DevSecOps: Essential Pipeline Tooling To Enable Continuous Security
As we embrace DevOps to optimize our agility, we need to move away from slow, manually intensive processes toward a continuous flow of software into production. Whether or not we are doing true "Continuous Deployment" straight to production, we no longer have time for slow, manual, late-lifecycle security assessments to determine whether our code is going to put us on the front page of the newspaper (for the wrong reasons). What we need is the visibility to know that our code is secure enough to pass muster every day. What we need is continuous security.
The DevSecOps movement is about exactly that: shifting security assessment left and integrating it into the daily and per-sprint cycles that DevOps has made popular. It means finding the touchpoints in our continuous integration/continuous delivery (CI/CD) pipeline where security tools can be inserted and run continuously against software changes as they are made. It means using static code analysis, dynamic security testing, software composition analysis of third-party components, and platform vulnerability scanning to look at all aspects of security every day. It means breaking builds and rejecting changes when developers introduce new security vulnerabilities. It means integrating all of this information with the observability tools we are putting in place to continuously monitor the health of our system.
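The "break the build on new vulnerabilities" step described above is the part of the pipeline most teams hand-roll. The gate below is an added example written for this page, not code from the talk or from any of the tools it mentions: it merges findings from several scanner stages (the tool labels, rule ids, paths and CVE-style identifiers are constructed placeholders), fingerprints each finding so that pre-existing, already-tracked issues stay in a baseline, and fails the pipeline only when a change introduces a finding that is both new and at or above a severity threshold. Comparing against a baseline rather than failing on any finding is what keeps the gate usable on a codebase that already carries known, triaged debt.

```python
"""Pipeline security gate: fail only on NEW findings at or above a severity threshold.

Example code added for this page. All sample findings below are constructed
placeholders, not output from any real SAST, SCA or image scanner.
"""
from dataclasses import dataclass
import hashlib
import sys

# Ordering used to compare a finding's severity against the gate threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One normalized result from any pipeline stage (SAST, SCA, image scan, ...)."""
    tool: str       # hypothetical stage label, e.g. "sast", "sca", "image-scan"
    rule: str       # tool-specific rule id or CVE id (placeholders here)
    location: str   # source path, component, or image the finding applies to
    severity: str   # "low" | "medium" | "high" | "critical"

    def fingerprint(self) -> str:
        # Identity excludes line numbers so an unchanged issue that moves a few
        # lines still matches the baseline instead of re-breaking the build.
        raw = f"{self.tool}|{self.rule}|{self.location}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


def new_findings(baseline, current, threshold="high"):
    """Findings in `current` that are absent from `baseline` and at/above threshold.

    Results are ordered most severe first so the report leads with what matters.
    """
    known = {f.fingerprint() for f in baseline}
    min_rank = SEVERITY_RANK[threshold.lower()]
    fresh = [
        f for f in current
        if f.fingerprint() not in known
        and SEVERITY_RANK.get(f.severity.lower(), 0) >= min_rank
    ]
    return sorted(fresh, key=lambda f: (-SEVERITY_RANK[f.severity.lower()], f.tool, f.rule))


def gate(baseline, current, threshold="high"):
    """Return (passed, report_lines). `passed` is False when the change must be rejected."""
    fresh = new_findings(baseline, current, threshold)
    report = [
        f"NEW {f.severity.upper():<8} {f.tool:<10} {f.rule} @ {f.location}"
        for f in fresh
    ]
    return (len(fresh) == 0), report


# Constructed sample data: a baseline with one known, triaged SCA finding,
# and a current scan that adds one new high SAST finding and one new low finding.
BASELINE = [
    Finding("sca", "CVE-0000-00000 (placeholder)", "libexample 1.0.0", "high"),
]
CURRENT = BASELINE + [
    Finding("sast", "example-sqli-rule", "svc/handlers.py", "high"),
    Finding("image-scan", "CVE-0000-00001 (placeholder)", "base-image:example", "low"),
]


def main():
    passed, report = gate(BASELINE, CURRENT, threshold="high")
    for line in report:
        print(line)
    print("GATE PASSED" if passed else "GATE FAILED: new findings at or above threshold")
    # A non-zero exit status is what makes the CI job, and therefore the build, fail.
    sys.exit(0 if passed else 1)


if __name__ == "__main__":
    main()
```

In a real pipeline the baseline is the normalized findings list from the last accepted build (stored as an artifact), and `CURRENT` is built by parsing each stage's native output into `Finding` objects; the gate itself stays tool-agnostic, which is what lets you swap scanners without rewriting the policy.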
In this talk, Rich Mills will present his successes and challenges with integrating security into DevOps pipelines to provide continuous assessment of security posture. He will focus on his latest experiences building delivery pipelines for a containerized, microservice-based project in which the team integrated a broad set of open source and commercial tools to gather and present security data. This talk is aimed at people struggling to integrate application security assessment into their agile development process.