SlideShare a Scribd company logo

Seven Deadly Saves To Security With Integrations

S
SBWebinars

The document discusses the integration of security into the software development process through the concept of DevSecOps, emphasizing the importance of addressing security earlier in the development lifecycle. It highlights the need for collaboration between development and security teams, as well as the implementation of various methodologies such as CI/CD and Agile to improve efficiency and reduce costs. The document also outlines the role of Veracode's integrations team in facilitating these security practices within development teams.

Technology
1 of 29
Downloaded 29 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
© 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.1 DEVSECOPS
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.2 Who are we? Tim Jarrett (@tojarrett) • Over 20 years in software: development, project management, product management & strategy • At Veracode since 2008 • Grammy award winner, Bacon number of 3 Diptesh Shah • Over 15 years experience as a developer and engineering leader • At Veracode since 2017 • Recent Winter Olympics “swept” me into Curling
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.3 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES Why appsec integrations?
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.4 • Continuous Delivery • Shorten feedback loops • Learn quickly DevSecOps: the end of manual security?
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.5 Fix earlier = fix cheaper 0 20 40 60 80 100 120 Design Implementation Testing Maintenance Source: IBM,based on Boehm, 1981/2001
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.6 Avoid rework Code Ship Discover issue Fix and ship again Development process – current state Code Discover issue Fix issue Ship Development process with integrations
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.7 Avoid context switching
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.8 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.9 DevSecOps – Follow the Code
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.10 Code phase 1 Develop 2 Check in Team processes (build, test, agile planning)
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.11 Build phase 1 Get latest check-ins from source control 2 Build and Run Tests Test Failures 3 Stage/ Deploy
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.12 Deploy and Production phase Deployment pipeline Stage/ Deploy Monitor for Incidents Scan for issues in production
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.13 Different development methodologies = different integration approaches Waterfall Agile DevOps 1-4 Releases Per Year 12-24 Releases Per Year 100+ Releases Per Year 50+ people 6-12 people 6-12 people
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.14 1 Develop 4 Check in Static Analysis 3 Build & Test 2 Backlog (tickets) Waterfall to agile: “build and test” Pass? 7 Synchronize No Yes 6 Static Analysis 6 Unit Tests Manual acceptance testing, move to stage, move to prod Nightly/ weekly 5 Build Scheduled Build 3a Manual Testing*
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.15 CI CD 1 Develop 4 Check in Static Analysis 3 Build & Test 2 Backlog DevOps: Protect the Pipeline Pass? 7 Synchronize No Yes 7 Deploy to QA/Stage 6 Static Analysis 6 Unit Tests 8 Dynamic Analysis 8 Regression Testing Pass? Yes Stage then Prod Per Check-in 5 Build CI/CD Pipeline 1a Static Analysis
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.16 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.17 Veracode Integrations Team Focused on delivering integration capabilities with the Veracode platform that enable development teams to “shift security left” and make the idea of “DevSecOps” a reality. • 12 person team; geographically distributed • Responsible for 20+ applications & supporting modules • 75 releases in 2017 (on pace for 144 releases in 2018) • SAFe / Agile Scrum • DevSecOps (evolution continues) • Vested interest in achieving our mission!!
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.18 In The Beginning 3 Build 4 Static Analysis 5 Security Results 2 Check in 1 Develop Backlog Scheduled Build Nightly/ weekly
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.19 Initially Fast Forward to Now Empower Developers – IDE Integration 1 Develop 4 Check in Sandbox Static Analysis 3 Build & Test 2 1 Develop 4 Check in Sandbox Static Analysis 3 Build & Test 2 1a Greenlight Static Analysis
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.20 1 Develop 4 Check in Sandbox Static Analysis 3 Build & Test 2 Automated Assessment – Build Server Integration 6 Static Analysis Nightly/ weekly 5 Build Scheduled Build 1a Greenlight Static Analysis Security Results 7
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.21 1 Develop 4 Check in Sandbox Static Analysis 3 Build & Test 2 Automated Issue Tracking Nightly/ weekly Scheduled Build 1a Greenlight Static Analysis 6 Static Analysis 5 Build 7 Synchronize
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.22 1 Develop 4 Check in Sandbox Static Analysis 3 Build & Test 2 Automated Assurance – Fail the Build Pass? 7 Synchronize No Yes 6 Static Analysis 6 Unit Tests Manual acceptance testing, move to stage, move to prod Nightly/ weekly 5 Build Scheduled Build 1a Greenlight Static Analysis
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.23 CI CD 1 Develop 4 Check in Sandbox Static Analysis 3 Build & Test 2 Continued Assurance Pass? 7 Synchronize No Yes 7 Deploy to QA/Stage 6 Static Analysis 6 Unit Tests Per Check-in 5 Build CI/CD Pipeline 1a Greenlight Static Analysis Manual acceptance testing, move to stage, move to prod
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.24 CI CD 1 Develop 4 Check in Sandbox Static Analysis 3 Build & Test 2 Continued Assurance – End Goal Pass? 7 Synchronize No Yes 7 Deploy to QA/Stage 6 Static Analysis 6 Unit Tests 8 Dynamic Analysis 8 Regression Testing Pass? Yes Stage then Prod Per Check-in 5 Build CI/CD Pipeline 1a Greenlight Static Analysis
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.25 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES Making it happen
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.26 Relationships • Who is your peer in development / security? • Do you meet with them? • Do you understand each others’ goals? • Are you sympathetic to each others struggles?
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.27 Accountability • Shared between development and security • Part of annual goals for both teams • Measured and reported regularly
© 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.28 Plan Code Build Test Stage Deploy Monitor Shift Left & Monitor Dynamic Application Security Testing Runtime Application Self Protection Open Source Risk MonitoringStatic Application Security Testing + 3rd Party Risk Analysis Training (eLearning, instructor led, metadata driven) Manual Penetration Testing Red Team Activities Remediation and Mitigation Guidance Secure Code Reviews Threat Modeling Security Grooming Secure Design
© 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.29 © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES. Questions? @tojarrett

