The traditional way of handling security issues in DevOps involves security teams analyzing vulnerabilities and opening issues/tickets, with closing the loop on resolutions being difficult. This model is changing as the cost of fixing later-stage defects rises significantly. The shift is toward DevSecOps where responsibility for application security moves to development teams. Developers are integrating security tools earlier in the software development lifecycle (SDLC) to enable a more secure-by-design approach. Effective DevSecOps requires tools that fit seamlessly into developer workflows and prioritize actual vulnerabilities over non-issues. It also demands integrating security practices into DevOps processes through agile methodologies and automation.

1. 1
Presented by:
Anders Wallgren ,VP of Technology Strategy at CloudBees
Jeffrey Martin, Senior Director of Product at WhiteSource

2. 2
1
The Shift from
DevOps to
DevSecOps

3. 3
Why Traditional DevOps is Changing

4. The Common Way of Handling Security Issues
Security teams
analyze and
prioritize
vulnerabilities
Sending emails or
opening
issues/tickets
Closing the loop on
resolution is hard

5. 5
The cost of fixing security and quality issues is rising significantly, as
the development cycle advances.
Coding
$80/Defect
Build
$240/Defect
QA & Security
$960/Defect
Production
$7,600/Defect
Late Detection Can Turn Out Costly

6. § Cost Reduction
§ Speed of delivery
§ ‘Secure by design’
§ Open discussion
6
The Business Benefits of DevSecOps
Quality
Time
Cost

7. 7
The Operational Benefits of DevSecOps
§ Versions are up-to-date
§ Nearly “zero” re-work
§ Early identification of vulnerabilities in code
§ Enables a culture of constant iterative improvements

8. 8
2
Responsibility over
AppSec is shifting
to development
teams

9. 9
Who is Owning Application Security in the Organization?
of the respondents stating the ownership
lies in the software development side
72%
22%

10. 10
Organizations of all sizes are shifting their operational
security to software development teams
Who owns security in your organization, by company size?

11. 11
The impact of developers taking over security is that
they are integrating security tools earlier in the SDLC
of developers are taking action
towards application testing on build
stage or before.
66%
In what stage of the SDLC do you spend most
of your time implementing security measures?

12. 12
In what stage of the SDLC do you spend most
of your time implementing security measures,
by open source usage?
The higher usage for open source, the more likely that
developers would implement application security tools

13. 13
3
Tools and
Strategies Needed
to Implement
DevSecOps

14. 14
The new generation of security tools:
Developers security tools

15. 15
Developers need robust tools, that fit into
their workflows

16. 16
EFFECTIVE VULNERABILITY
If the proprietary code is making calls
to the vulnerable functionality
INEFFECTIVE VULNERABILITY
If the proprietary code is NOT making
calls to the vulnerable functionality
EFFECTIVE VS INEFFECTIVE
VULNERABILITIES IN A COMPONENT
Prioritization is key to vulnerability detection and
remediation

17. After testing 2,000 Java applications, WhiteSource found
that 72% of all detected vulnerabilities were deemed
ineffective.

18. § Integrate the security aspects and practices with the DevOps processes
§ Use agile methodologies to deliver small, secure pieces of code in frequent
releases
§ Automate the security processes whenever possible
§ The best response to the bottleneck effect of older security models on the
modern continuous delivery pipeline
18
DevSecOps: Integrating DevOps & Security Culture

19. Shifting the Mindset: Shift Left and Close the Loop
§ Build guardrails, don't be gatekeepers
§ Avoid Bottlenecks in the process: If the process
slows you down, it needs to be changed
§ Make security everyone’s responsibility
§ Facilitate regular discussions about application
security throughout the development process

20. 20
Q&A

21. Thank You!
21