Successful DevSecOps evolution through realistic expectations and company-wide transparency
by Dawid Bałut
The challenge
To build a DevSecOps roadmap that focuses on practicality and positive long-term influence at your organisation
Practical cyber resilience
1 security engineer vs 5 cybercriminals
OR
100 security-savvy software engineers + 1 security engineer vs 5 cybercriminals?
How to fail at DevSecOps
- believe in the power of one
- put processes and tools before humans
- plan in months instead of years
- underestimate the value of transparent communication
- distract yourself with the latest industry news
The closer you look, the less you see
99% of the things the TOP 1% of companies do aren’t practical for 99% of other companies,
unless you follow their path instead of trying to replicate the state of their destination.
Secure SDLC by Microsoft (2002)
How to increase the chances of success
for the DevSecOps evolution
- enable capable ones to become willing and able
- deploy automation and processes to support humans
- keep the whole organisation in sync with the evolution
- follow a multi-year long strategic roadmap
- be flexible by executing in weeks-long sprints
My TOP essentials
1. Educate all technical stakeholders, such as software engineers, QA testers, product owners and
engineering managers, on secure software engineering.
The training should cover secure programming as well as create awareness of corporate security
policies, procedures, processes and best practices. The goal is to give employees access to the
“bigger picture” mindset, enabling them to easily connect the dots going forward.
Security training should be conducted at least yearly, preferably in the form of interactive workshops.
Employees should have access to a comprehensive knowledge base, e.g. in the form of an e-learning
platform that allows ad-hoc access to specific modules, so employees can easily find the material
that’s actually relevant to their situation at a given moment.
My TOP essentials
2. Educate the business-oriented professionals on how important it is for them to support their tech
teams during their day-to-day work.
Management must be made aware and regularly reminded that in order to improve the company’s
cyber resilience, they are required to actually provide employees with the necessary resources to get
their job done.
Sometimes the best support one can provide is to stop themselves from creating additional
problems.
My TOP essentials
3. Each and every member of the Security Team must be aligned with the vision, because if you want
to earn the trust of the whole organisation, you need to act with integrity and consistency.
Security professionals shouldn’t be treated as an independent consultancy silo, but as teammates
like any other.
The goal is to make every employee feel like the security pros are there for them. Such an
atmosphere is created by infosec willingly sharing their knowledge and contributing to
engineering projects as subject matter experts in their respective domains.
My TOP essentials
4. Deploy systems and tools that give you a high level of insight into what’s going on at the
company. You want to know what changes are being made by engineers so you can react
appropriately, knowing that you can’t protect something if you don’t know it exists.
Once properly tuned and optimized, you can delegate the tool’s ownership to the relevant department
and delegate the issue’s remediation to the very person who introduced the malfunctioning change.
Avoid fixing everything in the dark: you want employees to be made aware and educated,
so they learn how they can do things better in the future.
My TOP essentials
5. Define minimum viable security requirements that must be met in each software- or
operations-related project.
You want to have a document or a system which allows engineers to easily comprehend the
compliance and infosec requirements expected of their contributions.
In an agile world, each back-and-forth with the security team is a waste of time, which is why all
documentation should be prepared upfront and delivered to the relevant stakeholders, so they don’t
resist working on security simply because they didn’t know where to look for help.
Create quality gates that define which risk levels should automatically fail the build and not allow
software to be deployed in the external environment.
As the signal to the algorithm making this decision, use the input from the automated systems for
code scanning, dynamic application security testing and config auditing, as well as from manual
testing.
My TOP essentials
6. Incorporate one-time manual and automated threat modeling and design reviews.
Reviewing software design at the earliest and final phases of the SDLC enables you to provide
contextual guidelines for development teams. It’ll also prepare the security department for the risks
associated with development of very specific software, so that you are prepared for the incidents
that are likely to arise around the mission-critical components.
You can get your security to the next level if you train product owners and systems architects how to
create threat models that allow them to perform risk analysis at lower cost, without direct
involvement of the security team.
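One way to make the threat modeling in essential 6 self-serve for product owners and architects is to let them describe the design's data flows as data and derive candidate STRIDE threats from a small rule catalogue. The example below is added here and is not the author's tooling; the flow attributes, the rules, the likelihood/impact scale and the sample design are all constructed assumptions, and a real catalogue would grow from the organisation's own incidents and reviews.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One data flow on the design diagram, as a product owner would describe it."""
    name: str
    crosses_boundary: bool   # enters from a less trusted zone (internet, partner network)
    authenticated: bool      # the receiving side verifies who is calling
    encrypted: bool          # confidentiality and integrity protection in transit
    logged: bool             # the action is recorded together with the acting identity
    sensitive: bool          # carries credentials, personal data or money-moving commands


@dataclass(frozen=True)
class Threat:
    flow: str
    category: str      # STRIDE letter
    description: str
    risk: int          # likelihood (1 or 3) * impact (1 or 3); constructed scale


# Each rule: (predicate over the flow, STRIDE category, description).
# Deliberately small; assumed rules for the example, not a complete catalogue.
RULES = [
    (lambda f: f.crosses_boundary and not f.authenticated, "S",
     "caller identity is not verified at a trust boundary"),
    (lambda f: not f.encrypted, "T",
     "data in transit can be modified undetected"),
    (lambda f: f.sensitive and not f.logged, "R",
     "sensitive action leaves no record of who performed it"),
    (lambda f: not f.encrypted and (f.sensitive or f.crosses_boundary), "I",
     "sensitive data is readable in transit"),
    (lambda f: f.crosses_boundary, "D",
     "externally reachable entry point needs rate limiting and quotas"),
    (lambda f: f.sensitive and not f.authenticated, "E",
     "privileged operation reachable without an identity to authorize"),
]


def analyze(flows):
    """Apply every rule to every flow; highest-risk threats first."""
    threats = []
    for f in flows:
        likelihood = 3 if f.crosses_boundary else 1   # reachable by outsiders
        impact = 3 if f.sensitive else 1              # what is at stake on the flow
        for pred, cat, desc in RULES:
            if pred(f):
                threats.append(Threat(f.name, cat, desc, likelihood * impact))
    return sorted(threats, key=lambda t: (-t.risk, t.flow, t.category))


def by_category(threats):
    """Count threats per STRIDE category, so a review can see where the design is weakest."""
    counts = {c: 0 for c in "STRIDE"}
    for t in threats:
        counts[t.category] += 1
    return counts


# Constructed sample design: a browser talking to an API over TLS, and the API
# talking to its database over an unencrypted internal link with no audit log.
SAMPLE_FLOWS = [
    Flow("browser->api", crosses_boundary=True, authenticated=True,
         encrypted=True, logged=True, sensitive=True),
    Flow("api->db", crosses_boundary=False, authenticated=True,
         encrypted=False, logged=False, sensitive=True),
]

if __name__ == "__main__":
    for t in analyze(SAMPLE_FLOWS):
        print(f"[{t.category}] risk={t.risk} {t.flow}: {t.description}")
    print(by_category(analyze(SAMPLE_FLOWS)))
```

The output for the sample design is one high-risk denial-of-service item on the internet-facing flow and three lower-risk tampering, repudiation and disclosure items on the internal database link; the point is that a product owner can produce this first pass alone, and the security team only needs to review the rule catalogue and the flows that score highest.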
My TOP essentials
7. Define benchmarks that will be enforced by automated systems built from the combined scanning tools.
If you’ve made people aware of the requirements and guided them for long enough, there comes a
point at which you should feel comfortable deploying systems that execute the verification for
you.
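Essentials 4, 5 and 7 together describe one mechanism: findings from code scanning, DAST, config auditing and manual testing feed a gate that fails the build above a risk threshold, and the blocking items are routed back to the engineer who introduced the change rather than fixed quietly by the security team. The script below is an added example of such a gate and is not the author's or any vendor's tooling; the tool names, their severity vocabularies, the JSON record shape, the threshold values and the sample findings are all constructed assumptions.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    INFO = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Finding:
    source: str        # which signal produced it: sast, dast, config or manual
    rule: str          # tool-specific rule or check name
    severity: Severity
    location: str
    author: str        # engineer whose change introduced it (assumed to come from VCS blame)


@dataclass
class GateResult:
    passed: bool
    blocking: list[Finding] = field(default_factory=list)
    remediation: dict[str, list[str]] = field(default_factory=dict)


# Every tool has its own severity vocabulary; the gate maps them onto one scale
# before any threshold is applied. The mapping is constructed for this example.
SEVERITY_MAP = {
    "sast":   {"error": Severity.HIGH, "warning": Severity.MEDIUM, "note": Severity.LOW},
    "dast":   {"high": Severity.HIGH, "medium": Severity.MEDIUM, "low": Severity.LOW,
               "informational": Severity.INFO},
    "config": {"critical": Severity.CRITICAL, "high": Severity.HIGH,
               "medium": Severity.MEDIUM, "low": Severity.LOW},
    "manual": {"critical": Severity.CRITICAL, "high": Severity.HIGH,
               "medium": Severity.MEDIUM, "low": Severity.LOW, "info": Severity.INFO},
}

# Policy for the external (customer-facing) environment; the values are assumptions.
EXTERNAL_POLICY = {"fail_at": Severity.HIGH, "max_medium": 5}


def normalize(reports: dict[str, list[dict]]) -> list[Finding]:
    """Turn per-tool raw records into Finding objects on the shared severity scale."""
    findings = []
    for source, records in reports.items():
        table = SEVERITY_MAP[source]
        for r in records:
            label = str(r["severity"]).lower()
            if label not in table:
                # An unmapped label is a gate bug, not a pass: fail closed.
                raise ValueError(f"{source}: unknown severity label {label!r}")
            findings.append(Finding(source, r["rule"], table[label], r["location"], r["author"]))
    return findings


def evaluate(findings: list[Finding], policy: dict) -> GateResult:
    """Any finding at or above fail_at blocks; exceeding the medium budget blocks too."""
    blocking = [f for f in findings if f.severity >= policy["fail_at"]]
    mediums = [f for f in findings if f.severity == Severity.MEDIUM]
    if len(mediums) > policy["max_medium"]:
        blocking.extend(mediums)
    # Group blocking items by the engineer who introduced them, so one ticket per
    # person can be raised and the fix (and the lesson) lands with them.
    owners: dict[str, list[str]] = defaultdict(list)
    for f in sorted(blocking, key=lambda f: (f.author, f.source, f.rule)):
        owners[f.author].append(f"{f.source}:{f.rule} @ {f.location}")
    return GateResult(passed=not blocking, blocking=blocking, remediation=dict(owners))


# Constructed sample reports, one record per tool, shaped like a normalized export.
SAMPLE_REPORTS = {
    "sast":   [{"rule": "sql-string-concat", "severity": "error", "location": "app/db.py:42", "author": "alice"}],
    "dast":   [{"rule": "missing-csp-header", "severity": "Low", "location": "/login", "author": "bob"}],
    "config": [{"rule": "bucket-public-read", "severity": "HIGH", "location": "bucket/logs", "author": "carol"}],
    "manual": [{"rule": "missing-authz-check", "severity": "medium", "location": "/orders", "author": "alice"}],
}


def run_gate(reports=SAMPLE_REPORTS, policy=EXTERNAL_POLICY) -> GateResult:
    return evaluate(normalize(reports), policy)


if __name__ == "__main__":
    result = run_gate()
    print("PASS" if result.passed else "FAIL")
    for author, items in result.remediation.items():
        print(f"  {author}: {', '.join(items)}")
```

Two design choices matter more than the thresholds themselves: the gate fails closed on a severity label it doesn't recognise, because a new tool version silently passing everything is exactly the failure mode a benchmark must not have, and the output is a remediation list keyed by author, which is what lets ownership of the tool and of the fixes move out of the security team once the gate is tuned.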
Simple starting points
1. Learn about and understand the existing software development practices, optimize the existing
processes first, and only then move on to adding more on top of them.
2. Educate everyone on the principles of the DevSecOps culture and perform the relevant training.
3. Incrementally implement new processes and automated systems that support software engineers in
writing and maintaining secure code and secure infrastructure.
Q & A
happy to answer all the questions you
may have :)
- Dawid Bałut