SlideShare a Scribd company logo

A Secure DevOps Journey

Sonatype , profile picture
Sonatype

The document outlines Veracode's transition from traditional development methodologies to a secure DevOps approach, detailing the evolution from waterfall to agile and finally to DevOps. It emphasizes the importance of cultural changes, automation, and integrated security practices throughout this journey. The presentation also highlights the challenges faced and the need for continuous improvement in the organization's processes and technologies.

Software
Related topics:
security-policy Blue Team Red Team
1 of 30
Downloaded 93 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
November 15, 2016 A Secure DevOps Journey Peter Chestna, Director of Developer Engagement, Veracode
November 15, 2016
• Development methodologies used at Veracode – Waterfall, Agile, DevOps – People – Process – Technology – Security • Veracode’s journey – What did we change – What were the results Goals
• 2006 – Veracode founded/Waterfall • 2012 – Agile • 2013 – Purina • 2014 – Microservices • 2015 - DevOps Veracode Timeline
Felt like… Transformation – People/Org/Culture Management • Leading change • Organizational • Breaking the silos • New specialties • New skills – care & feeding • New expectations Individual • Uncertainty/fear/anger • Organizational • New manager • New team/peers • New skills – X-functional • New expectations
Looked like… Transformation - Process Most of the change occurred in Agile • Waterfall -> Agile was revolutionary • Agile -> DevOps was evolutionary • Like the Monty Python theory of dinosaurs
Waterfall Transformation - Technology Agile DevOps Not as big of a difference between stages Just more and more automation
There was Waterfall In the beginning…
Waterfall - Process Finding anything late creates a cycle of waste
O p e r a t i o n s S e c u r i t y Q u a l i t y D e v e l o p m e n t A r c h i t e c t u r e R e q u i r e m e n t s Waterfall - People
• Gantt charts • Text documents • Requirements • Architecture • Designs • Test plans • Manual tests • Manual deploy • Shell scripts • SQL cripts Waterfall - Technology Old School
Waterfall - Security Occurred during testing cycle Back end of process Mostly manual Unpredictable amount of work
Coming of Age: Agile
Agile - Process Copyright 2005, Mountain Goat Software
Agile - People Dev/QA ITDept OPS Org Security
Agile – Technology Initially
Agile – Security – Early Days 3 Build 4 Static Analysis Hardening Sprint 5 Security Results Security Results 2 Check in 1 Develop Agile Backlog
1 Develop 6 Static Analysis 7 Synchronize 4 Check in Static Analysis 3 Build & Test 2 Agile Backlog Agile – Security – Automated and Integrated 5 Build Nightly
Agile – Security is not limited to automation of static analysis! Security Champions Security Grooming (Requirements Review) Security as part of the Definition of Done Threat Modeling Secure Code Review Pen Testing Pre-Productions Dynamic Analysis
Agile - Culture clash between Dev, OPS and Security
We Have Arrived: DevOps
DevOps - Process
DevOps - People Break the Silos Reorganize Change the Culture
DevOps - Technology Automate! Automate! Automate! Feature switching for controlled rollout Rolling upgrades Zero downtime Make incremental changes
DevOps - Security
1 Develop 4 Check in Static Analysis 3 Build & Test 2 Backlog DevOps – Security – Integrated into CD Pipeline Pass? 7 Synchronize No Yes 7 Deploy to Stage 6 Static Analysis 6 Unit Tests 8 Dynamic Analysis 8 Regression Testing Pass? Yes Prod Per Check-in 5 Build CD Pipeline
Training (eLearning, instructor led, metadata driven) Static Application Security Testing + 3rd Party Risk Analysis Remediation and Mitigation Guidance Secure Code Reviews Manual Penetration Testing Red Team Activities Runtime Application Self Protection Dynamic Application Security Testing Plan Code Build Test Stage Deploy Monitor Threat Modeling Security Grooming Secure Design DevOps – Pervasive Security
This Is Our Journey • Revolution at the micro level • Evolution at the macro level Innovation • Always constructively dissatisfied • Hypothesize, prototype, measure • Sharpen the saw Continuous Improvement
November 15, 2016
Thank You w w w . v e r a c o d e . c o m @PeteChestna

More Related Content

PPTX
SecDevOps: The New Black of IT
CloudPassage
 
PDF
Ast in CI/CD by Ofer Maor
DevSecCon
 
PDF
DevSecOps - Building Rugged Software
SeniorStoryteller
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon
 