More Related Content

PDF
Moving to Open-Source Tools - How to Increase Performance Test Coverage Throu...
CA Technologies
 
PDF
Testing in an Agile World: The Current State and Future Possibilities
TechWell
 
PDF
Testing in a Continuous Delivery Pipeline: Faster, Better, Cheaper
TechWell
 
PDF
Software Defect Prevention via Continuous Inspection
Josh Gough
 
PDF
Leading the Transformation: Stories from the Trenches
DevOps.com
 
PPTX
Testing in a DevOps team
Laurent PY
 
PDF
Continuous Delivery Pipelines: Metrics, Myths, and Milestones
DevOps.com
 
PPTX
DevOps presentation at gemeente Rotterdam
Miel Donkers
 
Moving to Open-Source Tools - How to Increase Performance Test Coverage Throu...
CA Technologies
 
Testing in an Agile World: The Current State and Future Possibilities
TechWell
 
Testing in a Continuous Delivery Pipeline: Faster, Better, Cheaper
TechWell
 
Software Defect Prevention via Continuous Inspection
Josh Gough
 
Leading the Transformation: Stories from the Trenches
DevOps.com
 
Testing in a DevOps team
Laurent PY
 
Continuous Delivery Pipelines: Metrics, Myths, and Milestones
DevOps.com
 
DevOps presentation at gemeente Rotterdam
Miel Donkers
 

What's hot (20)

PDF
DevOps+ to Leverage Software Development
DOCOMO Innovations, Inc.
 
