© 2019 VERACODE INC.
Scale DevSecOps with your Continuous Integration Pipeline
Presented by DevOps.com and Veracode
Today’s Presenters
Janet Worthington, Principal Product Manager
Vineeta Puranik, Vice President of Engineering and Operations
Audience Poll
What is your role on the team?
• Developer
• Developer in Test
• Security
• DevOps
• Manager
What is Dev(Sec)Ops?
• “DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.”
• “DevOps is also characterized by operations staff using many of the same techniques as developers for their systems work.”
Source: ‘What Is DevOps?’ 2010. The Agile Admin. August 2. https://theagileadmin.com/what-is-devops/
DevSecOps: Shift in culture
Dev, Sec, Ops
• Work in small batches
• Automate when possible
• Security controls: automate
• Trust: safe to fail
• Fast delivery to customers
• Collaborate
• Feedback
• Learn
Metrics to measure
Source: DORA: 2018 State of DevOps Report
DevOps allows teams to deploy code daily or hourly, reduce lead time for changes, reduce time to restore service, and minimize the impact of new changes on production.
Source: DORA: 2018 State of DevOps Report
Work Flow cycle: Agile Development Team
• Dev, QA, IT, Ops, UX, Security
– Cross-functional teams collaborate to achieve a common organizational goal
• Less friction, more velocity
– Work flows smoothly through the entire value stream to the customer
• Plan, Code, Test
– Agile
– Modular
– Automate
• Small, continuous deploys
• Infrastructure as code
Recommended book: The DevOps Handbook by Gene Kim
Software Deployment: CI/CD
• Promote code early and often
– Test early and often, including for security issues
• Continuous integration, builds, and tests
• Fast and reliable automated test suites
• Package once, deploy anywhere
• Canary or blue-green deployments
Software Availability: Operations
• Monitoring: server and app performance
• Continuous feedback and learning
• Experiment: fail fast, learn fast
• Testing, Operations, Security – everyone’s job, every day
• Increased awareness of production issues
DevSecOps Best Practices
Source: Veracode: The Developer’s Guide to the DevSecOps Galaxy
Benefits of DevSecOps for Developers
Source: Stripe: The Developer Coefficient, Sept 2018
Source: Puppet: 2016 State of DevOps Report
Source: Veracode: State of Software Security Volume 9
Security Throughout The Lifecycle
(Diagram; axis labels: Speed & Prevention, Coverage & Remediation)
• Greenlight – Is My Code Secure?
• Static Sandbox – Is Our Combined Code Secure?
• Static Policy – Is the Application Secure?
Greenlight
Helps developers answer the question – “Is my code good?”
• Continuous Flaw Feedback – fast, early, focused scans of the code a developer is currently working on
• Secure Coding Education – remediation guidance provided directly to the developer to assist with quick fixes
• Reduce the number of flaws entering downstream activities
• Maintain development velocity
• Improve adoption with tools that work the way developers expect them to
Greenlight Where You Want It
• IDE, Build, CI, RAD
DevSecOps: Scan Early, Scan Often
• Continuous Development Pipeline: Code / Compile / Debug / Unit Test / Commit + Greenlight IDE
• Continuous Integration Pipeline: Build / Unit Test / Code Quality / Code Review + Greenlight API
• Continuous Testing Pipeline: Functional Tests / Integration Tests / Performance Tests + Static Sandbox
• Continuous Delivery Pipeline: Stage / UAT / Final Validation / Deploy + Static Policy
CI/CD Workflow Example
Continuous Integration Pipelines
Dev Env: Write, Commit and Push
Feature Branch Pipeline: Failed – Greenlight scans new/changed files
Greenlight Scan: Summary Results
Greenlight JSON Results Archive
The Greenlight results JSON file with scan details is archived to:
gl-scanner-java_<projectref-commithash>_greenlight-results.zip
Dev Env: Fix, Commit and Push
Feature Branch Pipeline: Success – Greenlight scans new/changed files
Feature Branch: Merge Request
Feature Branch: Merge Approval
Continuous Integration Succeeds, Continuous Test Triggered
• Tag for Release
Continuous Test Succeeds & Continuous Delivery Triggered
• Veracode Static Scan Project
• Deploy
Pipeline Configuration Code
• .gitlab-ci.yml
• Greenlight CI Tool
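As an added example (not Veracode's Greenlight CI tool, its results format, or any code from this deck): a Python policy gate a feature-branch CI job could run over the archived results JSON from the walk-through above, failing the job only for findings at or above a chosen severity in the new/changed files. The archive name follows the slide's pattern; the JSON schema, severity labels, file paths and findings inside are constructed assumptions.

```python
"""Policy gate for an archived scan-results JSON (added example, assumed schema)."""
import io
import json
import zipfile
from collections import Counter


def archive_name(project_ref: str, commit_hash: str) -> str:
    """Archive name pattern from the slide; <projectref-commithash> comes from the pipeline."""
    return f"gl-scanner-java_{project_ref}-{commit_hash}_greenlight-results.zip"


# Severity ordering used by the gate, lowest to highest (assumed labels).
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "very high": 4}


def load_findings(zip_bytes: bytes) -> list:
    """Collect the 'findings' list from every JSON member of the archive (assumed schema)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if member.endswith(".json"):
                findings.extend(json.loads(zf.read(member)).get("findings", []))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity label, as the summary-results step reports."""
    return dict(Counter(f.get("severity", "unknown").lower() for f in findings))


def evaluate(findings: list, changed_files: set, fail_at: str = "high"):
    """Feature-branch policy: only findings in new/changed files count, and the job
    fails when any of them is at or above the fail_at severity. Returns (passed, blocking)."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [
        f for f in findings
        if f.get("file") in changed_files
        and SEVERITY_RANK.get(f.get("severity", "").lower(), 0) >= threshold
    ]
    return (len(blocking) == 0, blocking)


def gate(zip_bytes: bytes, changed_files: set, fail_at: str = "high") -> int:
    """CI job entry point: returns the exit code the job should use (0 pass, 1 fail)."""
    findings = load_findings(zip_bytes)
    passed, blocking = evaluate(findings, changed_files, fail_at)
    print("summary:", summarize(findings))
    for f in blocking:
        print(f"BLOCKING {f.get('severity')}: {f.get('file')}:{f.get('line')} "
              f"{f.get('cwe')} {f.get('issue')}")
    return 0 if passed else 1


def build_sample_archive() -> bytes:
    """Constructed sample archive (not real scanner output) so the gate runs offline."""
    report = {"findings": [
        {"file": "src/main/java/Login.java", "line": 42, "severity": "High",
         "cwe": "CWE-89", "issue": "SQL injection"},
        {"file": "src/main/java/Util.java", "line": 7, "severity": "Medium",
         "cwe": "CWE-117", "issue": "Log injection"},
        {"file": "src/main/java/Legacy.java", "line": 300, "severity": "Very High",
         "cwe": "CWE-78", "issue": "OS command injection"},
    ]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("greenlight-results.json", json.dumps(report))
    return buf.getvalue()


if __name__ == "__main__":
    # Legacy.java is untouched on this branch, so its finding is reported but not blocking.
    changed = {"src/main/java/Login.java", "src/main/java/Util.java"}
    raise SystemExit(gate(build_sample_archive(), changed))
```

Scoping the gate to changed files is what lets a feature-branch pipeline fail fast on newly introduced flaws without blocking on pre-existing debt, which the later Static Policy scan still covers.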
DevSecOps Resources
• Kim, Gene, Patrick Debois, and John Willis. 2016. The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations.
• Veracode Helps Developers Find Security Flaws Faster Using AWS. 2017. AWS. https://aws.amazon.com/solutions/case-studies/veracode/
• State of Software Security. Volume 9. Veracode. https://www.veracode.com/state-of-software-security-report
• The Developer’s Guide To The DevSecOps Galaxy. 2017. Veracode. https://info.veracode.com/guide-developers-to-devsecops-galaxy.html
• ‘2018 Accelerate: State of DevOps Report’. 2018. DORA. https://cloudplatformonline.com/rs/248-TPC-286/images/DORA-State%20of%20DevOps.pdf
Thank You
