Agile + DevOps East 2019 - Security
Tuesday, November 5
Tools for DevSecOps
DevOps is about creating alignment across the value stream for an application, service, or product. DevSecOps integrates security into this process, making the entire team responsible for delivering secure code that works and can be deployed and used securely. But how do you actually do that? What tools do you add to your DevOps pipeline to help make your software secure and provide your stakeholders with a high level of confidence that the software meets all security requirements & standards? In this tutorial Tom Stiehm will explore what security tools you can add to your DevOps...
Wednesday, November 6
Wabi-Sabi Your DevSecOps
The ability of DevSecOps to produce secure code requires the merging of two very different cultures: AppSec and DevOps. While AppSec lives in a black-and-white world of secure or not secure that would cause “Hello World” to take six months to release, DevOps knows that the reality of software development is actually shades of gray, especially as demands are increasingly placed on development teams to produce more, faster. Brittany Greenfield will teach you how to apply the Japanese concept of wabi-sabi, which accepts imperfections in the things that we create, to DevSecOps, allowing you to...
Shifting Security Left: The Innovation of DevSecOps
DevSecOps uses application security practices that have existed for a while. The innovation of DevSecOps is incorporating security into the daily workflow of the team rather than leaving it to the end, shifting security left by automating aspects of security testing. DevSecOps leverages DevOps practices to make application security a first-class citizen in the practices of modern software development. But that requires a culture change: DevSecOps starts before the code is even written, using techniques like threat modeling and risk analysis to figure out who will attack you and how. Come...
DevOps Panel: Compliance While Moving Faster
Do you want to move at the speed of DevOps, but need to show compliance to your organization, a governing body, or through regulation? Are you already struggling with compliance and want to know how DevOps could help? Come listen to our panelists as they answer questions about compliance and security in DevOps without slowing down. This panel is looking to answer your questions about all things Compliance, so be ready to participate.
Thursday, November 7
So You’re Using Docker. Now What?
These days everyone wants to containerize their application, but not everyone understands the best way to go about it. You need a tool to manage your containers, you need tools for image security scanning, you need to completely rethink how your application fits into its deployment environment, and most importantly you need to make sure you’re following good DevSecOps practices. Join Ryan Kenney as he discusses how he has addressed these concerns, among others, for various clients. Ryan will discuss options for container orchestration tools like Kubernetes and its competitors. Then, he...
How DevOps and Agile Fit with Compliance Obligations
DevOps and agile are designed to help you be adaptable and move quickly. But meeting your compliance obligations tends to slow you down and make processes rigid. However, by using key components of agile and DevOps and approaching compliance obligations from a different angle, you can meet your obligations while being adaptable. Guy Herbert will show examples of how his company structures their CI/CD processes to include compliance and how they have changed their compliance approach to be able to better meet the needs of the DevOps teams. Guy will also discuss the cultural implications of...
Friday, November 8
Shifting Security Left: Where to Start
Equipped with this guidance you can begin to make the changes that will transform application security into a responsibility that is shared by development and security and that continues once applications are in production and operation. By shifting security left, you unburden your security team, empower your developers to write better code…
Rome Wasn't Built in a Day...and Neither is Your DevSecOps
DevSecOps is about more than just the tools – it is an organizational, operational, and strategic transformation. So, as a “thorough or dramatic change in form or appearance” across the three main pillars of an organization, how can we expect a DevSecOps transformation to take place overnight? Taking lessons from process transformations throughout history, attendees will learn how to evaluate their current DevSecOps maturity and understand the key tools and processes that will help their organization ascend the DevSecOps maturity curve, through achievable milestones and stages.
Building Trust Between Security and Development to Accomplish Culture Change
DevSecOps empowers engineering teams to take ownership of how their product behaves in production, including security aspects. The primary goal of a DevSecOps initiative is to get development teams to shift their mindset and adopt security practices in their daily activities. However, this can only happen with healthy collaboration and mutual trust between development and security teams. Larry Maccherone can show you how. Larry will discuss how to effectively build trust between developers and security personnel to facilitate a successful DevSecOps program. He will present a proven "Trust...
Panel Discussion: Effective Integration of Tooling into DevOps
Integrating security tools into a DevOps pipeline is about more than just dropping them into a test environment. It’s about putting them where the business return is greatest. Where fast feedback can be gathered. Picking the right tools for the job. Join DevSecOps experts as they discuss and debate the merits of SAST, DAST, IAST, and RAST tools for your pipeline. Learn about the pros and cons of each type of security testing and how to choose the right tools for your needs. Hear how various organizations have gotten started with DevSecOps tooling and learn tips and trick for implementing...
Taking DevSecOps To The Next Level - Cutting Edge Tools for your Pipeline
DevSecOps is so much more than forcing developers to use legacy scanning tools. In this talk, we will discuss a continuous, effective, and scalable DevSecOps pipeline using free cutting-edge tools. We'll discuss and show IAST (Interactive Application Security Testing) to accurately pinpoint vulnerabilities in both custom code and libraries in real time without scanning. We'll discuss and show RASP (Runtime Application Self-Protection) in production to gain visbility into application attaches and to prevent vulnerabilities from being exploited. And we'll discuss how to integrate the results...
A Practical Approach to Building Security In
The release date is a week away. Development is complete. The code works, and everything looks good. Marketing is ready with the media blitz. Our customers are waiting to get their hands on the new features and are sure to give us good feedback. The only step left is to get the security group to scan the application and give us the approval to release. Cross your fingers- let’s hope we get the green light! Otherwise, I don’t know what we are going to do. DevOps, and more importantly, DevSecOps, promises to do away with rolling the dice at the end and hoping we are allowed to release what...
The Hammer, the Carrot & the Olive Branch: Ways Security Makes Wins... And Friends with Devs
DevSecOps can be a beacon of hope. Rather than engaging in seemingly futile battles, there are paths to achieving unified wins for devs, ops, compliance—and security. But different situations call for different tools—both technical and social. Join Julie Tsai as she provides realistic examples of things that may have (or not) worked. Mileage may vary.
Panel Discussion: Getting Development and Security To Work Together
DevSecOps is all about getting security teams, practices, processes, and tooling integrated into your DevOps process but often getting a cross-functional team that includes security in place is difficult. Join DevSecOps practitioners in exploring the best ways to get security groups and personnel involved in day-to-day DevOps teams. Learn what role security personnel play in Sprint activities and how to remove compliance from being an end-of-lifecycle hurdle. Hear how leading organizations successfully shift security left and tips and tricks for getting started.