[DevSecOps Live] DevSecOps: Challenges and Opportunities

Apr 16, 20201 like1,632 views

In this Practical DevSecOps's DevSecOps Live online meetup, you’ll learn DevSecOps Challenges and Opportunities. Join Mohan Yelnadu, head of application security at Prudential Insurance on his DevSecOps Journey. He will cover DevSecOps challenges he has faced and how he converted them into opportunities. He will cover the following as part of the session. DevSecOps Challenges. DevSecOps Opportunities. Converting Challenges into Opportunities. Quick wins and lessons learned. … and more useful takeaways!

DEVSECOPS
CHALLENGES & OPPORTUNITIES
MOHAN YELNADU

[DevSecOps Live] DevSecOps: Challenges and Opportunities

P. P. T
•
• QUALITY
• PRAGMATIC
•
• OPEN
• ACCOMMODATING
•
• RIGHT SET
• SUIT MY REQUIREMENTS
People
Tools
Process

PEOPLE
• SMALL BUT SMART
• CAN ACHIEVE A LOT
•
•
•
•
•
• SAVVY
• CHANGE THE LANGUAGE
• BUSINESS RISKS

APPSEC TOOLS
•
• MAKE OR BREAK
• COE, TEAM WITH CURIOSITY..
•
•
•
•
• GO FOR POC/LISTEN TO EXPERTS IN THE FIELD

APPSEC TOOL GUIDANCE
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•

PROCESS
•
•
•
• S
• S
• S
•
• EARLY, EFFORTLESS, AND CONSTANT FEEDBACK

EXAMPLE
SAST – Static Application Security Testing OSS – Open Source Software Security CSec – Container Security DAST – Dynamic Application Security Testing

• SMOOTH ONBOARDING
• AUTOMATE WHAT YOU CAN
• IMPROVING TOOL ADOPTION
• ROLLOUT STRATEGY
• MANAGING CRITICAL ISSUES
• MAKING IT WORK FOR SOC
• PRODUCTION MONITORING
• TAILORED CONFIGURATION
• DO THE RIGHT THING
• PRAGMATIC HYGIENE
• MANAGING ZERO DAYS

SMOOTH ONBOARDING
• AUTOMATED ONBOARDING ON SECURITY TOOLS
•
•
• HEARD THE TOOL NAME, & ONBOARDED

AUTOMATE WHAT YOU CAN
O N B OA R D I N G S C A N N I N G T R I AG E B U I L D B R EA K E R
I S S U E M A N AG E M E N T

TRIAGE
Scan
Raise Triage
Request
Analyze
Findings
Fix
True
issues
False
Positives
Analyze Triage
Issues (If
required meet
developers)
True
issues
False
Positives
Ignore/Not
Applicable
Developer AppSec SME

BUILDBREAKER:
Pre-process Build
Security Scan
Code Quality
Scan
BuildBreaker
PROD
Example
BitBucket Artifactory
Source
Code
Build
Artefact
No-Go
Go
BuildBreaker Example:
• No critical security issues in production build

IMPROVING TOOL ADOPTION
Allow developers to Get
used to the Tools‘‘
’’
Give enough notice while
enabling BuildBreakers/Gating‘‘
’’
Create Ecosystem: FAQs,
Documentation, Demos,
Videos
‘‘
’’
Give as many Live Demos as
possible, share about new Tools
& Processes
‘‘
’’

ROLLOUT STRATEGY
Break Build:
In Stages‘‘
’’
Handholding in
False Positive Analysis:
Triage & Guidance‘‘
’’
Dispensation
Management:
Logging & Validity‘‘
’’

MANAGING CRITICAL ISSUES
•
• LEVEL 10/CRITICAL
• IDENTIFICATION
•
• FOLLOW-UP
•
Developers DO NOT
realise the Gravity of
Level 10 OSS Issues
Self-Expérience
J
‘‘
’’

•
•
•
• MAPPING APP WITH RIGHT STAKEHOLDERS IN
DASHBOARD
WORKING WITH SOC

PRODUCTION MONITORING
• MONITORING
•
• NIGHTLY
• ALERT
Effective PROD
Monitoring saved a
huge effort!
Self-Expérience
J
‘‘
’’

TAILORED CONFIGURATION
•
•
•
• DISPENSATION
• LOGGING
• CREATE DEVELOPER

DO THE RIGHT THING
•
• UPLOAD LIBRARY AND ANALYSE
• BROWSER PLUGIN TO SCAN
• IDE PLUGIN TO ENABLE LOCAL SCANS

PRAGMATIC HYGIENE
• UPGRADING THE TOOLS TO LATEST VERSIONS
• NEW FEATURES INNOVATIONS
• ANALYSE IN TEST ENVIRONMENT
01
03
05
04
02

MANAGING ZERO DAYS
• EYES AND EARS OPEN ZERO DAYS:
• YOUR LIBRARIES TOOLS
•
• WAF
• CONSTANT TOUCH WITH VENDOR
• EVER READY TO ACT
THE SHOW MUST GO ON!

THANK YOU!
MOHAN YELNADU
@monkelephant
https://www.linkedin.com/in/mohanyelnadu

Yohanes Syailendra discusses DevSecOps implementation at DKATALIS, an Indonesian company. Some key points: 1. DevSecOps shifts security left to earlier stages of development to find and fix vulnerabilities sooner. This allows for faster development times and more secure applications. 2. At DKATALIS, DevSecOps includes threat modeling, static application security testing (SAST), dynamic application security testing (DAST), infrastructure as code scanning, and container security throughout the development pipeline. 3. A successful DevSecOps implementation requires changing culture, processes, and architecture to establish security as a shared responsibility across development and security teams. Automation is also important to scale practices

DevOps to DevSecOps Journey..Siddharth Joshi

DevSecOps What Why and HowNotSoSecure Global Services

This document discusses DevSecOps, including what it is, why it is needed, and how to implement it. DevSecOps aims to integrate security into development tools and processes to promote a "secure by default" culture. It is needed because traditional security approaches cannot keep up with the rapid pace of DevOps. Implementing DevSecOps involves automating security checks and tests into the development pipeline and promoting collaboration between development, security, and operations teams. The document provides examples of tools that can be used and case studies of DevSecOps implementations.

