ポストDevOps、これから我々は何をシフトレフトすべきか Abstract: The traditional V-shaped quality assurance of waterfall has been replaced by DevOps and CI/CD. It is clear that fast improvement cycles have contributed to making the code much easier to maintain and higher quality. But why is it that AppSec is still vulnerable to attacks and has yet to mature? Do automated mechanisms contribute to robustness against change? In this talk, I will show what we have learned through our experience of organizing Hardening Project in Japan. I will cover the critical points related to each stage of DevOps to take DevOps to the next stage - they are about risk profile, architecture design of threat response, and operational matter. I hope it will show some challenges that AppSec faces in its further evolution.

1. riotaro@owasp.org
@okdt
OWASP Life-time member
15+ OWASPer
AppSec professional
OWASP Japan

2. Congratulations!

3. The first era of OWASP Documents in Japanese
thanks to Mr. Satoru Takahashi, 2004-2006

4. 2012 OWASP Japan 1st meetup

5. Thank you for all your support!

6. SHIFT LEFT?
By @akiko_pusu, 2017

7. Japanese

8. 2021年
Developers Dislike Security: Ten Frustrations and Resolutions
Chris Romeo, 2021. https://www.youtube.com/watch?v=nN7NH752onk

9. Shift-left analogy
Let's do shift-left for progressive purposes.
Front Loading Retrospective
Kaizen Why 5 times

10. Key factors to succeed SHIFT-LEFT
MUTUAL
UNDERSTANDING
BUSINESS GOAL
& RISKS
KEEP UP TO DATE

11. WASFORUM.jp

13. Hardening Project

16. Started

17. Spy comes…

18. Attackers

19. Attackers are very good at collaboration

20. Incident response

21. Marketplace

23. SCORE BOARD

24. 8-hour competition

26. Softening Day

27. presentations

28. Hardening DX

29. “Kuromame 6”

31. Summary: Key Success factors of SHIFT-LEFT
MUTUAL
UNDERSTANDING
BUSINESS GOAL
& RISKS
KEEP UP TO DATE

32. My idea – “proactive controls”
Be a guardrails.
Discuss the most
effective fixing points
and timing
Study their languages
and environments
Update frequently and
show flexibility
Give reasonable
countermeasures,
even if it is “plan-B”
Teach how developers
can check findings by
themselves.
Have the common
goal and Praise their
success
Have good experience
to collaborate with
different roles.
Join OWASP

33. #シフトレフト powered by OWASP
For your photo!
#shiftleft