Agile + DevOps East 2019 - Security | TechWell

Customize your Agile + DevOps East 2019 experience with sessions covering security for software developers and testers.

Tuesday, November 5

Tom Stiehm
Coveros, Inc.
TF

Tools for DevSecOps

Tuesday, November 5, 2019 - 8:30am to 12:00pm

DevOps is about creating alignment across the value stream for an application, service, or product. DevSecOps integrates security into this process, making the entire team responsible for delivering secure code that works and can be deployed and used securely. But how do you actually do that? What tools do you add to your DevOps pipeline to help make your software secure and provide your stakeholders with a high level of confidence that the software meets all security requirements & standards? In this tutorial Tom Stiehm will explore what security tools you can add to your DevOps...

Wednesday, November 6

AW6

Wabi-Sabi Your DevSecOps

Wednesday, November 6, 2019 - 10:30am to 11:30am

The ability of DevSecOps to produce secure code requires the merging of two very different cultures: AppSec and DevOps. While AppSec lives in a black-and-white world of secure or not secure that would cause “Hello World” to take six months to release, DevOps knows that the reality of software development is actually shades of gray, especially as demands are increasingly placed on development teams to produce more, faster. Brittany Greenfield will teach you how to apply the Japanese concept of wabi-sabi, which accepts imperfections in the things that we create, to DevSecOps, allowing you to...

Tom Stiehm
Coveros, Inc.
AW22

Shifting Security Left: The Innovation of DevSecOps

Wednesday, November 6, 2019 - 3:00pm to 4:00pm

DevSecOps uses application security practices that have existed for a while. The innovation of DevSecOps is incorporating security into the daily workflow of the team rather than leaving it to the end, shifting security left by automating aspects of security testing. DevSecOps leverages DevOps practices to make application security a first-class citizen in the practices of modern software development. But that requires a culture change: DevSecOps starts before the code is even written, using techniques like threat modeling and risk analysis to figure out who will attack you and how. Come...

Helen J Beal
Ranger4
Guy Herbert
Atlassian
AW24

DevOps Panel: Compliance While Moving Faster

Wednesday, November 6, 2019 - 3:00pm to 4:00pm

Do you want to move at the speed of DevOps, but need to show compliance to your organization, a governing body, or through regulation? Are you already struggling with compliance and want to know how DevOps could help? Come listen to our panelists as they answer questions about compliance and security in DevOps without slowing down. This panel is looking to answer your questions about all things Compliance, so be ready to participate.

Thursday, November 7

Tim Guay
AgileWorks
AT15

A Fool with a Tool: The Dangers of Ignoring Culture by Overfocusing on Tools

Thursday, November 7, 2019 - 11:30am to 12:30pm

Many organizations ignore culture and overfocus on picking and implementing the right tools. However, these tools have underlying cultural assumptions. If the current culture does not support these assumptions, then automation will only have limited success, or even fail altogether. So how do you address this problem? By recognizing that overfocusing on tools is a problem in the first place. Start by understanding the cultural assumptions supporting the optimum use of the tools, as well as how your organization measures up in relation to high-performing organizations. Finally,...

Guy Herbert
Atlassian
AT21

How DevOps and Agile Fit with Compliance Obligations

Thursday, November 7, 2019 - 3:30pm to 4:30pm

DevOps and agile are designed to help you be adaptable and move quickly. But meeting your compliance obligations tends to slow you down and make processes rigid. However, by using key components of agile and DevOps and approaching compliance obligations from a different angle, you can meet your obligations while being adaptable. Guy Herbert will show examples of how his company structures their CI/CD processes to include compliance and how they have changed their compliance approach to be able to better meet the needs of the DevOps teams. Guy will also discuss the cultural implications of...

AT22

So You’re Using Docker. Now What?

Thursday, November 7, 2019 - 3:30pm to 4:30pm

These days everyone wants to containerize their application, but not everyone understands the best way to go about it. You need a tool to manage your containers, you need tools for image security scanning, you need to completely rethink how your application fits into its deployment environment, and most importantly you need to make sure you’re following good DevSecOps practices. Join Ryan Kenney as he discusses how he has addressed these concerns, among others, for various clients. Ryan will discuss options for container orchestration tools like Kubernetes and its competitors. Then, he...

