Slide 1

Navigating the DevSecOps Landscape: Challenges and Opportunities
Ali Yazdani
OWASP DevSecOps Guideline Project lead
26 April 2019 - By me!

Slide 2

Readme!
● A Security Engineer - over 10 years' experience in AppSec across different industry sectors.
● 2016 - Present: OWASP contributor on projects like MSTG, and leading the DevSecOps Guideline project.
● Now Principal DevSecOps Engineer @ Scoutbee GmbH

Slide 3

Introduction - traditional
● In traditional software development, security measures were on the right side!
Pipeline diagram: Develop → Build → Tests → Deliver build to staging → Deploy to Production (labels: Security Checks, Security Checks)

Slide 4

DevOps —> DevSecOps
● Aiming to fill the gap between Dev - Sec - Ops
● A culture of:
○ Collaboration
○ Shared responsibility
○ Continuous improvement
3 Pillars of DevSecOps
● People & Processes
● Tools (Technologies)
● Governance

Slide 5

The team story
From a technologies point of view, we added some security checks into the CI/CD pipeline. But from a team perspective, we experienced some changes too.

Slide 6

Still
Diagram: stages Code/Build, Deploy, Operation; checks SAST, IaC, SCA, DAST, IAST, RASP, Pentest, Bug Bounty, VDP, VA, WAF …; label: Most potential attack surface
We have to shift security checks to the left, but the right still needs to be protected.
Checks can cover but can't replace each other.
https://www.youtube.com/watch?v=gdsUKphmB3Y

Slide 7

Some wrong facts!
1. DevSecOps Engineer is DevOps Engineer + Security Engineer
2. By implementing some tools → We have DevSecOps!
3. Since DevSecOps says security is the responsibility of all, we don't need a security engineer/consultant/specialist.
4. By shifting security tests to the left, we have a fully secure product!

Slide 8

Opportunities
● Enhanced Security
● Improved Time to Market
● Reduced Costs
● Increased Customer Satisfaction
● Enhanced Innovation

Slide 9

Challenges
● Cultural Shift
● Tool Integration
● Resource Allocation
● Data Security
● Regulatory Compliance

Slide 10

Q&A

Slide 11

Thanks