
Post-DevOps, what should we shift-left?

2021-09-25

Authors: Riotaro OKADA


Summary

The presentation discusses the challenges of implementing AppSec in DevOps and CI/CD and proposes solutions based on the experience of organizing the Hardening Project in Japan.
  • Shifting left means integrating security early in the development process
  • Development and security teams need to work together to maximize mutual understanding and cooperation
  • Risk profiling is essential to designing effective security defenses
  • The Hardening Project in Japan is an eight-hour security competition that helps participants update their knowledge of incident response and improve their defenses
  • The competition involves dealing with technical failures, customer complaints, and public relations response
  • Softening Day is a session in which the teams and the attackers give presentations to share and summarize their activities and strategies
In the Hardening Project, teams compete to keep an e-commerce business online and support its growth while facing a series of cyber attacks.

Abstract

The traditional V-shaped quality assurance of waterfall has been replaced by DevOps and CI/CD. It is clear that fast improvement cycles have contributed to making code much easier to maintain and of higher quality. But why is it that AppSec is still vulnerable to attacks and has yet to mature? Do automated mechanisms contribute to robustness against change?

In this talk, I will show what we have learned through our experience of organizing the Hardening Project in Japan. I will cover the critical points related to each stage of DevOps that are needed to take DevOps to the next stage: risk profile, architecture design of threat response, and operational matters. I hope it will show some of the challenges that AppSec faces in its further evolution.
