Slide 1

DevSecOps Culture
Ali Yazdani, OWASP DevSecOps Guideline Project lead

Slide 2

Readme!
● A Security Engineer with over 10 years of experience in AppSec across different industry sectors.
● 2016 - Present: OWASP contributor on projects like MSTG, and lead of the DevSecOps Guideline project.
● Now: Senior DevSecOps Engineer @ Scoutbee GmbH

Slide 3

Introduction - traditional
● In traditional software development, security measures sat on the right side of the pipeline, after the software was already built!
Diagram: Develop → Build → Tests → Deliver build to staging → Deploy to Production, with the two Security Checks boxes attached only to the last steps (staging and production).

Slide 4

Introduction - DevSecOps advent
Diagram: Code/Build → Deploy → Operation, with SAST, IaC scanning, SCA, DAST, IAST and RASP placed along the pipeline.
● Aiming to fill the gap between Dev - Sec - Ops
● By promoting a culture of:
○ Collaboration
○ Shared responsibility
○ Continuous improvement
DevOps process + Security checks → DevSecOps

Slide 5

Introduction - The team story
From a technology point of view, we added some security checks into the dev pipeline. But from a team perspective, we experienced changes too.

Slide 6

But, it's not enough!
Diagram: the same pipeline (Code/Build → Deploy → Operation; SAST, IaC, SCA, DAST, IAST, RASP), with the Operation side labelled "Most potential attack surface" and covered by Pentest, Bug Bounty, VDP, VA, WAF, …
We have to shift security checks to the left, but the right still needs to be protected.
Phases can complement but can't replace each other.

Slide 7

Some common misconceptions!
1. A DevSecOps Engineer is a DevOps Engineer + a Security Engineer.
2. By implementing some tools → we have DevSecOps!
3. Since DevSecOps says "security is everyone's responsibility", we don't need a security engineer/consultant/specialist.
4. By shifting security tests to the left, we have a fully secure product!

Slide 8

Pillars of DevSecOps
● People & Processes
● Tools (Technologies)
● Governance
A lot of talk about tools, but what about the others?

Slide 9

People & Processes
● The most important part; it enables the others to function properly.
● At the beginning, moving to DevSecOps increases the security team's workload!!
● Traditionally:
○ Development -> fast delivery
○ Security -> application security
○ Operations -> stability
● DevSecOps: delivering secure and stable software quickly. This means that everyone has an equal stake in all three objectives and uses their expertise to support each other.

Slide 10

People & Processes - 2nd
Now we have a shared-responsibility model → update our processes.
Define and establish processes that promote:
- Clear communication
- Transparent development
- Active collaboration
Processes will help people stay involved!
Topics to cover here:
● Shape the team (Security Champions)
● Training
○ Secure coding
○ Threat Modeling workshop
○ …
● Awareness

Slide 11

Technologies
● Let's make the processes more practical!
● Automation is key.
● Tools help us to:
○ Reduce the effort of testing
○ Increase accuracy
○ Repeat the tests consistently

Slide 12

Technologies - Example
Secret Scanning:
● Secrets should not be hard coded.
● Secrets should not be stored unencrypted.
● Secrets should not be stored in the source code.
● The code history must not contain any secrets either (a secret deleted in the latest commit is still in every earlier commit).
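Added example (not from the talk or the OWASP DevSecOps Guideline project): a minimal secret scanner in Python that applies the four rules above to a working tree and to git history. The file contents, the commit ids, the `ENC[...]` envelope (taken to be a sops-style encrypted value) and the entropy threshold are all constructed assumptions for the demo; the key values are the AWS documentation placeholder keys, not live credentials.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Well-known credential formats. The sample values below are the AWS
# documentation placeholder keys, not live credentials.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# "name = value" / "name: value" where the name looks like a credential.
ASSIGNMENT = re.compile(
    r"(?i)([\w.-]*(?:password|passwd|secret|token|api_?key)[\w.-]*)\s*[:=]\s*['\"]?([^'\"\s]+)"
)
# Value encrypted at rest (assumption: a sops-style ENC[...] envelope).
ENCRYPTED = re.compile(r"^ENC\[")
# Placeholders and indirections are not hard-coded secrets.
PLACEHOLDER = re.compile(r"^(?:<[^>]+>|\$\{?[\w.]+\}?|\*+|x+|changeme|example|null|none)$", re.I)
LOOKUP = re.compile(r"^[\w.]+[\[(]")  # os.environ["..."], getenv(...), vault.read(...)
# Long base64/hex-like tokens anywhere on a line, judged by entropy.
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits/char (assumed): random base64 is ~6, identifiers ~3-4


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    location: str  # "<ref>:<path>", e.g. "HEAD:app.py" or "a1b2c3d:config.yaml"
    line_no: int
    kind: str
    value: str


def scan_text(text: str, location: str) -> list[Finding]:
    """Apply every check to one file version and return its findings."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        hits: list[Finding] = []
        covered: list[str] = []  # values already judged on this line
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                hits.append(Finding(location, line_no, kind, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            covered.append(value)
            if ENCRYPTED.match(value) or PLACEHOLDER.match(value) or LOOKUP.match(value):
                continue  # encrypted, templated, or read from env/vault: acceptable
            hits.append(Finding(location, line_no, f"hardcoded:{name.lower()}", value))
        covered.extend(h.value for h in hits)
        for m in TOKEN.finditer(line):
            tok = m.group(0)
            if any(tok in v or v in tok for v in covered):
                continue  # already reported, or part of an encrypted envelope
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                hits.append(Finding(location, line_no, "high_entropy_string", tok))
        findings.extend(hits)
    return findings


def scan_tree(tree: dict[str, str], ref: str = "HEAD") -> list[Finding]:
    """Rules 1-3: scan the checked-out files (hard-coded, unencrypted, in source)."""
    return [f for path, text in tree.items() for f in scan_text(text, f"{ref}:{path}")]


def scan_history(commits: list[tuple[str, dict[str, str]]]) -> list[Finding]:
    """Rule 4: scan every file version ever committed, not only HEAD.
    `commits` stands in for what `git log -p` would give you (constructed here)."""
    return [f for sha, files in commits for f in scan_tree(files, sha)]


# Constructed sample repository (not a real project).
HEAD_TREE = {
    "config.yaml": (
        "database:\n"
        "  host: db.internal\n"
        "  password: ${DB_PASSWORD}\n"  # templated at deploy time: ok
        "api_key: ENC[AES256_GCM,data:c2VjcmV0c2hvdWxkbm90YmVoZXJl,iv:Zml4ZWQ=,type:str]\n"  # encrypted: ok
    ),
    "app.py": (
        "import os\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'  # hard-coded: finding
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'  # hard-coded: finding
        'db_password = os.environ["DB_PASSWORD"]\n'  # read from the environment: ok
    ),
}
# Constructed history: the password was committed, then "removed" in a later commit.
HISTORY = [
    ("a1b2c3d", {"config.yaml": "database:\n  host: db.internal\n  password: hunter2-prod-2019\n"}),
    ("d4e5f6a", {"config.yaml": HEAD_TREE["config.yaml"]}),
]


def report(findings: list[Finding]) -> None:
    """Print findings with the secret redacted; the report itself must not leak it."""
    for f in findings:
        print(f"{f.location}:{f.line_no}: {f.kind}: {f.value[:4]}***")


if __name__ == "__main__":
    print("working tree (HEAD):")
    report(scan_tree(HEAD_TREE))
    print("history:")
    report(scan_history(HISTORY))
```

Scanning HEAD alone reports only the two AWS keys in app.py; config.yaml looks clean because the value was templated out. Scanning the history still finds `hunter2-prod-2019` in the first commit, which is the point of the fourth rule: once a secret has been pushed it has to be rotated, rewriting history is not a fix.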

Slide 13

Governance
Having a system of governance enables us to:
● Keep track of our progress, assess our successes, and pinpoint any challenges.
● Identify areas of improvement or potential shortcomings.
● Visualise the outcomes and compare them to the expected impacts.
Topics to cover here:
● Compliance Audit/Check
○ Policy as Code
○ Security Benchmarking
○ Security Standards (ISO, SOC2, …)
● Data Protection
● Visualisation
○ Tracking maturities
○ Monitoring

Slide 14

Challenges and Mitigations
● Overcoming Cultural Resistance
Organizations should prioritize active collaboration and communication between all stakeholders, to ensure the same sense of ownership of the DevSecOps initiatives. Time to show the benefits of DevSecOps:
○ Faster time-to-market
○ Improved security
○ Fewer vulnerabilities
● Seamless Tool Integration
○ Continuous monitoring and improvement of security tooling
● Addressing Compliance and Regulations
○ Build compliance requirements into the development process to avoid delays and non-compliance issues later on.

Slide 15

Conclusion
● The DevSecOps journey is a long-term investment!
● A good implementation turns it into a cost-reduction activity.
● Shifting to the left → catching issues as early as possible. But it is not the whole of what we can do.

Slide 16

Thanks