Checkmarx, profile picture
Uploaded byCheckmarx
PPTX, PDF9,145 views

DevOps & Security: Here & Now

The document outlines the integration of security into the DevOps process, emphasizing the need for a new secure software development lifecycle (SDLC) approach. Key steps include planning for security, engaging developers, automating processes, and using traditional security tools wisely. It concludes that security should not be compromised as DevOps continues to evolve rapidly.

Technology
Related topics:
Application Security
In this document
Powered by AI
See More

Overview of DevOps, emphasis on integrating security into the DevOps lifecycle.

Analysis of traditional web application security controls and their limitations in a DevOps environment.

Outline of a new secure Software Development Life Cycle (SDLC) approach with practical steps.

The importance of automating security processes within continuous deployment methodologies.

Recommendations to leverage traditional security tools wisely alongside modern practices.

Recap of the presentation emphasizing immediate action points for integrating security in DevOps.

Invitation for questions and thank you note from the speaker.

Embed presentation

Downloaded 160 times
DevOps and Security: It’s Happening. Right Now. Helen Bravo Director of Product Management at Checkmarx Helen.bravo@checkmarx.com
Agenda • Intro to DevOps • Integrating security within DevOps – Problems with traditional controls – Steps to DevOps security
What is DevOps About? An unstoppable deployment process … in small chunks of time
DevOps is Happening Companies that have adopted DevOps
Can TRADITIONAL web application security controls fit in… … a DevOps environment?!
Traditional Web Application Security Controls • Penetration Testing • WAF (Web Application Firewall) • Code Analysis
Penetration Testing- Takes Time!
Penetration Testing – 300 pages report – 3 weeks assessment time – 2 weeks to get it into development
Web Application Firewall (WAF) Thinking Continuous Deployment? Think Continuous Configuration!
Code Analysis • Setup time • Running time • Analysis time … just too slow!
… Do Nothing?
Required: A New Secure SDLC Approach
Step by Step
Step 1: Plan for Security
Step 1: Plan for Security • Identify unsecured APIs and frameworks • Map security sensitive code portions. E.g. password changes mechanism, user authentication mechanism. • Anticipate regulatory problems, plan for it.
Step 2: Engage the Developers. And Be Engaged
Step 2: Engage the Developers. And Be Engaged • Connect developers to security – Going to OWASP? Bring a developer with you! • Is your house on fire? Share the details with your developers. • Have an open door approach • Set up an online collaboration platform E.g. Jive, Confluence etc.
Step 3: Arm the Developers
Step 3: Arm the Developer • Secure frameworks: – Use a secure framework such as Spring Security, JAAS, Apache Shiro, Symfony2 – ESAPI is a very useful OWASP security framework • SCA tools that can provide security feedback on pre-commit stage. – Rapid response – Small chunks
Step 3: Automate the Process
Step 3: Automate the Process • Integrate within your build (Jenkins, Bamboo, TeamCity, etc.) – SAST – DAST • Fail the build if security does not pass the bar.
Continuous Deployment Unit Tests Develop Code Commit Source Control Build Trigger Deploy to Test Env Report & Notify Publish to release repository Deploy to Production
Security within Continuous Deployment Tests Develop Code Commit Source Control Build Trigger Deploy to Test Env SCA Test Publish to Automatic Report release security repository & test Notify Deploy to Production
Step 5: Use Old Tools Wisely
Step 5: Use Old Tools Wisely • Periodic pen testing • WAF on main functions • Code review for security sensitive code portions.
Summary
Summary • DevOps is happening. Right Now. – During the time of this talk, Amazon has released 75 features and bug fixes. • Security should not be compromised • Don’t be overwhelmed. Start small
The 3 Takeaways 1. Plan from the ground 2. Engage with your developers 3. Integrate security into automatic build process.
Questions?
Thank you Helen.bravo@checkmarx.com

More Related Content

PDF
Security Process in DevSecOps
byOpsta
 
PDF
DevSecOps - The big picture
byDevSecOpsSg
 
PDF
2019 DevSecOps Reference Architectures
bySonatype
 
PPTX
Devops architecture
byOjasvi Jagtap
 
PDF
Dense Retrieval with Apache Solr Neural Search.pdf
bySease
 
PPTX
DevOps Introduction
byRobert Sell
 
PDF
Introduction to Vault
byKnoldus Inc.
 
PPSX
Big Data Redis Mongodb Dynamodb Sharding
byAraf Karsh Hamid
 
Security Process in DevSecOps
byOpsta
 
DevSecOps - The big picture
byDevSecOpsSg
 
2019 DevSecOps Reference Architectures
bySonatype
 
Devops architecture
byOjasvi Jagtap
 
Dense Retrieval with Apache Solr Neural Search.pdf
bySease
 
DevOps Introduction
byRobert Sell
 
Introduction to Vault
byKnoldus Inc.
 
