SlideShare a Scribd company logo

DevSecOps at Agile 2019

Elizabeth Ayer
Elizabeth Ayer

If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk. This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later. This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them. There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.

Technology
1 of 64
Download to read offline
Dev???Ops The Missing Middle: Security Elizabeth Ayer 18F - TTS - GSA @ElizAyer Agile 2019
DevSecOps @ElizAyer I am going to show you today how to get more secure applications delivered faster.
DevSecOps @ElizAyer But first I am going to tell you how we got less secure applications delivered more slowly….
Storytime...
DevSecOps @ElizAyer Key dynamics: ● Everyone had many responsibilities. No matter what the official priorities, compliance paperwork came last ● Dev had already damaged trust ● Security was severely underresourced ● Compliance sucked the oxygen from security ● At any point, the director could have made this happen… but didn’t
DevSecOps @ElizAyer Truly, everyone did the best job he or she could, given what was known at the time, his or her skills and abilities, the resources available, and the situation at hand.
We could have been here
But we spent our time here instead
DevSecOps @ElizAyer Why bring security into the development process? [Crowdsourced] ● In any org with formal compliance, ignoring security may mean delivering late or not at all. ● Can select what controls are important to YOU ○ Can also be platform specific ● Improves security - devs should understand what they might do to cause a breach. Educate them early. ● Cost of fixing vulnerability is exponential ● Reduces schedule drift - improved flow ● Understand which tools can/can’t be used. ● Task may not be allowed at all ● May need to do major refactoring to incorporate, e.g. encryption ● Platform-level security practices. ● Brand reputation ***
10 DevOps 101 DevSecOps SEC v
DevSecOps @ElizAyer DevOps is... A combination of philosophies, practices and tools that increases an organization’s ability to deliver applications and services at high velocity - AWS What is DevOps? (Dev Perspective)
DevSecOps @ElizAyer DevOps is... [A way to] reduce waste and make releases boring - Jez Humble, Author &18F Alumni (Ops perspective) +Security!
DevSecOps @ElizAyer DevOps is... An approach that resolves the apparent conflict between speed and reliability Security fits Here
DevSecOps @ElizAyer Why isn’t security within the Ops in DevOps? We call out security separately because: 1) Security is truly a specialist discipline 2) Security got left out of the first wave of DevOps 3) Security is used to encompass compliance, and that’s definitely not part of DevOps
DevSecOps @ElizAyer https://slack.engineering/moving-fast-and-securing-things-540e6c5ae58a
DevSecOps @ElizAyer Why isn’t security within the Ops in DevOps? We call out security separately because: 1) Security is truly a specialist discipline 2) Security got left out of the first wave of DevOps 3) Security is used to encompass compliance, and that’s definitely not part of DevOps
DevSecOps @ElizAyerhttps://tech.gsa.gov/guides/dev_sec_ops_guide/
DevSecOps @ElizAyer DevSecOps is... Development + Security + Operations = Safer Software Sooner
DevSecOps @ElizAyer Digression: Why DevSecOps, not DevOpsSec?
DevSecOps @ElizAyer PEOPLE1 PROCESS 2 TOOLS3 The DevOps Value Pyramid
DevSecOps @ElizAyer PEOPLE1 PROCESS 2 TOOLS3 The DevOps Value Pyramid
DevSecOps @ElizAyer One team handles a software system through inception, delivery, maintenance, end-of-life of a system. 1. People: the DevOps culture
DevSecOps @ElizAyer Shared responsibility for how software behaves in production 23 Continuous feedback results in tighter processes that get better and better Optimization of the full system, not just one piece, department, or interest. Open communications and knowledge sharing enhance trust within the team 1. People: the DevOps culture
DevSecOps @ElizAyer PEOPLE1 PROCESS 2 TOOLS3 The DevOps Value Pyramid
DevSecOps @ElizAyer 2. Process: Empowered Teams & Shift Left An empowered team contains the skills and authority it needs to develop & operate its systems. For DevSecOps, the team needs basic security skills and access to expertise.
DevSecOps @ElizAyer 2. Process: Empowered Teams & Shift Left “Shift Left” means that operability concerns should be considered as early in the dev cycle as possible. +Security!
DevSecOps @ElizAyer Evil User Story (aka Abuser Story) 1: As a hacker, I want to have somebody’s benefits paid to me instead. 2. Process: Empowered Teams & Shift Left
DevSecOps @ElizAyer Evil User Story (aka Abuser Story) 2: As the Russian government, I want to steal data and release it so that I undermine confidence of the American people in democracy. 2. Process: Empowered Teams & Shift Left
DevSecOps @ElizAyer PEOPLE1 PROCESS 2 TOOLS3 The DevOps Value Pyramid
DevSecOps @ElizAyer 3. Tools: CI/CD ● Source Code Management ● CI/CD Systems ● Unit test framework ● Infrastructure-as-code ● etc.
31 https://dzone.com/articles/learn-how-to-setup-a-cicd-pipeline-from-scratch 3. Tools: Development Pipeline
32 https://dzone.com/articles/learn-how-to-setup-a-cicd-pipeline-from-scratch 3. Tools: Development Pipeline Evil User Stories
33 https://dzone.com/articles/learn-how-to-setup-a-cicd-pipeline-from-scratch 3. Tools: Development Pipeline Static Code Analysis
