A Journey To Secure Devops: Pete Chestna, Director of Developer Engagement Veracode, Inc
Secure DevOps
Pete Chestna, Director of Developer Engagement
Veracode, Inc
Felt like…

Management
• Leading change
• Organizational
  – Breaking the silos
  – New specialties

Individual
• Uncertainty/fear/anger
• Organizational
  – New manager
  – New team/peers
Looked like…
Waterfall → Agile → DevOps

Finding anything late creates a cycle of waste

• Text documents
• Requirements
• Architecture
• Designs
• Test plans
• Manual tests
• Manual deploy
• Shell scripts
• SQL scripts
Waterfall – Security
• Unpredictable amount of work
• Mostly manual
Dev/QA · IT Dept · OPS · Security
Agile – Technology Initially

[Diagram: numbered flow with Agile Backlog, Develop & Test, Check in, Nightly Build, Static Analysis, Security Results, Synchronize.]
Agile – Security is not limited to automation of static analysis!
• Security Champions
• Security Grooming (Requirements Review)
• Security as part of the Definition of Done
• Pre-Production Dynamic Analysis
Agile – Culture clash with OPS and Security

[Diagram: numbered CI/CD flow: Check-in, then CI/CD Pipeline (per stage), Pass? Yes → Prod.]
DevOps – Pervasive Security
Pipeline stages: Plan → Code → Build → Test → Stage → Deploy → Monitor

Security activities across the pipeline:
• Training (eLearning, instructor led, metadata driven)
• Runtime Application Self Protection
• Threat Modeling
• Remediation and Mitigation Guidance
• Manual Penetration Testing
• Security Grooming
• Secure Code Reviews
• Red Team Activities
• Secure Design

Empathy
• Project Purina
• We have been where our customers are going
Thank You!