Webinar: Best Practices for DevSecOps at Scale
© 2020 Synopsys, Inc. 1
Best Practices for DevSecOps at Scale
Who are we?

Leader in end-to-end software security
• The Forrester Wave™: Static Application Security Testing
• The Forrester Wave™: Software Composition Analysis
• Gartner Magic Quadrant: Application Security Testing
The Synopsys approach
Deliver holistic, intelligent solutions combining people, process, and technologies, optimized to meet DevSecOps challenges and companies’ security needs.

Synopsys addresses AppSec end to end: world-class products and services
[Figure: products placed along the Code – Test – Build – Deploy – Operate pipeline]

Secure your proprietary code: Coverity (SAST)
• Finds common security weaknesses in source code as it’s being written
• Identifies source code defects and weaknesses
• Integrates with IDEs and CI/CD workflows

Secure your open source: Black Duck (SCA)
• Finds open source vulnerabilities in binaries and source code
• Identifies vulnerable third-party components and dependencies
• Integrates with IDEs and CI/CD workflows

Secure your app behavior and configuration: Seeker (IAST)
• Finds and verifies vulnerabilities during automated/manual web application testing
• Identifies code location of vulnerabilities and data leakage
• Integrates with CI/CD workflows

Secure your app behavior and configuration: Managed Security Testing (DAST & Pen Test)
• Cost-effective dynamic application security testing by experts delivered on demand
• Provides risk analysis and remediation guidance
• Analyzes applications in test or production

Change is constant. Are your development workflows keeping pace?
[Figure: development workflows surrounded by the drivers of change: security tools; CI/CD; DevOps; vulnerabilities; regulatory requirements; product velocity acceleration; vendors and supply chains; languages, frameworks, architectures; attackers and attacks; Agile; cloud; containers, microservices; everything as code]

What is DevSecOps?
DevSecOps is the integration of security into emerging agile IT and DevOps development as seamlessly and as transparently as possible. Ideally, this is done without reducing the agility or speed of developers or requiring them to leave their development toolchain environment.

Security touchpoints: so much to do and so little time
[Figure: touchpoints placed along the Design – Code – Test – Build – Deploy – Ops life cycle, with Training, Metrics, Standards and Incident Management as cross-cutting activities]
Design
• Design requirements
• Security requirements
• Threat models
• Risk analysis
Code
• Code and crypto standards
• Peer and manual code review
• IDE integration
• Static code analysis
Test
• Secure unit and fuzz testing
• Secure integration tests (IAST)
• Static code analysis (SAST)
Build
• Third-party library security
• Secure supply chain
• Software composition analysis
Deploy
• Secure configuration
• Platform hardening
Ops
• Red teaming
• DAST and penetration testing
• Monitoring
Training
• Developer instructor-led training
• eLearning self-paced training
Cross-cutting: Metrics, Standards, Incident Management

DevOps exposes the AppSec testing gap
[Figure: Code – Test – Build – Deploy – Operate pipeline, with SAST & SCA on the development side and DAST & Pen test on the QA and production side]
SAST & SCA: find & fix vulnerable code in source and components during development
DAST & Pen test: test & report vulnerable behavior in running applications during QA & production
The gap between the two:
• No runtime verification
• Limited guidance for dev
• Weak CI/CD integration

A well-rounded and mature DevSecOps culture differentiates your company as a security leader. But what if your team has neither the visibility into the current state of your SSI (software security initiative) nor the data they need to create an improvement strategy and prioritize SSI change?
What do we mean by ‘scale’?
• Traditional development
– Waterfall with stage gates
– Few to tens of applications
– Big changes every year or two
– Deployment quarterly or yearly
• DevSecOps
– Agile with no barriers
– Thousands of apps
– Small changes every day
– Deployment 10–100 times a day

What Managed Services delivers
Managed Security Testing can assist
• Expertise on demand
• Efficient and repeatable processes that integrate with your development activities
• Advanced tooling: experienced additional analysis over and above automated tooling creating tickets
Scale
• Portfolio management
• Test automation
• Elastic capacity, such as Managed Security Testing
Small changes every day
• Feature and delta retests
• Tight integration between developers and security
Deployment
• More types of testing (design, sprint, code, etc.)
• Unit and integration test automation
• Elastic capacity for milestone releases
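As an added illustration of the "feature and delta retests" and "automated tooling creating tickets" points above (example code written for this page, not Synopsys tooling), the following Python script compares a baseline scan of the main branch with a fresh scan of the change under review, reports only the findings that are new, and fails the pipeline stage when a new finding reaches the configured severity. The finding records, file names and snippets are constructed; a real integration would map the scanner's export (for example SARIF) into the same shape.

```python
"""Delta-based security gate for a CI pipeline stage.

Example code for this page, not Synopsys tooling. Two scan exports are
compared: BASELINE (last full scan of the main branch) and CURRENT (scan
of the change under review). Only findings that are new relative to the
baseline are reported, and the stage fails when any new finding reaches
the configured severity. Finding records and file names are constructed.
"""
import hashlib
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(finding):
    """Stable identity for a finding across re-scans.

    The line number is deliberately left out: unrelated edits above a finding
    move it to a new line, and keying on the line would re-open every old
    finding as "new" on each small daily change. Rule id, file path and the
    whitespace-normalized offending snippet identify it well enough.
    """
    snippet = " ".join(finding["snippet"].split())
    raw = "|".join([finding["rule"], finding["file"], snippet])
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()[:16]


def delta(baseline, current):
    """Return (new_findings, fixed_findings) between two scans."""
    base = {fingerprint(f): f for f in baseline}
    cur = {fingerprint(f): f for f in current}
    new = [f for key, f in cur.items() if key not in base]
    fixed = [f for key, f in base.items() if key not in cur]
    return new, fixed


def gate(new_findings, fail_at="high"):
    """Pass the stage unless a new finding is at least `fail_at` severity.

    Lower-severity new findings are still returned so the pipeline can open
    tickets for them instead of silently dropping them.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in new_findings
                if SEVERITY_RANK[f["severity"]] >= threshold]
    return {"passed": not blocking, "blocking": blocking}


# Constructed scanner output. Fields mirror what SAST/SCA exports carry:
# rule id, file, line, severity and the flagged snippet.
BASELINE = [
    {"rule": "CWE-89", "file": "app/orders.py", "line": 40, "severity": "high",
     "snippet": 'cursor.execute("SELECT * FROM orders WHERE id=" + order_id)'},
    {"rule": "CWE-79", "file": "app/views.py", "line": 12, "severity": "high",
     "snippet": "return Markup(request.args['q'])"},
]

CURRENT = [
    # Same SQL finding, shifted twelve lines down and re-indented: not new.
    {"rule": "CWE-89", "file": "app/orders.py", "line": 52, "severity": "high",
     "snippet": '  cursor.execute("SELECT * FROM orders WHERE id="  + order_id)'},
    # The CWE-79 finding from the baseline is absent here: fixed.
    # Two findings introduced by the change under review:
    {"rule": "CWE-798", "file": "app/config.py", "line": 3, "severity": "medium",
     "snippet": 'SMTP_PASSWORD = "example-placeholder"'},
    {"rule": "CWE-22", "file": "app/files.py", "line": 27, "severity": "high",
     "snippet": "open(os.path.join(UPLOAD_DIR, request.args['name']))"},
]


def run_example(fail_at="high"):
    """Run the gate on the constructed scans and return a summary."""
    new, fixed = delta(BASELINE, CURRENT)
    result = gate(new, fail_at)
    return {
        "new": [f["rule"] for f in new],
        "fixed": [f["rule"] for f in fixed],
        "blocking": [f["rule"] for f in result["blocking"]],
        "passed": result["passed"],
    }


if __name__ == "__main__":
    # Exit non-zero so the CI stage fails on blocking new findings.
    summary = run_example()
    print(json.dumps(summary, indent=2))
    raise SystemExit(0 if summary["passed"] else 1)
```

On the constructed input the script reports two new findings, one fixed finding, and fails the stage because the new path-traversal finding is rated high; the medium hardcoded-credential finding does not block but is still surfaced for ticketing. The fingerprint design is the part that matters at scale: with many small deployments per day, a gate keyed on line numbers would flood developers with re-opened findings and be switched off within a week.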
Manage the risk
• Enable secure business
– Yes, if…
• Mixture of pipeline and formal processes
• Mixture of internal and external specialists
• Mixture of development and security tools
• Mitigate
– Build security in
– Maturity Action Plans
– Tightly integrate development, security, and operations
• Transfer
– Elastic specialist capacity—Managed Security Testing
– Cyber insurance
• Accept
– Only once you understand the risk

The BSIMM as a measuring stick
[Figure: comparison chart of the example firm against observed BSIMM data]
Blue points that fall INSIDE the green points indicate practices where the example firm is substantially behind what we have observed elsewhere.

What to look for in a solution
• Standardization
• Efficiency
• Maturity
• Coverage
• Quality

What to look for in a partner organization
• Industry leadership
• Scalability
• Knowledge transfer
• Standards based

Synopsys Managed Security Testing
Integrating industry-leading, standards-setting, high-impact services into your DevSecOps processes
[Figure: services compared on Coverage, Expertise, Quality, Standardization and Maturity]
SAST
• Manual and automated secure code review
• Deep coverage
• Manual, static code, and software composition analysis
• Business logic flows and access controls
MAST
• Black box mobile security testing
• Deep coverage
• Manual, static, and automated tests
• Business logic flows and access controls
Penetration Testing
• Black box web application and API security testing
• Deep coverage
• Manual and automated tests
• Business logic flows and access controls
DAST
• Automated security testing
• Select coverage
• Additional checks for PCI DSS and OWASP Top 10 compliance
• No false positives
NST
• External black box network vulnerability scanning
• Additional checks for PCI DSS quarterly scan requirements
• No false positives
Call to action
• Consider Managed Security Testing for your elastic assurance
requirements
• Deeply embed security into your secure development life cycle
• Mature your agile development processes
To learn more
• Managed Application Security Testing
• Make the right choices on your path to DevSecOps
• Accelerate your application security program with the help of experts
Q&A
Thank You