DevSecOps @ElizAyer 3. Enhancing the Pipeline for Security Static Application Security Testing (SAST) tools scan for code patterns likely to cause vulnerabilities. Examples: SonarQube (Open Source), Fortify, Coverity, Veracode https://www.owasp.org/index.php/Source_Code_Analysis_Tools
35 https://dzone.com/articles/learn-how-to-setup-a-cicd-pipeline-from-scratch 3. Tools: Development Pipeline Dynamic Analysis
DevSecOps @ElizAyer 3. Enhancing the Pipeline for Security Dynamic Application Security Testing (DAST) tools scan a running application for vulnerabilities or assist in manual penetration testing. OSS Examples: Arachni, Metasploit, sqlmap*
DevSecOps @ElizAyer Why would you not point hacker tools at your application? They will!
Back to the story...
DevSecOps @ElizAyer Would any of this have helped our Eligibility System deliver? Nope.
DevSecOps @ElizAyer That project was held up by compliance.
DevSecOps @ElizAyer In order to be compliant, you generally need controls or a POAM - a Plan of Action and Milestones.
DevSecOps @ElizAyer In order to agree what to POAM, you need a threat model.
How to get towards DevSecOps
DevSecOps @ElizAyer Threat modeling: the key to initiating DevSecOps
Help translate fears into a threat model.
Help translate fears into a threat model.
Help translate fears into a threat model. 1 2 3
What is a threat model? (OWASP) “Most of the time, a threat model includes: ● A description / design / model of what you’re worried about ● A list of assumptions that can be checked or challenged in the future as the threat landscape changes ● A list of potential threats to the system ● A list of actions to be taken for each threat ● A way of validating the model and threats, and verification of success of actions taken Our motto is: Threat modelling: the sooner the better, but never too late.” https://www.owasp.org/index.php/Application_Threat_Modeling
Threat Modelling Exercise: Your trip home from Agile 2019 (from here to when you walk in your front door). 1. What could go wrong? DevSecOps @ElizAyer
What could go wrong Agile 2019-> Home [Crowdsourced] ● Flight delay, cancelled, ● TSA ● Lost luggage, passport/id ● Forget keys (house, car) ● Random act of violence ● Shut down freeways/metro, beltway traffic ● Car accident ● Personal sickness ● Lose your phone - ● GPS malfunction ● ● Wrong airport ● Alien abduction ● Uber goes out of business ● Water taxi piracy ● Car stolen/hacked ● Call from work for actual problem, miss transport ● Oversleep ●
Threat Modelling Exercise: Your trip home from Agile 2019 (from here to when you walk in your front door). 2. What could you do to prevent or mitigate the threats? DevSecOps @ElizAyer
For me…. I would have threat modelled car accidents, traffic, missed or delayed flights…. DevSecOps @ElizAyer
For me what did happen I failed to get permissions until literally the last possible second. All sane flights were gone by the time I could book them. I did my best and ended up with two separate bookings. SeaTac immigration was a madhouse, and I missed the second. They booked me into a hotel room without a bed or shower. I’ve revised my threat model DevSecOps @ElizAyer
Why do threat modeling? (OWASP) ● Build a secure design ● Efficient investment of resources; appropriately prioritize security, development, and other tasks ● Bring Security and Development together to collaborate on a shared understanding, informing development of the system ● Identify threats and compliance requirements, and evaluate their risk ● Define and build required controls. ● Balance risks, controls, and usability ● Identify where building a control is unnecessary, based on acceptable risk ● Identification of security test cases / security test scenarios to test the security requirements https://www.owasp.org/index.php/Application_Threat_Modeling (abridged)
Identify & prioritize security improvements https://tech.gsa.gov/guides/dev_sec_ops_guide/
Identify & prioritize security improvements
Identify & prioritize security improvements Case study: DevOps and Security on a Small Team by Aidan Feldman, 18F
In Summary... To fully realize the joint benefits of speed and reliability, Security/Compliance must be brought into DevOps…
In Summary... Incorporating Security is primarily a people activity. Threat modelling helps develop a shared language and set of concerns...
In Summary... But Security is typically severely underresourced compared to Development, so we can’t use the same team structures. We need: 1) Basic dev team security education 2) Dev team access to expertise 3) Enough security capacity to engage … which generally requires Senior Management Support!
In Summary... Automation helps scale security. You’ll get the most out of your tools investment by prioritizing according to your threat model, involving Security and Product.
DevSecOps @ElizAyer DevSecOps is... Development + Security + Operations = Safer Software Sooner
DevSecOps @ElizAyer Resources! DevSecOps: The Missing Link in Delivering on the Promise of Business Velocity (Webinar feat. @realgenekim @wickett) https://xebialabs.com/community/webinars/devsecops-missing-li nk-of-business-velocity/ The Open Web Application Security Project https://www.owasp.org/ GSA DevSecOps Guide https://tech.gsa.gov/guides/dev_sec_ops_guide/ Agile Application Security (Book) https://www.oreilly.com/library/view/agile-application-security/9781491938836/
Discussion