DEVSECOPS.pptxMohammadSaif904342

2019 DevSecOps Reference ArchitecturesSonatype

Introduction to DevSecOpsSetu Parimi

An introduction to the devsecops webinar will be presented by me at 10.30am EST on 29th July,2018. It's a session focussed on high level overview of devsecops which will be followed by intermediate and advanced level sessions in future. Agenda: -DevSecOps Introduction -Key Challenges, Recommendations -DevSecOps Analysis -DevSecOps Core Practices -DevSecOps pipeline for Application & Infrastructure Security -DevSecOps Security Tools Selection Tips -DevSecOps Implementation Strategy -DevSecOps Final Checklist

DevSecOps and the CI/CD PipelineJames Wickett

All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table. Presented at OWASP NoVA, Sept 25th, 2018

DevSecOps in Baby StepsPriyanka Aash

Introduction to DevSecOpsabhimanyubhogwan

Link to Youtube video: https://youtu.be/-awH_CC4DLo You can contact me at [email protected] My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/ Basic Introduction to DevSecOps concept Why What and How for DevSecOps Basic intro for Threat Modeling Basic Intro for Security Champions 3 pillars of DevSecOps 6 important components of a DevSecOps approach DevSecOps Security Best Practices How to integrate security in CI/CD pipeline

DevSecOps Basics with Azure Pipelines Abdul_Mujeeb

This document discusses DevSecOps, which integrates security practices into DevOps workflows to securely develop software through continuous integration and delivery. It outlines the basic DevOps process using Azure Pipelines for CI/CD and defines DevSecOps. The document then discusses challenges with security, benefits of DevSecOps for businesses, and common tools used, before concluding with an example DevSecOps demo using Azure Pipelines with security scans at various stages.

Demystifying DevSecOpsArchana Joshi

This document discusses DevSecOps, which involves infusing security practices into the development lifecycle to enable faster release cycles while maintaining security. It notes that over 53,000 cybersecurity incidents occurred in India in 2017. Implementing DevSecOps requires changes across an organization's people, processes, tools, and governance to embed security responsibilities across all teams. The typical DevSecOps pipeline shifts security left through activities like threat modeling, security testing, and monitoring throughout the development lifecycle.

Practical DevSecOps Course - Part 1Mohammed A. Imran

The practical DevSecOps course is designed to help individuals and organisations in implementing DevSecOps practices, to achieve massive scale in security. This course is divided into 13 chapters, each chapter will have theory, followed by demos and any limitations we need to keep in my mind while implementing them. More details here - https://www.practical-devsecops.com/

DevSecOps 101Narudom Roongsiriwong, CISSP

Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations. This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.

DevSecOpsCheah Eng Soon

DEVSECOPS: Coding DevSecOps journeyJason Suttie

DevSecOps Singapore introductionStefan Streichsbier

The document announces events from DevSecOps Singapore to bring together developers, operations, and security professionals. It describes monthly meetups for talks and networking, workshops over 4 months on integrating security testing into the SDLC, and an annual conference in 2017. It provides announcements for the workshops and conference and calls for speakers, office space, and volunteers to help build the community.

DevSecOps: Taking a DevOps Approach to SecurityAlert Logic

DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services

This document discusses DevSecOps, including what it is, why it is needed, and how to implement it. DevSecOps aims to integrate security tools and a security-focused culture into the development lifecycle. It allows security to keep pace with rapid development. The document outlines how to incorporate security checks at various stages of the development pipeline from pre-commit hooks to monitoring in production. It provides examples of tools that can be used and discusses cultural and process aspects of DevSecOps implementation.

Practical DevSecOps - Arief Karfiantoidsecconf

This document discusses practical DevSecOps. It begins with an agenda and introduction of the presenter. It then describes the presenter's work background and organization. The document outlines the development lifecycle, from no versioning or automation to introducing versioning, continuous integration, and automated security analysis. It discusses competing priorities between business, development, security, and operations. The rest of the document covers why automation is important, what DevOps and DevSecOps are, an example GitLab CI configuration, lessons learned, and concludes by thanking the audience.

How to Get Started with DevSecOpsCYBRIC

"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines enabling this transformation and the resulting benefits, including the delivery of more secure applications, lower cost of managing your security posture and full visibility into application and enterprise risks. www.cybric.io

Slide DevSecOps Microservices Hendri Karisma

The document discusses best practices for implementing DevSecOps for microservices architectures. It begins by defining microservices and explaining their advantages over monolithic architectures. It then covers challenges of microservices including communication between services, databases, testing, and deployment. The document recommends using a choreography pattern for asynchronous communication between loosely coupled services. It provides examples of event-driven architectures and deploying to Kubernetes. It also discusses technologies like Jenkins, Docker, Kubernetes, SonarQube, and Trivy that can help support continuous integration, deployment, and security in DevSecOps pipelines.

ABN AMRO DevSecOps JourneyDerek E. Weeks

This document summarizes ABN AMRO's DevSecOps journey and initiatives. It discusses their implementation of continuous integration and delivery pipelines to improve software quality, reduce lead times, and increase developer productivity. It also covers their work to incorporate security practices like open source software management, container security, and credentials management into the development lifecycle through techniques like dependency scanning, security profiling, and a centralized secrets store. The presentation provides status updates on these efforts and outlines next steps to further mature ABN AMRO's DevSecOps capabilities.

