DevSecOps What Why and How?

A presentation at Black Hat USA in in Las Vegas, NV, USA by Anant Shrivastava

Security is often added towards the end, in a typical DevOps cycle through a manual/automated review. However, with DevSecOps, security can be injected at every stage of a DevOps pipeline in an automated fashion. Having a DevSecOps pipeline enables an organization to:

  • Create a security culture amongst the already integrated “DevOps” team.
  • Find and fix security bugs as early as possible in the SDLC .
  • Promote the philosophy “security is everyone’s problem” by creating Security champions within the organization.
  • Integrate all security software centrally and utilize the results more effectively.
  • Measure and shrink the attack surface.

In this talk, we shall focus on how a DevOps pipeline can easily be metamorphosed into a DevSecOps and the benefits which can be achieved with this transformation. The talk (assisted with various demos) will focus on developing a DevSecOps pipeline using free/open-source tools in various deployment platforms, i.e. on-premise, cloud native and hybrid scenarios. We will then dive into cultural aspects of DevSecOps and the changes needed to get tangible benefits. The talk will also present various case studies on how critical bugs and security breaches affecting popular software and applications could have been prevented using a simple DevSecOps approach.

Video

Resources

The following resources were mentioned during the presentation or are useful additional information.

Buzz and feedback

Here’s what was said about this presentation on Twitter.