A Secure DevOps Journey Pete Chestna, Director of Developer Engagement

Upload: veracode

Post on 19-Jan-2017


TRANSCRIPT


About me

• Massachusetts born and raised

– Grew up in Milford, graduated from WPI, live in Auburn

• 25 years' experience in enterprise software development

• 10+ years at Veracode

– Individual contributor

– Director of Engineering

– Director of Developer Engagement

– Certified Scrum Master & Scrum Product Owner

– 2 trillion lines of code under my (Veracode's) belt!

There Was Waterfall

Waterfall - Process

Addressing quality too far down the development lifecycle created a cycle of waste

Waterfall - People

Organizational silos: Arch, Dev, QA, Ops, Security

Waterfall - Technology

• Gantt Charts

• Text documents

– Requirements

– Architecture

– Designs

– Test plans

• Manual tests

• Manual Deploy

– Shell Script

– SQL Script

Waterfall - Security

Back end of process

Occurred during testing cycle

Unpredictable amount of work

Mostly manual

Coming of Age: Agile

Agile - Process

[Scrum process diagram; image credit: Copyright 2005, Mountain Goat Software]

Agile - People

Security | Dev & QA | IT Operations | Product Mgmt

Security is a gate keeper on the outside looking in

Agile – Technology Initially

[Diagram: Develop (Code, Integrate, Functional Test, Production Ready) followed by a separate Security Test Release phase (Static Analysis, Pen Testing)]

Agile Development with Waterfall Security Testing

Agile – Security – Early Days

[Diagram: numbered loop from the Agile Backlog through Develop, Check in, Build, Static Analysis and Security Results, with findings handled in a Hardening Sprint]

Agile – Security – Automated and Integrated

[Diagram: numbered loop from the Agile Backlog through Develop, Check in, Build & Test, a nightly Build and Static Analysis, and Import of the results back into the Agile Backlog]

Agile – Security is not limited to automation!

• Security Champions

• Security Grooming (Requirements Review)

• Security as part of the Definition of Done

• Threat Modeling

• Secure Code Review

• Pen Testing

• Pre-Production Dynamic Analysis

Agile - Culture clash with OPS and Security

We Have Arrived: DevOps

DevOps - Process

DevOps - People

• Break the Silos

• Reorganize

• Change the Culture

DevOps - Technology

• Automate! Automate! Automate!

• Feature switching for controlled rollout

• Rolling upgrades

• Zero downtime

• Make incremental changes

DevOps – Pervasive Security

Plan | Code | Build | Test | Stage | Deploy | Monitor

• Training (eLearning, instructor led, metadata driven)

• Threat Modeling

• Security Grooming

• Static Application Security Testing + Software Composition Analysis

• Remediation and Mitigation Guidance

• Secure Code Reviews

• Manual Penetration Testing

• Dynamic Application Security Testing

• Runtime Application Security Protection

This Is Our Journey

Innovation

• Revolution at the micro level

• Evolution at the macro level

Continuous Improvement

• Always constructively dissatisfied

• Hypothesize, prototype, measure

• Sharpen the saw

Empathy

• We have been where our customers are going

• Project Purina

Thank You

www.veracode.com

Pete Chestna: @PeteChestna