Sonatype , profile picture
Uploaded bySonatype
PDF, PPTX1,963 views

A Secure DevOps Journey

The document outlines Veracode's transition from traditional development methodologies to a secure DevOps approach, detailing the evolution from waterfall to agile and finally to DevOps. It emphasizes the importance of cultural changes, automation, and integrated security practices throughout this journey. The presentation also highlights the challenges faced and the need for continuous improvement in the organization's processes and technologies.

Embed presentation

Download as PDF, PPTX
November 15, 2016 A Secure DevOps Journey Peter Chestna, Director of Developer Engagement, Veracode
November 15, 2016
• Development methodologies used at Veracode – Waterfall, Agile, DevOps – People – Process – Technology – Security • Veracode’s journey – What did we change – What were the results Goals
• 2006 – Veracode founded/Waterfall • 2012 – Agile • 2013 – Purina • 2014 – Microservices • 2015 - DevOps Veracode Timeline
Felt like… Transformation – People/Org/Culture Management • Leading change • Organizational • Breaking the silos • New specialties • New skills – care & feeding • New expectations Individual • Uncertainty/fear/anger • Organizational • New manager • New team/peers • New skills – X-functional • New expectations
Looked like… Transformation - Process Most of the change occurred in Agile • Waterfall -> Agile was revolutionary • Agile -> DevOps was evolutionary • Like the Monty Python theory of dinosaurs
Waterfall Transformation - Technology Agile DevOps Not as big of a difference between stages Just more and more automation
There was Waterfall In the beginning…
Waterfall - Process Finding anything late creates a cycle of waste
O p e r a t i o n s S e c u r i t y Q u a l i t y D e v e l o p m e n t A r c h i t e c t u r e R e q u i r e m e n t s Waterfall - People
• Gantt charts • Text documents • Requirements • Architecture • Designs • Test plans • Manual tests • Manual deploy • Shell scripts • SQL cripts Waterfall - Technology Old School
Waterfall - Security Occurred during testing cycle Back end of process Mostly manual Unpredictable amount of work
Coming of Age: Agile
Agile - Process Copyright 2005, Mountain Goat Software
Agile - People Dev/QA ITDept OPS Org Security
Agile – Technology Initially
Agile – Security – Early Days 3 Build 4 Static Analysis Hardening Sprint 5 Security Results Security Results 2 Check in 1 Develop Agile Backlog
1 Develop 6 Static Analysis 7 Synchronize 4 Check in Static Analysis 3 Build & Test 2 Agile Backlog Agile – Security – Automated and Integrated 5 Build Nightly
Agile – Security is not limited to automation of static analysis! Security Champions Security Grooming (Requirements Review) Security as part of the Definition of Done Threat Modeling Secure Code Review Pen Testing Pre-Productions Dynamic Analysis
Agile - Culture clash between Dev, OPS and Security
We Have Arrived: DevOps
DevOps - Process
DevOps - People Break the Silos Reorganize Change the Culture
DevOps - Technology Automate! Automate! Automate! Feature switching for controlled rollout Rolling upgrades Zero downtime Make incremental changes
DevOps - Security
1 Develop 4 Check in Static Analysis 3 Build & Test 2 Backlog DevOps – Security – Integrated into CD Pipeline Pass? 7 Synchronize No Yes 7 Deploy to Stage 6 Static Analysis 6 Unit Tests 8 Dynamic Analysis 8 Regression Testing Pass? Yes Prod Per Check-in 5 Build CD Pipeline
Training (eLearning, instructor led, metadata driven) Static Application Security Testing + 3rd Party Risk Analysis Remediation and Mitigation Guidance Secure Code Reviews Manual Penetration Testing Red Team Activities Runtime Application Self Protection Dynamic Application Security Testing Plan Code Build Test Stage Deploy Monitor Threat Modeling Security Grooming Secure Design DevOps – Pervasive Security
This Is Our Journey • Revolution at the micro level • Evolution at the macro level Innovation • Always constructively dissatisfied • Hypothesize, prototype, measure • Sharpen the saw Continuous Improvement
November 15, 2016
Thank You w w w . v e r a c o d e . c o m @PeteChestna