PPTX
DevOps & Security: Here & Now
Checkmarx
 
PDF
Integrating DevOps and Security
Stijn Muylle
 
KEY
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
Nick Galbreath
 
PDF
Continuous Security Testing - DevSecCon
Stephen de Vries
 
SecDevOps: The New Black of IT
CloudPassage
 
Ast in CI/CD by Ofer Maor
DevSecCon
 
DevSecOps - Building Rugged Software
SeniorStoryteller
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon
 
DevOps & Security: Here & Now
Checkmarx
 
Integrating DevOps and Security
Stijn Muylle
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
Nick Galbreath
 
Continuous Security Testing - DevSecCon
Stephen de Vries
 

What's hot (20)

PDF
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
DevSecOpsSg
 
PPTX
DevSecOps
Cheah Eng Soon
 
PDF
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon
 
PDF
DevSecOps - The big picture
DevSecOpsSg
 
PPTX
Automating security tests for Continuous Integration
Stephen de Vries
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
PDF
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
PDF
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
PDF
Merging Security with DevOps - An AppSec Perspective
Abhay Bhargav
 
PDF
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon
 
PDF
DevSecCon London 2017: How far left do you want to go with security? by Javie...
DevSecCon
 
PPTX
DevSecOps OWASP
Priyanka Raghavan
 
PDF
Security in a Continuous Delivery World
Dinis Cruz
 
PPTX
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
PDF
8 Tips for Deploying DevSecOps
Felicia Haggarty
 
PPTX
DevSecOps - It can change your life (cycle)
Qualitest
 
PPTX
Security Testing for Containerized Applications
Soluto
 
PDF
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
Hui (Henry) Chen
 
PDF
Building a DevSecOps Pipeline Around Your Spring Boot Application
VMware Tanzu
 
PPTX
Owasp glue
Soluto
 
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
DevSecOpsSg
 
DevSecOps
Cheah Eng Soon
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon
 
DevSecOps - The big picture
DevSecOpsSg
 
Automating security tests for Continuous Integration
Stephen de Vries
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
Merging Security with DevOps - An AppSec Perspective
Abhay Bhargav
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon
 
DevSecCon London 2017: How far left do you want to go with security? by Javie...
DevSecCon
 
DevSecOps OWASP
Priyanka Raghavan
 
Security in a Continuous Delivery World
Dinis Cruz
 
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
8 Tips for Deploying DevSecOps
Felicia Haggarty
 
DevSecOps - It can change your life (cycle)
Qualitest
 
Security Testing for Containerized Applications
Soluto
 
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
Hui (Henry) Chen
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
VMware Tanzu
 
Owasp glue
Soluto
 
Ad

Similar to A Secure DevOps Journey (20)

PDF
A Secure DevOps Journey
Veracode
 
PDF
Devops: Security's big opportunity by Peter Chestna
DevSecCon
 
PPTX
How to get the best out of DevSecOps - an operations perspective
Colin Domoney
 
PPTX
DevOps: Security's Big Opportunity
Timothy Jarrett
 
PPTX
How to get the best out of DevSecOps - a security perspective
Colin Domoney
 
PPTX
Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24
 
PPTX
How to get the best out of DevSecOps - a developers perspective
Colin Domoney
 
PPTX
DevOps Engineering.pptx
AbalBoot
 
PDF
DevSecOps and the CI/CD Pipeline
James Wickett
 
PPTX
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
PPTX
Experiences Bringing CD to a DoD Project
Gene Gotimer
 
PPTX
My journey from Fragile, to Agile and now DevOps
Jason Man
 
PDF
The DevSecOps Builder’s Guide to the CI/CD Pipeline
James Wickett
 
PDF
Agile Experiences
Diego Pacheco
 
PDF
Introduction to DevOps slides.pdf
BoreVishnusai
 
PDF
Scale DevSecOps with your Continuous Integration Pipeline
DevOps.com
 
PDF
Scale DevSecOps with your Continuous Integration Pipeline
DevOps.com
 
PDF
A journey into Application Security
Christian Martorella
 
PDF
Gartner starting and scaling dev ops
Tapabrata Pal
 
PDF
Seven Deadly Saves To Security With Integrations
SBWebinars
 
A Secure DevOps Journey
Veracode
 
Devops: Security's big opportunity by Peter Chestna
DevSecCon
 
How to get the best out of DevSecOps - an operations perspective
Colin Domoney
 
DevOps: Security's Big Opportunity
Timothy Jarrett
 
How to get the best out of DevSecOps - a security perspective
Colin Domoney
 
Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24
 
How to get the best out of DevSecOps - a developers perspective
Colin Domoney
 
DevOps Engineering.pptx
AbalBoot
 
DevSecOps and the CI/CD Pipeline
James Wickett
 
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
Experiences Bringing CD to a DoD Project
Gene Gotimer
 
