
Security as Code: A DevSecOps Approach - Xavier René-Corail

Authors: Xavier René-Corail


Summary

Empowering developers with autonomy, mastery, and purpose is key to effectively including security testing in the software development lifecycle.
  • NASA's success in shifting security testing left in its SDLC came from empowering developers
  • Developers need autonomy, mastery, and purpose to be motivated to do security testing
  • Autonomy: developers control running the tests and acting on the results
  • Mastery: developers have the skills and knowledge to do security testing effectively
  • Purpose: developers understand why security testing matters and how it contributes to the project's overall success
NASA used CodeQL to find and fix critical bugs in its software before deploying to Mars, and its success came from empowering developers with security testing practices. By giving developers autonomy, mastery, and purpose, the teams were able to include security testing in their SDLC and avoid late security testing and patching in production. The same approach was used in the development of the Perseverance rover, which also landed safely on Mars.

Abstract

Security as Code (SaC) is the methodology of codifying security tests, scans, and policies. Security is implemented directly in the CI/CD pipeline to automatically and continuously detect security vulnerabilities. Adopting SaC tightly couples application development with security and vulnerability management, while still allowing developers to focus on core features and functionality. More importantly, it improves collaboration between Development and Security teams and helps nurture a culture of security across the organization. In this session, we will review lessons learned from DevOps for building a successful DevSecOps culture, in particular how we can get developers to contribute security checks with the SaC approach. We will introduce CodeQL, a query language that is free for open source projects and lets us implement security checks as code, and will demo how we can write queries for vulnerabilities and misconfigurations so they are identified as soon as they hit your CI/CD pipeline. Finally, we share the lessons learned from offering security advice to six open source projects that have joined our free office hours.
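To make the "security checks as code" idea concrete, here is an illustrative CodeQL query of the kind a developer could add to a repository and have run on every pull request. It is an added example written for this page, not the query shown in the session's demo and not part of the CodeQL standard library. It tracks data from an HTTP request (Python, using the library's built-in RemoteFlowSource definitions) into a subprocess call that is invoked with shell=True, i.e. a command injection candidate. The query ID (py/example-shell-command-from-request) is invented for the example, and the library predicate names assume the current CodeQL Python library (the "new" dataflow API and ApiGraphs).

```ql
/**
 * @name Shell command built from HTTP request data
 * @description Passing user-controlled request data to a shell command
 *              allows an attacker to inject additional commands.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.8
 * @precision high
 * @id py/example-shell-command-from-request
 * @tags security
 *       external/cwe/cwe-078
 */

import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.ApiGraphs

/** A subprocess call that runs its command through a shell (shell=True). */
private API::CallNode shellCall() {
  result =
    API::moduleImport("subprocess")
        .getMember(["run", "call", "check_call", "check_output", "Popen"])
        .getACall() and
  // Only flag calls where the `shell` keyword is the literal True.
  result.getKeywordParameter("shell").getAValueReachingSink().asExpr() instanceof True
}

/** Taint configuration: HTTP request data -> first argument of a shell=True subprocess call. */
module ShellFromRequestConfig implements DataFlow::ConfigSig {
  // Sources: anything the library models as remote (request parameters, headers, bodies, ...).
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Sinks: the `args` argument of a subprocess call that uses the shell.
  predicate isSink(DataFlow::Node sink) { sink = shellCall().getParameter(0, "args").asSink() }

  // Assumption for this example: an explicit shlex.quote() call is treated as a sanitizer.
  predicate isBarrier(DataFlow::Node node) {
    node = API::moduleImport("shlex").getMember("quote").getACall()
  }
}

module ShellFromRequestFlow = TaintTracking::Global<ShellFromRequestConfig>;

import ShellFromRequestFlow::PathGraph

from ShellFromRequestFlow::PathNode source, ShellFromRequestFlow::PathNode sink
where ShellFromRequestFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This shell command depends on a $@.", source.getNode(),
  "user-provided value"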
