DevSecOps Lessons Learned – How to Shift Left & Shift Right?

Live at Spring ONUG 2023

Panel with Matt Tesauro and Dan Cornell.

As organizations adopt DevOps practices, the need for “security as code” becomes paramount. This session will explore the concept of integrating security into the software development process, with a focus on how to automate the protection of networks through code. Attendees will learn about the benefits of implementing security as code, including increased speed and efficiency, as well as improved collaboration between security and development teams. We will discuss different tools and techniques for automating security, such as using infrastructure as code, vulnerability scanning and penetration testing. The session will also cover best practices for integrating security as code into the software development lifecycle. We will also discuss how to create a culture of security within the organization to ensure that security is integrated into the entire software development process. Whether you’re a network administrator, developer, or security professional, this session will give you the knowledge and skills you need to take your organization’s security to the next level.

Session Outline:
- Overview of the current state of security in DevOps and the importance of incorporating security into the development process
- Discussion of the challenges and best practices for integrating security into the DevOps process
- Examples of how to automate security testing and implement security controls in code
- Q&A session for attendees to ask questions and discuss specific challenges they are facing in their own organizations

Target Audience:
This session is targeted towards IT professionals, DevOps practitioners, security professionals and managers who are interested in learning more about how to integrate security into the DevOps process and improve the overall security of their organization. Attendees should have a basic understanding of DevOps and security concepts.

James Wickett

May 17, 2023

Transcript

  1. DEVSECOPS LESSONS LEARNED: HOW TO SHIFT LEFT (AND RIGHT)
     ONUG Spring 2023 - @danielcornell :: @matt_tesauro :: @wickett
  2. DAN CORNELL - @DANIELCORNELL
     MATT TESAURO - @MATT_TESAURO
     MODERATOR: JAMES @WICKETT
  3. 74% of security professionals said they have either shifted security left or plan to in the next 3 years. (DevSecOps GitLab 2023 Report)
  4. A DEVELOPER THINKS
     - Why are there so many security tickets?
     - What does this scanner mean?
     - Is every security issue important?
  5. 4 PHASES TO ADOPTING SHIFT LEFT
     - Attest we passed compliance
     - Avoid not in scope
     - Abdicate devs' job, not mine
     - Automate $ curl devops/sec.sh | bash
  6. SHIFT LEFT DEFINED: Offload and outsource security work to developers
  7. SHIFT RIGHT DEFINED: Offload and outsource security to general public through bug bounties
  8. SHIFT LEFT + SHIFT RIGHT = FREE TIME?
  9. WHAT APPROACHES TO SHIFTING LEFT WORK?
  10. WHAT APPROACHES DO YOU SEE WORK FOR SHIFTING RIGHT?
  11. IN A SECURITY AS CODE WORLDVIEW, WHAT DOES DEV/SEC COLLABORATION LOOK LIKE?
  12. DEVS TO OPS TO SEC: 100 TO 10 TO 1
  13. WHAT ARE THE KEY SUCCESS FACTORS TO SECURITY AS CODE?
  14. HOW CAN ORGANIZATIONS INTEGRATE SECURITY AS CODE?
  15. WHAT TOOLS ARE YOUR GO-TO WHEN PEOPLE WANT TO SHIFT LEFT?
  16. WHERE DOES AI FACTOR IN EITHER SHIFT? IS IT BOTH?
  17. Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we’re protecting (and spending money on protecting) the wrong things, and we’re hurting productivity in the process. — Steven Bellovin
  18. many security teams work with a worldview where their goal is to inhibit change as much as possible
  19. A DEVSECOPS HAIKU
      In the cyber sphere,
      Security whispers clear,
      DevSecOps is near.
      -ChatGPT
  20. Years of teaching developers to not use eval() will probably come to naught with a whole new series of code injection bugs in AI apps — Abhay Bhargav
  21. SECURITY CHAMPION PROGRAMS ARE BROKEN IN MOST ORGS
  22. APPSEC TOOLS ARE STILL JUST FOR SECURITY PROS
  23. THE APPLICATION IS THE NEW PERIMETER
  24. AI/ML IS THE ANSWER TO APPSEC AND SECURITY AT LARGE
  25. THE OWASP TOP 10 WILL STILL BE RELEVANT IN 20 MORE YEARS