My journey from Fragile, to Agile and now DevOps
Jason Man
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
James Wickett
 
Agile Experiences
Diego Pacheco
 
Introduction to DevOps slides.pdf
BoreVishnusai
 
Scale DevSecOps with your Continuous Integration Pipeline
DevOps.com
 
Scale DevSecOps with your Continuous Integration Pipeline
DevOps.com
 
A journey into Application Security
Christian Martorella
 
Gartner starting and scaling dev ops
Tapabrata Pal
 
Seven Deadly Saves To Security With Integrations
SBWebinars
 
Ad

More from Sonatype (20)

PPTX
DevOps Days Columbus - Derek Weeks - 2019
Sonatype
 
PDF
2019 DevSecOps Reference Architectures
Sonatype
 
PDF
RSAC DevSecOpsDays 2018 - We are all Equifax
Sonatype
 
PPTX
DevSecOps reference architectures 2018
Sonatype
 
PDF
30+ Nexus Integrations to Accelerate DevOps
Sonatype
 
PDF
2017 DevSecOps Survey
Sonatype
 
PPTX
Starting and Scaling DevOps In the Enterprise
Sonatype
 
PPTX
DevOps Friendly Doc Publishing for APIs & Microservices
Sonatype
 
PDF
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
Sonatype
 
PPTX
DevOps and All the Continuouses w/ Helen Beal
Sonatype
 
PDF
Serverless and the Way Forward
Sonatype
 
PDF
A Small Association's Journey to DevOps w/ Edward Ruiz
Sonatype
 
PDF
What's My Security Policy Doing to My Help Desk w/ Chris Swan
Sonatype
 
PDF
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Sonatype
 
PDF
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Sonatype
 
PDF
Automated Infrastructure Security: Monitoring using FOSS
Sonatype
 
PDF
System Hardening Using Ansible
Sonatype
 
PDF
There is No Server: Immutable Infrastructure and Serverless Architecture
Sonatype
 
PDF
Getting out of the Job Jungle with Jenkins
Sonatype
 
PDF
Modern Infrastructure Automation
Sonatype
 
DevOps Days Columbus - Derek Weeks - 2019
Sonatype
 
2019 DevSecOps Reference Architectures
Sonatype
 
RSAC DevSecOpsDays 2018 - We are all Equifax
Sonatype
 
DevSecOps reference architectures 2018
Sonatype
 
30+ Nexus Integrations to Accelerate DevOps
Sonatype
 
2017 DevSecOps Survey
Sonatype
 
Starting and Scaling DevOps In the Enterprise
Sonatype
 
DevOps Friendly Doc Publishing for APIs & Microservices
Sonatype
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
Sonatype
 
DevOps and All the Continuouses w/ Helen Beal
Sonatype
 
Serverless and the Way Forward
Sonatype
 
A Small Association's Journey to DevOps w/ Edward Ruiz
Sonatype
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
Sonatype
 
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Sonatype
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Sonatype
 
Automated Infrastructure Security: Monitoring using FOSS
Sonatype
 
System Hardening Using Ansible
Sonatype
 
There is No Server: Immutable Infrastructure and Serverless Architecture
Sonatype
 
Getting out of the Job Jungle with Jenkins
Sonatype
 
Modern Infrastructure Automation
Sonatype
 

Recently uploaded (20)

PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PPTX
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PPTX
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PPTX
ManageIQ - Sprint 268 Review - Slide Deck
ManageIQ
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
System and Network Administration Chapter 2
jaramharo
 
Introduction Database Management System for Course Database
ReinertYosua
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Transform Your Business with a Software ERP System
Canada Software Company
 
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
Introduction to Artificial Intelligence
lohedi9363
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
ManageIQ - Sprint 268 Review - Slide Deck
ManageIQ
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 

A Secure DevOps Journey