The State of DevSecOpsDevOps Indonesia

The document discusses the rise of DevSecOps and its importance for software development. It notes that existing security solutions are no longer adequate due to the speed of modern development, and that security has become a bottleneck. DevSecOps aims to integrate security practices into development workflows to enable continuous and real-time security. It outlines how security responsibilities have evolved from separate teams to being shared among developers, and how tools have progressed from periodic testing to continuous monitoring and automation. The document argues that DevSecOps is necessary now given the costs of data breaches and risks of vulnerabilities in open source components.

Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaMohammed A. Imran

DevSecOpsJoel Divekar

This document discusses DevSecOps and provides information about integrating security practices into the DevOps process. It describes how DevSecOps improves upon traditional DevOps by adding security checks to code, containers, and infrastructure. These checks help detect vulnerabilities, sensitive information, and non-compliance before code is deployed. The document also introduces the open-source auditing tool Lynis, which scans servers to identify vulnerabilities and compliance issues across the operating system, network settings, authentication methods, and more.

What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...Edureka!

***** DevOps Masters Program : https://www.edureka.co/masters-progra... ***** This DevOps tutorial takes you through what is DevOps all about and basic concepts of DevOps and DevOps Tools. This DevOps tutorial is ideal for beginners to get started with DevOps. Check our complete DevOps playlist here: http://goo.gl/O2vo13 DevOps Tutorial Blog Series: https://goo.gl/P0zAfF

The What, Why, and How of DevSecOpsCprime

The document discusses the principles and practices of DevSecOps. It begins with an agenda that covers DevSecOps prerequisites, foundations, roles and responsibilities, and practical tips. It discusses concepts like shifting security left, continuous integration/delivery pipelines, and the importance of collaboration across roles. It provides overviews of risk management, static and dynamic testing, feature toggles, and recommends DevSecOps training and tools from Cprime. The presentation aims to help organizations adopt DevSecOps practices to improve security and deployment processes.

SDLC & DevSecOpsIrina Kostina

The document discusses security best practices across the software development lifecycle (SDLC). It covers: - The Microsoft Security Development Lifecycle (SDL) methodology which includes activities like threat modeling, security testing, using approved tools and cryptography standards, managing third-party components, and establishing an incident response process. - Static and dynamic application security testing (SAST and DAST) - SAST analyzes source code for vulnerabilities while DAST tests running applications. Both have tradeoffs in terms of when issues are found, expenses to fix, and what types of vulnerabilities are discovered. - DevSecOps practices like integrating security activities into each stage of development through techniques like incremental threat modeling, automated testing, and continuous

Continuous delivery is more than dev opsAgile Montréal

More Related Content

What's hot (20)

DevSecOps in Baby StepsPriyanka Aash

Introduction to DevSecOpsabhimanyubhogwan

DevSecOps Basics with Azure Pipelines Abdul_Mujeeb

Demystifying DevSecOpsArchana Joshi

Practical DevSecOps Course - Part 1Mohammed A. Imran

DevSecOps 101Narudom Roongsiriwong, CISSP

DevSecOpsCheah Eng Soon

DEVSECOPS: Coding DevSecOps journeyJason Suttie

DevSecOps Singapore introductionStefan Streichsbier

DevSecOps: Taking a DevOps Approach to SecurityAlert Logic

DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services

Practical DevSecOps - Arief Karfiantoidsecconf

How to Get Started with DevSecOpsCYBRIC

Slide DevSecOps Microservices Hendri Karisma

ABN AMRO DevSecOps JourneyDerek E. Weeks

The State of DevSecOpsDevOps Indonesia

Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaMohammed A. Imran

DevSecOpsJoel Divekar

What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...Edureka!

The What, Why, and How of DevSecOpsCprime

DevSecOps in Baby StepsPriyanka Aash

Introduction to DevSecOpsabhimanyubhogwan

DevSecOps Basics with Azure Pipelines Abdul_Mujeeb

Demystifying DevSecOpsArchana Joshi

Practical DevSecOps Course - Part 1Mohammed A. Imran

DevSecOps 101Narudom Roongsiriwong, CISSP

DevSecOpsCheah Eng Soon

DEVSECOPS: Coding DevSecOps journeyJason Suttie

DevSecOps Singapore introductionStefan Streichsbier

DevSecOps: Taking a DevOps Approach to SecurityAlert Logic

DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services

Practical DevSecOps - Arief Karfiantoidsecconf

How to Get Started with DevSecOpsCYBRIC

Slide DevSecOps Microservices Hendri Karisma

ABN AMRO DevSecOps JourneyDerek E. Weeks

The State of DevSecOpsDevOps Indonesia

Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaMohammed A. Imran

DevSecOpsJoel Divekar

What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...Edureka!

The What, Why, and How of DevSecOpsCprime

Similar to [DevSecOps Live] DevSecOps: Challenges and Opportunities (20)

SDLC & DevSecOpsIrina Kostina

Continuous delivery is more than dev opsAgile Montréal

ProdSec: A Technical ApproachJeremy Brown

What happens when a company either doesn’t fully empower the Security team, or have one at all? Stuff like Goto fail, Equifax, unsandboxed AVs and infinite other buzz, or yet to be buzzed, words describe failures of not adequately protecting customers or services they rely on. Having a solid security team enables a company to set a bar, ensure security exists within the design, insert tooling at various stages of the process and continuously iterate on such results. Working with the folks building the products to give them solutions instead of just problems allows one to scale, earn trust and most importantly be effective and actually ship. There’s a whole security industry out there with folks wearing every which hat you can think of. They have influence and the ability to find a bug one day and disclose it the next, so companies must adapt both engineering practices and perspectives in order to ‘navigate the waters of reality’ and not just hope one doesn’t take a look at their product. Having processes in place that reduce attack surface, automate testing and set a minimum bar can reduce bugs therefore randomization for devs therefore cost of patching and create a culture where security makes more sense as it demonstratively solves problems. Nvidia is evolving in this space. Focused on the role of product security, I’ll go through the various components of a security team and how they each interact and complement each other, commodity and niche tooling as well as how relationships across organizations can give one an edge in this area. This talk balances the perspective of security engineers working within a large company with the independent nature of how things work in the industry. Attendees will walk away with a breadth of knowledge, an inside view of the technical workings, tooling and intricacies of finding and fixing bugs and finding balance within a product-first world.

