The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure Code

•

2 j'aime•812 vues

Security pros have written countless jokes and comics maligning developers' exultant disregard for security and lauding their own long-suffering devotion to repairing reckless dev teams' vulnerable code. Yet, this narrative -- which does nothing to improve application security -- has gone on long enough. This session will help you change the conversation and the trend. You'll learn how to speak developers' language, learn about the real pressures they face in a continuous delivery environment, and discover how to get Dev, Ops, and Security teams aligned and focused on a singular goal.

Logiciels

The Security Pro’s Guide To
DevSecOps
How To Get Developers To Write
Secure Code
@fpmosley3 | /in/franklinmosley |
franklin.mosley@ellucian.com

Destination: DevSecOps
Press Start
DevOps Processes
Automation
Learning

Who Am I?
• Information
Security
Professional
• Reincarnated
Software
Engineer

Is there a reason I wasn’t invited to the party?

50%of developers know security is important but don’t have
enough time to spend on it.
Source: Sonatype 2017 DevSecOps Community Survey: https://www.sonatype.com/2017survey

Risks
Policies
Data
Classification
Standards

User Stories
As a [role], I want to
[desired feature] so that
[value/benefit].

User Stories
As a customer, I want to
ensure my data is protected from
unintentional disclosure so that other
customers or external parties may
not access it.
Acceptance Criteria: Data is segregated by tenant.
Administrators and users must be separated by role to prevent
unauthorized disclosure or alteration.

Collaboration Opportunities
ChatOps
Security Bot

Developers often outnumber AppSec
professionals by
Source: Sonatype 2017 DevSecOps Community Survey: https://www.sonatype.com/2017survey
100 to 1

IASTDASTSAST
DevOps Pipeline
Golden Image Container
TestPackageBuildCode

Testing Challenges
• False Positives
• Long scan times
• Communicating
Findings
• Remediation

Of U.S. computer science programs
1 of the
top 36
requires a security course for graduation
Source: CloudPassage

@fpmosley3 | /in/franklinmosley |
franklin.mosley@ellucian.com

Contenu connexe

Tendances

DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon

DevSecOps : an IntroductionPrashanth B. P.

Introduction to DevSecOpsabhimanyubhogwan

The New Security Playbook: DevSecOpsJames Wickett

2019 DevSecOps Reference ArchitecturesSonatype

DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world casesDevSecCon

Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS

Securing the container DevOps pipeline by William HenryDevSecCon

DevSecOps: A New Hope for Security in CI/CDFranklin Mosley

A journey from dev ops to devsecopsVeritis Group, Inc

DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...DevSecCon

PIACERE - DevSecOps AutomatedPIACERE

RSAC DevSecOpsDays 2018 - We are all EquifaxSonatype

DevSecOps: Bringing security to the DevOps pipelineAarno Aukia

DevSecOps for you Full StackRon Nixon

DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon

DevSecOps The Evolution of DevOpsMichael Man

The State of DevSecOpsDevOps Indonesia

DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon

The Challenges of Scaling DevSecOpsWhiteSource

Tendances (20)

DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left

DevSecOps : an Introduction

Introduction to DevSecOps

The New Security Playbook: DevSecOps

2019 DevSecOps Reference Architectures

DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases

Benefits of DevSecOps

Securing the container DevOps pipeline by William Henry

DevSecOps: A New Hope for Security in CI/CD

A journey from dev ops to devsecops

DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...

PIACERE - DevSecOps Automated

RSAC DevSecOpsDays 2018 - We are all Equifax

DevSecOps: Bringing security to the DevOps pipeline

DevSecOps for you Full Stack

DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...

DevSecOps The Evolution of DevOps

The State of DevSecOps

DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government

The Challenges of Scaling DevSecOps

Similaire à The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure Code

_Best practices towards a well-polished DevSecOps environment (1).pdfEnov8

Devsec opsVipinYadav257

Final PffrftfftftfffPTprocareer_ppt.pptxpatadiyakevin3

Dev week cloud world conf2021Archana Joshi

Application Security Testing for Software Engineers: An approach to build sof...Michael Hidalgo

Web Security OverviewNoah Jaehnert

Software MythsRajat Bajaj

DevSecOps with Microsoft TechDarin Morris

Maximizing Potential - Hiring and Managing Dedicated Software Developers.pdfJamesEddie2

DevSecOps Security: Is it Necessary?Enov8

DevOps and the Future of Information SecurityDarin Morris

DevOps and the Future of InfoSecDarin Morris

Ask me anything:A Conversational Interface to Augment Information Security w...Matthew Park

Security Training: Necessary Evil, Waste of Time, or Genius Move?Denim Group

Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24

Vulnerability Analyst interview Questions.pdfinfosec train

How to develop an AppSec culture in your project 99X Technology

Building an AppSec Culture Nirosh Jayaratnam

Girl Geek X Indeed Talks (January 18, 2018)Angie Chang

Samyuktha Javangulasamyuktha javangula

Similaire à The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure Code (20)

_Best practices towards a well-polished DevSecOps environment (1).pdf

Devsec ops

Final PffrftfftftfffPTprocareer_ppt.pptx

Dev week cloud world conf2021

Application Security Testing for Software Engineers: An approach to build sof...