PPTX
Angelique henry performance non regression
🎸 Angélique Jard 🎸
 
PPTX
Get Ready for Changes To Load Testing
SOASTA
 
PDF
How to Measure Agility Project Success in Business Terms
Ethan Ram
 
PDF
How a Mortgage Company is Transforming Their Business with Continuous Delivery
XebiaLabs
 
PPT
Agile vs Waterfall From A Tester's Eyes by Shweta Parashar & Abhishek Agrawal
Xebia IT Architects
 
PDF
Performance Testing in Agile and DevOps Environments
TechWell
 
PPT
Agile Load Testing In The Real World
SOASTA
 
PDF
Testing in the new world-bug prevention vs. bug detection
Michael Palotas
 
PDF
Solve Everyday IT Problems with DevOps
Josiah Renaudin
 
PPTX
Micro Focus DevOps Drive-in with Gary Gruver - Starting and Scaling DevOps in...
Serena Software
 
PPTX
ApexUnit: Open source test framework for apex
Vamshidhar Gandham
 
PDF
How To Introduce Cloud Based Load Testing to Your Jenkins Continuous Delivery...
Jennifer Finney
 
PDF
Requirements Management applied in an agile Project Environment
Association for Project Management
 
PPTX
Augury's Journey Towards CD by Assaf Mizrachi
AgileSparks
 
PDF
Top 5 Considerations for DevOps Success in 2018
DevOps.com
 
PDF
ITIL® Release, Control and Validation
mitchell burner
 
PPTX
Salesforce – Proven Platform Development with DevOps & Agile
Sai Jithesh ☁️
 
PPTX
What's the State of Agile Software Development?
VersionOne
 
PPTX
Testing In Production (TiP) Advances with Big Data & the Cloud
SOASTA
 
DevOps+ to Leverage Software Development
DOCOMO Innovations, Inc.
 
Angelique henry performance non regression
🎸 Angélique Jard 🎸
 
Get Ready for Changes To Load Testing
SOASTA
 
How to Measure Agility Project Success in Business Terms
Ethan Ram
 
How a Mortgage Company is Transforming Their Business with Continuous Delivery
XebiaLabs
 
Agile vs Waterfall From A Tester's Eyes by Shweta Parashar & Abhishek Agrawal
Xebia IT Architects
 
Performance Testing in Agile and DevOps Environments
TechWell
 
Agile Load Testing In The Real World
SOASTA
 
Testing in the new world-bug prevention vs. bug detection
Michael Palotas
 
Solve Everyday IT Problems with DevOps
Josiah Renaudin
 
Micro Focus DevOps Drive-in with Gary Gruver - Starting and Scaling DevOps in...
Serena Software
 
ApexUnit: Open source test framework for apex
Vamshidhar Gandham
 
How To Introduce Cloud Based Load Testing to Your Jenkins Continuous Delivery...
Jennifer Finney
 
Requirements Management applied in an agile Project Environment
Association for Project Management
 
Augury's Journey Towards CD by Assaf Mizrachi
AgileSparks
 
Top 5 Considerations for DevOps Success in 2018
DevOps.com
 
ITIL® Release, Control and Validation
mitchell burner
 
Salesforce – Proven Platform Development with DevOps & Agile
Sai Jithesh ☁️
 
What's the State of Agile Software Development?
VersionOne
 
Testing In Production (TiP) Advances with Big Data & the Cloud
SOASTA
 
Ad

Similar to Seven Deadly Saves To Security With Integrations (20)

PDF
Implementing Continuous Integration to Improve Software Quality
Rocket Software
 
PDF
Extend Agile and DevOps Practices Across Hybrid IT
DevOps.com
 
PPTX
A Deep Dive Into Comprehensive Citrix & VDI Monitoring with eG Enterprise
eG Innovations
 
PDF
Case Study: Citrix Adopts DevOps Principles to Gain Efficiency and Speed Soft...
CA Technologies
 
PDF
Components of CI/CD in DevOps
sunil173422
 
PDF
Software Quality as a Competitive Differentiator
DevOps.com
 
PDF
DevOps Continuous Integration & Delivery - A Whitepaper by RapidValue
RapidValue
 
