CI/CD processes to scan your application dependencies
      • SAST - Start with Static Application Security Testing
          • Quick to integrate into a build pipeline
          • Leverages existing CI/CD assets
      • DAST - Next integrate Dynamic Application Security Testing
          • Could be as simple as adding a DAST proxy to your existing automated or manual testing environment
          • Expand into using the automated aspects of DAST tools
  • 11. What to do next
      • Security Testing – Testing the security features of your software
      • Security Test Automation – Using test automation tools like Selenium or Cucumber
      • Penetration Testing – Human beings evaluating the security of your software with the aid of tools
      • Threat Analysis – Understand who will attack you, why, and how
      • Infrastructure Analysis Scanning & Testing – Securing your OS and Server Software
  • 12. Advanced DevSecOps Techniques
      • IAST - Interactive Application Security Testing is a technique for detecting security vulnerabilities in a running application
      • RASP - Runtime Application Self-Protection builds on the same technology base as IAST, providing a facility to react to a detected vulnerability as it is exploited, e.g. terminating the session
      • HAST - Hybrid Application Security Testing uses DAST with IAST to find vulnerabilities
  • 13. Operational Security
      • Security Information and Event Management (SIEM)
      • Infrastructure Analysis Scanning & Testing
      • Encrypting Data at Rest
      • Encrypting Data in all Network Channels
  • 14. Secure practices in a pipeline
  • 15. Culture Shift
      Goal Mindset: “Everyone is responsible for security.”
      Three things to try when changing culture:
      1. Build a Knowledge base
      2. Promote Openness
      3. Create Cybersecurity Champions
      Need to experiment to find what works for your specific organization.
  • 16. DevSecOps Benefits
      • Faster vulnerability detection and mitigation
      • Always-known security posture
      • Less security-based risk
      • Smaller chance of getting exploited
      • Reduced cost of fixing AppSec bugs
      • Avoidance of publicity for getting pwned
      • Able to recover from security incidents faster
  • 17. Wrap Up #Coveros5
      • Starting to Shift Left is more important than what practices you start with
      • Greenfield: start with Threat Analysis and build security in
      • Legacy or brownfield: start with SCA (or SAST or DAST)
      • Iteratively add more security practices into your process
      • Iteratively add more security to your build pipeline
  • 18. Periodic Table of DevOps Tools
      [Figure: PERIODIC TABLE OF DEVOPS TOOLS (V3), https://xebialabs.com/periodic-table-of-devops-tools/. Categories: Source Control Mgmt., Database Automation, Continuous Integration, Testing, Configuration, Deployment, Containers, Release Orchestration, Cloud, AIOps, Analytics, Monitoring, Security, Collaboration. Legend: Os Open Source, Fr Free, Fm Freemium, Pd Paid, En Enterprise.]
  • 19. Questions?
      @thomasstiehm
      • Join me on the TechWell Hub
      • https://hub.techwell.com/
      • #devops