Big Data Redis Mongodb Dynamodb Sharding
byAraf Karsh Hamid
 

What's hot

PPTX
Introduction to DevOps
byHawkman Academy
 
PPTX
Platform engineering 101
bySander Knape
 
PPTX
What Is Apache Spark? | Introduction To Apache Spark | Apache Spark Tutorial ...
bySimplilearn
 
PDF
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
PDF
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
PDF
The story of SonarQube told to a DevOps Engineer
byManu Pk
 
PDF
Introduction to apache spark
byAakashdata
 
PDF
DevOps - A Gentle Introduction
byCodeOps Technologies LLP
 
PDF
DevOps overview 2019-04-13 Nelkinda April Meetup
byShweta Sadawarte
 
PDF
Kafka streams windowing behind the curtain
byconfluent
 
PPTX
Introducing DevOps
byNishanth K Hydru
 
PDF
DevSecOps in Baby Steps
byPriyanka Aash
 
PDF
Combining logs, metrics, and traces for unified observability
byElasticsearch
 
PPTX
AWS API Gateway
byMuhammed YALÇIN
 
PDF
Demystifying DevSecOps
byArchana Joshi
 
PDF
Ceph Block Devices: A Deep Dive
byRed_Hat_Storage
 
PDF
Roles and Responsibilities of a DevOps Engineer
byZaranTech LLC
 
PPTX
Docker Swarm for Beginner
byShahzad Masud
 
PPTX
Applications Performance Monitoring with Applications Manager part 1
byManageEngine, Zoho Corporation
 
PPTX
Hadoop Architecture | HDFS Architecture | Hadoop Architecture Tutorial | HDFS...
bySimplilearn
 
Introduction to DevOps
byHawkman Academy
 
Platform engineering 101
bySander Knape
 
What Is Apache Spark? | Introduction To Apache Spark | Apache Spark Tutorial ...
bySimplilearn
 
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
The story of SonarQube told to a DevOps Engineer
byManu Pk
 
Introduction to apache spark
byAakashdata
 
DevOps - A Gentle Introduction
byCodeOps Technologies LLP
 
DevOps overview 2019-04-13 Nelkinda April Meetup
byShweta Sadawarte
 
Kafka streams windowing behind the curtain
byconfluent
 
Introducing DevOps
byNishanth K Hydru
 
DevSecOps in Baby Steps
byPriyanka Aash
 
Combining logs, metrics, and traces for unified observability
byElasticsearch
 
AWS API Gateway
byMuhammed YALÇIN
 
Demystifying DevSecOps
byArchana Joshi
 
Ceph Block Devices: A Deep Dive
byRed_Hat_Storage
 
Roles and Responsibilities of a DevOps Engineer
byZaranTech LLC
 
Docker Swarm for Beginner
byShahzad Masud
 
Applications Performance Monitoring with Applications Manager part 1
byManageEngine, Zoho Corporation
 
Hadoop Architecture | HDFS Architecture | Hadoop Architecture Tutorial | HDFS...
bySimplilearn
 

Viewers also liked

PDF
Application Security Guide for Beginners
byCheckmarx
 
PPTX
Implementing an Application Security Pipeline in Jenkins
bySuman Sourav
 
PDF
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
byJames Wickett
 
PDF
Devops security-An Insight into Secure-SDLC
bySuman Sourav
 
PDF
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
byDevOpsDays Tel Aviv
 
PDF
A Successful SAST Tool Implementation
byCheckmarx
 
PDF
DevSecOps in Baby Steps
byPriyanka Aash
 
PDF
Bringing Security Testing to Development: How to Enable Developers to Act as ...
byAchim D. Brucker
 
PDF
Happy New Year!
byCheckmarx
 
PDF
Application Security Management with ThreadFix
byVirtual Forge
 
PPTX
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
PPTX
Graph Visualization - OWASP NYC Chapter
byCheckmarx
 
PDF
[ITAS.VN]CxSuite Enterprise Edition
byITAS VIETNAM
 
Application Security Guide for Beginners
byCheckmarx
 
Implementing an Application Security Pipeline in Jenkins
bySuman Sourav
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
byJames Wickett
 
Devops security-An Insight into Secure-SDLC
bySuman Sourav
 
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
byDevOpsDays Tel Aviv
 
A Successful SAST Tool Implementation
byCheckmarx
 
DevSecOps in Baby Steps
byPriyanka Aash
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
byAchim D. Brucker
 
Happy New Year!
byCheckmarx
 
Application Security Management with ThreadFix
byVirtual Forge
 
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
Graph Visualization - OWASP NYC Chapter
byCheckmarx
 
[ITAS.VN]CxSuite Enterprise Edition
byITAS VIETNAM
 

Similar to DevOps & Security: Here & Now

PPTX
Dev opsandsecurity owasp
byHelen Bravo
 
PPTX
You Build It, You Secure It: Introduction to DevSecOps
bySumo Logic
 
PPTX
Secure DevOPS Implementation Guidance
byTej Luthra
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
PDF
Scale security for a dollar or less
byMohammed A. Imran
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PDF
AppSec How-To: Achieving Security in DevOps
byCheckmarx
 
PDF
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
PDF
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
PPTX
AddingtheSecToDevOpsBSides (1).pptx for Bsides Nairobi 22 with Joylynn Kirui
byellan12
 
PPTX
DevSecOps and Drupal: Securing your applications in a modern IT landscape
byWill Hall
 
PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PPTX
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 
PPTX
DevSecOps : an Introduction
byPrashanth B. P.
 