[OPD 2019] Governance as a missing part of IT security architectureOWASP

The document discusses how governance is a missing part of IT security architecture. It proposes that security architecture should include technology, processes, and organization/people, similar to how Gartner describes the components of overall IT architecture. It presents capabilities maturity models and the secure development lifecycle as ways to incorporate governance into the design, development, testing, and operations of technology to ensure security is considered throughout the IT process.

Scrum_BLR 11th meet up 13 dec-2014 - SDET - They Way to go for Testers - Jaya...Scrum Bangalore

The document discusses the evolving role of software testers and the benefits of testers becoming software development engineers in test (SDETs). It argues that testers should expand their skills from just testing to also include activities like programming, test automation, and code reviews. This will allow testers to find defects earlier and help reduce test cycle times. It outlines a path for testers to transition to SDETs by improving their technical skills and provides examples of how SDETs have contributed value in various organizations.

CodeOne 2018 - Better software, faster: principles of Continuous Delivery and...Bert Jan Schrijver

This document discusses principles of Continuous Delivery and DevOps. It defines Continuous Integration, Continuous Delivery, and Continuous Deployment, and explains that the goal of Continuous Delivery is to have software ready for release at any time by building and testing frequently. The document also discusses that DevOps aims to have development and operations work together throughout the software lifecycle. It provides ingredients for successful Continuous Delivery including culture, automation, and monitoring.

Tune Agile Test Strategies to Project and Product MaturityTechWell

For optimum results, you need to tune agile project's test strategies to fit the different stages of project and product maturity. Testing tasks and activities should be lean enough to avoid unnecessary bottlenecks and robust enough to meet your testing goals. Exploring what "quality" means for various stakeholder groups, Anna Royzman describes testing methods and styles that fit best along the maturity continuum. Anna shares her insights on strategic ways to use test automation, when and how to leverage exploratory testing as a team activity, ways to prepare for live pilots and demos of the real product, approaches to refine test coverage based on customer feedback, and techniques for designing a production "safety net" suite of automated tests. Leave with a better understanding of how to satisfy your stakeholders’ needs for quality-and a roadmap for tuning your agile test strategies.

DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon

This document discusses how security practices need to shift left to keep up with faster development processes. It suggests that security teams should establish a baseline of their processes, continuously assess findings and provide feedback, and automate testing as much as possible. This will help integrate security earlier in development cycles. It also addresses how security tools need to change to support faster development by making scans nearly instantaneous and improving the user experience. Automating security policies and configurations is important as applications move to microservices architectures. Overall it argues for more collaboration between security and development teams.

Metrics-driven Continuous DeliveryAndrew Phillips

1. The document discusses metrics-driven continuous delivery and focuses on using metrics throughout the development and delivery process. 2. It emphasizes using architectural metrics in addition to functional metrics to help determine if a new version is likely to cause catastrophic failures before deploying to production. 3. It also argues that the concept of continuous delivery pipelines should extend beyond production deployments to help evaluate user experience and gain feedback on new features beyond just technical metrics.

DevoxxUK 2019 - Better software, faster.Bert Jan Schrijver

This document discusses principles of continuous delivery and DevOps. It defines continuous integration, continuous delivery, and continuous deployment, and explains that the goal of these practices is to reliably and repeatedly deploy software updates. The document outlines ingredients for successful continuous delivery, including building quality in, keeping everything in version control, automating processes, and ensuring everybody is responsible for software delivery. It also discusses DevOps and why organizations adopt continuous delivery and DevOps practices like reducing errors, empowering teams, and increasing deployment flexibility.

Ben Walters - Creating Customer Value With Agile Testing - EuroSTAR 2011TEST Huddle

OpenValue Vienna meetup september 2020 - Better software, faster: Principles ...Bert Jan Schrijver

The document discusses principles of continuous delivery and DevOps. It defines continuous delivery, continuous integration, and DevOps. The goal of continuous delivery is to have software ready for release at any time by building and testing it frequently. DevOps aims to have development and operations teams work together throughout the software lifecycle. The document outlines ingredients for successful continuous delivery like automated testing, version control, and building quality in from the start. It also discusses patterns and anti-patterns for continuous delivery and DevOps.

Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro

Owasp tdssnyff

Test-driven security involves writing security-focused test cases to test for vulnerabilities during the development process. This helps enable continuous deployment by ensuring new code does not introduce security bugs. The key aspects discussed are: 1) Having developers or security experts write test cases to validate common vulnerabilities like authentication failures, input validation, and authorization checks. 2) Involving non-technical team members like project managers in writing test cases using plain language to specify scenarios. 3) Integrating security testing into continuous integration pipelines to automatically catch issues during code reviews.

Rethinking the Role of TestersPaul Gerrard

This document discusses the need to rethink the role of testers in agile and structured projects. It argues that changes in business demands and development practices are squeezing testers and that many current testing roles and skills may disappear. Specifically, it predicts that half of onshore testing roles will be eliminated in 5 years. It recommends testers focus on more strategic roles like business analysis, requirements management, and assurance rather than traditional testing tasks.

