Slide 1
Your Chance to Get It Right: Five Keys to Building AppSec into DevOps
Chris Wysopal
Redev Boston – August 8th, 2017
Slide 2
Applications are riskier than ever

Slide 3
Majority of internally developed applications fail OWASP

Slide 4
DevOps enables competitiveness

Slide 5
Why Security is Essential

Slide 6
5 steps to achieving secure DevOps
Slide 7
1. Automate Security In
Automated testing:
- Static Analysis
- Software Composition Analysis
- Interactive
- Dynamic Analysis
Invoke via APIs from your build and release pipeline
Still do penetration testing, but don’t gate the release on it!
Slide 8
2. Fail Quickly
Slide 9
A pipeline example
Code commit (four developer commits shown) -> Pre-check-in review -> Pre-submit verification
  Pass: commit to master (mainline)
  Fail: not committed
Mainline -> Submit verification -> Full verification -> Release candidate
Slide 10
3. No false alarms
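Keys 1 to 3 (automate security in, fail quickly, no false alarms) and the pipeline slide can be combined into one gate rule. The Python below is an added example written for this page, not the speaker's or any vendor's code; the stage names follow the pipeline slide, while the tool names, severities, rule ids and sample findings are constructed assumptions.

```python
"""Pipeline security gate for the deck's keys 1-3 (added example, not the speaker's code)."""
from dataclasses import dataclass

# Automated tools that run at each pipeline stage; stage names follow the deck's pipeline slide.
STAGE_TOOLS = {
    "pre-submit": {"static", "sca"},                        # fast checks before commit to master
    "full": {"static", "sca", "dynamic", "interactive"},    # full verification before a release candidate
}
BLOCKING_SEVERITIES = {"critical", "high"}  # severities that stop the pipeline
INFORMATIONAL_TOOLS = {"pentest"}           # still done, but never gates the release

@dataclass(frozen=True)
class Finding:
    tool: str       # "static", "sca", "dynamic", "interactive" or "pentest"
    rule_id: str    # scanner rule id (constructed values in SAMPLE below)
    severity: str
    location: str

def gate(stage: str, findings: list, triaged_fps: set) -> dict:
    """Return the stage decision plus the blocking, informational and suppressed findings."""
    blocking, informational, suppressed = [], [], []
    for f in findings:
        key = f"{f.rule_id}@{f.location}"
        if key in triaged_fps:                  # no false alarms: triaged FPs never re-block
            suppressed.append(f)
        elif f.tool in INFORMATIONAL_TOOLS:     # pentest findings are reported, not gated on
            informational.append(f)
        elif f.tool in STAGE_TOOLS[stage] and f.severity in BLOCKING_SEVERITIES:
            blocking.append(f)
            if stage == "pre-submit":           # fail quickly: the first blocker fails pre-submit
                break
        # findings from tools that do not run at this stage are ignored here
    return {"decision": "fail" if blocking else "pass", "blocking": blocking,
            "informational": informational, "suppressed": suppressed}

# Constructed sample results, shaped like what scanner APIs return after a commit.
SAMPLE = [
    Finding("static", "SQLI-001", "high", "app/db.py:42"),
    Finding("sca", "VULN-LIB-2017", "critical", "requirements.txt"),
    Finding("dynamic", "XSS-002", "high", "/search"),
    Finding("pentest", "PT-7", "critical", "/admin"),
]
TRIAGED = {"SQLI-001@app/db.py:42"}  # reviewed by a security champion and marked a false positive

if __name__ == "__main__":
    for stage in STAGE_TOOLS:
        print(stage, gate(stage, SAMPLE, TRIAGED)["decision"])
```

The pre-submit stage stops at the first blocking finding so developers get feedback fast, while the full stage reports every finding so the release candidate review sees the complete picture.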
Slide 11
4. Build security champions
Slide 12
5. Keep operational visibility
Slide 13
Where should you secure DevOps?
Slide 14
Conversation starters (1)
Which of your applications will pass through a CI/CD pipeline?
What tolerance do you have for “false alarms” (false positives) from security testing that is integrated into your DevOps practice?
Are you using microservices?
Slide 15
Conversation starters (2)
How do you plan to monitor your operational applications for security attacks?
How do you plan to bring security expertise into the DevOps team?
Slide 16
Train beyond your walls
Get smart on DevOps