PDF
You build it - Cyber Chicago Keynote
byJohn Willis
 
PPTX
DevSecCon KeyNote London 2015
byShannon Lietz
 
PPTX
DevSecCon Keynote
byShannon Lietz
 
PDF
DevOps or DevSecOps
byMichelangelo van Dam
 
PPTX
Introduction to DevSecOps OWASP Ahmedabad
bykunwaratul hax0r
 
PDF
2021-10-14 The Critical Role of Security in DevOps.pdf
bySavinder Puri
 
Dev opsandsecurity owasp
byHelen Bravo
 
You Build It, You Secure It: Introduction to DevSecOps
bySumo Logic
 
Secure DevOPS Implementation Guidance
byTej Luthra
 
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
Scale security for a dollar or less
byMohammed A. Imran
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
AppSec How-To: Achieving Security in DevOps
byCheckmarx
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
AddingtheSecToDevOpsBSides (1).pptx for Bsides Nairobi 22 with Joylynn Kirui
byellan12
 
DevSecOps and Drupal: Securing your applications in a modern IT landscape
byWill Hall
 
Introduction to DevSecOps
byabhimanyubhogwan
 
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 
DevSecOps : an Introduction
byPrashanth B. P.
 
You build it - Cyber Chicago Keynote
byJohn Willis
 
DevSecCon KeyNote London 2015
byShannon Lietz
 
DevSecCon Keynote
byShannon Lietz
 
DevOps or DevSecOps
byMichelangelo van Dam
 
Introduction to DevSecOps OWASP Ahmedabad
bykunwaratul hax0r
 
2021-10-14 The Critical Role of Security in DevOps.pdf
bySavinder Puri
 

More from Checkmarx

PDF
The Web AppSec How-To: The Defender's Toolbox
byCheckmarx
 
PDF
10 Tips to Keep Your Software a Step Ahead of the Hackers
byCheckmarx
 
PDF
The 5 Biggest Benefits of Source Code Analysis
byCheckmarx
 
PDF
A Platform for Application Risk Intelligence
byCheckmarx
 
PDF
How Virtual Compilation Transforms Static Code Analysis
byCheckmarx
 
PDF
Source Code vs. Binary Code Analysis
byCheckmarx
 
PDF
The App Sec How-To: Choosing a SAST Tool
byCheckmarx
 
PDF
The Security State of The Most Popular WordPress Plug-Ins
byCheckmarx
 
PDF
10 Steps To Secure Agile Development
byCheckmarx
 
The Web AppSec How-To: The Defender's Toolbox
byCheckmarx
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
byCheckmarx
 
The 5 Biggest Benefits of Source Code Analysis
byCheckmarx
 
A Platform for Application Risk Intelligence
byCheckmarx
 
How Virtual Compilation Transforms Static Code Analysis
byCheckmarx
 
Source Code vs. Binary Code Analysis
byCheckmarx
 
The App Sec How-To: Choosing a SAST Tool
byCheckmarx
 
The Security State of The Most Popular WordPress Plug-Ins
byCheckmarx
 
10 Steps To Secure Agile Development
byCheckmarx
 

Recently uploaded

PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
bysleepandremedies
 
PDF
AI Star Keynote on Artificial Intelligence. OnWorld. OffWorld. InWorld
byAlison B. Lowndes
 
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
bySafe Software
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
PDF
HCI and Its Impact on individual quality of life.pdf
byParham Abolghasemi
 
PPTX
TCP/IP Presentation - Information Systems & Operations Management
byadriangallianispetka
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Tracing the Thread: Decoding the Decision-Making Process with GraphRAG
byEnterprise Knowledge
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
Transforming SAP® Processes Through Automation: 2026 Trends and Challenges.pdf
byPrecisely
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
Cleveland, OH Developer Group Dec 2, 2025 Slides for December Demos
byLynda Kane
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
The Landscape of Computer Software Development Companies
byYash Singh
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
bysleepandremedies
 
AI Star Keynote on Artificial Intelligence. OnWorld. OffWorld. InWorld
byAlison B. Lowndes
 
Taming the Chaos: How to Turn Unstructured Data into Decisions
bySafe Software
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
HCI and Its Impact on individual quality of life.pdf
byParham Abolghasemi
 
TCP/IP Presentation - Information Systems & Operations Management
byadriangallianispetka
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Tracing the Thread: Decoding the Decision-Making Process with GraphRAG
byEnterprise Knowledge
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
Transforming SAP® Processes Through Automation: 2026 Trends and Challenges.pdf
byPrecisely
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
Cleveland, OH Developer Group Dec 2, 2025 Slides for December Demos
byLynda Kane
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 

DevOps & Security: Here & Now