Devoxx Belgium 2019 - Better software, faster: Principles of Continuous Deliv...Bert Jan Schrijver

This document discusses principles of continuous delivery and DevOps. It defines continuous integration, continuous delivery, and continuous deployment. The goal of continuous delivery is to have software ready for release at any time by building and testing frequently. DevOps aims to have development and operations teams work together throughout the software lifecycle. The document provides principles and ingredients for continuous delivery, including automating processes, keeping everything in version control, and continuous improvement. It also discusses patterns and anti-patterns for continuous delivery.

AmsterdamJUG September 2019 - Better software, faster: Principles of Continuo...Bert Jan Schrijver

This document discusses principles of Continuous Delivery (CD) and DevOps. It defines CD, Continuous Integration, and Continuous Deployment. The goal of CD is to have a repeatable, reliable process for releasing software. Key principles of CD include keeping everything in version control, continuous improvement, and automating processes. Ingredients for successful CD include culture/organization, design/architecture, testing/verification, building/deploying, and information/reporting. CD is enabled by DevOps, where developers and operations work together throughout the software development lifecycle. The document provides examples of CD patterns and anti-patterns and encourages starting with small improvements.

AppSec in an Agile WorldDavid Lindner

In the ever-evolving, fast-paced Agile development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories—stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. In this slide deck, we go through the various solutions to help build security into the development process.

Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam

This document discusses succeeding in the marriage of cybersecurity and DevOps. It outlines five keys to a successful marriage: 1) establish a common process framework; 2) commit to collaboration; 3) design for security from inception; 4) strive to automate security processes; and 5) continuously learn and innovate. The document provides examples of how tools like Espial can help automate and integrate security testing into the development pipeline to enable continuous detection and faster remediation of vulnerabilities.

Den Bosch Java User Group April 2020 - Better software, faster - Principles o...Bert Jan Schrijver

This document discusses principles of Continuous Delivery and DevOps. It defines key terms like Continuous Integration, Continuous Delivery, and DevOps. The document explains that the goal of Continuous Delivery is to have working software in production. It outlines ingredients for Continuous Delivery like culture, automation, and testing. It also discusses patterns and anti-patterns and provides guidance on getting started with Continuous Delivery.

SDLC & DevSecOpsIrina Kostina

Continuous delivery is more than dev opsAgile Montréal

ProdSec: A Technical ApproachJeremy Brown

[OPD 2019] Governance as a missing part of IT security architectureOWASP

Scrum_BLR 11th meet up 13 dec-2014 - SDET - They Way to go for Testers - Jaya...Scrum Bangalore

CodeOne 2018 - Better software, faster: principles of Continuous Delivery and...Bert Jan Schrijver

Tune Agile Test Strategies to Project and Product MaturityTechWell

DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon

Metrics-driven Continuous DeliveryAndrew Phillips

DevoxxUK 2019 - Better software, faster.Bert Jan Schrijver

Ben Walters - Creating Customer Value With Agile Testing - EuroSTAR 2011TEST Huddle

OpenValue Vienna meetup september 2020 - Better software, faster: Principles ...Bert Jan Schrijver

Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro

Owasp tdssnyff

Rethinking the Role of TestersPaul Gerrard

Devoxx Belgium 2019 - Better software, faster: Principles of Continuous Deliv...Bert Jan Schrijver

AmsterdamJUG September 2019 - Better software, faster: Principles of Continuo...Bert Jan Schrijver

AppSec in an Agile WorldDavid Lindner

Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam

Den Bosch Java User Group April 2020 - Better software, faster - Principles o...Bert Jan Schrijver

More from Mohammed A. Imran (13)

Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran

In Practical DevSecOps - DevSecOps Live online meetup, you’ll learn Automating security tests using Selenium and OWASP ZAP. Join Srinivas, Red Team Member at Banking Industry, also Offensive Security Certified Professional(OSCP) and Offensive Security Certified Expert(OSCE. He will cover Automating security tests using Selenium and OWASP ZAP. In this intriguing meetup, you will learn: 1. Introduction to automated vulnerability scans and their limitations. 2. A short introduction to how functional tests can be useful in performing robust security tests. 3. Introduction to selenium and OWASP ZAP 4. Proxying selenium tests through OWASP ZAP 5. Invoking authenticated active scans using OWASP ZAP 6. Obtaining scan reports … and more useful takeaways!

Strengthen and Scale Security for a dollar or lessMohammed A. Imran

Scale security for a dollar or lessMohammed A. Imran

Security is tough and is even tougher to do, in complex environments with lots of dependencies and monolithic architecture. With emergence of Microservice architecture, security has become a bit easier however it introduces its own set of security challenges. This talk will showcase how we can leverage DevSecOps techniques to secure APIs/Microservices using free and open source software. We will also discuss how emerging technologies like Docker, Kubernetes, Clair, ansible, consul, vault, etc., can be used to scale/strengthen the security program for free. More details here - https://www.practical-devsecops.com/

In graph we trust: Microservices, GraphQL and security challengesMohammed A. Imran

