Stefan Streichsbier, profile picture
Uploaded byStefan Streichsbier
PPTX, PDF203 views

State of DevSecOps - GTACS 2019

The document discusses the importance of DevSecOps. It notes that existing security solutions are no longer adequate as software can now be distributed globally and created more cheaply in the cloud. DevSecOps aims to integrate security into development and operations by making security teams empower developers and help them succeed. It outlines how security tools and responsibilities have evolved from separate security testing to being integrated into product teams. The document argues DevSecOps is important because fixing defects early is cheaper than during production, and most modern applications use open source components which could contain vulnerabilities. It concludes security teams should empower product teams and help solve technology problems while product teams should be mindful of security.

Embed presentation

Download to read offline
The State of DevSecOps Stefan Streichsbier CEO GuardRails #GTACS2019
About me Stefan Streichsbier @s_streichsbier Supported by:
What do these companies have in common? <10 years
Tech Startups in Asia – #10YearChallenge 2009 vs 2019
1. Existing solutions are no longer adequate Provide A Terrible User Experience Enterprise Solutions Come From The Waterfall Era Enterprise Means Overpriced
2. SaaS enable wide-spread distribution Your Users Are Everywhere No Need To Go To A Physical Location No Need to Create WW Sales Teams
3. Cheaper to create & operate Software Startup Ecosystems Empower Entrepreneurs Open Source Software Provides Building Blocks Cloud Computing Provides Low Barrier of Entry
To summarize The existing solutions are ripe for replacement Creating new technology solutions was never faster Software can be Distributed globally
DevSecOps: How important is it really? • Agile took us from months to days to deliver software • DevOps took us from months to minutes to deploy software • More applications are mission critical • Now security has become the bottleneck
The real impact of hacks & breaches News is full of high-profile breaches that get widespread attention. But they are not the only target of hackers 43% of all cyber attacks target small businesses. 60% of small businesses that are Hacked go out of business within 6 months. 1/5 data breaches are the result of attackers abusing insecure web applications.
DevSecOps: Who is responsible?
The Evolution of Security Tools Secure SDLCPenetration Testing DevSecOps Duration 2-4 weeks 1-2 weeks Continuous and Real-time Tools • Port Scanners • Vulnerability Scanners • Exploitation Tools Audience • Security Professionals Tools • Code Security Scanners • Dynamic Security Scanners • Vulnerability Scanners Audience • Security Professionals in Enterprise Security Teams Tools • Code Security Scanners • Interactive Security Scanners • Runtime Application Self Protection Audience • Developers in Product Teams
Security Development Operations The Evolution of Security Teams Secure SDLCPenetration Testing DevSecOps Security Development Operations Security Development Operations “Department of NO” “Let’s work together” “How can we help you succeed?”
Modern security teams empower dev teams! 100 10 1 Dev Ops Sec: : : : Looks like we have a scale problem
- John Willis You build it, you secure it.
Mindset within your product teams • Have Shared Pain and Shared Goals • Clearly defined global delivery goals (no competing KPIs) • Measure outcome (customer value), not output • Be Autonomous • Maximize flow (minimize cycle times) • Implement fast automated test suites • Never pass defects downstream • Create quality at the source (provide knowledge where needed) • Full decision authority • Full Accountability • Good or bad - you own it. There is no one else to blame
Leveraging DevSecOps Principles
Understanding benefits of security controls Create Test Monitor Challenges • Changing human behavior • Difficult to enforce • People churn Benefits • Reduce new vulnerabilities Challenges • Vulnerability Noise • Fixing issues • Coverage of issues Benefits • Enforceable • Provide Metrics Challenges • Coverage of issues • Org wide rollout Benefits • Enforceable • Provide Metrics • Block attacks Security
DevSecOps - Monitor Are your applications currently under attack? Are we automatically defending against this attack? What are attackers going after? • Micro Segmentation • Runtime Application Self Protection (RASP) • Bug Bounties Questions you should be able to answerAvailable Technologies
DevSecOps - Test Do the latest changes introduce new security issues? Does our code contain hard- coded secrets? Do any of our 3rd party libraries have known security issues? Questions you should be able to answer • Static Application Security Testing (SAST) • Sensitive Information Scanners (SIS) • Software Composition Analysis (SCA/CCA) • Dynamic Security Scanning (DAST) • Interactive Application Security Testing (IAST) Available Technologies
Automated Security Testing SAST SCA DAST/IASTCCA CommercialOpenSource 60+
Where do these tools live? Source: https://twitter.com/djschleen
DevSecOps - Create Do your teams know the most common successful attacks? Who is the dedicated security contact in a team? Do your teams know how to detect and avoid them? Questions you should be able to answer • Security Awareness • Secure Coding Training • Shared Knowledge Base • Security Focused Hackathons • Security Champion Program Available Options
DevSecOps Do we really need it now? There are some compelling statistics • It’s 30 times cheaper to fix security defects in development vs production • 80% to 90% of modern applications consist of open source components • An average data breach costs close to 4M USD • Most of the DevOps high-performers include security in their delivery process Security as Competitive Advantage
State of DevSecOps - Conclusion Security TeamTechnologies Product Team • Tools have improved • Choose them wisely • Solve technology problems • Cover the whole portfolio • Start acting on data in prod • Department of YES • Empowering product teams • Use scarce resources wisely • Knowledge is power • Turn developers into security champs • Be mindful that change is slow • Build it, run it, secure it
Thank You #GTACS2019
Get a curated list of security resources Consisting of: • Awesome security lists • Developer trainings • List of great security tools • Security Page templates • Free digital copy of my book • the slides • … and more Then send an email to: iwant@guardrails.io