More Related Content

PPTX
SecDevOps: The New Black of IT
byCloudPassage
 
PDF
Ast in CI/CD by Ofer Maor
byDevSecCon
 
PDF
DevSecOps - Building Rugged Software
bySeniorStoryteller
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
PPTX
DevOps & Security: Here & Now
byCheckmarx
 
PDF
Integrating DevOps and Security
byStijn Muylle
 
KEY
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
PDF
Continuous Security Testing - DevSecCon
byStephen de Vries
 
SecDevOps: The New Black of IT
byCloudPassage
 
Ast in CI/CD by Ofer Maor
byDevSecCon
 
DevSecOps - Building Rugged Software
bySeniorStoryteller
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
DevOps & Security: Here & Now
byCheckmarx
 
Integrating DevOps and Security
byStijn Muylle
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
Continuous Security Testing - DevSecCon
byStephen de Vries
 

What's hot

PDF
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
byDevSecOpsSg
 
PPTX
DevSecOps
byCheah Eng Soon
 
PDF
DevSecCon London 2017: Shift happens ... by Colin Domoney
byDevSecCon
 
PDF
DevSecOps - The big picture
byDevSecOpsSg
 
PPTX
Automating security tests for Continuous Integration
byStephen de Vries
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PDF
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
PDF
Merging Security with DevOps - An AppSec Perspective
byAbhay Bhargav
 
PDF
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
byDevSecCon
 
PDF
DevSecCon London 2017: How far left do you want to go with security? by Javie...
byDevSecCon
 
PPTX
DevSecOps OWASP
byPriyanka Raghavan
 
PDF
Security in a Continuous Delivery World
byDinis Cruz
 
PPTX
SecDevOps 2.0 - Managing Your Robot Army
byconjur_inc
 
PDF
8 Tips for Deploying DevSecOps
byFelicia Haggarty
 
PPTX
DevSecOps - It can change your life (cycle)
byQualitest
 
PPTX
Security Testing for Containerized Applications
bySoluto
 
PDF
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
byHui (Henry) Chen
 
PDF
Building a DevSecOps Pipeline Around Your Spring Boot Application
byVMware Tanzu
 
PPTX
Owasp glue
bySoluto
 
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
byDevSecOpsSg
 
DevSecOps
byCheah Eng Soon
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
byDevSecCon
 
DevSecOps - The big picture
byDevSecOpsSg
 
Automating security tests for Continuous Integration
byStephen de Vries
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
Merging Security with DevOps - An AppSec Perspective
byAbhay Bhargav
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
byDevSecCon
 
DevSecCon London 2017: How far left do you want to go with security? by Javie...
byDevSecCon
 
DevSecOps OWASP
byPriyanka Raghavan
 
Security in a Continuous Delivery World
byDinis Cruz
 
SecDevOps 2.0 - Managing Your Robot Army
byconjur_inc
 
8 Tips for Deploying DevSecOps
byFelicia Haggarty
 
DevSecOps - It can change your life (cycle)
byQualitest
 
Security Testing for Containerized Applications
bySoluto
 
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
byHui (Henry) Chen
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
byVMware Tanzu
 
Owasp glue
bySoluto
 

Similar to A Secure DevOps Journey

PDF
A Secure DevOps Journey
byVeracode
 
PDF
Devops: Security's big opportunity by Peter Chestna
byDevSecCon
 
PPTX
How to get the best out of DevSecOps - an operations perspective
byColin Domoney
 
PPTX
DevOps: Security's Big Opportunity
byTimothy Jarrett
 
PPTX
How to get the best out of DevSecOps - a security perspective
byColin Domoney
 
PPTX
Outpost24 webinar - application security in a dev ops world-08-2018
byOutpost24
 
PPTX
How to get the best out of DevSecOps - a developers perspective
byColin Domoney
 
PPTX
DevOps Engineering.pptx
byAbalBoot
 
PDF
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
PPTX
Succeeding-Marriage-Cybersecurity-DevOps final
byrkadayam
 