Recommended

DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
DevOps Indonesia
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
Amazon Web Services
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
Sonatype
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
Tej Luthra
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
NotSoSecure Global Services
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
DevOps Indonesia
 

Recommended

DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
DevOps Indonesia
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
Amazon Web Services
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
Sonatype
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
Tej Luthra
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
NotSoSecure Global Services
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
DevOps Indonesia
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOps
Opsta
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
Stefan Streichsbier
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Joel Divekar
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introduction
Stefan Streichsbier
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
Derek E. Weeks
 
Using the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingUsing the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modeling
Eric Jernigan MSIA, CISSP, CISM, CRISC
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfianto
idsecconf
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
abhimanyubhogwan
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
Hendri Karisma
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
Sonatype
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Amazon Web Services
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
Siddharth Joshi
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009
Security Ninja
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery
devopsdaysaustin
 

More Related Content

What's hot

Using the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingUsing the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modeling
Eric Jernigan MSIA, CISSP, CISM, CRISC
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 

What's hot (20)

[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOps
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introduction
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
 
Using the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingUsing the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modeling
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
 
Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfianto
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
 

Similar to DevSecOps at Agile 2019

2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery
devopsdaysaustin
 
Defining DevSecOps
Defining DevSecOpsDefining DevSecOps
Defining DevSecOps
Uchit Vyas ☁
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
Aaron Rinehart
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
Mike Spaulding
 

Similar to DevSecOps at Agile 2019 (20)

The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdf_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdf
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
 
Continuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityContinuous security testing - sharing responsibility
Continuous security testing - sharing responsibility
 
Defining DevSecOps
Defining DevSecOpsDefining DevSecOps
Defining DevSecOps
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
 
Just4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsJust4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applications
 
DevOps for Defenders in the Enterprise
DevOps for Defenders in the EnterpriseDevOps for Defenders in the Enterprise
DevOps for Defenders in the Enterprise
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOps
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
 
Threat Modeling All Day!
Threat Modeling All Day!Threat Modeling All Day!
Threat Modeling All Day!
 

