logo
securityArticlesConferencesPresentations

DSOMM from Theory to Enforcement

Conference:  Global AppSec San Francisco 2022

2022-11-17

Authors:   Chris Koehnecke

Summary

The presentation discusses the OWASP DevSecOps Maturity Model and how to practically apply security controls using open source tools for each requirement.
  • The OWASP DevSecOps Maturity Model provides a framework for companies to apply security in a cloud-native and fast-paced engineering world.
  • Whatever isn't automated is much more difficult to practically apply to systems.
  • Open source security tools have evolved and provide good coverage for many of the layers of the DSOMM model.
  • The presentation walks through the different security requirements in the DSOMM framework and does live code demos for each.
  • Prioritization of security issues can be done per each pull request.
  • The speaker shares their experience with implementing security processes in a startup environment.
  • Developers owning security is seen as the future of the security industry.
The speaker shares their experience working in a big four consulting firm where they realized that the processes they implemented stifled development velocity and didn't have a lasting impression. They then joined a startup where they prioritize security per each pull request and see developers owning security as the future of the industry.

Abstract

Like many of the OWASP projects, the OWASP DevSecOps Maturity Model provides an excellent framework and roadmap for companies looking to truly apply security in a cloud-native and fast-paced engineering world. However, like all things Dev+Ops related, whatever isn’t automated is much more difficult to practically apply to our systems. This is true from post-mortem learnings to security plans.Open source security tools have also evolved immensely over the years, and there are many excellent, well-maintained, and robust tools that provide very good coverage for many of the layers of the DSOMM model - many of them provided by OWASP. In this talk, we’d like to walk you through the different security requirements in the different stages of the DSOMM framework and do live code demos for each taking a deep dive into how to apply the relevant security control with great open source tools for each requirement.
Materials:
Tags:
OWASP
DevSecOps
maturity
model
framework

Post a comment

Related work

AuthN and AuthZ at Cruise: Crawl, Walk, Run

Conference:  KubeCon + CloudNativeCon North America 2021
Authors: James Barclay, Roman Porter
2021-10-15

Going for Graduation: Crossing the Chasm

Conference:  KubeCon + CloudNativeCon Europe 2023
Authors: Katie Gamanji, Bill Mulligan
2023-04-19

The future is simple - introducing the CRE

Conference:  OWASP 20th Anniversary Event
Authors: Rob van der Veer, Spyros Gasteratos
2021-09-24

Achieving Security by Shifting Left in Agile

Conference:  OWASP 20th Anniversary Event
Authors: BHUSHAN B GUPTA
2021-09-24

Fight Back Against Cyber Risk in the Software Supply Chain with a Secure and Compliant DevSecOps Pipeline for Regulated Environments

Conference:  KubeCon + CloudNativeCon Europe 2023
Authors: Krishna Rajeesh Nallur Valiyaveettil, Brendan Kelly
2023-04-19

Top 10 Challenges for DevSecOps

Conference:  OWASP 20th Anniversary Event
Authors: Gary Robinson
2021-09-24