DevSecOps: Delivering secure software at speed and scale of DevOps
Evandro Mohr
June 08, 2019
Transcript
DevSecOps: Delivering secure software at speed and scale of DevOps.
Evandro Mohr: Developer, Pilot, Professor, Photographer
“DevOps is not a goal, but a never-ending process of continual improvement” – Jez Humble
It’s all about bottlenecks
Chaotic Model: Fix, Build. First steps in SDLC.
Waterfall Model
▪ Long release cycles
▪ Functional silos
▪ Rigid
▪ Lots of WIP
The dawn of Agile
▪ Shorter release cycles
▪ Cross-functional teams
▪ Smaller batch sizes
DEV X OPS
DevOps
DevOps: Culture (principles and practices), Processes (automated deployment pipeline), Technologies (supporting tool chain)
DevOps Pipeline
How to keep up with security?
DevSecOps: Integrating security into Agile and DevOps
“DevSecOps enables organisations to deliver inherently secure software at DevOps scale and speed.”
Security Practice Checklist
✓ Verify for security early and often
✓ Parameterize queries
✓ Encode data
✓ Validate all inputs
✓ Implement identity and authentication controls
✓ Implement appropriate access controls
✓ Protect data
✓ Implement logging and intrusion detection
✓ Use security frameworks and libraries
✓ Error and exception handling
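Three of the checklist items (parameterize queries, encode data, validate all inputs) worked through in code, as an added example that is not from the deck: a constructed in-memory SQLite table, a concatenated query beside its parameterized form, an allow-list validator and HTML encoding of the output. The function names, the username rule and the sample rows are all assumptions.

```python
import html
import re
import sqlite3

# Constructed in-memory table so the example runs offline (not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

# Unparameterized: the caller's string is spliced into the SQL text,
# so SQL metacharacters in it change the meaning of the query.
def find_user_unsafe(conn, name):
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

# Parameterized: the driver binds the value; it is never parsed as SQL.
def find_user_safe(conn, name):
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Validate all inputs: allow-list the shape a username may take (assumed rule).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None

# Encode data: escape values before placing them into HTML output.
def render_row(name, email):
    return f"<li>{html.escape(name)} &lt;{html.escape(email)}&gt;</li>"

# Row count each query variant returns for the same input; a difference
# means the input was interpreted as SQL by the unparameterized form.
def row_counts(name):
    conn = make_db()
    return len(find_user_unsafe(conn, name)), len(find_user_safe(conn, name))

# Full path: reject malformed input, query with bound parameters, encode output.
def lookup(name):
    if not valid_username(name):
        return None
    conn = make_db()
    return [render_row(n, e) for n, e in find_user_safe(conn, name)]
```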
OWASP Top 10
DevSecOps: DevOps security hooks
DevSecOps Trigger Points
✓ Static scanning during development
✓ Pull requests: static scans of data flow, semantics and configuration
✓ Integration branch: dynamic scanning
✓ QA release candidate integration: dynamic scanning
✓ Production acceptance: production-safe dynamic scanning
✓ Post-production: RASP (Runtime Application Self-Protection) and WAF (Web Application Firewall); both need their rules kept updated
DevSecOps: Culture (principles and practices), Processes (automated deployment pipeline), Technologies (supporting tool chain)
Culture
▪ Communication and transparency
▪ Blameless postmortem
▪ Continuous improvement
▪ Everyone is responsible for security
▪ Automate as much as possible
▪ Everything as code
Processes: Secure SDLC
▪ Training
▪ Requirements
▪ Architecture & Design
▪ Coding
▪ Testing
▪ Deployment
▪ Post deployment
Processes: Security Pipeline
▪ Assessment of critical resources
▪ Reduce friction
▪ Increase visibility
▪ Each step repeatable
▪ Drive up dependency
Technologies
▪ Requirements
▪ Code: IDE plugins, SAST
▪ Test: Gauntlt, DAST
▪ Configure: security as code
▪ Maintenance: patch management
▪ Monitor: auditing, attack visibility
Questions?
Thank you very much for your time. You can find me at:
▪ br.linkedin.com/in/evandromohr
▪ t.me/phpcomrapadura