From DevSecOps Days at RSA Conference SF 2018 Abstract What is DevSecOps? It is not one thing, but multiple journeys integrally embedded together - DevOps, Security, Agile*, Cloud, Containers, CI/CD, and many more. So aligning to DevSecOps IS daunting, and IS many changes all at once - a scary journey with so many unknowns. How can security approaches & paradigms scale to match the velocity of software development & cloud-based operations? the adaptability & flexibility of agile and containerization? the automation of CI/CD and API-driven configuration? How will updating your security mindset to integrate with DevOps help your business win? Evolving your security mindset will help you embrace and succeed with DevSecOps About Bankim Tejani Bankim Tejani an an innovative security leader who has spent over 20 years developing software, conducting security research, assessing applications’ security, training developers and security professionals, and consulting to improve security within the SDLC. He has worked witth various sectors including financial services, insurance, test & measurement, government, startups, cloud technologies, software security, and more. Bankim is presently building security in at Under Armour Connected Fitness, while also an active member of Austin’s OWASP Chapter and conference organizer for LASCON (Lonestar Application Security Conference).

1. Evolving Your Security
Mindset
Bankim Tejani
Under Armour / OWASP Austin

2. About Me

3. Operations

5. Process

8. Security

12. Evolve Mindset
Assessment &
Remediation
Integrated
Actionability

15. Integrate
• Plan – Security at the table
• Create – Secure coding
• Verify – Security unit testing
• Package/build – Security built in, patched
• Release/deploy – Security verified on deploy
• Configure – Secure config by default
• Monitor – Metrics, logs, useful data

16. DevOps Centric Security
• Patch continuously – improve what breaks
• Security unit testing – FAIL builds
• Static code analysis – FAIL builds
• Security testing on deploy – FAIL deploys
• Embrace chaos to build reslience
Create immediately actionable findings

17. Trust
• Must establish trust
• Listening
• Empathy
• FUD kills trust
• Demonstrate competence
• Blame-free retrospectives / RCA

20. Think Atomically
• Break things down to the most basic smallest
finding to correlate to the smallest action
– i.e. an ”atom”

21. Static Code Analysis

22. Static Code Analysis
• Fail the build!
• But don’t cry wolf
• Incremental improvement
• 1-5 issues per sprint
• Except critical categories (i.e. SQLi, XSS)
• Allow for varying team maturity

23. Reduce WIP
• Vulnerability management = WIP
• Find the constraints
• Empower people to innovate around
constraints
• Make adopting the secure way easier & faster
• Move fast and break things

25. Security Opportunities
• Secure by default
• Automate asset management
• Software defined security
• Tag, tag, tag
• Transparency
• Publish, test, observe, adjust, iterate

26. Take Aways
• Model for approaching DevSecOps
• Build trust with DevOps teammates
• Think atomically
• Operate at scale, automate
• Integrate security into pipelines
• DevSecOps creates new opportunities

27. Evolving Your Security
Mindset