More from Elizabeth Ayer

Agile Traps: Common practices that wreck teams (Lesbians Who Tech 2020)
Agile Traps: Common practices that wreck teams (Lesbians Who Tech 2020)Agile Traps: Common practices that wreck teams (Lesbians Who Tech 2020)
Agile Traps: Common practices that wreck teams (Lesbians Who Tech 2020)
Elizabeth Ayer
 
FlowCon 2019 - Beyond the Black Hole: Product Management for Continuous Delivery
FlowCon 2019 - Beyond the Black Hole: Product Management for Continuous DeliveryFlowCon 2019 - Beyond the Black Hole: Product Management for Continuous Delivery
FlowCon 2019 - Beyond the Black Hole: Product Management for Continuous Delivery
Elizabeth Ayer
 
Continuous Product Management (Industry 2019)
Continuous Product Management (Industry 2019)Continuous Product Management (Industry 2019)
Continuous Product Management (Industry 2019)
Elizabeth Ayer
 
ABCDs of Database Development
ABCDs of Database DevelopmentABCDs of Database Development
ABCDs of Database Development
Elizabeth Ayer
 
Zen and the Art of Continuous Delivery - Elizabeth Ayer
Zen and the Art of Continuous Delivery - Elizabeth AyerZen and the Art of Continuous Delivery - Elizabeth Ayer
Zen and the Art of Continuous Delivery - Elizabeth Ayer
Elizabeth Ayer
 

More from Elizabeth Ayer (12)

Too many cooks or not enough kitchens?
Too many cooks or not enough kitchens?Too many cooks or not enough kitchens?
Too many cooks or not enough kitchens?
 
Ethics of Influence
Ethics of InfluenceEthics of Influence
Ethics of Influence
 
Remote work a year on (FCW)
Remote work a year on (FCW)Remote work a year on (FCW)
Remote work a year on (FCW)
 
Managing Remote Teams
Managing Remote TeamsManaging Remote Teams
Managing Remote Teams
 
Agile Traps: Common practices that wreck teams (Lesbians Who Tech 2020)
Agile Traps: Common practices that wreck teams (Lesbians Who Tech 2020)Agile Traps: Common practices that wreck teams (Lesbians Who Tech 2020)
Agile Traps: Common practices that wreck teams (Lesbians Who Tech 2020)
 
FlowCon 2019 - Beyond the Black Hole: Product Management for Continuous Delivery
FlowCon 2019 - Beyond the Black Hole: Product Management for Continuous DeliveryFlowCon 2019 - Beyond the Black Hole: Product Management for Continuous Delivery
FlowCon 2019 - Beyond the Black Hole: Product Management for Continuous Delivery
 
Continuous Product Management (Industry 2019)
Continuous Product Management (Industry 2019)Continuous Product Management (Industry 2019)
Continuous Product Management (Industry 2019)
 
The A-word Agile and Beyond 2019
The A-word Agile and Beyond 2019The A-word Agile and Beyond 2019
The A-word Agile and Beyond 2019
 
Uncle Sam's Recipe (Mile High Agile)
Uncle Sam's Recipe (Mile High Agile)Uncle Sam's Recipe (Mile High Agile)
Uncle Sam's Recipe (Mile High Agile)
 
Aitc2018 ux impact - elizabeth ayer
Aitc2018 ux impact - elizabeth ayer Aitc2018 ux impact - elizabeth ayer
Aitc2018 ux impact - elizabeth ayer
 
ABCDs of Database Development
ABCDs of Database DevelopmentABCDs of Database Development
ABCDs of Database Development
 
Zen and the Art of Continuous Delivery - Elizabeth Ayer
Zen and the Art of Continuous Delivery - Elizabeth AyerZen and the Art of Continuous Delivery - Elizabeth Ayer
Zen and the Art of Continuous Delivery - Elizabeth Ayer
 

Recently uploaded

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 

Recently uploaded (20)

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 

DevSecOps at Agile 2019