DevSecOps: What, Why and How

Presented at Black Hat Asia 2019, March 28, 2019, 5 p.m. (30 minutes)

Security is often added towards the end of a typical DevOps cycle, through manual or automated review. In DevSecOps, security can be injected at every stage of a DevOps pipeline in an automated fashion. Having a DevSecOps pipeline enables an organisation to:

  • Create a security culture amongst the already integrated "DevOps" team
  • Find and fix security bugs as early as possible in the SDLC
  • Promote the philosophy "security is everyone's problem" by creating security champions within the organisation
  • Integrate all security software centrally and use the results more effectively
  • Measure and shrink the attack surface

In this talk, we focus on how a DevOps pipeline can easily be transformed into DevSecOps, and we identify the accompanying benefits. The talk discusses a number of open source tools and also the cultural changes needed to implement DevSecOps. It also presents various case studies on how critical bugs and security breaches affecting popular software and applications could have been prevented using a simple DevSecOps approach.

Presenters:

  • Anant Shrivastava - Regional Director - Asia Pacific, NotSoSecure
    Anant Shrivastava is an information security professional with 11+ years of corporate experience and expertise in network, mobile, application and Linux security. He is Regional Director - Asia Pacific for NotSoSecure Global Services. He has trained ~800 delegates at various conferences (Black Hat USA, Asia, EU, Nullcon and many more). He has also been a speaker at conferences such as Nullcon, c0c0n and Rootconf. Anant also leads the open source projects Android Tamer (www.androidtamer.com) and CodeVigilant (www.codevigilant.com). He is active in various open security communities such as OWASP, null and G4H. He is chapter leader for his local null community chapter and is an avid open source contributor. He is a contributing author for the OWASP Web Testing Guide v4.0 and a reviewer for the Mobile Testing Guide and Mobile ASVS standard documents by OWASP. His work can be found at anantshri.info
