Location: 19th Floor
Implementing DevSecOps practices in an environment with legacy technical debt is not widely discussed. DevSecOps practices are difficult to get off the ground in an environment of heavy technical debt because of the changes required in culture, technology and education. Without automation of security, security teams have no hope of keeping pace with development velocity. We believe that providing security services to the organization, combined with defined, flexible processes and making security transparent to engineering, ensures a high success rate. This talk will focus on the areas of our success as we moved from a “scanning team” to a DevSecOps model.
Attendees of this session will take away key principles that will help them build a robust Product Security Program:
Quick integration of security testing into CI/CD pipelines: We developed a container-based, plug-and-play solution that integrates basic security tools into the build process. The support structure built around it includes robust reporting, tracking, policies and governance. The advantage of this model was that we could quickly integrate with a development team and start giving them actionable results on the first day.
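The build-gate part of such a pipeline step, as an added example that is not the speakers' code: a containerised scanner writes a findings report, and a small policy layer decides whether the build passes, records warnings, and honours time-limited, governance-approved exceptions so results are actionable rather than noisy. The report format, policy keys and rule identifiers below are assumptions, and the findings JSON is constructed for the example.

```python
"""
Added example: a CI/CD security gate that reads scanner findings and applies a
policy. The report shape, policy fields and rule ids are hypothetical; the
sample report is constructed for illustration.
"""
import json
from dataclasses import dataclass, field
from datetime import date

# Severity ordering used to compare findings against policy thresholds.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass
class Policy:
    fail_at: str = "high"     # findings at or above this severity break the build
    warn_at: str = "medium"   # findings at or above this (but below fail_at) are reported
    # Governance-approved exceptions: rule id -> ISO expiry date. Expired
    # exceptions stop applying automatically, so debt cannot be hidden forever.
    exceptions: dict = field(default_factory=dict)


def load_findings(raw: str) -> list:
    """Parse the scanner's JSON report (hypothetical format); tolerate an empty one."""
    doc = json.loads(raw)
    return list(doc.get("findings", []))


def evaluate(findings: list, policy: Policy, today: date) -> dict:
    """Classify findings into blocking, warning and excepted buckets."""
    fail_rank = SEVERITY_RANK[policy.fail_at]
    warn_rank = SEVERITY_RANK[policy.warn_at]
    blocking, warnings, excepted = [], [], []
    for f in findings:
        rank = SEVERITY_RANK.get(str(f.get("severity", "info")).lower(), 0)
        expiry = policy.exceptions.get(f.get("rule"))
        if expiry is not None and date.fromisoformat(expiry) >= today:
            excepted.append(f)          # still tracked, but does not block today
            continue
        if rank >= fail_rank:
            blocking.append(f)
        elif rank >= warn_rank:
            warnings.append(f)
    return {
        "passed": not blocking,
        "blocking": blocking,
        "warnings": warnings,
        "excepted": excepted,
    }


def format_report(result: dict) -> str:
    """Human-readable summary for the build log / tracking system."""
    lines = ["BUILD " + ("PASSED" if result["passed"] else "FAILED")]
    for bucket in ("blocking", "warnings", "excepted"):
        for f in result[bucket]:
            lines.append(f"  [{bucket}] {f['rule']} {f['severity']} at {f['location']}")
    return "\n".join(lines)


# Constructed scanner output (not real tool output).
SAMPLE_REPORT = json.dumps({"findings": [
    {"rule": "EX-SQLI-001", "severity": "critical", "location": "orders.py:42"},
    {"rule": "EX-TLS-007", "severity": "high", "location": "client.py:10"},
    {"rule": "EX-LOG-003", "severity": "medium", "location": "app.py:88"},
    {"rule": "EX-STYLE-9", "severity": "low", "location": "util.py:5"},
]})

SAMPLE_POLICY = Policy(fail_at="high", warn_at="medium",
                       exceptions={"EX-TLS-007": "2099-01-01"})


def run_gate(raw_report: str = SAMPLE_REPORT, policy: Policy = SAMPLE_POLICY,
             today: date = date(2024, 1, 1)) -> dict:
    """Entry point a pipeline step would call; returns the evaluation result."""
    result = evaluate(load_findings(raw_report), policy, today)
    print(format_report(result))
    return result


if __name__ == "__main__":
    run_gate()
```

With the constructed report and policy, the critical SQL-injection-style finding blocks the build, the high-severity finding is excepted until its expiry, and the medium one is surfaced as a warning; moving the expiry into the past makes the excepted finding blocking again.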
Integration of Product Security and SecOps to build applications that can defend themselves: As the infrastructure fades into the background, all of a product’s risk is concentrated in the application layer. It then becomes important that applications are able to take quick actions themselves without waiting for a SecOps analyst to detect problems. We will present a few threat cases we have developed and automated to help applications defend themselves.
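As an added illustration of an application acting on its own (not one of the speakers' threat cases, which the abstract does not detail): an in-process detector that watches failed logins per source over a sliding window, blocks the source temporarily on its own, and emits a telemetry event so SecOps still sees what happened. The thresholds, the login-handler hook and the event format are assumptions; the request sequence is constructed.

```python
"""
Added example: application-layer self-defence for a login endpoint. The
detector blocks a source after repeated failures inside a sliding window and
records an event for SecOps. Thresholds, hook names and event fields are
hypothetical; timestamps are passed in explicitly so behaviour is deterministic.
"""
from collections import defaultdict, deque


class LoginDefender:
    """Sliding-window failed-login detector that takes action itself."""

    def __init__(self, threshold: int = 5, window_s: int = 60, block_s: int = 300):
        self.threshold = threshold          # failures inside the window that trigger a block
        self.window_s = window_s            # sliding window length in seconds
        self.block_s = block_s              # how long an automatic block lasts
        self.failures = defaultdict(deque)  # source -> timestamps of recent failures
        self.blocked_until = {}             # source -> time at which the block expires
        self.events = []                    # telemetry handed to SecOps (hypothetical format)

    def _prune(self, source: str, now: float) -> None:
        """Drop failures that have slid out of the window."""
        q = self.failures[source]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def is_blocked(self, source: str, now: float) -> bool:
        until = self.blocked_until.get(source)
        if until is None:
            return False
        if now >= until:                    # block has expired; lift it
            del self.blocked_until[source]
            return False
        return True

    def record_failure(self, source: str, now: float) -> bool:
        """Record a failed login; return True if this one triggered a block."""
        self._prune(source, now)
        self.failures[source].append(now)
        if len(self.failures[source]) >= self.threshold:
            self.blocked_until[source] = now + self.block_s
            self.failures[source].clear()
            self.events.append({"type": "auto_block", "source": source,
                                "at": now, "until": now + self.block_s})
            return True
        return False

    def record_success(self, source: str) -> None:
        """A successful login resets the failure history for that source."""
        self.failures[source].clear()


def attempt_login(defender: LoginDefender, source: str, credentials_ok: bool,
                  now: float) -> str:
    """Hypothetical hook in the login handler; returns the outcome the app acts on."""
    if defender.is_blocked(source, now):
        return "blocked"                    # refuse without touching the credential store
    if credentials_ok:
        defender.record_success(source)
        return "ok"
    defender.record_failure(source, now)
    return "failed"


def demo() -> list:
    """Constructed sequence: one source fails repeatedly, another logs in normally."""
    d = LoginDefender(threshold=3, window_s=60, block_s=300)
    script = [("src-a", False, 0), ("src-a", False, 10), ("src-a", False, 20),
              ("src-a", True, 25),          # correct password, but source is blocked
              ("src-b", True, 26),          # unrelated source is unaffected
              ("src-a", True, 330)]         # block expired; login succeeds
    outcomes = [attempt_login(d, s, ok, t) for s, ok, t in script]
    for (s, _, t), o in zip(script, outcomes):
        print(f"t={t:>3} {s}: {o}")
    return outcomes


if __name__ == "__main__":
    demo()
```

The block is applied by the application itself; the `auto_block` event is what lets SecOps review or tune the rule after the fact rather than sit in the decision path.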