PPTX
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything
CA Technologies
 
PDF
Full Spectrum Engineering – The New Full-stack
Deborah Schalm
 
PDF
DevOps at TestausOSY 20june2017
Jouni Jätyri
 
PDF
Shifting Left…AND Right to Ensure Full Application Security Coverage
DevOps.com
 
PDF
Developing a Testing Strategy for DevOps Success
DevOps.com
 
PDF
This is How We Accelerate with Quality Engineering - Codacy Webinar
Antoine Craske
 
PDF
Agile and Stage-Gate - Getting it Right
Stage-Gate International
 
PDF
Enterprise Monitoring 2018: Converged Application & Infrastructure Monitoring...
eG Innovations
 
PDF
Case Study: SunTrust’s Next Gen QA and Release Services Transformation Journey
CA Technologies
 
PDF
Scale DevSecOps with your Continuous Integration Pipeline
DevOps.com
 
PDF
Use Layered Model-Based Requirements to Achieve Continuous Testing
TechWell
 
PDF
Software Quality as a Competitive Differentiator
DevOps.com
 
PDF
Software Quality as a Competitive Differentiator
DevOps.com
 
Implementing Continuous Integration to Improve Software Quality
Rocket Software
 
Extend Agile and DevOps Practices Across Hybrid IT
DevOps.com
 
A Deep Dive Into Comprehensive Citrix & VDI Monitoring with eG Enterprise
eG Innovations
 
Case Study: Citrix Adopts DevOps Principles to Gain Efficiency and Speed Soft...
CA Technologies
 
Components of CI/CD in DevOps
sunil173422
 
Software Quality as a Competitive Differentiator
DevOps.com
 
DevOps Continuous Integration & Delivery - A Whitepaper by RapidValue
RapidValue
 
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything
CA Technologies
 
Full Spectrum Engineering – The New Full-stack
Deborah Schalm
 
DevOps at TestausOSY 20june2017
Jouni Jätyri
 
Shifting Left…AND Right to Ensure Full Application Security Coverage
DevOps.com
 
Developing a Testing Strategy for DevOps Success
DevOps.com
 
This is How We Accelerate with Quality Engineering - Codacy Webinar
Antoine Craske
 
Agile and Stage-Gate - Getting it Right
Stage-Gate International
 
Enterprise Monitoring 2018: Converged Application & Infrastructure Monitoring...
eG Innovations
 
Case Study: SunTrust’s Next Gen QA and Release Services Transformation Journey
CA Technologies
 
Scale DevSecOps with your Continuous Integration Pipeline
DevOps.com
 
Use Layered Model-Based Requirements to Achieve Continuous Testing
TechWell
 
Software Quality as a Competitive Differentiator
DevOps.com
 
Software Quality as a Competitive Differentiator
DevOps.com
 
Ad

More from SBWebinars (20)

PDF
Securing Mobile Apps, From the Inside Out
SBWebinars
 
PPTX
SAP Concur’s Cloud Journey
SBWebinars
 
PDF
Top Cybersecurity Threats and How SIEM Protects Against Them
SBWebinars
 
PPTX
Software-Defined Segmentation Done Easily, Quickly and Right
SBWebinars
 
PDF
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
SBWebinars
 
PDF
Taking Open Source Security to the Next Level
SBWebinars
 
PPTX
The Next Generation of Application Security
SBWebinars
 
PDF
You're Bleeding. Exposing the Attack Surface in your Supply Chain
SBWebinars
 
PDF
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
SBWebinars
 
PDF
Top 10 Threats to Cloud Security
SBWebinars
 
PDF
Deploying Secure Modern Apps in Evolving Infrastructures
SBWebinars
 
PDF
Reduce the Burden Of Managing SAP With Enterprise Identity Management
SBWebinars
 
PDF
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 
PDF
How to Kickstart Security and Compliance for Your AWS, Azure, and GCP Clouds
SBWebinars
 
PDF
Reducing Risk of Credential Compromise at Netflix
SBWebinars
 
PDF
2018 Black Hat Hacker Survey Report: What Hackers Really Think About Your Cyb...
SBWebinars
 