More Related Content

PPTX
State of DevSecOps - DevOpsDays Jakarta 2019
byStefan Streichsbier
 
PPTX
State of DevSecOps - DevSecOpsDays 2019
byStefan Streichsbier
 
PPTX
Security and Mobility Co Create Week Jakarta
byStefan Streichsbier
 
PDF
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
byDevOps Indonesia
 
PDF
DevSecOps in 2031: How robots and humans will secure apps together Log
byStefan Streichsbier
 
PDF
DevOps not a Toolbox
byDevOps Indonesia
 
PDF
The Future of DevSecOps
byStefan Streichsbier
 
PDF
New Barriers of Transformation
byDevOps Indonesia
 
State of DevSecOps - DevOpsDays Jakarta 2019
byStefan Streichsbier
 
State of DevSecOps - DevSecOpsDays 2019
byStefan Streichsbier
 
Security and Mobility Co Create Week Jakarta
byStefan Streichsbier
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
byDevOps Indonesia
 
DevSecOps in 2031: How robots and humans will secure apps together Log
byStefan Streichsbier
 
DevOps not a Toolbox
byDevOps Indonesia
 
The Future of DevSecOps
byStefan Streichsbier
 
New Barriers of Transformation
byDevOps Indonesia
 

What's hot

PPTX
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
PDF
The State of DevSecOps
byDevOps Indonesia
 
PDF
DevSecOps: Bringing security to the DevOps pipeline
byAarno Aukia
 
PPTX
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
bySeniorStoryteller
 
PPTX
Safely Removing the Last Roadblock to Continuous Delivery
bySeniorStoryteller
 
PPTX
Securing a great DX - DevSecOps Days Singapore 2018
byStefan Streichsbier
 
PDF
Taking Open Source Security to the Next Level
byWhiteSource
 
PPTX
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
byDevOps.com
 
PDF
Dos and Don'ts of DevSecOps
byPriyanka Aash
 
PDF
DevSecOps The Evolution of DevOps
byMichael Man
 
PDF
The New Security Playbook: DevSecOps
byJames Wickett
 
PPT
DevSecOps Singapore introduction
byStefan Streichsbier
 
PPTX
DevSecOps
byJoel Divekar
 
PPTX
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 
PDF
Open Source Security: How to Lay the Groundwork for a Secure Culture
byWhiteSource
 
PDF
The Challenges of Scaling DevSecOps
byWhiteSource
 
PDF
Silver Lining for Miles: DevOps for Building Security Solutions
bySeniorStoryteller
 
PPTX
Dev secops indonesia-devsecops as a service-Amien Harisen
byNadira Bajrei
 
PPTX
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
byOutpost24
 
PDF
Container Security: What Enterprises Need to Know
byDevOps.com
 
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
The State of DevSecOps
byDevOps Indonesia
 