Friday, November 8

Chris Wysopal
Veracode
DS2

Shifting Security Left: Where to Start

Friday, November 8, 2019 - 8:45am to 9:30am

Equipped with this guidance you can begin to make the changes that will transform application security into a responsibility that is shared by development and security and that continues once applications are in production and operation. By shifting security left, you unburden your security team, empower your developers to write better code…

DS3

Rome Wasn't Built in a Day...and Neither is Your DevSecOps

Friday, November 8, 2019 - 9:30am to 10:00am

DevSecOps is about more than just the tools – it is an organizational, operational, and strategic transformation. So, as a “thorough or dramatic change in form or appearance” across the three main pillars of an organization, how can we expect a DevSecOps transformation to take place overnight? Taking lessons from process transformations throughout history, attendees will learn how to evaluate their current DevSecOps maturity and understand the key tools and processes that will help their organization ascend the DevSecOps maturity curve, through achievable milestones and stages.

DS1

Building Trust Between Security and Development to Accomplish Culture Change

Friday, November 8, 2019 - 10:00am to 10:30am

DevSecOps empowers engineering teams to take ownership of how their product behaves in production, including security aspects. The primary goal of a DevSecOps initiative is to get development teams to shift their mindset and adopt security practices in their daily activities. However, this can only happen with healthy collaboration and mutual trust between development and security teams. Larry Maccherone can show you how. Larry will discuss how to effectively build trust between developers and security personnel to facilitate a successful DevSecOps program. He will present a proven "Trust...

Tom Stiehm
Coveros, Inc.
DS5

Panel Discussion: Effective Integration of Tooling into DevOps

Friday, November 8, 2019 - 11:00am to 11:45am

Integrating security tools into a DevOps pipeline is about more than just dropping them into a test environment. It’s about putting them where the business return is greatest. Where fast feedback can be gathered. Picking the right tools for the job. Join DevSecOps experts as they discuss and debate the merits of SAST, DAST, IAST, and RAST tools for your pipeline. Learn about the pros and cons of each type of security testing and how to choose the right tools for your needs. Hear how various organizations have gotten started with DevSecOps tooling and learn tips and tricks for implementing...

Jeff Williams
Contrast Security
DS3

Taking DevSecOps To The Next Level - Cutting Edge Tools for your Pipeline

Friday, November 8, 2019 - 12:45pm to 1:30pm

DevSecOps is so much more than forcing developers to use legacy scanning tools. In this talk, we will discuss a continuous, effective, and scalable DevSecOps pipeline using free cutting-edge tools. We'll discuss and show IAST (Interactive Application Security Testing) to accurately pinpoint vulnerabilities in both custom code and libraries in real time without scanning. We'll discuss and show RASP (Runtime Application Self-Protection) in production to gain visibility into application attacks and to prevent vulnerabilities from being exploited. And we'll discuss how to integrate the results...

Gene Gotimer
Coveros, Inc.
DS7

A Practical Approach to Building Security In

Friday, November 8, 2019 - 1:30pm to 2:00pm

The release date is a week away. Development is complete. The code works, and everything looks good. Marketing is ready with the media blitz. Our customers are waiting to get their hands on the new features and are sure to give us good feedback. The only step left is to get the security group to scan the application and give us the approval to release. Cross your fingers- let’s hope we get the green light! Otherwise, I don’t know what we are going to do. DevOps, and more importantly, DevSecOps, promises to do away with rolling the dice at the end and hoping we are allowed to release what...

Tom Stiehm
Coveros, Inc.
DS9

Panel Discussion: Getting Development and Security To Work Together

Friday, November 8, 2019 - 2:45pm to 3:30pm

DevSecOps is all about getting security teams, practices, processes, and tooling integrated into your DevOps process but often getting a cross-functional team that includes security in place is difficult. Join DevSecOps practitioners in exploring the best ways to get security groups and personnel involved in day-to-day DevOps teams. Learn what role security personnel play in Sprint activities and how to remove compliance from being an end-of-lifecycle hurdle. Hear how leading organizations successfully shift security left and tips and tricks for getting started.