Download as PDF, PPTX
Uploaded byVeracode
A Secure DevOps Journey
Pete Chestna has 25 years of experience in enterprise software development and has worked at Veracode for over 10 years. He discusses the evolution from waterfall to agile to DevOps approaches. With waterfall, quality tasks like security occurred late in the process and were unpredictable. Agile broke down silos but security initially remained separate. DevOps integrates security throughout by automating tasks, enabling zero downtime upgrades, and embedding security into definitions of done. The journey requires revolution at a micro level and evolution at a macro level through continuous improvement and empathy.
More Related Content
![[DevSecOps Live] DevSecOps: Challenges and Opportunities](https://cdn.slidesharecdn.com/ss_thumbnails/20200316dsochallengesopportunities-200416111818-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
Similar to A Secure DevOps Journey
A Secure DevOps Journey
- 1. A Secure DevOps Journey Pe t e C h e s t n a , D i r e c t o r o f D e v e l o p e r E n g a g e m e n t
- 2. • Massachusetts bornand raised – Grew up in Milford, Graduated from WPI, live in Auburn • 25 years experience in enterprise software development • 10+ years at Veracode – Individual contributor – Director of Engineering – Director of Developer Engagement – Certified Scrum Master & Scrum Product Owner – 2 trillion lines of code under my (Veracode’s) belt! About me
- 3.
- 4. Waterfall - Process Addressing qualitytoo far down the development lifecycle created a cycle of waste
- 5. Waterfall - People DevQA Ops Security Organizational silos Arch Dev
- 6. Waterfall - Technology •Gantt Charts • Text documents • Requirements • Architecture • Designs • Test plans • Manual tests • Manual Deploy • Shell Script • SQL Script
- 7. Waterfall - Security Backend of process Occurred during testing cycle Unpredictable amount of work Mostly manual
- 8. Coming of Age:Agile
- 9. Agile - Process Copyright2005, Mountain Goat Software
- 10. Agile - People Security Dev& QA IT Operations Product Mgmt Product Mgmt Security is a gate keeper on the outside looking in
- 11. Agile – TechnologyInitially
- 12. Security Test Release Static Analysis Pen Testing Code Integrate Function alTest Production Ready Develop Agile Development with Waterfall Security Testing Agile – Security in the early days
- 13. Agile – Security– Early Days Security Results 3 Build 5 Security Results 4 Static Analysis Hardening Sprint 1 Develop 2 Check in Agile Backlog
- 14. 4 Check in 1 Develop 6 Static Analysis 5 Build 7 Import Static Analysis 3 Build & Test 2 Agile Backlog Agile– Security – Automated and Integrated Nightly
- 15. Agile – Securityis not limited to automation! Security Champions Security Grooming (Requirements Review) Security as part of the Definition of Done Threat Modeling Secure Code Review Pen Testing Pre-Productions Dynamic Analysis
- 16. Agile - Cultureclash with OPS and Security
- 17. We Have Arrived:DevOps
- 18.
- 19. DevOps - People Breakthe Silos Reorganize Change the Culture
- 20.
- 21. Training (eLearning, instructor led,metadata driven) Static Application Security Testing + Software Composition Analysis Remediation and Mitigation Guidance Secure Code Reviews Manual Penetration Testing Runtime Application Security Protection Dynamic Application Security Testing Plan Code Build Test Stage Deploy Monitor Threat Modeling Security Grooming DevOps – Pervasive Security
- 22. This Is OurJourney •Revolution at the micro level •Evolution at the macro level Innovation •Always constructively dissatisfied •Hypothesize, prototype, measure •Sharpen the saw Continuous Improvement •We have been where our customers are going •Project Purina Empathy
- 23. Thank You w ww . v e r a c o d e . c o m Pete Chestna: @PeteChestna