DevSecOps: Bringing security to the DevOps pipeline
byAarno Aukia
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
bySeniorStoryteller
 
Safely Removing the Last Roadblock to Continuous Delivery
bySeniorStoryteller
 
Securing a great DX - DevSecOps Days Singapore 2018
byStefan Streichsbier
 
Taking Open Source Security to the Next Level
byWhiteSource
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
byDevOps.com
 
Dos and Don'ts of DevSecOps
byPriyanka Aash
 
DevSecOps The Evolution of DevOps
byMichael Man
 
The New Security Playbook: DevSecOps
byJames Wickett
 
DevSecOps Singapore introduction
byStefan Streichsbier
 
DevSecOps
byJoel Divekar
 
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
byWhiteSource
 
The Challenges of Scaling DevSecOps
byWhiteSource
 
Silver Lining for Miles: DevOps for Building Security Solutions
bySeniorStoryteller
 
Dev secops indonesia-devsecops as a service-Amien Harisen
byNadira Bajrei
 
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
byOutpost24
 
Container Security: What Enterprises Need to Know
byDevOps.com
 

Similar to State of DevSecOps - GTACS 2019

PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PPTX
DevSecOps Powerpoint Presentation for Students
bypoonawala2303
 
PDF
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
byDicodingEvent
 
PDF
DevSecOps - Background, Status and Future Challenges
bydsc71656
 
PPTX
Outpost24 webinar - application security in a dev ops world-08-2018
byOutpost24
 
PPTX
DevSecOps without DevOps is Just Security
byKevin Fealey
 
PDF
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
PDF
DevSecOps - The big picture
byDevSecOpsSg
 
PDF
DevSecOps - The big picture
byStefan Streichsbier
 
PDF
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
PDF
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
PPTX
DevSecOps Best Practices-Safeguarding Your Digital Landscape
bystevecooper930744
 
PDF
August 2018: DevSecOps - London Gathering
byMichael Man
 
PDF
Security at the Speed of Software Development
byDevOps.com
 
PDF
Scale security for a dollar or less
byMohammed A. Imran
 
PDF
Pentest is yesterday, DevSecOps is tomorrow
byAmien Harisen Rosyandino
 
PDF
The What, Why, and How of DevSecOps
byCprime
 
PDF
Security Process in DevSecOps
byOpsta
 
PDF
Protecting Agile Transformation through Secure DevOps (DevSecOps)
byEryk Budi Pratama
 
PDF
How DevOps Improves Security DevSecOps Explained.pdf
byhimanshuwowit
 
Introduction to DevSecOps
byabhimanyubhogwan
 
DevSecOps Powerpoint Presentation for Students
bypoonawala2303
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
byDicodingEvent
 
DevSecOps - Background, Status and Future Challenges
bydsc71656
 
Outpost24 webinar - application security in a dev ops world-08-2018
byOutpost24
 
DevSecOps without DevOps is Just Security
byKevin Fealey
 
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
DevSecOps - The big picture
byDevSecOpsSg
 
DevSecOps - The big picture
byStefan Streichsbier
 
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
bystevecooper930744
 
August 2018: DevSecOps - London Gathering
byMichael Man
 
Security at the Speed of Software Development
byDevOps.com
 
Scale security for a dollar or less
byMohammed A. Imran
 
Pentest is yesterday, DevSecOps is tomorrow
byAmien Harisen Rosyandino
 
The What, Why, and How of DevSecOps
byCprime
 
Security Process in DevSecOps
byOpsta
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
byEryk Budi Pratama
 
How DevOps Improves Security DevSecOps Explained.pdf
byhimanshuwowit
 

More from Stefan Streichsbier

PPTX
Practical Secure Coding Workshop - {DECIPHER} Hackathon
byStefan Streichsbier
 
PPTX
Securing a great Developer Experience - v1.3
byStefan Streichsbier
 
PDF
A Tale of Three Horses - RSAC 2017 APJ - DevOps Connect: DevSecOps Edition, S...
byStefan Streichsbier
 
PPTX
Null application security in an agile world
byStefan Streichsbier
 
PDF
Application Security in an Agile World - Agile Singapore 2016
byStefan Streichsbier
 
PDF
Application Security at DevOps Speed - DevOpsDays Singapore 2016
byStefan Streichsbier
 
