DevSecOps: Delivering secure software at speed and scale of DevOps
Evandro Mohr
June 08, 2019
Transcript
DevSecOps Delivering secure software at speed and scale of DevOps.
Evandro Mohr ▪ Developer ▪ Pilot ▪ Professor ▪ Photographer
“DevOps is not a goal, but a never-ending process of continual improvement” – Jez Humble
It’s all about bottlenecks
Chaotic Model ▪ Fix ▪ Build ▪ First steps in the SDLC
Waterfall Model
▪ Long release cycles
▪ Functional silos
▪ Rigid
▪ Lots of WIP
The dawn of Agile
▪ Shorter release cycles
▪ Cross-functional teams
▪ Smaller batch sizes
DEV X OPS
DevOps
▪ Culture: principles and practices
▪ Processes: automated deployment pipeline
▪ Technologies: supporting tool chain
DevOps Pipeline
How to keep up with security?
DevSecOps: Integrating security into Agile and DevOps
“DevSecOps enables organisations to deliver inherently secure software at DevOps scale and speed.”
Security Practice Checklist (the OWASP Top 10 Proactive Controls, 2016 edition)
✓ Verify for security early and often
✓ Parameterize queries
✓ Encode data
✓ Validate all inputs
✓ Implement identity and authentication controls
✓ Implement appropriate access controls
✓ Protect data
✓ Implement logging and intrusion detection
✓ Use security frameworks and libraries
✓ Error and exception handling
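Three of the checklist items above (parameterize queries, encode data, validate all inputs) in working code, as an added example that is not part of the deck. It uses an in-memory SQLite table with constructed sample rows so it runs offline; the table shape, the username format and the function names are assumptions made for illustration, not anything the deck prescribes. The string-built query is kept deliberately vulnerable so the difference is visible.

```python
"""Added example (not from the deck): parameterize queries, validate inputs,
encode output. Sample data is constructed; table shape and username rules are
assumptions for illustration."""
import html
import re
import sqlite3

# Constructed sample rows (assumption: a users table with name and email).
_ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def _db() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _ROWS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' case: the name is pasted into the SQL text, so a value like
    x' OR '1'='1 rewrites the WHERE clause and returns every row."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver binds the value as data; it is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allow-list for usernames (assumed format): lowercase letters, digits,
# underscore, 3 to 32 characters, starting with a letter.
_USERNAME = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def validate_username(name: str) -> bool:
    """Validate against what a username may look like, not against a list of
    bad characters; anything outside the expected shape is rejected."""
    return _USERNAME.fullmatch(name) is not None


def render_greeting(name: str) -> str:
    """Encode for the HTML context at the point of output. quote=True also
    escapes quotes, so the value is safe inside attribute values too."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def demo() -> dict:
    """Run the three controls against a classic injection payload."""
    conn = _db()
    payload = "x' OR '1'='1"
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, payload)),      # 2: every row leaks
        "parameterized_rows": len(find_user_parameterized(conn, payload)), # 0: no user has that name
        "valid": validate_username("alice"),                               # True
        "invalid": validate_username(payload),                             # False
        "encoded": render_greeting("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Validation and encoding are not interchangeable: the allow-list stops the payload at the boundary, but a legitimate value such as a name containing an apostrophe must still be bound as a parameter and encoded on output, because each control guards a different interpreter.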
OWASP Top 10
DevSecOps
DevOps security hooks
DevSecOps Trigger Points
✓ Development: static scanning while the code is being written
✓ Pull requests: static scans (data-flow, semantic and configuration analysis)
✓ Integration branch: dynamic scanning
✓ QA release candidate integration: dynamic scanning
✓ Production acceptance: production-safe dynamic scanning
✓ Post-production: RASP (Runtime Application Self-Protection) and WAF (Web Application Firewall); both need their rules kept up to date
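One way to turn the trigger points above into an enforceable gate, as an added example that is not part of the deck: a small policy function that, for each stage, looks only at the scan type that stage is meant to run and fails the pipeline when a finding reaches that stage's severity threshold. The stage names, the severity ranking, the thresholds and the Finding record format are assumptions made for illustration and do not correspond to any particular scanner or CI product; the sample findings are constructed.

```python
"""Added example (not from the deck): a pipeline gate that applies a different
severity policy at each DevSecOps trigger point.

Assumptions: scanners have already run and their results were normalised into
Finding records; stage names, scan types and thresholds below are made up for
illustration and are not from any real scanner or CI product.
"""
from __future__ import annotations

from dataclasses import dataclass

# Comparable severity levels. A severity the scanner labels with something not
# listed here is ranked above "critical", so the gate fails closed on it.
RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
UNKNOWN_RANK = 99

# Assumed policy per trigger point. Early stages block only on the worst
# findings so developers get fast feedback; the bar tightens towards production.
# "Production-safe" dynamic scanning (no destructive payloads against the live
# system) is a property of how the scanner is run, not something this gate can
# verify: it only reads the results.
POLICY = {
    "pull_request":          {"scan": "sast", "fail_at": "high"},
    "integration":           {"scan": "dast", "fail_at": "medium"},
    "release_candidate":     {"scan": "dast", "fail_at": "medium"},
    "production_acceptance": {"scan": "dast", "fail_at": "low"},
}


@dataclass(frozen=True)
class Finding:
    scan: str       # "sast" or "dast"
    rule: str       # scanner rule id
    severity: str   # low / medium / high / critical (or something unexpected)
    location: str   # file:line for SAST, request for DAST


def gate(stage: str, findings: list[Finding]) -> tuple[bool, list[Finding]]:
    """Return (passed, blocking_findings) for one trigger point.

    Only findings from the scan type configured for the stage are considered:
    a SAST result does not block a DAST stage and vice versa, so each stage
    answers one question. An unknown stage fails closed with no findings.
    """
    if stage not in POLICY:
        return False, []
    policy = POLICY[stage]
    threshold = RANK[policy["fail_at"]]
    blocking = [
        f for f in findings
        if f.scan == policy["scan"]
        and RANK.get(f.severity.lower(), UNKNOWN_RANK) >= threshold
    ]
    return not blocking, blocking


# Constructed sample findings, as a normaliser might produce them.
SAMPLE = [
    Finding("sast", "sql-injection", "high", "app/users.py:42"),
    Finding("sast", "hardcoded-secret", "medium", "app/config.py:7"),
    Finding("dast", "reflected-xss", "medium", "GET /search?q="),
    Finding("dast", "missing-hsts", "low", "GET /"),
]


def run_all(findings: list[Finding]) -> dict[str, bool]:
    """Evaluate every stage in pipeline order; the first failure is where this
    build would actually stop."""
    return {stage: gate(stage, findings)[0] for stage in POLICY}


if __name__ == "__main__":
    for stage, ok in run_all(SAMPLE).items():
        print(f"{stage:22s} {'PASS' if ok else 'FAIL'}")
```

Two design points worth keeping when adapting this: the gate fails closed on an unknown stage and on an unrecognised severity label, because a scanner upgrade that renames a level should not silently wave findings through; and the threshold is a per-stage policy that lives in code, so loosening it shows up in a pull request like any other change.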
DevSecOps
▪ Culture: principles and practices
▪ Processes: automated deployment pipeline
▪ Technologies: supporting tool chain
Culture
▪ Communication and transparency
▪ Blameless postmortems
▪ Continuous improvement
▪ Everyone is responsible for security
▪ Automate as much as possible
▪ Everything as code
Processes: Secure SDLC
▪ Training
▪ Requirements
▪ Architecture & design
▪ Coding
▪ Testing
▪ Deployment
▪ Post-deployment
Processes: Security Pipeline
▪ Assessment of critical resources
▪ Reduce friction
▪ Increase visibility
▪ Each step repeatable
▪ Drive up dependency
Technologies
▪ Requirements
▪ Code: IDE plugins, SAST
▪ Test: Gauntlt, DAST
▪ Configure: security as code
▪ Maintenance: patch management
▪ Monitor: auditing, attack visibility
Questions?
Thank you very much for your time.
You can find me at:
▪ br.linkedin.com/in/evandromohr
▪ t.me/phpcomrapadura