In graph we trust: Microservices, GraphQL and security challenges - Mohammed A. Imran Microservices, RESTful and API-first architectures are rage these days and rightfully so, they solve some of the challenges of modern application development. Microservices enable organisations in shipping code to production faster and is accomplished by dividing big monolithic applications into smaller but specialised applications. Though they provide great benefits, they are difficult to debug and secure in complex environments (different API versions, multiple API calls and frontend/backend gaps etc.,). GraphQL provides a powerful way to solve some of these challenges but with great power, comes great responsibility. GraphQL reduces the attack surface drastically(thanks to LangSec) but there are still many things which can go wrong. This talk will cover the risks associated with GraphQL, challenges and solutions, which help in implementing Secure GraphQL based APIs. We will start off with introduction to GraphQL and its benefits. We then discuss the difficulty in securing these applications and why traditional security scanners don’t work with them. At last, we will cover solutions which help in securing these API by shifting left in DevOps pipeline. We will cover the following as part of this presentation: GraphQL use cases and how unicorns use them Benefits and security challenges with GraphQL Authentication and Authorisation Resource exhaustion Backend complexities with microservices Need for tweaking conventional DevSecOps tools for security assurance Security solutions which works with GraphQL

Null Singapore 2015 accomplishmentsMohammed A. Imran

Exploit development 101 - Part 1 - Null SingaporeMohammed A. Imran

Null Singapore Introduction Mohammed A. Imran

NullOpenSecurity is an active open security community that brings together penetration testers, security managers, security admins, and ninjas. The community aims to make the internet a more secure place. It hosts monthly meetups to discuss security topics. It also organizes hands-on hacking and security workshops throughout the year. The community provides opportunities for learning, networking, and getting involved in the security industry. Members get discounts on the annual security conference and can speak at events. The summary aims to introduce the key aspects and goals of the NullOpenSecurity community.

Pentesting RESTful webservicesMohammed A. Imran

Cross site scripting attacks and defensesMohammed A. Imran

Cross-site scripting (XSS) is an injection attack where malicious scripts are injected into otherwise trusted sites. There are three main types of XSS attacks: reflected XSS occurs via URLs, stored XSS occurs when scripts are stored in a database and delivered to users, and DOM-based XSS modifies the DOM environment. XSS attacks can lead to issues like session hijacking, phishing, and port scanning. Developers can prevent XSS by validating and encoding untrusted data, and using HTTP-only and secure flags for cookies.

Assembly language part IMohammed A. Imran

How to secure web applicationsMohammed A. Imran

About Null open security communityMohammed A. Imran

How to find Zero day vulnerabilitiesMohammed A. Imran

This document provides an overview of zero-day vulnerabilities and techniques for discovering them, including source code auditing and fuzzing. It discusses identifying entry points, input validations, and vulnerable functions by analyzing source code. Fuzzing is introduced as providing invalid or unexpected data to test for crashes or failures. Common fuzzing methods and the fuzzing lifecycle are outlined. Specific tools for source code auditing like RIPS and fuzzing like JBroFuzz are also mentioned.

Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran

Strengthen and Scale Security for a dollar or lessMohammed A. Imran

Scale security for a dollar or lessMohammed A. Imran

In graph we trust: Microservices, GraphQL and security challengesMohammed A. Imran

Null Singapore 2015 accomplishmentsMohammed A. Imran

Exploit development 101 - Part 1 - Null SingaporeMohammed A. Imran

Null Singapore Introduction Mohammed A. Imran

Pentesting RESTful webservicesMohammed A. Imran

Cross site scripting attacks and defensesMohammed A. Imran

Assembly language part IMohammed A. Imran

How to secure web applicationsMohammed A. Imran

About Null open security communityMohammed A. Imran

How to find Zero day vulnerabilitiesMohammed A. Imran

Recently uploaded (20)

Odoo Inventory Rules and Routes v17 - Odoo SlidesCeline George

2541William_McCollough_DigitalDetox.docxcontactwilliamm2546

Operations Management (Dr. Abdulfatah Salem).pdfArab Academy for Science, Technology and Maritime Transport

pulse ppt.pptx Types of pulse , characteristics of pulse , Alteration of pulsesushreesangita003

Social Problem-Unemployment .pptx notes for Physiotherapy StudentsDrNidhiAgarwal

Unemployment is a major social problem, by which not only rural population have suffered but also urban population are suffered while they are literate having good qualification.The evil consequences like poverty, frustration, revolution result in crimes and social disorganization. Therefore, it is necessary that all efforts be made to have maximum. employment facilities. The Government of India has already announced that the question of payment of unemployment allowance cannot be considered in India

Metamorphosis: Life's Transformative JourneyArshad Shaikh

Handling Multiple Choice Responses: Fortune Effiong.pptxAuthorAIDNationalRes

Niamh Lucey, Mary Dunne. Health Sciences Libraries Group (LAI). Lighting the ...Library Association of Ireland

One Hot encoding a revolution in Machine learningmomer9505

How to Subscribe Newsletter From Odoo 18 WebsiteCeline George

The ever evoilving world of science /7th class science curiosity /samyans aca...Sandeep Swamy

The Ever-Evolving World of Science Welcome to Grade 7 Science4not just a textbook with facts, but an invitation to question, experiment, and explore the beautiful world we live in. From tiny cells inside a leaf to the movement of celestial bodies, from household materials to underground water flows, this journey will challenge your thinking and expand your knowledge. Notice something special about this book? The page numbers follow the playful flight of a butterfly and a soaring paper plane! Just as these objects take flight, learning soars when curiosity leads the way. Simple observations, like paper planes, have inspired scientific explorations throughout history.

Understanding P–N Junction Semiconductors: A Beginner’s GuideGS Virdi

Dive into the fundamentals of P–N junctions, the heart of every diode and semiconductor device. In this concise presentation, Dr. G.S. Virdi (Former Chief Scientist, CSIR-CEERI Pilani) covers: What Is a P–N Junction? Learn how P-type and N-type materials join to create a diode. Depletion Region & Biasing: See how forward and reverse bias shape the voltage–current behavior. V–I Characteristics: Understand the curve that defines diode operation. Real-World Uses: Discover common applications in rectifiers, signal clipping, and more. Ideal for electronics students, hobbyists, and engineers seeking a clear, practical introduction to P–N junction semiconductors.