Practical Secure Coding Workshop - {DECIPHER} Hackathon
byStefan Streichsbier
 
Securing a great Developer Experience - v1.3
byStefan Streichsbier
 
A Tale of Three Horses - RSAC 2017 APJ - DevOps Connect: DevSecOps Edition, S...
byStefan Streichsbier
 
Null application security in an agile world
byStefan Streichsbier
 
Application Security in an Agile World - Agile Singapore 2016
byStefan Streichsbier
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
byStefan Streichsbier
 

Recently uploaded

PDF
Getting started with Agent Framework.pdf
byNilesh Gule
 
PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PPTX
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
PDF
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
PPTX
Getting Started with MSP360 Backup for M365/Google
byMSP360
 
PDF
Database Performance at Scale: The TL;DR
byScyllaDB
 
PDF
UiPath Veterans Day Acknowledgement and Benefits
byDianaGray10
 
PDF
WebXR in Android and Linux with OpenXR
byIgalia
 
PDF
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
PDF
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
PDF
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
PPTX
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
PDF
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 
PDF
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
PPTX
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
PDF
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Getting started with Agent Framework.pdf
byNilesh Gule
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
Getting Started with MSP360 Backup for M365/Google
byMSP360
 
Database Performance at Scale: The TL;DR
byScyllaDB
 
UiPath Veterans Day Acknowledgement and Benefits
byDianaGray10
 
WebXR in Android and Linux with OpenXR
byIgalia
 
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 

State of DevSecOps - GTACS 2019

  • 1.
    The State ofDevSecOps Stefan Streichsbier CEO GuardRails #GTACS2019
  • 2.
  • 3.
    What do thesecompanies have in common? <10 years
  • 4.
    Tech Startups inAsia – #10YearChallenge 2009 vs 2019
  • 5.
    1. Existing solutionsare no longer adequate Provide A Terrible User Experience Enterprise Solutions Come From The Waterfall Era Enterprise Means Overpriced
  • 6.
    2. SaaS enablewide-spread distribution Your Users Are Everywhere No Need To Go To A Physical Location No Need to Create WW Sales Teams
  • 7.
    3. Cheaper tocreate & operate Software Startup Ecosystems Empower Entrepreneurs Open Source Software Provides Building Blocks Cloud Computing Provides Low Barrier of Entry
  • 8.
    To summarize The existingsolutions are ripe for replacement Creating new technology solutions was never faster Software can be Distributed globally
  • 9.
    DevSecOps: How important isit really? • Agile took us from months to days to deliver software • DevOps took us from months to minutes to deploy software • More applications are mission critical • Now security has become the bottleneck
  • 10.
    The real impactof hacks & breaches News is full of high-profile breaches that get widespread attention. But they are not the only target of hackers 43% of all cyber attacks target small businesses. 60% of small businesses that are Hacked go out of business within 6 months. 1/5 data breaches are the result of attackers abusing insecure web applications.
  • 11.
  • 12.
    The Evolution ofSecurity Tools Secure SDLCPenetration Testing DevSecOps Duration 2-4 weeks 1-2 weeks Continuous and Real-time Tools • Port Scanners • Vulnerability Scanners • Exploitation Tools Audience • Security Professionals Tools • Code Security Scanners • Dynamic Security Scanners • Vulnerability Scanners Audience • Security Professionals in Enterprise Security Teams Tools • Code Security Scanners • Interactive Security Scanners • Runtime Application Self Protection Audience • Developers in Product Teams
