and design
• Separate design, build and run
• Manual processes
• Discrete testing
• On-premise (mostly)
• Enterprise tools
• Etc.

DevOps
• Work it out as you go
• Integrated deployment/run
• Automation
• Testing as you go
• Cloud (mostly)
• CI/CD tools
• Etc.
do the right thing but still verify
• Make data visible, including risks, threats, etc.
• Fix it and ship it - no passing the buck
• Security cannot be a blocker - realistic, practical security with reasonable trade-offs
• Security engineers dedicated to DevOps teams
development practices, guidelines, and techniques to help build secure applications. These practices will help shift security earlier into design, coding, and testing.
data in test/dev, including keys
• Insecure cloud controls (e.g. unprotected S3 buckets)
• Mobile app security (learn from web mistakes)
• APIs often lack strict business logic
• Client-side security not adequate
• Roll your own crypto…bad idea
• Stack Overflow and other online sources teach bad habits
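Two of the points above, APIs that lack strict business logic and client-side security that is not adequate, are easiest to see in code. The following is an added example, not code from the presentation: a hypothetical order API where the first handler trusts the price and discount the client sends (relying on client-side checks), and the second re-derives every business-relevant value from server-side data and rejects requests outside policy. The catalog, quantity limit and discount codes are constructed sample data.

```python
"""Added example (not from the slides): enforcing business logic server-side.

`place_order_insecure` trusts fields the client sends (price, discount), i.e.
it relies on client-side validation that any caller can bypass.
`place_order` ignores those fields, looks prices up in server-side data,
and enforces quantity and discount policy itself.
"""
from dataclasses import dataclass

# Constructed server-side catalog: the only trusted source of prices.
CATALOG = {"sku-100": 25.00, "sku-200": 120.00}
MAX_QTY_PER_LINE = 10                          # policy: cap per line item
ALLOWED_DISCOUNT_CODES = {"WELCOME10": 0.10}   # code -> fractional discount


class OrderError(ValueError):
    """Raised when a request violates server-side business rules."""


@dataclass(frozen=True)
class Order:
    sku: str
    qty: int
    total: float


def place_order_insecure(req: dict) -> Order:
    """Anti-pattern: price and discount are whatever the client claims."""
    total = req["price"] * req["qty"] * (1 - req.get("discount", 0))
    return Order(req["sku"], req["qty"], round(total, 2))


def place_order(req: dict) -> Order:
    """Enforces business logic on the server regardless of client-side checks."""
    sku = req.get("sku")
    if sku not in CATALOG:
        raise OrderError("unknown sku")

    qty = req.get("qty")
    # Reject non-integers; bool is an int subclass in Python, so exclude it too.
    if not isinstance(qty, int) or isinstance(qty, bool):
        raise OrderError("qty must be an integer")
    if not 1 <= qty <= MAX_QTY_PER_LINE:
        raise OrderError("qty out of range")

    code = req.get("discount_code")
    discount = 0.0
    if code is not None:
        if code not in ALLOWED_DISCOUNT_CODES:
            raise OrderError("invalid discount code")
        discount = ALLOWED_DISCOUNT_CODES[code]

    # Price and discount come from server data; any client-sent values are ignored.
    total = CATALOG[sku] * qty * (1 - discount)
    return Order(sku, qty, round(total, 2))


if __name__ == "__main__":
    # Constructed tampered request: client claims a near-zero price and 99% discount.
    tampered = {"sku": "sku-200", "qty": 3, "price": 0.01, "discount": 0.99}
    print("insecure handler accepts:", place_order_insecure(tampered))
    print("secure handler charges:  ", place_order(tampered))
    try:
        place_order({"sku": "sku-200", "qty": 3, "discount_code": "FAKE"})
    except OrderError as err:
        print("secure handler rejects:", err)
```

The design point is that the server never consults a client-supplied price, discount or limit; it only accepts a reference (SKU, discount code) and resolves it against its own data, so client-side validation becomes a usability feature rather than a security control.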