Agile Event Session

DevSecOps: Essential Pipeline Tooling to Enable Continuous Security


Abstract/Description

As we embrace DevOps to optimize our Agility, we need to move away from slow, manually intensive processes into more of a continuous flow of software into production. Whether we are doing true “Continuous Deployment” straight to production or not, we no longer have time for slow, manual, late-lifecycle security assessments to determine if our code is going to put us on the front page of the newspaper (for the wrong reasons). What we need is the visibility to know that our code is secure enough to pass muster every day. What we need is continuous security.

The DevSecOps movement is about exactly that: shifting security assessment left and integrating it into the daily and sprint-ly cycles that DevOps has made popular. It means finding those touchpoints in our continuous integration/continuous delivery (CI/CD) pipeline where security tools can be inserted and run continuously against the software changes as they are made. It means using static code analysis, dynamic security testing, secure composition analysis of third-party components, and platform vulnerability scanning to look at all aspects of security every day. It means breaking builds and rejecting changes when developers introduce new security vulnerabilities. It means integrating all this information with the observability tools we are putting in place to continuously monitor the health of our system. In this talk, I present my successes and challenges with integrating security into DevOps pipelines to provide continuous assessment of security posture. I focus on my latest experiences building delivery pipelines for a containerized microservice-based project where we integrated a broad set of open source and commercial tools to gather and present security data.

Specifically, I highlight:

* Touchpoints in your pipeline to assess security during build, deployment, and testing

* Tool categories needed with examples of open-source and commercial options

* Considerations to align tools with “security controls” for compliance

* Data gathering, reporting, and dashboarding to get an easy view of security status and improve the overall observability of the system

* Team structures to encourage collaboration of security engineers with developers

This talk is perfect for people struggling with ways to integrate application security assessment into their Agile development process.
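The build-breaking rule the abstract describes, "reject changes when developers introduce new security vulnerabilities", hinges on distinguishing new findings from the backlog already accepted in the baseline; the gate below is an added Python example, not code from the talk, and its Finding fields, severity ranks and sample findings are constructed assumptions.

```python
# Added example, not from the talk: a CI security gate that fails the build only
# when a change introduces NEW findings at or above a severity threshold, so
# findings already accepted in the baseline do not block every build.
# Sample findings below are constructed; real pipelines load scanner JSON/SARIF.
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    tool: str       # pipeline touchpoint that produced it: sast, sca, image scan
    rule: str       # scanner rule id or advisory id, as reported by the tool
    location: str   # source file, package coordinate, or image layer
    severity: str   # one of the SEVERITY_RANK keys

def fingerprint(f: Finding) -> tuple:
    # A finding's identity across runs is what it is and where it is.
    # Severity is left out so a re-rated old finding is not treated as new.
    return (f.tool, f.rule, f.location)

def new_findings(baseline: list, current: list) -> list:
    known = {fingerprint(f) for f in baseline}
    return [f for f in current if fingerprint(f) not in known]

def gate(baseline: list, current: list, fail_at: str = "high") -> tuple:
    """Return (passed, blocking): passed is False when any NEW finding is at or
    above fail_at. Older or lower-severity findings are reported, not blocking."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in new_findings(baseline, current)
                if SEVERITY_RANK[f.severity] >= threshold]
    return (not blocking, blocking)

# Constructed sample: the baseline carries one accepted high SCA finding; the
# current run repeats it and adds a new critical SAST hit plus a new low one.
BASELINE = [Finding("sca", "advisory-example-1", "pkg:maven/example/lib@1.0", "high")]
CURRENT = [
    Finding("sca", "advisory-example-1", "pkg:maven/example/lib@1.0", "high"),
    Finding("sast", "sql-injection", "src/orders/repo.py:42", "critical"),
    Finding("image", "outdated-base-image", "layer:3", "low"),
]

if __name__ == "__main__":
    passed, blocking = gate(BASELINE, CURRENT)
    for f in blocking:
        print(f"NEW {f.severity.upper()} [{f.tool}] {f.rule} at {f.location}")
    raise SystemExit(0 if passed else 1)  # non-zero exit breaks the CI stage
```

Committing the refreshed baseline alongside a change is how accepted findings stop blocking, which keeps the exception decision visible in version control.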


Speaker(s) may be willing to present this session at local group meetings and other events.

Agile2021
Practicing