  • 13.
    Security Development Operations The Evolution ofSecurity Teams Secure SDLCPenetration Testing DevSecOps Security Development Operations Security Development Operations “Department of NO” “Let’s work together” “How can we help you succeed?”
  • 14.
    Modern security teamsempower dev teams! 100 10 1 Dev Ops Sec: : : : Looks like we have a scale problem
  • 16.
    - John Willis Youbuild it, you secure it.
  • 17.
    Mindset within yourproduct teams • Have Shared Pain and Shared Goals • Clearly defined global delivery goals (no competing KPIs) • Measure outcome (customer value), not output • Be Autonomous • Maximize flow (minimize cycle times) • Implement fast automated test suites • Never pass defects downstream • Create quality at the source (provide knowledge where needed) • Full decision authority • Full Accountability • Good or bad - you own it. There is no one else to blame
  • 18.
  • 19.
    Understanding benefits ofsecurity controls Create Test Monitor Challenges • Changing human behavior • Difficult to enforce • People churn Benefits • Reduce new vulnerabilities Challenges • Vulnerability Noise • Fixing issues • Coverage of issues Benefits • Enforceable • Provide Metrics Challenges • Coverage of issues • Org wide rollout Benefits • Enforceable • Provide Metrics • Block attacks Security
  • 20.
    DevSecOps - Monitor Areyour applications currently under attack? Are we automatically defending against this attack? What are attackers going after? • Micro Segmentation • Runtime Application Self Protection (RASP) • Bug Bounties Questions you should be able to answerAvailable Technologies
  • 21.
    DevSecOps - Test Dothe latest changes introduce new security issues? Does our code contain hard- coded secrets? Do any of our 3rd party libraries have known security issues? Questions you should be able to answer • Static Application Security Testing (SAST) • Sensitive Information Scanners (SIS) • Software Composition Analysis (SCA/CCA) • Dynamic Security Scanning (DAST) • Interactive Application Security Testing (IAST) Available Technologies
  • 22.
    Automated Security Testing SASTSCA DAST/IASTCCA CommercialOpenSource 60+
  • 23.
    Where do thesetools live? Source: https://twitter.com/djschleen
  • 24.
    DevSecOps - Create Doyour teams know the most common successful attacks? Who is the dedicated security contact in a team? Do your teams know how to detect and avoid them? Questions you should be able to answer • Security Awareness • Secure Coding Training • Shared Knowledge Base • Security Focused Hackathons • Security Champion Program Available Options
  • 25.
    DevSecOps Do we reallyneed it now? There are some compelling statistics • It’s 30 times cheaper to fix security defects in development vs production • 80% to 90% of modern applications consist of open source components • An average data breach costs close to 4M USD • Most of the DevOps high-performers include security in their delivery process Security as Competitive Advantage
  • 26.
    State of DevSecOps- Conclusion Security TeamTechnologies Product Team • Tools have improved • Choose them wisely • Solve technology problems • Cover the whole portfolio • Start acting on data in prod • Department of YES • Empowering product teams • Use scarce resources wisely • Knowledge is power • Turn developers into security champs • Be mindful that change is slow • Build it, run it, secure it
  • 27.
  • 28.
    Get a curatedlist of security resources Consisting of: • Awesome security lists • Developer trainings • List of great security tools • Security Page templates • Free digital copy of my book • the slides • … and more Then send an email to: [email protected]