PPTX
Experiences Bringing CD to a DoD Project
byGene Gotimer
 
PPTX
My journey from Fragile, to Agile and now DevOps
byJason Man
 
PDF
The DevSecOps Builder’s Guide to the CI/CD Pipeline
byJames Wickett
 
PDF
Agile Experiences
byDiego Pacheco
 
PDF
Introduction to DevOps slides.pdf
byBoreVishnusai
 
PDF
Scale DevSecOps with your Continuous Integration Pipeline
byDevOps.com
 
PDF
Scale DevSecOps with your Continuous Integration Pipeline
byDevOps.com
 
PDF
A journey into Application Security
byChristian Martorella
 
PDF
Gartner starting and scaling dev ops
byTapabrata Pal
 
PDF
Seven Deadly Saves To Security With Integrations
bySBWebinars
 
A Secure DevOps Journey
byVeracode
 
Devops: Security's big opportunity by Peter Chestna
byDevSecCon
 
How to get the best out of DevSecOps - an operations perspective
byColin Domoney
 
DevOps: Security's Big Opportunity
byTimothy Jarrett
 
How to get the best out of DevSecOps - a security perspective
byColin Domoney
 
Outpost24 webinar - application security in a dev ops world-08-2018
byOutpost24
 
How to get the best out of DevSecOps - a developers perspective
byColin Domoney
 
DevOps Engineering.pptx
byAbalBoot
 
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
Succeeding-Marriage-Cybersecurity-DevOps final
byrkadayam
 
Experiences Bringing CD to a DoD Project
byGene Gotimer
 
My journey from Fragile, to Agile and now DevOps
byJason Man
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
byJames Wickett
 
Agile Experiences
byDiego Pacheco
 
Introduction to DevOps slides.pdf
byBoreVishnusai
 
Scale DevSecOps with your Continuous Integration Pipeline
byDevOps.com
 
Scale DevSecOps with your Continuous Integration Pipeline
byDevOps.com
 
A journey into Application Security
byChristian Martorella
 
Gartner starting and scaling dev ops
byTapabrata Pal
 
Seven Deadly Saves To Security With Integrations
bySBWebinars
 

More from Sonatype

PPTX
DevOps Days Columbus - Derek Weeks - 2019
bySonatype
 
PDF
2019 DevSecOps Reference Architectures
bySonatype
 
PDF
RSAC DevSecOpsDays 2018 - We are all Equifax
bySonatype
 
PPTX
DevSecOps reference architectures 2018
bySonatype
 
PDF
30+ Nexus Integrations to Accelerate DevOps
bySonatype
 
PDF
2017 DevSecOps Survey
bySonatype
 
PPTX
Starting and Scaling DevOps In the Enterprise
bySonatype
 
PPTX
DevOps Friendly Doc Publishing for APIs & Microservices
bySonatype
 
PDF
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
bySonatype
 
PPTX
DevOps and All the Continuouses w/ Helen Beal
bySonatype
 
PDF
Serverless and the Way Forward
bySonatype
 
PDF
A Small Association's Journey to DevOps w/ Edward Ruiz
bySonatype
 
PDF
What's My Security Policy Doing to My Help Desk w/ Chris Swan
bySonatype
 
PDF
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
bySonatype
 
PDF
Static Analysis For Security and DevOps Happiness w/ Justin Collins
bySonatype
 
PDF
Automated Infrastructure Security: Monitoring using FOSS
bySonatype
 
PDF
System Hardening Using Ansible
bySonatype
 
PDF
There is No Server: Immutable Infrastructure and Serverless Architecture
bySonatype
 
PDF
Getting out of the Job Jungle with Jenkins
bySonatype
 
PDF
Modern Infrastructure Automation
bySonatype
 
DevOps Days Columbus - Derek Weeks - 2019
bySonatype
 
2019 DevSecOps Reference Architectures
bySonatype
 
RSAC DevSecOpsDays 2018 - We are all Equifax
bySonatype
 
DevSecOps reference architectures 2018
bySonatype
 
30+ Nexus Integrations to Accelerate DevOps
bySonatype
 
2017 DevSecOps Survey
bySonatype
 
Starting and Scaling DevOps In the Enterprise
bySonatype
 
DevOps Friendly Doc Publishing for APIs & Microservices
bySonatype
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
bySonatype
 
DevOps and All the Continuouses w/ Helen Beal
bySonatype
 
Serverless and the Way Forward
bySonatype
 
A Small Association's Journey to DevOps w/ Edward Ruiz
bySonatype
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
bySonatype
 