Michelle Rumley & Mairéad Mooney, Boole Library, University College Cork. Tra...Library Association of Ireland

YSPH VMOC Special Report - Measles Outbreak Southwest US 5-3-2025.pptxYale School of Public Health - The Virtual Medical Operations Center (VMOC)

A measles outbreak originating in West Texas has been linked to confirmed cases in New Mexico, with additional cases reported in Oklahoma and Kansas. The current case count is 817 from Texas, New Mexico, Oklahoma, and Kansas. 97 individuals have required hospitalization, and 3 deaths, 2 children in Texas and one adult in New Mexico. These fatalities mark the first measles-related deaths in the United States since 2015 and the first pediatric measles death since 2003. The YSPH Virtual Medical Operations Center Briefs (VMOC) were created as a service-learning project by faculty and graduate students at the Yale School of Public Health in response to the 2010 Haiti Earthquake. Each year, the VMOC Briefs are produced by students enrolled in Environmental Health Science Course 581 - Public Health Emergencies: Disaster Planning and Response. These briefs compile diverse information sources – including status reports, maps, news articles, and web content– into a single, easily digestible document that can be widely shared and used interactively. Key features of this report include: - Comprehensive Overview: Provides situation updates, maps, relevant news, and web resources. - Accessibility: Designed for easy reading, wide distribution, and interactive use. - Collaboration: The “unlocked" format enables other responders to share, copy, and adapt seamlessly. The students learn by doing, quickly discovering how and where to find critical information and presenting it in an easily understood manner. CURRENT CASE COUNT: 817 (As of 05/3/2025) • Texas: 688 (+20)(62% of these cases are in Gaines County). • New Mexico: 67 (+1 )(92.4% of the cases are from Eddy County) • Oklahoma: 16 (+1) • Kansas: 46 (32% of the cases are from Gray County) HOSPITALIZATIONS: 97 (+2) • Texas: 89 (+2) - This is 13.02% of all TX cases. • New Mexico: 7 - This is 10.6% of all NM cases. • Kansas: 1 - This is 2.7% of all KS cases. DEATHS: 3 • Texas: 2 – This is 0.31% of all cases • New Mexico: 1 – This is 1.54% of all cases US NATIONAL CASE COUNT: 967 (Confirmed and suspected): INTERNATIONAL SPREAD (As of 4/2/2025) • Mexico – 865 (+58) ‒Chihuahua, Mexico: 844 (+58) cases, 3 hospitalizations, 1 fatality • Canada: 1531 (+270) (This reflects Ontario's Outbreak, which began 11/24) ‒Ontario, Canada – 1243 (+223) cases, 84 hospitalizations. • Europe: 6,814

Exploring-Substances-Acidic-Basic-and-Neutral.pdfSandeep Swamy

Exploring Substances: Acidic, Basic, and Neutral Welcome to the fascinating world of acids and bases! Join siblings Ashwin and Keerthi as they explore the colorful world of substances at their school's National Science Day fair. Their adventure begins with a mysterious white paper that reveals hidden messages when sprayed with a special liquid. In this presentation, we'll discover how different substances can be classified as acidic, basic, or neutral. We'll explore natural indicators like litmus, red rose extract, and turmeric that help us identify these substances through color changes. We'll also learn about neutralization reactions and their applications in our daily lives. by sandeep swamy

How to track Cost and Revenue using Analytic Accounts in odoo Accounting, App...Celine George

Analytic accounts are used to track and manage financial transactions related to specific projects, departments, or business units. They provide detailed insights into costs and revenues at a granular level, independent of the main accounting system. This helps to better understand profitability, performance, and resource allocation, making it easier to make informed financial decisions and strategic planning.

How to Manage Opening & Closing Controls in Odoo 17 POSCeline George

apa-style-referencing-visual-guide-2025.pdfIshika Ghosh

Title: A Quick and Illustrated Guide to APA Style Referencing (7th Edition) This visual and beginner-friendly guide simplifies the APA referencing style (7th edition) for academic writing. Designed especially for commerce students and research beginners, it includes: ✅ Real examples from original research papers ✅ Color-coded diagrams for clarity ✅ Key rules for in-text citation and reference list formatting ✅ Free citation tools like Mendeley & Zotero explained Whether you're writing a college assignment, dissertation, or academic article, this guide will help you cite your sources correctly, confidently, and consistent. Created by: Prof. Ishika Ghosh, Faculty. 📩 For queries or feedback: [email protected]

How to Set warnings for invoicing specific customers in odooCeline George

K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schoolsdogden2

Algebra 1 is often described as a “gateway” class, a pivotal moment that can shape the rest of a student’s K–12 education. Early access is key: successfully completing Algebra 1 in middle school allows students to complete advanced math and science coursework in high school, which research shows lead to higher wages and lower rates of unemployment in adulthood. Learn how The Atlanta Public Schools is using their data to create a more equitable enrollment in middle school Algebra classes.

