We are at an inflection point in the practice of application security. DevOps, the conjoining of the engineering side of many organizations with IT operations, is a necessity in the age of rapid software innovation. As a case in point, Netflix releases 300 new features a day to stay ahead of fierce competitors like Hulu and Amazon Prime.
A common trait of successful organizations like Netflix is the fact that security needs to be inserted into the entire DevOps process to ensure that it does not get left behind. But how are they doing so?
It starts with a mindset and practicing product security as a shared responsibility. Everyone in the organization, including architects, developers, QA, DevOps and security teams, have an important role to play in the process of shipping secure software products.
In this session, Manish Gupta, CEO and founder of ShiftLeft, will discuss how organizations should insert security in each stage of the modern software development lifecycle. He will break down the stages, the personas involved, and how to leverage each person’s expertise to enhance security without slowing them down.
The “Plan” stage: Here, architects establish requirements such as encryption and data handled by the product. Once these requirements are established, the discussed checks should be performed continuously for every build.
The “Code” and “Build” stages: This is the perfect place to allow developers to ask questions like, “am I using an open source library that makes my application vulnerable,” or “am I encrypting all the important data that my code is dealing with?” The key is to accomplish this with high fidelity within minutes of each build. If not, security becomes a burden -- and abandoned.
The “Test” and “Release” stages: This is where unique security insights are revealed by subjecting the product to test traffic to answer questions such as “in a microservice architecture, how do I ensure that security is end-to-end and not just for one microservice?”
The “Deploy,” “Monitor” and “Operate” stages: This is where most security tools are deployed. These tools should not disrupt the DevOps process, but should be effective and efficient at protecting the applications. The agility of the DevOps process demands that security tools deliver application-specific security, specific to each version of each application.
- The mindset companies need to adopt to successfully insert security into DevOps
- Tailoring the DevSecOps process to the personas of everyone involved
- Leveraging each person’s expertise within each stage of the DevSecOps process
Technical Level: Low