PDF
The State of Open Source Vulnerabilities Management
SBWebinars
 
PDF
Flow Metrics: What They Are & Why You Need Them
SBWebinars
 
PDF
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
SBWebinars
 
PDF
Building Blocks of Secure Development: How to Make Open Source Work for You
SBWebinars
 
Securing Mobile Apps, From the Inside Out
SBWebinars
 
SAP Concur’s Cloud Journey
SBWebinars
 
Top Cybersecurity Threats and How SIEM Protects Against Them
SBWebinars
 
Software-Defined Segmentation Done Easily, Quickly and Right
SBWebinars
 
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
SBWebinars
 
Taking Open Source Security to the Next Level
SBWebinars
 
The Next Generation of Application Security
SBWebinars
 
You're Bleeding. Exposing the Attack Surface in your Supply Chain
SBWebinars
 
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
SBWebinars
 
Top 10 Threats to Cloud Security
SBWebinars
 
Deploying Secure Modern Apps in Evolving Infrastructures
SBWebinars
 
Reduce the Burden Of Managing SAP With Enterprise Identity Management
SBWebinars
 
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 
How to Kickstart Security and Compliance for Your AWS, Azure, and GCP Clouds
SBWebinars
 
Reducing Risk of Credential Compromise at Netflix
SBWebinars
 
2018 Black Hat Hacker Survey Report: What Hackers Really Think About Your Cyb...
SBWebinars
 
The State of Open Source Vulnerabilities Management
SBWebinars
 
Flow Metrics: What They Are & Why You Need Them
SBWebinars
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
SBWebinars
 
Building Blocks of Secure Development: How to Make Open Source Work for You
SBWebinars
 

Recently uploaded (20)

PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Encapsulation theory and applications.pdf
gurumoop
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 

