
Ali Yazdani
January 19, 2025

Navigating the DevSecOps Landscape: Challenges and Opportunities

At the OWASP Berlin Meetup, Ali Yazdani delivered a talk titled "Navigating the DevSecOps Landscape: Challenges and Opportunities", highlighting the transition from traditional software development to a DevSecOps culture. He emphasized the importance of collaboration, shared responsibility, and continuous improvement across Development, Security, and Operations. The talk addressed the integration of security checks throughout the CI/CD pipeline while maintaining robust defenses on the operational side. Dispelling common misconceptions, Ali stressed that DevSecOps requires more than just tools or role merging—it necessitates cultural shifts, effective governance, and specialized expertise. He also explored the benefits of DevSecOps, such as enhanced security and innovation, alongside challenges like tool integration and regulatory compliance.


Transcript

  1. Navigating the DevSecOps Landscape: Challenges and Opportunities
     Ali Yazdani, OWASP DevSecOps Guideline Project lead
     26 April 2019 - By me!
  2. Readme!
     • A Security Engineer with over 10 years of experience in AppSec across different industry sectors.
     • 2016 - present: OWASP contributor on projects like MSTG, and leading the DevSecOps Guideline project.
     • Now: Principal DevSecOps Engineer @ Scoutbee GmbH
  3. Introduction - traditional
     • In traditional software development, security measures were on the right side!
       Pipeline: Develop → Build → Tests → Deliver build to staging → Deploy to Production → Security Checks → Security Checks
  4. DevOps → DevSecOps
     • Aiming to fill the gap between Dev - Sec - Ops
     • A culture of:
       ◦ Collaboration
       ◦ Shared responsibility
       ◦ Continuous improvement
     • 3 Pillars of DevSecOps:
       ◦ People & Processes
       ◦ Tools (Technologies)
       ◦ Governance
  5. The team story
     From a technology point of view, we added some security checks into the CI/CD pipeline. But from a team perspective, we experienced some changes too.
  6. Still...
     • Checks along the stages Code/Build → Deploy → Operation: SAST, IaC, SCA, DAST, IAST, RASP
     • On the operation side (most potential attack surface): Pentest, Bug Bounty, VDP, VA, WAF, ...
     • We have to shift security checks to the left, but the right still needs to be protected.
     • Checks can cover but can't replace each other.
     • https://www.youtube.com/watch?v=gdsUKphmB3Y
  7. Some wrong facts!
     1. DevSecOps Engineer is DevOps Engineer + Security Engineer.
     2. By implementing some tools → we have DevSecOps!
     3. Since DevSecOps says security is everyone's responsibility, we don't need a security engineer/consultant/specialist.
     4. By shifting security tests to the left, we have a fully secure product!
  8. Opportunities
     • Enhanced Security
     • Improved Time to Market
     • Reduced Costs
     • Increased Customer Satisfaction
     • Enhanced Innovation
  9. Q&A
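The placement that slide 6 describes (SAST, SCA and IaC scans shifted left into the pipeline, DAST only once something is running, and the operations side still protected), written out as a GitHub Actions workflow. This is an added example and is not part of the talk or of the OWASP DevSecOps Guideline project; the tool choices (Semgrep, Trivy, OWASP ZAP), the `./infra` path and the staging URL are assumptions for illustration.

```yaml
# Added example, not from the talk: one way to place the checks from slide 6 in a
# GitHub Actions pipeline. Tool choices, the ./infra path and the staging URL are
# assumptions for illustration.
name: devsecops-checks

on:
  pull_request:
  push:
    branches: [main]

# Least privilege for the workflow token: the scanners only need to read the repo.
permissions:
  contents: read

jobs:
  # Left side: runs on every pull request, so findings block the merge.
  code-build-checks:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions to a full commit SHA in a real pipeline; version
      # tags are used here only for readability.
      - uses: actions/checkout@v4

      # SAST: insecure code patterns in the source. --error makes findings fail the job.
      - name: SAST (Semgrep, community ruleset)
        run: |
          python3 -m pip install --quiet semgrep
          semgrep --config p/ci --error .

      # SCA: known-vulnerable dependencies taken from the lockfiles in the repo.
      - name: SCA (Trivy filesystem scan)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln
          severity: CRITICAL,HIGH
          exit-code: '1'

      # IaC: misconfigurations in Terraform/Kubernetes files under ./infra (assumed path).
      - name: IaC (Trivy config scan)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: config
          scan-ref: ./infra
          severity: CRITICAL,HIGH
          exit-code: '1'

  # Right side: DAST needs a running target, so it can only run after a deploy to
  # staging. The deploy job is project-specific and assumed to exist; in a real
  # pipeline this job would also list it under needs.
  dast-staging:
    needs: code-build-checks
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - name: DAST (OWASP ZAP baseline scan against staging; URL is an assumption)
        run: |
          docker run --rm -t ghcr.io/zaproxy/zaproxy:stable \
            zap-baseline.py -t https://staging.example.com
```

The split between the two jobs is the point of the slide: the SAST, SCA and IaC scans gate the merge because they only need the source, while the DAST step can only run against a deployed instance, and RASP/WAF, pentests, bug bounty and VDP on the operations side are not pipeline steps at all. None of these checks substitutes for another; a clean `code-build-checks` job says nothing about what the baseline scan will find at runtime.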