Agile Event Session

From DevOps to DevSecOps – Application security for a Lean/Agile/DevOps environment

Abstract/Description

The bad guys don’t break in through the highly secure bank vault door; they attack the crumbly bricks and mortar of the vault walls. The same is true for application security. The vast majority of incidents don’t target security features like encryption, authentication, and authorization… the bank vault door. Rather, they target vulnerabilities in the “boring”, non-security parts of the code… the crumbly bricks and mortar of the vault walls.

The security function is still largely throw-it-over-the-wall at many organizations, but things are changing. There is growing awareness that you cannot prevent the vast majority of incidents with a bolt-on approach to security. You have to produce applications that are free of such vulnerabilities as they are being developed. In other words, you have to BUILD SECURITY IN.

Just like DevOps is a cultural transformation, to BUILD SECURITY IN we need a mindset shift and cultural change. We need DevSecOps.

This talk starts by introducing a DevSecOps manifesto and then a process model for achieving a “BUILD SECURITY IN” DevSecOps culture. The framework is designed to sit on top of any SDLC but it is particularly suited to Lean/Agile environments and even more so to a DevOps environment or in conjunction with an ongoing DevOps transformation.

Additional Resources

Add to Bookmarks Remove Bookmark

Add to Bookmarks Remove from Bookmarks

Larry Maccherone

Speaker(s) may be willing to present this session at local group meetings and other events.

Agile2017

Slides, Video

Advancing

More Agile Event Session Videos

You’re Not Failing Fast Enough: Tips & Tricks for an Agile Build System

A team's agility is severely limited when developers have to wait 4, 6, even 24 hours to learn whether their latest change plays nicely with the rest of the code base. And untangling bugs introduced by other changes made in the meantime can take hour…

View Session >

Principles of Self-Service Infrastructure

The management of development and test environments is major concern when trying to optimize the value stream of any software development project. In this context, implementing Self-Service Infrastructure may help your organization to simplify the ma…

View Session >

Building evolutionary infrastructure

Infrastructure as code tools like Ansible, Chef, Puppet, Terraform, etc. can make it easy to build and manage infrastructure in the cloud. But as with any code, this can quickly devolve into a fragile monolith that is difficult and scary to change…

View Session >

DevOps Performance Measurement: A Foundational Element For Building High-Trust Cultures

One of the primary drivers, if not THE central driver, behind any Enterprise DevOps transformation is the organizations need to optimize the flow of business value (in the form of incremental software) between developers and end-users. Within many or…

View Session >

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
_csrf	session	This cookie is essential for the security of the website and visitor. It ensures visitor browsing security by preventing cross-site request forgery.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
gdpr[allowed_cookies]	1 year	This cookie is set by the GDPR WordPress plugin. It is used to store the cookies allowed by the logged-in users and the visitors of the website.
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
pmpro_visit		The cookie is set by PaidMembership Pro plugin. The cookie is used to manage user memberships.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__atuvc	1 year 1 month	This cookie is set by Addthis to make sure you see the updated count if you share a page and return to it before our share count cache is updated.
__atuvs	30 minutes	This cookie is set by Addthis to make sure you see the updated count if you share a page and return to it before our share count cache is updated.
__jid	30 minutes	Used to remember the user's Disqus login credentials across websites that use Disqus
aka_debug		This cookie is set by the provider Vimeo.This cookie is essential for the website to play video functionality. The cookie collects statistical information like how many times the video is displayed and what settings are used for playback.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
CONSENT	16 years 8 months 15 days 5 hours	Description Pending
disqus_unique	1 year	Disqus.com internal statistics
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
language		This cookie is used to store the language preference of the user.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
locale	3 days	This cookie is used to store the language preference of a user allowing the website to content relevant to the preferred language.
STYXKEY_aa_signup_visited	session	No description

Cookie	Duration	Description
_gat_UA-17319182-1	1 minute	Set by Google Analytics and Google Tag Manager to enable website owners to track visitor behaviour and measure site performance. These cookies are used to collect information about how you use our website. The information collected includes number of visitors, pages visited and time spent on the website. The information is collected by Google Analytics in aggregated and anonymous form, and we use the data to help us make improvements to the website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_gtag_UA_17319182_1	1 minute	Set by Google Analytics and Google Tag Manager to enable website owners to track visitor behaviour and measure site performance. These cookies are used to collect information about how you use our website. The information collected includes number of visitors, pages visited and time spent on the website. The information is collected by Google Analytics in aggregated and anonymous form, and we use the data to help us make improvements to the website.
_gat_UA-0000000-1	1 minute	Set by Google Analytics and Google Tag Manager to enable website owners to track visitor behaviour and measure site performance. These cookies are used to collect information about how you use our website. The information collected includes number of visitors, pages visited and time spent on the website. The information is collected by Google Analytics in aggregated and anonymous form, and we use the data to help us make improvements to the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
eud	1 year 24 days	The domain of this cookie is owned by Rocketfuel. This cookie is used to sync with partner systems to identify the users. This cookie contains partner user IDs and last successful match time.
S	1 hour	domain .google.com
uvc	1 year 1 month	The cookie is set by addthis.com to determine the usage of Addthis.com service.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Membership

Members-only Content

Become an Agile Alliance member!

Agile Conferences

Free Member Events

Community Events

Agile MiniCon – The Future of AI in Agile

Agile Essentials

Download the Agile Manifesto

Recent Blog Posts

Boost your Agile expertise by joining Agile Alliance today

Meet the Agile2024 Program Team – Reese Schmit

Neurodiversity and invisible disabilities in Agile

Agile Resources

Remote Working Guide

Sustainability Manifesto

MEMBER INITIATIVES

Your Community

Global Development

Global Affiliates

OUR POLICIES

ABOUT US

Become a sponsor

Agile Event Session

From DevOps to DevSecOps – Application security for a Lean/Agile/DevOps environment

This video content is for Agile Alliance members only

Abstract/Description

Additional Resources

More Agile Event Session Videos

You’re Not Failing Fast Enough: Tips & Tricks for an Agile Build System

Principles of Self-Service Infrastructure

Building evolutionary infrastructure

DevOps Performance Measurement: A Foundational Element For Building High-Trust Cultures

You’re Not Failing Fast Enough: Tips & Tricks for an Agile Build System

Principles of Self-Service Infrastructure

Building evolutionary infrastructure

Have a comment? Join the conversation

Discover the many benefits of membership

Our Cornerstone Corporate Supporting Members