Authors: Chris Romeo
2023-02-15

tldr - powered by Generative AI

The presentation discusses common failures in DevOps security and provides solutions to address them.
  • Failure to prioritize security in DevOps
  • Lack of collaboration between security and development teams
  • Inadequate training and education on application security
  • Inefficient use of tools and technology
  • Lack of integration of threat modeling in DevOps process
  • Vulnerable code in the wild

Authors: Joshua Bregler, Corbin Moyer
2022-11-18

Make no mistake, secure development relies on automation. In a DevSecOps culture, having scalable, reliable tools and processes is the only way to make DevSecOps a reality. Creativity and technical chops are lauded for their ability to bring magic from the machines. However, is anyone in charge of making sure that your organization is automating the right things? How much attention is being paid towards supporting that automation across an Enterprise? The security is baked in, right? It may just be possible to focus so heavily on automation and tools that disparate teams lose sight of the bigger picture. This talk discusses the pitfall that many organizations trip into all too readily. By focusing forcefully or narrowly on automation, an organization can find itself creating technical debt, waste, and classically unsupportable support systems. We utilize two real-world case studies to clearly demonstrate classic automation problems and propose functional solutions. Audiences will come away with data-driven DevSecOps security management techniques as well as how to recognize and accept the trade-offs in a secure DevSecOps culture. This includes how to avoid creating new, unintended, invisible stove-pipe problems, drawing from our 25+ years of experience in the military and commercial spaces. Finally, we explore methods to find these opportunities, track meaningful metrics, and recognize when you’ve fallen over the edge.