Embrace DevSecOps and Enjoy a Significant Competitive Advantage!
1 like280 views
The document outlines five key principles for integrating security into DevOps, focusing on automation, quick failure integration, accurate alerts, building security champions, and maintaining operational visibility. It emphasizes a cultural shift in organizations towards high-velocity software development while addressing security challenges. Ultimately, the approach aims to minimize organizational risks without compromising development speed.
Embrace DevSecOps and Enjoy a Significant Competitive Advantage!
- 1. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES1 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES Five Principles For Securing DevOps Colin Domoney Senior Principal Transformation Consultant CA Technologies
- 2. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES2 Colin Domoney • Senior Principal Transformation Consultant • Offering coaching, collaboration and technical solutions to organization’s who need an impactful transformation to advance DevOps with optimised flow and security • At the forefront of CA Veracode’s product and innovation strategy, particularly in helping ensure the challenges of DevOps are met • Led a large scale application security program in a multinational investment bank where he was responsible for the deployment and operation of the Veracode service. Over 1,000 applications were assessed and remediated in a few years using very limited human resources. colin.domoney@ca.com @colindomoney
- 3. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES3 Defining DevOps “DevOps is a cultural and professional movement, focused on how we build and operate high velocity organizations, born from the experiences of its practitioners.” - Nathan Harvey (Chef)
- 4. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES4 The ‘Three Ways’ of DevOps
- 5. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES5 DevOps, a new model for software development, is transforming the way the world creates software. Despite its substantial organizational, cultural and technological requirements, this new way of organizing development and IT operations work is spreading rapidly. The DevOps Difference
- 6. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES6 DevOps is built on Agile Security
- 7. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES7 “Shift Left”: Securing DevOps • Goal: Minimize organization risk without slowing down development • Changing how security operates within an organization Security
- 8. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES8 Five Principles for Integrating Security into DevOps 1 Automate Security In DevOps Pipeline2 Integrate to “Fail Quickly” 3 No false alarms 4 Build security champions Development 5 Keep operational visibility Production
- 9. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES9 Principle #1: Automate Security In • Automate from Day 1 • Integrate into common development tools – IDE – Build Systems – Bug Tracking – GRC • Leverage comprehensive APIs • Integrate testing results within development backlogs
- 10. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES10 Principle #2: Integrate to Fail Quickly • Education that delivers cost savings – Inform development early • Two Phased approach – Consistent frequency (part of pipeline) – Development being proactive (testing outside of the pipeline) • AppSec must be a partnership – security defines the acceptable security quality level – developers implement continuous testing to address issues as they appear Development Operations Both failures create notifications within the backlog
- 11. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES11 Principle #3: No False Alarms • Too many false positives will frustrate development and security • Technology will end up being ignored • Action oriented and accurate findings are important • In CI/CD a failure may cause the entire pipeline to stop • Delays could yield lost revenue for the whole organization • Need to provide both maximum coverage for finding critical flaws while tuning out the noise of low-level issues
- 12. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES12 Principle #4: Build Security Champions • Eyes and ears of Security • Specialized training • Basic security concepts • Threat modeling • Grooming guidelines • Secure code review training • Security controls • Capture the Flag Exercises • Escalate when necessary
- 13. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES13 Principle #5: Keep Operational Visibility • Security doesn't stop once a release candidate has made it to production • Cultural decision to determine where to test – Pre production vs production • Business may decide to bypass security checks to move faster • Misconfigured pipelines are possible • Runtime environments are always changing
- 14. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES14 Integrating Security Into DevOps Questions to Ask!
- 15. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES15 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES CA Veracode’s Approach
- 16. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES17 DevSecOps: Uniting Development and Security
- 17. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES18 CA Veracode Platform: Security Throughout the SDLC Code Commit Build Test Release Deploy Operate CA Veracode Greenlight CA Veracode Static Analysis CA Veracode Web Application Scanning CA Veracode Runtime Protection CA Veracode Software Composition Analysis CA Veracode Integrations, APIs CA Veracode eLearning Code RepositoriesIDEs GRCs SIEMs WAFs Security Assurance Operational SecurityDevelopment Integration Bug Tracking Build and Deploy Systems Veracode Program Management and Services