Dev[Sec]Ops != Dev[Suck]Ops: A Journey Toward a DevOps Security Culture

Presented at Kernelcon 2019, April 5, 2019, 11:15 a.m. (20 minutes)

The traditional approach to software security testing typically involves some form of human interaction. It is accompanied by long wait times and large, overwhelming scan results, which hardly lives up to the automation hype of the DevOps culture. With the traditional model, follow-up remediation typically includes lengthy conversations with security engineers and a back-and-forth fix-and-retest cycle. This process is often an afterthought toward the end of the SDLC, when code fixes are costly and deployment schedules are tight. The traditional approach does not scale with today's software engineering demands. DevOps, 12-factor apps, quick agile iterations, and aggressive deployment schedules require security to operate at a new speed: the speed of DevSecOps. How many product owners have had to hit the pause button on a roll-out in order to complete a full SAST or DAST of the entire world before going live? Traditional find, fix, rinse, and repeat methods are being upstaged by more streamlined solutions that integrate directly into the developer's native workflow, enabling a real-world shift left. This includes letting the developer interact with SAST, DAST, IAST, and open source monitoring from their development workspace as well as in the CI/CD pipeline. Advanced DevSecOps implementations facilitate agility, early fixes, open source visualization, and developer-centric tooling that give dev teams much more control over secure coding models.

Presenters:

  • Rob Temple - Mutual of Omaha
Rob is a Software Security Engineer and the lead security advisor on the DevOps Delivery & Practice team at Mutual of Omaha. Rob is a current member and past President of the OWASP Omaha Chapter, as well as a member of the newly formed Cloud Security Alliance (CSA) DevSecOps Working Group. Coming from several years as a software developer, his recent mission has been to help design automated software assurance processes and solutions that plug-n-play into native developer workflows.