Odoo Inventory Rules and Routes v17 - Odoo SlidesCeline George

2541William_McCollough_DigitalDetox.docxcontactwilliamm2546

Operations Management (Dr. Abdulfatah Salem).pdfArab Academy for Science, Technology and Maritime Transport

pulse ppt.pptx Types of pulse , characteristics of pulse , Alteration of pulsesushreesangita003

Social Problem-Unemployment .pptx notes for Physiotherapy StudentsDrNidhiAgarwal

Metamorphosis: Life's Transformative JourneyArshad Shaikh

Handling Multiple Choice Responses: Fortune Effiong.pptxAuthorAIDNationalRes

Niamh Lucey, Mary Dunne. Health Sciences Libraries Group (LAI). Lighting the ...Library Association of Ireland

One Hot encoding a revolution in Machine learningmomer9505

How to Subscribe Newsletter From Odoo 18 WebsiteCeline George

The ever evoilving world of science /7th class science curiosity /samyans aca...Sandeep Swamy

Understanding P–N Junction Semiconductors: A Beginner’s GuideGS Virdi

Michelle Rumley & Mairéad Mooney, Boole Library, University College Cork. Tra...Library Association of Ireland

YSPH VMOC Special Report - Measles Outbreak Southwest US 5-3-2025.pptxYale School of Public Health - The Virtual Medical Operations Center (VMOC)

Exploring-Substances-Acidic-Basic-and-Neutral.pdfSandeep Swamy

How to track Cost and Revenue using Analytic Accounts in odoo Accounting, App...Celine George

How to Manage Opening & Closing Controls in Odoo 17 POSCeline George

apa-style-referencing-visual-guide-2025.pdfIshika Ghosh

How to Set warnings for invoicing specific customers in odooCeline George

K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schoolsdogden2

[DevSecOps Live] DevSecOps: Challenges and Opportunities

1. DEVSECOPS CHALLENGES & OPPORTUNITIES MOHAN YELNADU

3. P. P. T • • QUALITY • PRAGMATIC • • OPEN • ACCOMMODATING • • RIGHT SET • SUIT MY REQUIREMENTS People Tools Process

4. PEOPLE • SMALL BUT SMART • CAN ACHIEVE A LOT • • • • • • SAVVY • CHANGE THE LANGUAGE • BUSINESS RISKS

5. APPSEC TOOLS • • MAKE OR BREAK • COE, TEAM WITH CURIOSITY.. • • • • • GO FOR POC/LISTEN TO EXPERTS IN THE FIELD

6. APPSEC TOOL GUIDANCE • • • • • • • • • • • • • • • • • • • •

7. PROCESS • • • • S • S • S • • EARLY, EFFORTLESS, AND CONSTANT FEEDBACK

8. EXAMPLE SAST – Static Application Security Testing OSS – Open Source Software Security CSec – Container Security DAST – Dynamic Application Security Testing

9. • SMOOTH ONBOARDING • AUTOMATE WHAT YOU CAN • IMPROVING TOOL ADOPTION • ROLLOUT STRATEGY • MANAGING CRITICAL ISSUES • MAKING IT WORK FOR SOC • PRODUCTION MONITORING • TAILORED CONFIGURATION • DO THE RIGHT THING • PRAGMATIC HYGIENE • MANAGING ZERO DAYS

10. SMOOTH ONBOARDING • AUTOMATED ONBOARDING ON SECURITY TOOLS • • • HEARD THE TOOL NAME, & ONBOARDED

11. AUTOMATE WHAT YOU CAN O N B OA R D I N G S C A N N I N G T R I AG E B U I L D B R EA K E R I S S U E M A N AG E M E N T

12. TRIAGE Scan Raise Triage Request Analyze Findings Fix True issues False Positives Analyze Triage Issues (If required meet developers) True issues False Positives Ignore/Not Applicable Developer AppSec SME

13. BUILDBREAKER: Pre-process Build Security Scan Code Quality Scan BuildBreaker PROD Example BitBucket Artifactory Source Code Build Artefact No-Go Go BuildBreaker Example: • No critical security issues in production build

14. IMPROVING TOOL ADOPTION Allow developers to Get used to the Tools‘‘ ’’ Give enough notice while enabling BuildBreakers/Gating‘‘ ’’ Create Ecosystem: FAQs, Documentation, Demos, Videos ‘‘ ’’ Give as many Live Demos as possible, share about new Tools & Processes ‘‘ ’’

15. ROLLOUT STRATEGY Break Build: In Stages‘‘ ’’ Handholding in False Positive Analysis: Triage & Guidance‘‘ ’’ Dispensation Management: Logging & Validity‘‘ ’’

16. MANAGING CRITICAL ISSUES • • LEVEL 10/CRITICAL • IDENTIFICATION • • FOLLOW-UP • Developers DO NOT realise the Gravity of Level 10 OSS Issues Self-Expérience J ‘‘ ’’

17. • • • • MAPPING APP WITH RIGHT STAKEHOLDERS IN DASHBOARD WORKING WITH SOC

18. PRODUCTION MONITORING • MONITORING • • NIGHTLY • ALERT Effective PROD Monitoring saved a huge effort! Self-Expérience J ‘‘ ’’

19. TAILORED CONFIGURATION • • • • DISPENSATION • LOGGING • CREATE DEVELOPER

20. DO THE RIGHT THING • • UPLOAD LIBRARY AND ANALYSE • BROWSER PLUGIN TO SCAN • IDE PLUGIN TO ENABLE LOCAL SCANS

21. PRAGMATIC HYGIENE • UPGRADING THE TOOLS TO LATEST VERSIONS • NEW FEATURES INNOVATIONS • ANALYSE IN TEST ENVIRONMENT 01 03 05 04 02

22. MANAGING ZERO DAYS • EYES AND EARS OPEN ZERO DAYS: • YOUR LIBRARIES TOOLS • • WAF • CONSTANT TOUCH WITH VENDOR • EVER READY TO ACT THE SHOW MUST GO ON!

23. IMPORTANT : SECRETS MANAGEMENT • • • •

25. THANK YOU! MOHAN YELNADU @monkelephant https://www.linkedin.com/in/mohanyelnadu

[DevSecOps Live] DevSecOps: Challenges and Opportunities

Recommended

More Related Content

What's hot (20)

Similar to [DevSecOps Live] DevSecOps: Challenges and Opportunities (20)

More from Mohammed A. Imran (13)

Recently uploaded (20)

[DevSecOps Live] DevSecOps: Challenges and Opportunities