Recommandé
Recommandé
Contenu connexe
Similaire à Automating Security with DevSecOps
Similaire à Automating Security with DevSecOps (20)
Plus de DJ Schleen
Plus de DJ Schleen (6)
Dernier
Dernier (20)
Automating Security with DevSecOps
- 1. Automating Security with DevSecOps DJ Schleen, DevSecOps Evangelist and Security Architect March 20, 2018 ©2018 CVS Health and/or one of its affiliates
- 2. Disclaimer ©2018 CVS Health and/or one of its affiliates. 2 Portions of this presentation are discussions from “Heritage Aetna”, and do not necessarily reflect the views of CVS Health or its affiliates.
- 3. About CVS Health At a Glance • Revenues $54.3b (Q4 2018) • 9900+ Retail Locations in 49 States, the District of Columbia, Puerto Rico, and Brazil • 22M medical benefit members • 295K+ colleagues • 5M customers per day • Acquisition of Aetna completed November 28, 2018 ©2018 CVS Health and/or one of its affiliates HEADQUARTERS – WOONSOCKET, RI 3
- 4. Three Pillars – The Core of DevSecOps 4©2018 CVS Health and/or one of its affiliates
- 5. 5 Source: enter source copy and/or notes in this live text box Text will wrap up from bottom of text box. Do not resize or reposition this text box. Culture ©2018 CVS Health and/or one of its affiliates
- 6. 6 Technique ©2018 CVS Health and/or one of its affiliates
- 7. 7 Tools ©2018 CVS Health and/or one of its affiliates
- 8. Security Controls 8©2018 CVS Health and/or one of its affiliates
- 9. 9 OSSM Open Source Software Management ©2018 CVS Health and/or one of its affiliates
- 10. 10 550 650 750 850 950 1050 1150 1250 1350 1450 1550 2016 Apr May June July Aug Sep Oct Nov Dec 2017 Feb Mar Apr May June July Aug Sep Oct Nov Dec 2018 Feb ©2018 CVS Health and/or one of its affiliates
- 11. 11 Visibility. ©2018 CVS Health and/or one of its affiliates
- 12. 1212 CVA Container Vulnerability Analysis ©2018 CVS Health and/or one of its affiliates
- 14. ©2018 CVS Health and/or one of its affiliates. 14 Don’t pin versions. DON’T DO IT
- 15. ©2018 CVS Health and/or one of its affiliates. 15 Know your Enemy
- 16. 1616 DAST Dynamic Analysis and Security Testing ©2018 CVS Health and/or one of its affiliates
- 17. 1717 SAST Static Analysis and Security Testing ©2018 CVS Health and/or one of its affiliates
- 18. Integrating Technology 18©2018 CVS Health and/or one of its affiliates
- 19. ©2018 CVS Health and/or one of its affiliates. 19 MASTER
- 20. 20 SCM Work Item Ethical Hacking Binary Scramble Build Change DAST Acceptance Container Vulnerability Scanning (continuous) Duration: Minutes to Hours Information Gathering: Constant Threat Model Architecture Design Code Infrastructure Code Application Automated Tests OSSM Staging Release Container Cycling Unit Testing Packaging SAST ALM RASP Vulnerability Consolidation Data Analysis and Security Modeling SAST DAST Container Vulnerability Scanning Registry Product Owner SOC Development Registry OSSM @djschleen
- 21. Measure. Everything. 21©2018 CVS Health and/or one of its affiliates
- 22. ©2018 CVS Health and/or one of its affiliates. 22 Module Score (750-1000) Defect Density (< 0.006) – Value??? % of Security Related Work Items (< 15%) Security Build Time Delay (< 5 min execution) Security Failed Builds / Security Drag (< 5%) Security Defect Escape Rate (< 10 %)
- 23. Challenges 23©2018 CVS Health and/or one of its affiliates
- 24. ©2018 CVS Health and/or one of its affiliates. "Don't be afraid to fail. Don't waste energy trying to cover up failure. Learn from your failures and go on to the next challenge. It's OK to fail. If you're not failing, you're not growing." H. Stanley Judd
- 25. Thank You DJ Schleen DevSecOps Evangelist and Security Architect Integrated Global Security and Resilience ©2018 CVS Health and/or one of its affiliates: 25 @djschleen