Seven Deadly Saves To Security With Integrations
© 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.

DEVSECOPS

Who are we?
Tim Jarrett (@tojarrett)
• Over 20 years in software: development, project management, product management & strategy
• At Veracode since 2008
• Grammy award winner, Bacon number of 3
Diptesh Shah
• Over 15 years’ experience as a developer and engineering leader
• At Veracode since 2017
• Recent Winter Olympics “swept” me into Curling

Why appsec integrations?

DevSecOps: the end of manual security?
• Continuous Delivery
• Shorten feedback loops
• Learn quickly

Fix earlier = fix cheaper
[Bar chart: y-axis 0 to 120; x-axis phases Design, Implementation, Testing, Maintenance]
Source: IBM, based on Boehm, 1981/2001

Avoid rework
Development process – current state: Code → Ship → Discover issue → Fix and ship again
Development process with integrations: Code → Discover issue → Fix issue → Ship

Avoid context switching

DevSecOps – Follow the Code

Code phase
1 Develop
2 Check in
Team processes (build, test, agile planning)

Build phase
1 Get latest check-ins from source control
2 Build and Run Tests (Test Failures)
3 Stage/Deploy

Deploy and Production phase
Deployment pipeline → Stage/Deploy → Monitor for Incidents
Scan for issues in production

Different development methodologies = different integration approaches
Waterfall: 1-4 releases per year; 50+ people
Agile: 12-24 releases per year; 6-12 people
DevOps: 100+ releases per year; 6-12 people

Waterfall to agile: “build and test”
1 Develop
2 Backlog (tickets)
3 Build & Test
3a Manual Testing*
4 Check in (Static Analysis)
5 Build (Scheduled Build, nightly/weekly)
6 Static Analysis and Unit Tests
Pass? No → 7 Synchronize; Yes → Manual acceptance testing, move to stage, move to prod

DevOps: Protect the Pipeline
CI → CD
1 Develop
1a Static Analysis
2 Backlog
3 Build & Test
4 Check in (Static Analysis)
5 Build (CI/CD Pipeline, per check-in)
6 Static Analysis and Unit Tests
Pass? No → 7 Synchronize; Yes → 7 Deploy to QA/Stage
8 Dynamic Analysis and Regression Testing
Pass? Yes → Stage then Prod

Veracode Integrations Team
Focused on delivering integration capabilities with the Veracode platform that enable development teams to “shift security left” and make the idea of “DevSecOps” a reality.
• 12-person team; geographically distributed
• Responsible for 20+ applications & supporting modules
• 75 releases in 2017 (on pace for 144 releases in 2018)
• SAFe / Agile Scrum
• DevSecOps (evolution continues)
• Vested interest in achieving our mission!!

In The Beginning
Backlog
1 Develop
2 Check in
3 Build (Scheduled Build, nightly/weekly)
4 Static Analysis
5 Security Results

Empower Developers – IDE Integration
Initially:
1 Develop
2 Backlog
3 Build & Test
4 Check in (Sandbox Static Analysis)
Fast Forward to Now:
1 Develop
1a Greenlight Static Analysis
2 Backlog
3 Build & Test
4 Check in (Sandbox Static Analysis)

Automated Assessment – Build Server Integration
1 Develop
1a Greenlight Static Analysis
2 Backlog
3 Build & Test
4 Check in (Sandbox Static Analysis)
5 Build (Scheduled Build, nightly/weekly)
6 Static Analysis
7 Security Results

Automated Issue Tracking
1 Develop
1a Greenlight Static Analysis
2 Backlog
3 Build & Test
4 Check in (Sandbox Static Analysis)
5 Build (Scheduled Build, nightly/weekly)
6 Static Analysis
7 Synchronize

Automated Assurance – Fail the Build
1 Develop
1a Greenlight Static Analysis
2 Backlog
3 Build & Test
4 Check in (Sandbox Static Analysis)
5 Build (Scheduled Build, nightly/weekly)
6 Static Analysis and Unit Tests
Pass? No → 7 Synchronize; Yes → Manual acceptance testing, move to stage, move to prod

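The two automated steps the "Automated Issue Tracking" and "Automated Assurance – Fail the Build" diagrams describe, synchronizing findings into the backlog and failing the build when the result does not pass policy, as an added example that is not part of the deck and not Veracode's code. The report format, the 1-5 severity scale, the policy fields and the in-memory ticket store are all constructed for illustration; a real integration would read the scanner's own report and call the issue tracker's API where this code updates a dict.

```python
"""Build gate for static-analysis findings: synchronize, then pass or fail the build.

Added example (not Veracode's code and not from the deck). The report format,
the 1-5 severity scale, the policy fields and the ticket store are constructed
for illustration; a real integration reads the scanner's report and calls the
issue tracker's API in place of the in-memory dict used here.
"""
import json
import sys
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Constructed sample scan report (not a real scanner's output format).
SAMPLE_REPORT = """
{"findings": [
  {"id": "f-1001", "cwe": 89,  "severity": 5, "file": "app/db.py",     "line": 42, "mitigated": false},
  {"id": "f-1002", "cwe": 79,  "severity": 4, "file": "app/views.py",  "line": 17, "mitigated": false},
  {"id": "f-1003", "cwe": 327, "severity": 3, "file": "app/crypto.py", "line": 8,  "mitigated": true},
  {"id": "f-1004", "cwe": 200, "severity": 2, "file": "app/log.py",    "line": 91, "mitigated": false}
]}
"""


@dataclass(frozen=True)
class Policy:
    """Gate policy (constructed fields). Severity is on a 1-5 scale, 5 = highest."""
    fail_at_severity: int = 4          # any unmitigated finding at/above this fails the build
    ticket_at_severity: int = 3        # findings at/above this are synchronized to the backlog
    always_block_cwes: FrozenSet[int] = frozenset({78, 89, 502})  # block regardless of severity


@dataclass
class GateResult:
    passed: bool
    blocking: List[dict] = field(default_factory=list)      # findings that failed the gate
    new_tickets: List[dict] = field(default_factory=list)   # ticket payloads to create


def load_findings(report_text: str) -> List[dict]:
    """Parse the (constructed) report and return its findings list."""
    return list(json.loads(report_text).get("findings", []))


def ticket_payload(finding: dict) -> dict:
    """Shape a finding into a backlog ticket; the fields are illustrative."""
    return {
        "finding_id": finding["id"],
        "summary": "CWE-{cwe} in {file}:{line} (severity {severity})".format(**finding),
    }


def evaluate(findings: List[dict], policy: Policy, existing_tickets: Dict[str, str]) -> GateResult:
    """Decide pass/fail and which findings still need a ticket.

    existing_tickets maps finding id -> ticket key already in the tracker, so
    re-running the gate on every build does not open duplicate tickets.
    Findings the security team has accepted as mitigated neither block nor sync.
    """
    active = [f for f in findings if not f.get("mitigated", False)]

    def blocks(f: dict) -> bool:
        return f["severity"] >= policy.fail_at_severity or f["cwe"] in policy.always_block_cwes

    def needs_ticket(f: dict) -> bool:
        return blocks(f) or f["severity"] >= policy.ticket_at_severity

    blocking = sorted((f for f in active if blocks(f)), key=lambda f: (-f["severity"], f["id"]))
    new_tickets = [ticket_payload(f) for f in active
                   if needs_ticket(f) and f["id"] not in existing_tickets]
    return GateResult(passed=not blocking, blocking=blocking, new_tickets=new_tickets)


def run_gate(report_text: str, policy: Policy, existing_tickets: Dict[str, str]) -> int:
    """CI entry point: returns the process exit code (0 = pass, 1 = fail the build)."""
    result = evaluate(load_findings(report_text), policy, existing_tickets)
    for ticket in result.new_tickets:  # "Synchronize": open a ticket for each new finding
        existing_tickets[ticket["finding_id"]] = "TICKET-" + ticket["finding_id"]  # stand-in for the tracker API
        print("opened ticket for", ticket["summary"])
    if result.passed:
        print("security gate passed")
        return 0
    print("security gate FAILED; blocking findings:", [f["id"] for f in result.blocking])
    return 1


if __name__ == "__main__":
    # Simulate a tracker that already holds a ticket for f-1002 from an earlier build.
    sys.exit(run_gate(SAMPLE_REPORT, Policy(), {"f-1002": "TICKET-f-1002"}))
```

Synchronizing before deciding pass/fail is deliberate: a failed build still leaves the developer with tickets that point at the exact file and line, which is the "discover issue, fix issue, ship" loop the "Avoid rework" slide contrasts with fixing after shipping. Keeping the ticket store keyed by finding id is what lets a nightly or per-check-in run stay idempotent.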
Continued Assurance
CI → CD
1 Develop
1a Greenlight Static Analysis
2 Backlog
3 Build & Test
4 Check in (Sandbox Static Analysis)
5 Build (CI/CD Pipeline, per check-in)
6 Static Analysis and Unit Tests
Pass? No → 7 Synchronize; Yes → 7 Deploy to QA/Stage → Manual acceptance testing, move to stage, move to prod

Continued Assurance – End Goal
CI → CD
1 Develop
1a Greenlight Static Analysis
2 Backlog
3 Build & Test
4 Check in (Sandbox Static Analysis)
5 Build (CI/CD Pipeline, per check-in)
6 Static Analysis and Unit Tests
Pass? No → 7 Synchronize; Yes → 7 Deploy to QA/Stage
8 Dynamic Analysis and Regression Testing
Pass? Yes → Stage then Prod

Making it happen

Relationships
• Who is your peer in development / security?
• Do you meet with them?
• Do you understand each other’s goals?
• Are you sympathetic to each other’s struggles?

Accountability
• Shared between development and security
• Part of annual goals for both teams
• Measured and reported regularly

Shift Left & Monitor
Pipeline phases: Plan → Code → Build → Test → Stage → Deploy → Monitor
• Dynamic Application Security Testing
• Runtime Application Self Protection
• Open Source Risk Monitoring
• Static Application Security Testing + 3rd Party Risk Analysis
• Training (eLearning, instructor led, metadata driven)
• Manual Penetration Testing
• Red Team Activities
• Remediation and Mitigation Guidance
• Secure Code Reviews
• Threat Modeling
• Security Grooming
• Secure Design

Questions?
@tojarrett
