1. How to make security pervasive without falling into the DevSecOps trap
Matteo Emili
Microsoft MVP – Developer Technologies
matteo.emili@live.com
https://mattvsts.github.io || http://twitter.com/MattVSTS
6. Shift left
• Move the security problem into the developer space
• Ensure the team agrees with and accepts the cultural shift
• Provide tools to address issues as early as possible
Engineering practices
• Integrate lightweight security toolkits in build and release pipelines
• Consider security a first-class citizen from the earliest possible stage
• Adopt well-known best practices and enforce them via process
Two fronts to work on
11. Integrate a security toolkit in your CI/CD process
By the same shift-left principle, a problem spotted during a CI build is cheaper to fix than one found in a Release Candidate.
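The slide does not show what such a toolkit looks like inside a pipeline, so here is an added example (not code from the deck, and not DevSkim or any other tool it names): a small pattern-based gate that runs against the checkout during a CI build, prints findings with file and line, and fails the job when a finding reaches the configured severity. The rules, rule ids, severities and sample files are all constructed for this illustration.

```python
"""Minimal pattern-based security gate for a CI build.

Added example, not a tool from the deck: it shows the shape of a
lightweight check that runs during CI so a finding surfaces before the
Release Candidate. Rules, severities and sample files are constructed here.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    pattern: "re.Pattern"
    severity: str  # "high" or "medium"


# Hypothetical rule set, loosely in the spirit of IDE linters such as DevSkim.
RULES = [
    Rule("SEC001", "Hardcoded credential assignment",
         re.compile(r'(?i)\b(password|secret|api_key)\s*=\s*["\'][^"\']+["\']'), "high"),
    Rule("SEC002", "Weak hash algorithm (MD5/SHA1)",
         re.compile(r'\bhashlib\.(md5|sha1)\s*\('), "medium"),
    Rule("SEC003", "Cleartext HTTP endpoint",
         re.compile(r'["\']http://[^"\']+["\']'), "medium"),
]

SEVERITY_RANK = {"medium": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule_id: str
    severity: str
    description: str


def scan_source(path: str, text: str) -> List[Finding]:
    """Run every rule over each line of one file and collect findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append(Finding(path, lineno, rule.rule_id,
                                        rule.severity, rule.description))
    return findings


def gate_passes(findings: List[Finding], fail_on: str = "high") -> bool:
    """The build passes only if no finding reaches the fail_on severity."""
    threshold = SEVERITY_RANK[fail_on]
    return all(SEVERITY_RANK[f.severity] < threshold for f in findings)


# Constructed sample sources standing in for a repository checkout.
SAMPLE_FILES: Dict[str, str] = {
    "app/config.py": 'DB_HOST = "db.internal"\nPASSWORD = "hunter2"\n',
    "app/util.py": 'import hashlib\n\ndef digest(data):\n'
                   '    return hashlib.sha256(data).hexdigest()\n',
    "app/client.py": 'BASE_URL = "http://api.example.internal/v1"\n',
}


def run_gate(files: Dict[str, str] = SAMPLE_FILES, fail_on: str = "high"):
    """Scan every file, print findings in compiler style, return (findings, passed)."""
    findings = [f for path, text in files.items() for f in scan_source(path, text)]
    for f in findings:
        print(f"{f.path}:{f.line}: [{f.severity}] {f.rule_id} {f.description}")
    return findings, gate_passes(findings, fail_on)


if __name__ == "__main__":
    # Non-zero exit status is what makes the CI stage fail.
    found, ok = run_gate()
    print("gate:", "PASS" if ok else "FAIL")
    sys.exit(0 if ok else 1)
```

Run stand-alone it reports the hardcoded password as high and the cleartext URL as medium, then exits 1; in a pipeline the exit status is the only contract the build system needs, which is what makes this kind of check cheap to wire into an existing CI stage.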
12. You can do it at every corner
Security should be a foundation, not an afterthought!
13. It starts from the developer...
…and the engineering practices close the loop.
14. Always an interesting day…
• Quality tools and metrics within the IDE (DevSkim)
• Facilitators and connected services (KeyVault)
• Security as a first-class citizen (incorporating SDL principles)
• Software Composition Analysis (WhiteSource)
• Code quality scans (OWASP/SANS via SonarQube, etc.)
• Static Security Testing (Fortify, CheckMarx, etc.)
• Malware scans (any AV solution with an API)
• Dynamic Security Testing (against live applications)
• IaC security validation (AzSK or similar)
• Proactive mitigations (learning from incidents and reports)
• Continuous Assurance (checking for infrastructure drift)
• Continuous Monitoring (Azure Monitor, etc.)
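Two of the items above, IaC security validation and Continuous Assurance (drift checking), are the same rules applied at two moments: once to the template before deployment, and again to the observed infrastructure afterwards. The following is an added example illustrating that idea; it is not AzSK or any other product from the deck. The resource model, the rule set and both state snapshots are constructed for illustration.

```python
"""IaC security validation plus a drift check ("continuous assurance").

Added example; it is not AzSK or any product from the deck. The resource
model, the rules and both snapshots are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Constructed desired state, as it would be declared in an IaC template.
DESIRED: Dict[str, dict] = {
    "stor-prod": {
        "type": "storage",
        "https_only": True,
        "min_tls": "1.2",
        "public_blob_access": False,
    },
    "nsg-web": {
        "type": "nsg",
        "inbound": [
            {"port": 443, "source": "0.0.0.0/0"},
            {"port": 22, "source": "10.0.0.0/8"},
        ],
    },
}

# Constructed observed state, as an inventory query would return it at runtime.
OBSERVED: Dict[str, dict] = {
    "stor-prod": {
        "type": "storage",
        "https_only": True,
        "min_tls": "1.0",            # drifted: minimum TLS was lowered by hand
        "public_blob_access": False,
    },
    "nsg-web": {
        "type": "nsg",
        "inbound": [
            {"port": 443, "source": "0.0.0.0/0"},
            {"port": 22, "source": "0.0.0.0/0"},   # drifted: SSH now open to everyone
        ],
    },
}

ADMIN_PORTS = {22, 3389}


def validate(resources: Dict[str, dict]) -> List[str]:
    """Security rules a resource set must satisfy; used before and after deployment."""
    violations = []
    for name, res in resources.items():
        if res["type"] == "storage":
            if not res.get("https_only"):
                violations.append(f"{name}: HTTPS not enforced")
            if res.get("min_tls") != "1.2":
                violations.append(f"{name}: minimum TLS is {res.get('min_tls')}, want 1.2")
            if res.get("public_blob_access"):
                violations.append(f"{name}: public blob access enabled")
        elif res["type"] == "nsg":
            for rule in res.get("inbound", []):
                if rule["port"] in ADMIN_PORTS and rule["source"] == "0.0.0.0/0":
                    violations.append(f"{name}: port {rule['port']} open to the internet")
    return violations


def drift(desired: Dict[str, dict], observed: Dict[str, dict]) -> List[Tuple]:
    """Compare every declared attribute with the observed one; returns (resource, key, want, have)."""
    changes = []
    for name, want in desired.items():
        have = observed.get(name)
        if have is None:
            changes.append((name, "<resource>", "present", "missing"))
            continue
        for key, value in want.items():
            if have.get(key) != value:
                changes.append((name, key, value, have.get(key)))
    return changes


def assurance_report(desired=DESIRED, observed=OBSERVED):
    """Returns (template violations, runtime violations, drifted attributes)."""
    return validate(desired), validate(observed), drift(desired, observed)


if __name__ == "__main__":
    template_issues, runtime_issues, drifted = assurance_report()
    print("template violations:", template_issues or "none")
    print("runtime violations:", runtime_issues or "none")
    for name, key, want, have in drifted:
        print(f"drift on {name}.{key}: declared {want!r}, observed {have!r}")
```

The template passes, which is the pre-deployment gate; the runtime snapshot fails the same rules, and the drift list names the attributes that changed, which is the signal a continuous assurance job would raise (and feed back into the "proactive mitigations" item) rather than waiting for an incident to reveal the change.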
15. Let’s take a look!
Build your toolkit from the ground up
16. Code or IDE tools
DevSkim (https://github.com/microsoft/DevSkim)
SonarLint (https://www.sonarlint.org/)