AppSec DevOps automation – real world cases
Everybody wants to create the perfect AppSec test automation as part of DevOps: transparently identifying security vulnerabilities as code is created and fixing them before they are ever noticed. But how does this work in real life? In this session we will review real world examples of building a successful automation process for the delivery of secure software by DevOps groups.
The move to rapid development with continuous integration and continuous delivery has changed the way R&D organisations operate and has given birth to DevOps as we know it today. Alongside these delivery challenges, the challenge of delivering secure code has become even bigger than before.
Over the past years, we have had the opportunity to work alongside a large number of customers struggling with these challenges, and to accompany them through the process of building an automation process that incorporates security testing as an integral part of continuous integration and delivery, in order to guarantee the delivery of secure software. In this talk we will discuss how building the right process with DevOps methodology can help resolve some of these challenges, and the creative solutions we have seen our customers arrive at over the years.
The talk will begin with a quick review of the main challenges introduced by moving to a fast-paced (agile) software development world, where timeframes from coding to delivery can be as short as a few days, leaving no room for the traditional security audits and reviews that were the main practice in the past. We will show some examples of how this is leading organisations to give up their best practices and move to a world where software is pushed into production insecurely, and is only tested and fixed after it is already exposed.
Following that, we will present the core principles of continuous integration and testing automation (that may not be familiar to the security audience) as they are deployed and managed by DevOps, and analyse many of the pitfalls organisations are facing in the attempt to move from the theoretical practice to practical implementation of such a process.
Finally, we will examine three cases of customers (Retail, Insurance and Software Vendor) who have successfully built a process that works. For each case we will review the specifics of the process, the team, and the interaction between Dev, DevOps, Security, QA, etc. that was needed to achieve a working solution. We will review the specific technical issues at hand and how the environments were set up.
At the end of the session, participants will have a much broader view on practical, real world ways of building successful automation of secure coding practices.