Web Security Overview

Software Myths

DevSecOps with Microsoft Tech

Maximizing Potential - Hiring and Managing Dedicated Software Developers.pdf

DevSecOps Security: Is it Necessary?

DevOps and the Future of Information Security

DevOps and the Future of InfoSec

Ask me anything:A Conversational Interface to Augment Information Security w...

Security Training: Necessary Evil, Waste of Time, or Genius Move?

Outpost24 webinar: Turning DevOps and security into DevSecOps

Vulnerability Analyst interview Questions.pdf

How to develop an AppSec culture in your project

Building an AppSec Culture

Girl Geek X Indeed Talks (January 18, 2018)

Samyuktha Javangula

Dernier

Effectively Troubleshoot 9 Types of OutOfMemoryErrorTier1 app

Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...OnePlan Solutions

Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...OnePlan Solutions

eSoftTools IMAP Backup Software and migration toolsosttopstonverter

UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz

Large Language Models for Test Case Evolution and RepairLionel Briand

Powering Real-Time Decisions with Continuous Data StreamsSafe Software

Osi security architecture in network.pptxVinzoCenzo

2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdfAndrey Devyatkin

The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxRTS corp

Post Quantum Cryptography – The Impact on Identityteam-WIBU

OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan

Understanding Flamingo - DeepMind's VLM Architecturerahul_net

Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxRTS corp

Precise and Complete Requirements? An Elusive GoalLionel Briand

Keeping your build tool updated in a multi repository worldRoberto Pérez Alcolea

Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesKrzysztofKkol1

JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...Bert Jan Schrijver

Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfRTS corp

VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics

Dernier (20)

Effectively Troubleshoot 9 Types of OutOfMemoryError

Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...

Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...

eSoftTools IMAP Backup Software and migration tools

UI5ers live - Custom Controls wrapping 3rd-party libs.pptx

Large Language Models for Test Case Evolution and Repair

Powering Real-Time Decisions with Continuous Data Streams

Osi security architecture in network.pptx

2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf

The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx

Post Quantum Cryptography – The Impact on Identity

OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording

Understanding Flamingo - DeepMind's VLM Architecture

Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx

Precise and Complete Requirements? An Elusive Goal

Keeping your build tool updated in a multi repository world

Amazon Bedrock in Action - presentation of the Bedrock's capabilities

JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...

Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf

VictoriaMetrics Q1 Meet Up '24 - Community & News Update

The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure Code

1. The Security Pro’s Guide To DevSecOps How To Get Developers To Write Secure Code @fpmosley3 | /in/franklinmosley | franklin.mosley@ellucian.com

3. Destination: DevSecOps Press Start DevOps Processes Automation Learning

4. Who Am I? • Information Security Professional • Reincarnated Software Engineer

5. Traditional

6. Today

7. DevOps Cycle

8. Is there a reason I wasn’t invited to the party?

9. IT Operations

10. Developers

11. Security

12. Poll Question #1

13. 50%of developers know security is important but don’t have enough time to spend on it. Source: Sonatype 2017 DevSecOps Community Survey: https://www.sonatype.com/2017survey

14. Press Start

15.

16. Risks Policies Data Classification Standards

17. DevOps Processes

18. Poll Question #2

19. What methodologies do your devs use?

20. User Stories As a [role], I want to [desired feature] so that [value/benefit].

21. User Stories As a customer, I want to ensure my data is protected from unintentional disclosure so that other customers or external parties may not access it. Acceptance Criteria: Data is segregated by tenant. Administrators and users must be separated by role to prevent unauthorized disclosure or alteration.

22. How do they collaborate?

23. Collaboration Opportunities ChatOps Security Bot

24. Developers often outnumber AppSec professionals by Source: Sonatype 2017 DevSecOps Community Survey: https://www.sonatype.com/2017survey 100 to 1

25. What is a Security Champion?

26. Automation Ahead

27. IASTDASTSAST DevOps Pipeline Golden Image Container TestPackageBuildCode

28.

29. Poll Question #3

30. Testing Challenges • False Positives • Long scan times • Communicating Findings • Remediation

31. Measurement

32. Dashboard

33.

34. Of U.S. computer science programs 1 of the top 36 requires a security course for graduation Source: CloudPassage

35. Computer-Based Training

36. Lunch & Learn

37. Gamification

38. DevSecOps

39. @fpmosley3 | /in/franklinmosley | franklin.mosley@ellucian.com

The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure Code

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure Code

Similaire à The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure Code (20)

Dernier

Dernier (20)

The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure Code