[DevSecOps Live] DevSecOps: Challenges and Opportunities
•
1 gefällt mir•486 views
In this Practical DevSecOps's DevSecOps Live online meetup, you’ll learn DevSecOps Challenges and Opportunities. Join Mohan Yelnadu, head of application security at Prudential Insurance on his DevSecOps Journey. He will cover DevSecOps challenges he has faced and how he converted them into opportunities. He will cover the following as part of the session. DevSecOps Challenges. DevSecOps Opportunities. Converting Challenges into Opportunities. Quick wins and lessons learned. … and more useful takeaways!
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie [DevSecOps Live] DevSecOps: Challenges and Opportunities
Ähnlich wie [DevSecOps Live] DevSecOps: Challenges and Opportunities (20)
Mehr von Mohammed A. Imran
Mehr von Mohammed A. Imran (14)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
[DevSecOps Live] DevSecOps: Challenges and Opportunities
- 1. DEVSECOPS CHALLENGES & OPPORTUNITIES MOHAN YELNADU
- 3. P. P. T • • QUALITY • PRAGMATIC • • OPEN • ACCOMMODATING • • RIGHT SET • SUIT MY REQUIREMENTS People Tools Process
- 4. PEOPLE • SMALL BUT SMART • CAN ACHIEVE A LOT • • • • • • SAVVY • CHANGE THE LANGUAGE • BUSINESS RISKS
- 5. APPSEC TOOLS • • MAKE OR BREAK • COE, TEAM WITH CURIOSITY.. • • • • • GO FOR POC/LISTEN TO EXPERTS IN THE FIELD
- 7. PROCESS • • • • S • S • S • • EARLY, EFFORTLESS, AND CONSTANT FEEDBACK
- 8. EXAMPLE SAST – Static Application Security Testing OSS – Open Source Software Security CSec – Container Security DAST – Dynamic Application Security Testing
- 9. • SMOOTH ONBOARDING • AUTOMATE WHAT YOU CAN • IMPROVING TOOL ADOPTION • ROLLOUT STRATEGY • MANAGING CRITICAL ISSUES • MAKING IT WORK FOR SOC • PRODUCTION MONITORING • TAILORED CONFIGURATION • DO THE RIGHT THING • PRAGMATIC HYGIENE • MANAGING ZERO DAYS
- 10. SMOOTH ONBOARDING • AUTOMATED ONBOARDING ON SECURITY TOOLS • • • HEARD THE TOOL NAME, & ONBOARDED
- 11. AUTOMATE WHAT YOU CAN O N B OA R D I N G S C A N N I N G T R I AG E B U I L D B R EA K E R I S S U E M A N AG E M E N T
- 12. TRIAGE Scan Raise Triage Request Analyze Findings Fix True issues False Positives Analyze Triage Issues (If required meet developers) True issues False Positives Ignore/Not Applicable Developer AppSec SME
- 13. BUILDBREAKER: Pre-process Build Security Scan Code Quality Scan BuildBreaker PROD Example BitBucket Artifactory Source Code Build Artefact No-Go Go BuildBreaker Example: • No critical security issues in production build
- 14. IMPROVING TOOL ADOPTION Allow developers to Get used to the Tools‘‘ ’’ Give enough notice while enabling BuildBreakers/Gating‘‘ ’’ Create Ecosystem: FAQs, Documentation, Demos, Videos ‘‘ ’’ Give as many Live Demos as possible, share about new Tools & Processes ‘‘ ’’
- 15. ROLLOUT STRATEGY Break Build: In Stages‘‘ ’’ Handholding in False Positive Analysis: Triage & Guidance‘‘ ’’ Dispensation Management: Logging & Validity‘‘ ’’
- 16. MANAGING CRITICAL ISSUES • • LEVEL 10/CRITICAL • IDENTIFICATION • • FOLLOW-UP • Developers DO NOT realise the Gravity of Level 10 OSS Issues Self-Expérience J ‘‘ ’’
- 17. • • • • MAPPING APP WITH RIGHT STAKEHOLDERS IN DASHBOARD WORKING WITH SOC
- 18. PRODUCTION MONITORING • MONITORING • • NIGHTLY • ALERT Effective PROD Monitoring saved a huge effort! Self-Expérience J ‘‘ ’’
- 19. TAILORED CONFIGURATION • • • • DISPENSATION • LOGGING • CREATE DEVELOPER
- 20. DO THE RIGHT THING • • UPLOAD LIBRARY AND ANALYSE • BROWSER PLUGIN TO SCAN • IDE PLUGIN TO ENABLE LOCAL SCANS
- 21. PRAGMATIC HYGIENE • UPGRADING THE TOOLS TO LATEST VERSIONS • NEW FEATURES INNOVATIONS • ANALYSE IN TEST ENVIRONMENT 01 03 05 04 02
- 22. MANAGING ZERO DAYS • EYES AND EARS OPEN ZERO DAYS: • YOUR LIBRARIES TOOLS • • WAF • CONSTANT TOUCH WITH VENDOR • EVER READY TO ACT THE SHOW MUST GO ON!
- 23. IMPORTANT : SECRETS MANAGEMENT • • • •