Shifting Security Left - The Innovation of DevSecOps

DevSecOps uses application security practices that have been around for a while. The innovation of DevSecOps is incorporating security into the daily workflow of the team rather than leaving it to the end of a release, as many legacy processes do. Shifting security left is made possible by the ability to automate many aspects of security testing and verification. DevSecOps leverages DevOps practices to make application security a first-class citizen in modern software product development. DevSecOps starts with a culture change: cross-functional teams creating software through collaboration and fast feedback cycles.

The security in DevSecOps starts before the code is written, using techniques like threat modeling and risk analysis to figure out who might want to attack you and how they might do it. This often-ignored practice is enabled by the DevSecOps approach of involving a cross-functional team, including security professionals, from the beginning.

Next, DevSecOps maps application security practices into the build pipeline for a project in order to provide quick feedback about the security posture of any change made to the software. Automation lets the team move quickly while maintaining confidence in the health of the code base, and DevSecOps extends that health check to include application security checks. While automation can make security data collection easier, it is important to understand which security practices still require a human being.

This talk focuses on how, when, and where practices should be incorporated into a build pipeline to get the most value out of your security practices through automation. It explores what manual security work still needs to be done by a person and how to maximize value while minimizing the effort required of people.


Outline/Structure of the Talk

This talk focuses on these areas:

  1. How DevSecOps builds on DevOps
  2. Security before the code is written
  3. How and where to put security testing into a pipeline including:
    1. Static Application Security Testing (SAST)
    2. Software Composition Analysis (SCA)
    3. Dynamic Application Security Testing (DAST)
  4. Advanced techniques which will be mainstream in 5 years:
    1. Interactive Application Security Testing (IAST)
    2. Hybrid Application Security Testing (HAST)
    3. Runtime Application Self-Protection (RASP)
  5. Operational Security in a DevSecOps world
  6. Q&A
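The pipeline mapping described in the abstract and the SAST/SCA/DAST stages listed in the outline, as an added example that is not part of the talk or its materials: a small Python build gate that takes findings already normalized from each scanner, applies a per-stage severity policy, short-circuits later stages the way a pipeline would (no deployment, so no DAST, once static checks fail), and separates findings a person must triage from the ones automation can decide on. The Finding format, the rule names, the advisory ids, the URLs and the thresholds are all constructed or assumed; no real scanner's output format is implied.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Finding:
    """One normalized scanner result (assumed format, not any real tool's output)."""
    stage: str                    # "sast", "sca" or "dast"
    rule: str                     # rule name or advisory id (constructed below)
    severity: Severity
    location: str                 # file:line, package@version or URL
    fix_available: bool = True    # SCA: has a patched version been published?
    needs_human: bool = False     # risk depends on design / threat-model context


# Pipeline order: SAST runs on source before a build exists, SCA on the
# resolved dependencies, DAST only once the app is deployed to a test env.
STAGE_ORDER = ("sast", "sca", "dast")

# Severity at or above which a stage breaks the build. Assumed policy:
# earlier stages gate harder because they are the cheapest to re-run.
DEFAULT_THRESHOLDS = {
    "sast": Severity.HIGH,
    "sca": Severity.HIGH,
    "dast": Severity.CRITICAL,
}


@dataclass
class GateResult:
    stages_run: list = field(default_factory=list)
    blocking: list = field(default_factory=list)       # automation says stop
    warnings: list = field(default_factory=list)       # reported, not blocking
    manual_review: list = field(default_factory=list)  # a person must decide

    @property
    def passed(self) -> bool:
        return not self.blocking


def evaluate(findings, thresholds=DEFAULT_THRESHOLDS, fail_fast=True) -> GateResult:
    """Apply the per-stage policy in pipeline order.

    With fail_fast the remaining stages are skipped once a stage blocks,
    mirroring a pipeline that never deploys (and so never runs DAST) for a
    change whose static checks have already failed.
    """
    result = GateResult()
    for stage in STAGE_ORDER:
        result.stages_run.append(stage)
        for f in (f for f in findings if f.stage == stage):
            if f.needs_human or not f.fix_available:
                # No safe automated decision: an unpatched dependency, or a
                # finding whose real risk depends on context the scanner lacks.
                result.manual_review.append(f)
            elif f.severity >= thresholds[stage]:
                result.blocking.append(f)
            else:
                result.warnings.append(f)
        if fail_fast and any(b.stage == stage for b in result.blocking):
            break
    return result


def summary(result: GateResult) -> list:
    """Human-readable lines for the build log."""
    lines = [f"stages run: {', '.join(result.stages_run)}",
             f"gate: {'PASS' if result.passed else 'FAIL'}"]
    for label, items in (("BLOCK", result.blocking),
                         ("WARN", result.warnings),
                         ("REVIEW", result.manual_review)):
        for f in items:
            lines.append(f"{label:6} {f.stage.upper():4} {f.severity.name:8} "
                         f"{f.rule} @ {f.location}")
    return lines


# Constructed sample findings; rule names, advisory ids and hosts are placeholders.
SAMPLE_FINDINGS = [
    Finding("sast", "hardcoded-credential", Severity.HIGH, "src/config.py:12"),
    Finding("sast", "weak-hash-algorithm", Severity.MEDIUM, "src/legacy.py:40"),
    Finding("sca", "ADVISORY-PLACEHOLDER-1", Severity.CRITICAL, "libfoo@1.2.0"),
    Finding("sca", "ADVISORY-PLACEHOLDER-2", Severity.HIGH, "libbar@0.9.1",
            fix_available=False),
    Finding("dast", "reflected-input-in-response", Severity.MEDIUM,
            "https://test.example/search", needs_human=True),
    Finding("dast", "missing-security-header", Severity.LOW,
            "https://test.example/"),
]


if __name__ == "__main__":
    for line in summary(evaluate(SAMPLE_FINDINGS, fail_fast=False)):
        print(line)
```

The manual-review bucket is the point the abstract makes about automation: an unpatched dependency cannot be "fixed" by the pipeline, and a reflected-input finding may or may not matter depending on where the output lands, so the gate reports both loudly but leaves the decision to a person rather than either blocking forever or silently passing.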

Learning Outcome

Learn how DevSecOps uses both security and DevOps practices to make applications more secure.

Learn how to map security practices into a build pipeline to maximize feedback.

Learn how automation can help make security data collection easier and where a human being will still need to spend time on security practices.

Overview of what the DevSecOps world view is from product vision to operational application security.

Target Audience

People who are interested in how Application Security Practices work within DevOps

Prerequisites for Attendees

Participants should be familiar with DevOps and CI/CD automation. Knowledge of application security practices will be helpful but not required.

Submitted 1 month ago


  • Max Saperstone - Building Confidence In Your Automated Tests

    45 Mins
    Keynote
    Beginner

    The growth of automation testing in today’s software development organizations is changing the way we test applications. Software development practices have matured over the last 30 years, to include all forms of testing to verify software quality. In the last ten years, there has been a huge spike in the adoption of automated tests, effectively replacing some of these manual testing practices, and supplementing many traditional testing activities. Many parts of the software development industry, however, are wary of replacing manual testing with automated testing. Not only is there often a lack of confidence in the automation tests, many see automated testing as fragile, unmaintainable, and ultimately, something delivering a low return on investment. Max believes that by employing mature software development techniques, we can achieve robust, maintainable tests that deliver confidence in the application under test. In addition to discussing how to structure automated tests that are cleaner, more maintainable and efficient, developer testing and deployment techniques can be used to programmatically verify test correctness. Drawing on his experiences building test automation, test frameworks and advising organizations to adopt test automation, Max will walk us through how to mature your test automation practices.

  • Gene Gotimer - Get to Green: How to safely refactor legacy code

    45 Mins
    Talk
    Intermediate

    For many of us, legacy code is a fact of life. Code without tests -- no safe way to make changes, no safety net, no hope of untangling the web of accumulated ugliness, an incomplete understanding (or less) of how it really behaves. And your next set of changes is just going to add to the garbage pile and make it worse. You need tests so you can safely make changes, but you can't add tests without changing the code. It is a chicken-and-egg problem.

    So how do you turn legacy code into code you can change confidently? Slowly, one step at a time. Join Gene as he shares his experiences working with a monolithic codebase that was so bad it made national news. He'll go over the steps he and his team used to refactor the code safely by using mocking frameworks, mutation testing, and patience to build an understanding of how the code worked so that they could change it confidently.

    This talk is for anyone that has inherited legacy code that they aren't confident in and wants to make it something they can work on and improve. You'll leave with some tools and techniques that will help you change your legacy code into something maintainable.

  • Craeg K Strong - Kanban Antipatterns: What You Don’t Know Can Hurt You

    45 Mins
    Workshop/Game
    Beginner

    In this interactive workshop we will examine multiple examples of Antipatterns observed in real-world Kanban boards. In each case we will identify the issues and discuss ways to improve the situation. We will review a number of better alternatives and see how the improvements map to the core principles of Kanban such as visualization, managing flow, and making policies explicit. Brand new to Kanban? Learning by example is a great way to get started! A long-time Kanban veteran? Come to see how many antipatterns you recognize and help firm up our Kanban Antipattern taxonomy and nomenclature!

    Kanban is an extremely versatile and effective Agile method that has seen significant growth in popularity over recent years. Kanban’s flexibility has led to widespread adoption to manage business processes in disparate contexts such as HR, loan processing, drug discovery, and insurance underwriting, in addition to Information Technology. Like snowflakes, no two Kanban boards are alike. The downside to this flexibility is there is no well-known and easily accessible library of patterns for designing effective Kanban boards. Like Apollo engineers, teams are expected to design their board starting from first principles. Unfortunately, sometimes teams get stuck with board designs that may not provide the visibility and insight into their workflow they hope to see. Worse, some designs actually may serve only to obscure the situation. Working within the limitations of an electronic board can exacerbate the problem even further. Is all hope lost? Certainly not!

    Let’s learn more about effective Kanban system design by examining what to avoid and why. Learning by example is effective and fun!

  • 45 Mins
    Workshop/Game
    Beginner

    How do you get people to agree on priorities when they may have different objectives? You may be facing an issue now where stakeholders are pushing against each other in order to get their work done first. What would happen if we could create an open dialog among stakeholders and have them understand different perspectives and focus on the goals of the greater good instead of just their own? Let’s face it, proper prioritization is the difference between writing code and developing valuable solutions.

    In this simulation-style workshop, you’ll learn practical methods for bringing stakeholders together to openly discuss their different priorities and agree on what’s most important overall. You will see first hand how combining group discussion with proven prioritization methods such as Weighted Shortest Job First (WSJF) and Must Have, Should Have, Could Have and Won’t Have (MoSCoW) works.

  • 45 Mins
    Talk
    Beginner

    Have you tidied up your personal life with Marie Kondo and are now wondering how to achieve the same effect in your work life? Do you have the feeling that the most valuable product backlog items (PBIs) are getting lost under a mountain of old stories, bugs, and tasks? Maybe you know a change is needed, but feel completely overwhelmed about where to start? If so, join us to learn how to make your product better through the life changing magic of tidying up your backlog.

    We’ll start by exploring the costs of a large, cluttered product backlog and share a short quiz you can use to gauge the current state of your own backlog. Next, we’ll cover how we’ve adapted the KonMari method and introduce five easy steps you can take to get started in your tidying process. We'll share real-life examples along the way, calling out potential pitfalls to avoid (don’t become a storage expert!), and illustrating how story mapping may be the magical backlog equivalent to Kondo’s “vertical folding” technique. By the end of the session, you’ll know the specific next steps to take so that you too can realize the many benefits of a tidied-up product backlog: improved visibility, increased self-organization, and easier decision-making.

  • Cherie Silas / Chester Jackson - Coaching Change with Moving Motivators

    45 Mins
    Workshop/Game
    Beginner

    Change is hard – Staying motivated during change is even harder! But you can help your teams identify what things about the change are working for them and what they need to do to make small shifts that can keep them motivated.

    Is your team or team member facing a big change decision? Moving Motivators can help you identify the best choice by looking at how the factors in the change impact your long term motivation.

    Learn to discover and prioritize your motivators so you will understand how change today might impact you in the long run. See which choice is better when there are multiple options. Make conscious trade off decisions in a logical way with long term thinking in mind.

  • Noah Wolfe - Neil Armstrong's Lessons for Project Management: Lessons in Agile from NASA's Space Race

    45 Mins
    Case Study
    Beginner

    When a government project is not going well and you're caught up in compliance, reporting, and procedure the work can feel like a grind. What is often forgotten is that one of the greatest accomplishments in human history - landing a person on the Moon - was a U.S. Federal government project. How was that accomplished?

    Today agile and Scrum are all the rage. NASA pulled off that mission long before iterative design, user testing, and demos were key components of modern technology development. Landing on the Moon was achieved without agile! ...Or was it?

    When humanity was figuring out the very dangerous work of launching ourselves into space, the U.S. space program used basic agile principles to develop the most cutting edge, unprecedented technology in human history. NASA's space programs from Mercury to Gemini to Apollo are textbook examples of the principles that should guide any modern technology development... from government websites to large enterprise software.

  • Robert Reed - Breaking Down Scrum Values With Martial Arts

    Robert Reed
    Agile Coach
    American Electric Power

    45 Mins
    Talk
    Beginner

    **Warning** - You may need safety glasses... there will be kicks, punches, boards breaking and splinters flying... with a grand finale you may never forget!!

    The Scrum framework is meaningless without the Scrum values. The five values, focus, openness, courage, commitment, and respect, are at the core of Scrum. These values are extremely important yet challenging for individuals and teams to embrace and live by day to day while on their agile journey. Everyone knows what these words mean, but without gaining a deeper understanding it will be difficult to truly see the value they bring to individuals, teams and organizations.

    In this session we will talk through each of the five Scrum values while tying into examples from the TaeKwonDo martial art. By understanding the Scrum values through a martial arts lens, you will be able to explain why these values are so important and what you and your teams can accomplish by living these values!

  • Max Saperstone - Getting to Continuous Testing

    45 Mins
    Case Study
    Beginner

    Max will tell the story of how a healthcare company striving to get to continuous releases built up their automation to secure confidence in regular releases. Initially, as no test automation existed, Max was able to take a greenfield test automation opportunity, and in the span of 12 months, develop over 2000 test cases. A testing pipeline was created to verify the integrity of the automated test cases, and to build docker containers for simple execution of the tests. These containers could then be simply re-used by developers and the DevOps team to verify the application. Max will walk through the feedback loop created, which allowed verification of the application to go from hours to minutes.

    Max will discuss what processes and paths were taken to achieve continuous testing on this project. While he will cover the tools used and why they were chosen, the main focus will be on the HOW and WHY certain patterns and activities were performed. These choices were critical to achieving continuous testing, rather than just good testing coverage in CI or CD, even allowing a push left for performance and security. Additionally, some time will be spent on the organizational and culture changes that occurred, and how he was able to accomplish this push for adoption in an organization that resisted automation, and had major quality problems.

  • Zack Ayers / Matt Acors - Andon Cords in Development Teams: Our Experience of Driving Continuous Learning through a Culture of Experimentation

    45 Mins
    Talk
    Beginner

    Summary

    In this session, you’ll learn about one team’s struggle to improve collaboration and how they sought to shorten cycle time by carefully crafting an experiment with an Andon Cord. The Andon Cord is a Toyota innovation designed to empower front-line employees to recognize issues, initiate a stoppage of work, and work together as a team to quickly identify a path forward. The emergency cable strung above assembly lines became a symbol of the Toyota Way, and has widely been copied throughout the auto industry and beyond.

    You’ll be introduced to metrics that show a surprising correlation between collaboration through Andon Cord pulls and Cycle Time!

  • David Laribee / Arushi Bhardwaj - Introducing the Dojo Model: Experiences from the Industry and within Fannie Mae

    45 Mins
    Experience Report
    Intermediate

    The Dojo movement is growing in popularity as an approach that helps enterprises transform into world-class product development organizations. Dojos represent a departure from the classic agile focus on delivery, bringing learning and a product mindset to the forefront.

    We'll share the emerging Dojo model by way of specific examples and mini-case studies. You will see how Dojos have taken shape at Fannie Mae and other large companies in the last several years. Think of this as a tour of the Dojo for two, main audiences: teams and leaders. Attendees will leave understanding how Dojos can benefit their group, portfolio, and/or organization.

  • Richard Mills - DevOps Patterns to Enable Success with Microservices

    Richard Mills
    DevOps Solution Lead
    Coveros, Inc.

    45 Mins
    Talk
    Intermediate

    DevOps can help you dig out of the problem you created for yourself: you spent your lunch period reading the interwebs, drank the kool-aid, and decided to embrace the utopia of microservices to solve all your fragile legacy monolithic code issues and allow you to release small independent changes into production. What you didn't realize is that you've translated an early-lifecycle code architecture problem into a late-lifecycle release management and quality assessment nightmare.

    This microservice thing has not provided the nirvana you expected. You ended up with:

    • a set of federated services that have hidden dependencies
    • independent applications maintained by teams that don't talk to each other
    • inability to figure out which versions work together in your test environments, much less production
    • the need to test that your still-monolithic system works in pieces and as a whole

    You discover that this looks suspiciously like a DevOps problem and your pipeline is critical to your success.

    Someone once said to me "if you are building microservices without DevOps, you've already failed." I've learned that the integration problems created by independent microservices require a high level of automation with a pipeline that works independently of each service and can detect changes that break other services. The pipeline needs to facilitate communication between teams and assess which changes and versions work with each other.

    In this talk, I highlight the important things you need to succeed with microservices and avoid some of the common problems. Participants will leave with some new ideas on what they might be doing wrong in their current microservice-based project and/or anticipate what's going to go wrong if they are just getting started.

  • Glenn Buckholz - Moving Your Pipeline to Kubernetes, Things I Wish People Had Told Me

    Glenn Buckholz
    Technical Manager
    Coveros

    45 Mins
    Case Study
    Intermediate

    Kubernetes married with a cloud provider gives elastic, highly available infrastructure. Many CI engines today (Jenkins, Bamboo, Gitlab, CircleCI) provide native integration with kubernetes so that your build and deploy workload can be elastically executed. This allows your pipeline to meet the needs of your schedule, be it the 4pm pile-on to commit code before going home, the mad rush to get a hot fix to production, or the surge of an unexpected customer ask. Gone are the days of the build queue growing and your CI engine collapsing under the weight of a hundred build requests. In order for a pipeline to leverage this capacity, changes must be made to the pipeline architecture. Tools must be dockerized, the ephemeral nature of running docker must be considered, kubernetes specifications or helm charts must be generated for the application, automated testing must be adapted to work in the new architecture, and then there is the database. Each one of these issues, plus many others I’ve missed, contained unfortunate, unforeseen pitfalls that translated into schedule delays. Join Glenn as he helps you short circuit the pitfalls of migrating to kubernetes off of your static in-elastic virtual infrastructure.

  • Thomas Stiehm - Continuous Build and other DevOps anti-patterns, and how to overcome them

    Thomas Stiehm
    CTO
    Coveros, Inc.

    45 Mins
    Talk
    Beginner

    Continuous Build is an anti-pattern that I have often seen where a team will have what they call Continuous Integration (CI) in place but it only builds the code; there are no tests or static analysis run. Certainly, this is better than not building, but it leaves a lot of health check information on the table that is considered part of CI. Without this information, you can never really gain the confidence that your build is healthy. The whole goal of CI is to feel that your build is healthy, so no tests and analysis means you aren’t doing CI.

    Just like CI, other DevOps practices can be hard to understand, implement, and get right. Even with the best of intentions, we make mistakes or misinterpret the implementation of a technique. Learn how to spot common DevOps anti-patterns and how to correct them. These patterns include

    1. Continuous Build - CI without tests isn’t CI
    2. Turn the unit tests off to build the release
    3. Don’t automate that, it is my job
    4. Different build process for developers and high environments
    5. Different deployment process for developers, test environments and/or production
    6. Not having a production-like environment to test in before production
    7. Saving performance testing for the end of the release
    8. Saving security testing for the end of the release
    9. Never asking the users about the software
    10. Only automating build and deployment, not testing
    11. Not having retrospectives
    12. Restricting retrospectives to only the development part of the process
    13. Running analysis and never looking at or acting on the findings
    14. Reduce coverage or static analysis gates to get a build to pass

    We have all experienced a time where we wanted to believe we could make an anti-pattern work but it never does. It is better to learn how to spot these and how to correct them than it is to try to keep tweaking a broken process hoping this time it will be better.

  • Thomas Stiehm - Nobody Cares about Security and What DevSecOps is doing about it

    Thomas Stiehm
    CTO
    Coveros, Inc.

    45 Mins
    Talk
    Beginner

    Application security is the poster child for third-class citizens in the software development world (behind Quality Assurance). DevSecOps is trying to turn that around and get more people, teams, and companies to care about security as our online and real-world lives become more intertwined.

    Application security has a bad reputation with many people. It comes into the development process late and demands a lot. Who wants to deal with that? We have actual business value to get out the door. “Those things” won’t happen anyway. And when “those things” do happen, it will just become an exercise in finger-pointing and blame. Security is an ugly affair that no one wants a part of.

    DevSecOps is a movement within the DevOps and Security worlds to reverse this decades-long drama by getting the people creating and updating software to build security practices into their process from the beginning, even before the code is written. This allows security professionals to become the evangelists of security practices, where they can help the teams adopt practices and teach them how to use the tools to resolve issues themselves. No longer dependent on the specialists, the teams can address security findings as they are found and make the workload manageable by spreading it across their implementation cycles -- proactively, not reactively.

    Attendees will leave with an understanding of how to map security concepts onto a delivery pipeline, how to “sell” security concepts to stakeholders, and how automation makes it easier to gather security data and act upon it. Learn what is needed to get started with DevSecOps so that you can start creating secure software today.

  • Gene Gotimer - DevOps for Leadership

    45 Mins
    Case Study
    Executive

    Organizations and leaders are often supportive of DevOps, but they don't always understand what DevOps is and what it will change. It isn't a one-size-fits-all issue; different environments need different benefits from a DevOps transformation. Join Gene Gotimer as he shows how to determine what parts of DevOps your organization needs to concentrate on first and how you should define success. This isn’t all strategic, high-level thinking -- there is plenty of tactical, “what is the next step?” planning on how to shape your delivery pipeline to work for your situation and organization.

  • Gene Gotimer - A practical approach to building security in

    45 Mins
    Talk
    Intermediate

    For many of us, legacy code is a fact of life. Code without tests -- no safe way to make changes, no safety net, no hope of untangling the web of accumulated ugliness, an incomplete understanding (or less) of how it really behaves. And your next set of changes is just going to add to the garbage pile and make it worse. You need tests so you can safely make changes, but you can't add tests without changing the code. It is a chicken-and-egg problem.

    So how do you turn legacy code into code you can change confidently? Slowly, one step at a time. Join Gene as he shares his experiences working with a monolithic codebase that was so bad it made national news. He'll go over the steps he and his team used to refactor the code safely by using mocking frameworks, mutation testing, and patience to build an understanding of how the code worked so that they could change it confidently.

    This talk is for anyone that has inherited legacy code that they aren't confident in and wants to make it something they can work on and improve. You'll leave with some tools and techniques that will help you change your legacy code into something maintainable.

  • Dane Weber - Undercover Scrum Master

    Dane Weber
    Sr. Consultant
    Excella

    45 Mins
    Experience Report
    Intermediate

    After three years as a Scrum Master and Agile coach, I hit a wall coaching a team that did not want to try popular Agile engineering techniques such as TDD and pair programming. I had become a Scrum Master after four years working on the business analysis and account ownership side of things and could not speak from personal experience about engineering practices. In order to get some first-hand experience and to gain a new perspective, I chose to spend a year or two as a software developer on a Scrum team.

    The experience has been eye-opening. I experienced a tremendous cognitive load working with a wide array of technologies; this pulled my attention away from many of the collaborative and process-oriented activities I cared about as a Scrum Master. I was surprised to feel strong pressure to complete work quickly, cutting corners, even when the Product Owner and Scrum Master were not asking me to. When this pressure was explicit, it usually came from my fellow developers. On the other hand, there is real joy in writing code and seeing a system do something worthwhile that it wasn't doing before. My outlook has changed tremendously and is something I want to share with anyone who works with development teams, especially Scrum Masters and other coaches. I am still enjoying my time as a developer, but I'm looking forward to returning to coaching and incorporating this experience into my approach.

  • David W Kane - Amend the Agile Manifesto!

    10 Mins
    Lightning Talk
    Intermediate

    We all do it. In fact, I've done it already in this talk description. I've amended the title of the "Manifesto for Agile Software Development" to just "Agile Manifesto," and I suspect most of you attending AgileDC 2019 have done this as well. In this talk I will argue that this truncation of the title of the Manifesto is more than an abbreviation of convenience; it is a sign that how we use the Manifesto in practice has moved beyond what was stated in the foundational document. For many folks Agile has significant importance and impact beyond software development. Just as our nation's Constitution has been amended over the years, I will propose amendments to the Manifesto in this talk.

  • Joel Tosi - Metrics that Matter - Moving from Easy to Impactful

    Joel Tosi
    Dojo & Co

    45 Mins
    Talk
    Intermediate

    Metrics are the bane of many organizations, which get fascinated by measurements that don’t matter or can drive improper behaviours. In this session, we walk through a simple grouping for metrics where the groupings not only call out the metrics, but their limits, and help guide you to better metrics.