Building Security into your Continuous Delivery pipelines

Functional testing has gone through a paradigm shift: from an afterthought in the waterfall model to being Agile, moved early and run as often as possible through the shift-left process. We strive to get feedback early, often and continuously. Application security, however, has mostly remained an afterthought, waiting for 'vulnerability assessment' and 'penetration testing' towards the end of the application life cycle, just before release.

Including security as a part of your DevOps process is a revolutionary shift, and it carries 3 main aspects: culture, process, and tools.

In this talk, we will focus on the 'tools' aspect, especially in a CI/CD pipeline, and demonstrate setting up a build pipeline with the ideal layers at which security testing should be added. There are vast open communities that strive to bring security into everyone's hands and thus make the digital space safe. Thanks to them, and to the ever-growing need for defensive security, there are many tools available that a developer/QA can put in their pipelines to get appropriate feedback. I will share my experience of analysing diverse sets of such tools: what they do, why they are important, and by what parameters you should measure the right tool for your project.

The categories we will talk about include SAST, DAST, dependency checking, container scanning, and secret scanning.


Outline/Structure of the Talk

In this talk, we will cover the following:

  • A brief introduction to security in DevOps (DevSecOps) (10 mins)
  • Overview of a secure pipeline (10 mins)
  • Automation options and tools (25 mins, i.e. about 5-7 mins per category)
    • What are they?
    • Talk in detail about static analysis security tools, dynamic analysis security tools, dependency checkers and secret scanners
    • How do you choose the right tool for your project?
    • Examples and demo

Learning Outcome

  • Introduction to defensive security
  • Overcome the initial barrier of where to start with getting feedback on security
  • Developers/QAs will learn about tools that give them exposure to the coverage needed to build a secure pipeline
  • Understanding of how to choose the right tool for a project context, learning from industry experience

Target Audience

Developers & QA

Prerequisites for Attendees

None