Editor's Notes

  • #2 Also, just to inform you that recently I've attended a conference and the speaker was talking about DevOps. Unfortunately, he couldn't explain to the audience well about DevOps vs Agile. His slides look more towards agile than DevOps. So, for your slides, pls be able to distinguish the concepts and hopefully you can arrange your thought process from fundamentals - intermediate - advanced state of DevSecOps in the 30 mins.
  • #4 The are all from Indonesia! They are all tech companies. The are all considered unicorns (valued over 1 billion) They didn’t exist 10 years ago.
  • #5 And by the way, how many of you here today are in a fintech or any other kind of tech company startup? fintech slide -> You may join the unicorn club soon.
  • #6 1.) The existing solutions (in all industries) typically suck. -> The foundation of this opportunity. Simply put a lot of the existing incumbent solutions (in all industries) are coming from the waterfall era, have a terrible User Experience and follow an enterprise software model. Think about it, even the online banking solutions that exist today are typically much more user-friendly for consumers than they are for business users. -> Waterfall vs Agile vs DevOps "Wait, I have to use this stuff to collaborate? If I can use Facebook Messenger at home, why do I have this crummy messaging tool at work?" So that's certainly been one angle that I think has changed things.
  • #7 2.) Software as a service and the internet in general allow wide-spread and instant distribution. Second is, obviously software as a service and the internet generally, you know, our ability, so we sell into 170 different countries now, so we never could have done that in a traditional enterprise model. We would have needed sales people all over the world, etc. So we can spread out the revenue generation, if you like, much more around the globe, much more quickly.
  • #8 3.) The cost of producing and operating software has gone down significantly. The entry barrier is almost removed. And at the same time, the cost of producing that service or creating that software has gone down rapidly with open source, and cloud computing in terms of AWS, things like that. So we can effectively deliver a better product for cheaper and kind of instantly get it around the world and just let it bubble up. Cloud providers offer up to 100k credits for startups. Every major Saas product that a company needs either offers free plans for startups or heavily reduced prices. Cloud computing
  • #10 Litmus test, how long does it take you to get one line of code through your system? DevOps is all about breaking down barriers, have developers work with the business, with the ops team and simply out-innovate and out-ship the competition. Software has become mission-critical!
  • #11 While hacking-related data breaches and subsequent ransom demands to large corporations like HBO, Target, and Home Depot understandably garner widespread attention, t he resulting assumption that only large companies face this growing digital threat couldn’t be further from the truth. In fact, a study in 2016 found that 43% of all cyber attacks targeted small businesses. Even more alarming is that a staggering 60% of small businesses hit with a cyber attack or data breach go out of business within 6 months. Software has become mission-critical!
  • #12 Everyone!!! Ok, but who is accountable?
  • #13 Different Tools come from different eras and are focused on outcomes and different audiences.
  • #14 Working as an audit/control function Working as security gates in the lifecycle Empowering DevOps teams to move fast and be safe.
  • #15  Alright, so the purpose of security teams Is to support the engineering organization To ensure that the business can achieve Their goals. However, there is a scale problem. Think about how many developers you have in your organization. How many DevSecOps ready security folks? There is a global shortage of 2m cyber security professionals,. It just can’t be solved by throwing security people at the problem You gotta be smart,
  • #16 The traditional model is that you take your software to the wall that separates development and operations, and throw it over and then forget about it. Let’s look at how the big organizations are doing it. https://www.slideshare.net/ufried/the-truth-about-you-build-it-you-run-it
  • #17 You build it you secure it. What does that mean? It’s not a question of responsibility it’s a question of accountability. Why would any third party come and tell you what to do, they don’t know the context, don’t know the other stuff. Why would they run a tool for you that produces a million findings, and leave you with the results to clean it up? Oh and by the way, you have to get rid of all the medium and high before going live. The security team can not be accountable. Ok, so who is accountable?
  • #18 That also means that business can make decisions to override security requirements. Believe me, I am coming from a pentesting background, and there is no perfect security posture. So you gotta think about getting the guardrails established, at the very minimum. Get rid of all the low hanging fruits. Avoid counter productive best practices.
  • #20 Outside in approach Get data -> attacks, vulnerabilities, etc Don’t focus on 1 application, focus on getting this data for the whole portfolio (prioritize by business risk). Where can you solve technology problems reliably across Quality, Performance, Security
  • #21 Think Application Performance monitoring for security Understanding how your app is abused and misused helps with prioritization.
  • #22 Think Code Quality with a focus on security Understanding what kind of insecure patterns are prevalent in your app, which teams can can benefit from targeted support, a real time-view of the security posture of your application portfolio as well as the trends.
  • #23 This is the most mature field in the whole lifecycle, there are hundreds of tools. Just make sure that the tools you start using are useful for developers and not the legacy security tools that are difficult to integrate, slow and noisy.
  • #24 An example of how all of these technologies are tied into a modern development workflow.
  • #26 Those organizations that manage to embed security deeply in their engineering practices and have the right accountability structures, will be able to outperform their competition. In the digital economy switching providers has never been easier, security is going to be one of the leading reasons for that.
  • #27 Focus on the right improvements, e.g. measuring defect density, etc. E.G if a technology can reliably identify and prevent a vulnerability in production, without having to involve humans to fix it, then That’s a good start. If you can have technology that alerts you of breaches while containing them, that’s great. Use it. If you have tools that you can embed in your pipeline to get more continuous security feedback into the hands of developers, then use that Be smart about where to use human efforts on and where not to. Security team should help engineering teams to succeed and achieve the business mission. Not say no and delay releases like an audit function. Start with general training programs, there is excellent free training out there for engineers and basic security awareness. As you get more data from your tools, then you will be able to prioritize the next focus areas and teams that require that training. Teaching people and changing the culture is hard and takes a long time. It is still important but make sure all the other aspects are Reducing your risk while simultaneously buying time.