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
bySonatype
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
bySonatype
 
Automated Infrastructure Security: Monitoring using FOSS
bySonatype
 
System Hardening Using Ansible
bySonatype
 
There is No Server: Immutable Infrastructure and Serverless Architecture
bySonatype
 
Getting out of the Job Jungle with Jenkins
bySonatype
 
Modern Infrastructure Automation
bySonatype
 

Recently uploaded

PDF
Insurance-CRM-Software-The-Key-to-Digital-Transformation.pdf
byInsurance Tech Services
 
PDF
Build Vs. Buy: Cloud Cost Management and FinOps
byAmnic
 
PPTX
Wired_AnalyticsTraineeship_13112025_clean.pptx
bySimonedeGijt
 
PPTX
Invisible protection against AI training - Poison Pill
byPoison Pill
 
PDF
SiyanoAV: The Best Antivirus Software for Complete Digital Protection
byabhisheksiyano
 
PDF
Top 10 Ways AI Can Improve SEO Strategies in 2025.pdf
bybpractseo
 
PPTX
How Embedded Analytics Drives SaaS Growth in Fintech.pptx
byVarsha Nayak
 
PDF
Simplify Finances with Qandle’s Expense Software.pdf
byQandle
 
PDF
Cost to Develop a Careem Clone App in the UAE
byMobility Infotech
 
PPTX
AI and Automation Software | Best AI and Automation Software
byEasy Clinic
 
PPTX
EMR software | Best EMR software | EasyClinic
byEasy Clinic
 
PDF
The future Android App Development in 2025
byLoudOwls Solutions Private Limited
 
PDF
Cloud-based Hotel PMS_ Why hotels Must Upgrade Now.pdf
byHotelogix
 
PPTX
AI in Payroll Automate & Optimize Workforce Management
byMatellio
 
PPTX
Real-Time AI Voice Agents over WebRTC - A Practical Playbook
byAlberto González Trastoy
 
PDF
Speculative Automated Refactoring of Imperative Deep Learning Programs to Gra...
byRaffi Khatchadourian
 
PDF
Patterns of Patterns and why we need them
bydescri1
 
PDF
Effortless MBOX Conversion — Fast, Secure, and Compatible with SysInfo MBOX C...
bySysInfo Tools
 
PDF
The future of software delivery is agentic
byMaxim Salnikov
 
PPTX
Cache management across scenarios_version5.pptx
bykamarajsindhuja1
 
Insurance-CRM-Software-The-Key-to-Digital-Transformation.pdf
byInsurance Tech Services
 
Build Vs. Buy: Cloud Cost Management and FinOps
byAmnic
 
Wired_AnalyticsTraineeship_13112025_clean.pptx
bySimonedeGijt
 
Invisible protection against AI training - Poison Pill
byPoison Pill
 
SiyanoAV: The Best Antivirus Software for Complete Digital Protection
byabhisheksiyano
 
Top 10 Ways AI Can Improve SEO Strategies in 2025.pdf
bybpractseo
 
How Embedded Analytics Drives SaaS Growth in Fintech.pptx
byVarsha Nayak
 
Simplify Finances with Qandle’s Expense Software.pdf
byQandle
 
Cost to Develop a Careem Clone App in the UAE
byMobility Infotech
 
AI and Automation Software | Best AI and Automation Software
byEasy Clinic
 
EMR software | Best EMR software | EasyClinic
byEasy Clinic
 
The future Android App Development in 2025
byLoudOwls Solutions Private Limited
 
Cloud-based Hotel PMS_ Why hotels Must Upgrade Now.pdf
byHotelogix
 
AI in Payroll Automate & Optimize Workforce Management
byMatellio
 
Real-Time AI Voice Agents over WebRTC - A Practical Playbook
byAlberto González Trastoy
 
Speculative Automated Refactoring of Imperative Deep Learning Programs to Gra...
byRaffi Khatchadourian
 
Patterns of Patterns and why we need them
bydescri1
 
Effortless MBOX Conversion — Fast, Secure, and Compatible with SysInfo MBOX C...
bySysInfo Tools
 
The future of software delivery is agentic
byMaxim Salnikov
 
Cache management across scenarios_version5.pptx
bykamarajsindhuja1
 

A Secure DevOps Journey