Seven Deadly Saves To Security With Integrations

  • 1. © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.1 DEVSECOPS
  • 2. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.2 Who are we? Tim Jarrett (@tojarrett) • Over 20 years in software: development, project management, product management & strategy • At Veracode since 2008 • Grammy award winner, Bacon number of 3 Diptesh Shah • Over 15 years experience as a developer and engineering leader • At Veracode since 2017 • Recent Winter Olympics “swept” me into Curling
  • 3. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.3 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES Why appsec integrations?
  • 4. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.4 • Continuous Delivery • Shorten feedback loops • Learn quickly DevSecOps: the end of manual security?
  • 5. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.5 Fix earlier = fix cheaper 0 20 40 60 80 100 120 Design Implementation Testing Maintenance Source: IBM,based on Boehm, 1981/2001
  • 6. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.6 Avoid rework Code Ship Discover issue Fix and ship again Development process – current state Code Discover issue Fix issue Ship Development process with integrations
  • 7. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.7 Avoid context switching
  • 8. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.8 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES
  • 9. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.9 DevSecOps – Follow the Code
  • 10. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.10 Code phase 1 Develop 2 Check in Team processes (build, test, agile planning)
  • 11. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.11 Build phase 1 Get latest check-ins from source control 2 Build and Run Tests Test Failures 3 Stage/ Deploy
  • 12. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.12 Deploy and Production phase Deployment pipeline Stage/ Deploy Monitor for Incidents Scan for issues in production
  • 13. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.13 Different development methodologies = different integration approaches Waterfall Agile DevOps 1-4 Releases Per Year 12-24 Releases Per Year 100+ Releases Per Year 50+ people 6-12 people 6-12 people
  • 14. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.14 1 Develop 4 Check in Static Analysis 3 Build & Test 2 Backlog (tickets) Waterfall to agile: “build and test” Pass? 7 Synchronize No Yes 6 Static Analysis 6 Unit Tests Manual acceptance testing, move to stage, move to prod Nightly/ weekly 5 Build Scheduled Build 3a Manual Testing*
  • 15. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.15 CI CD 1 Develop 4 Check in Static Analysis 3 Build & Test 2 Backlog DevOps: Protect the Pipeline Pass? 7 Synchronize No Yes 7 Deploy to QA/Stage 6 Static Analysis 6 Unit Tests 8 Dynamic Analysis 8 Regression Testing Pass? Yes Stage then Prod Per Check-in 5 Build CI/CD Pipeline 1a Static Analysis
  • 16. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.16 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES
  • 17. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.17 Veracode Integrations Team Focused on delivering integration capabilities with the Veracode platform that enable development teams to “shift security left” and make the idea of “DevSecOps” a reality. • 12 person team; geographically distributed • Responsible for 20+ applications & supporting modules • 75 releases in 2017 (on pace for 144 releases in 2018) • SAFe / Agile Scrum • DevSecOps (evolution continues) • Vested interest in achieving our mission!!
  • 18. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.18 In The Beginning 3 Build 4 Static Analysis 5 Security Results 2 Check in 1 Develop Backlog Scheduled Build Nightly/ weekly
  • 19. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.19 Initially Fast Forward to Now Empower Developers – IDE Integration 1 Develop 4 Check in Sandbox Static Analysis 3 Build & Test 2 1 Develop 4 Check in Sandbox Static Analysis 3 Build & Test 2 1a Greenlight Static Analysis
  • 20. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.20 1 Develop 4 Check in Sandbox Static Analysis 3 Build & Test 2 Automated Assessment – Build Server Integration 6 Static Analysis Nightly/ weekly 5 Build Scheduled Build 1a Greenlight Static Analysis Security Results 7
  • 21. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.21 1 Develop 4 Check in Sandbox Static Analysis 3 Build & Test 2 Automated Issue Tracking Nightly/ weekly Scheduled Build 1a Greenlight Static Analysis 6 Static Analysis 5 Build 7 Synchronize
  • 22. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.22 1 Develop 4 Check in Sandbox Static Analysis 3 Build & Test 2 Automated Assurance – Fail the Build Pass? 7 Synchronize No Yes 6 Static Analysis 6 Unit Tests Manual acceptance testing, move to stage, move to prod Nightly/ weekly 5 Build Scheduled Build 1a Greenlight Static Analysis
  • 23. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.23 CI CD 1 Develop 4 Check in Sandbox Static Analysis 3 Build & Test 2 Continued Assurance Pass? 7 Synchronize No Yes 7 Deploy to QA/Stage 6 Static Analysis 6 Unit Tests Per Check-in 5 Build CI/CD Pipeline 1a Greenlight Static Analysis Manual acceptance testing, move to stage, move to prod
  • 24. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.24 CI CD 1 Develop 4 Check in Sandbox Static Analysis 3 Build & Test 2 Continued Assurance – End Goal Pass? 7 Synchronize No Yes 7 Deploy to QA/Stage 6 Static Analysis 6 Unit Tests 8 Dynamic Analysis 8 Regression Testing Pass? Yes Stage then Prod Per Check-in 5 Build CI/CD Pipeline 1a Greenlight Static Analysis
  • 25. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.25 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES Making it happen
  • 26. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.26 Relationships • Who is your peer in development / security? • Do you meet with them? • Do you understand each others’ goals? • Are you sympathetic to each others struggles?
  • 27. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.27 Accountability • Shared between development and security • Part of annual goals for both teams • Measured and reported regularly
  • 28. © 2018 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.28 Plan Code Build Test Stage Deploy Monitor Shift Left & Monitor Dynamic Application Security Testing Runtime Application Self Protection Open Source Risk MonitoringStatic Application Security Testing + 3rd Party Risk Analysis Training (eLearning, instructor led, metadata driven) Manual Penetration Testing Red Team Activities Remediation and Mitigation Guidance Secure Code Reviews Threat Modeling Security Grooming Secure Design
  • 29. © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.29 © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES. Questions? @tojarrett