SlideShare una empresa de Scribd logo

Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Practices

Descargar como PPTX, PDF
Akond Rahman
Akond Rahman

In organizations that use DevOps practices, software changes can be deployed as fast as 500 times or more per day. Without adequate involvement of the security team, rapidly deployed software changes are more likely to contain vulnerabilities due to lack of adequate reviews. The goal of this paper is to aid software practitioners in integrating security and DevOps by summarizing experiences in utilizing security practices in a DevOps environment. We analyzed a selected set of Internet artifacts and surveyed representatives of nine organizations that are using DevOps to systematically explore experiences in utilizing security practices. We observe that the majority of the software practitioners have expressed the potential of common DevOps activities, such as automated monitoring, to improve the security of a system. Furthermore, organizations that integrate DevOps and security utilize additional security activities, such as security requirements analysis and performing security configurations. Additionally, these teams also have established collaboration between the security team and the development and operations teams.

Tecnología
1 de 22
1 Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Practice Akond Rahman(aarahman@ncsu.edu), and Laurie Williams Department of Computer Science, North Carolina State University
2 Why Security in DevOps? • Ensuring quality even when software deployment is rapid • Adoption concerns
3 Research Objective Aid software practitioners in integrating security and DevOps by summarizing experiences in utilizing security practices in a DevOps environment.
4 Background • DevSecOps is the concept of integrating security principles through increased collaboration • We differentiate between ‘activity’, and ‘security practice’. – A DevOps activity focuses on achieving a small, well- defined goal that has a tangible output. – A security practice is a collection of activities that can be grouped based on existing similarities within those activities.
5 Our Contributions • A list of DevOps activities that might have a positive and negative impact • A list of security practices and an analysis of how they are used in DevOps organizations • An analysis that quantifies the levels of collaboration
6 Research Questions • RQ1: Perception. How do software practitioners perceive the integration of DevOps and security? What DevOps related activities contribute to those perceptions? • RQ2: Security Practices. What security practices are used by organizations that integrate security into DevOps?
7 Methodology 66 Internet artifacts66 Internet Artifacts Nine DevOps Organizations
8 RQ1: Identified Perceptions • Positive Perceptions – Use of automated monitoring – Use of automated pipeline to deploy software – Automatic deployment of software – Automatic testing of software changes – Delivering software in small increments
9 RQ1: Identified Perceptions • Negative Perceptions – Use of immature automated deployment tools – Use of inappropriate software metrics – Inadequate monitoring of collaboration
10 RQ2: Identified Automated Activities • Automation of Code Review • Automation of Monitoring • Automation of Software defined Firewall • Automation of Software Licensing • Automation of Testing
11 RQ2: Identified Non-Automated Activities • Design Review • Input Validation • Isolation of Untrusted Inputs • Performing Compliance Requirements • Performing Security Configurations • Performing Security Policies • Security Requirements Analysis • Performing Manual Security Tests • Risk Analysis • Threat Modeling
12 RQ1: Empirical Findings – Positive Aspects (Internet Artifacts) 0 1 2 3 4 5 6 7 8 9 10 Automated monitoring Automated pipeline Automated deployment Automated testing Delivering software in small increments CountofInternetArtifacts
13 RQ1: Empirical Findings – Negative Aspects (Internet Artifacts) 0 1 2 Use of immature automated deployment tools Use of inappropriate software metrics Inadequate monitoring of collaboration CountofInternetArtifacts
14 RQ2: Empirical Findings – Automation Practices (Internet Artifacts) 0 2 4 6 8 10 12 14 16 18 20 Automation of monitoring Automation of testing Automation of code review Automation of software licensing Automation of software defined firewall CountofInternetArtifacts
15 RQ2: Empirical Findings – Non Automation Practices (Internet Artifacts) 0 1 2 3 4 5 6 Security requirements analysis Performing security configurations Performing security policies Performing manual security tests Performing compliance requirements Design review Input validation Isolation of untrusted inputs Threat modeling Risk analysis CountofInternetArtifacts
16 RQ1: Empirical Findings – Positive Aspects (Survey) 0 1 2 3 4 5 6 7 8 9 Use of automated monitoring Use of automated pipeline to deploy software Automatic deployment of software Automatic testing of software changes Delivering software in small increments CountofOrganizations Yes No
17 0 1 2 3 4 5 6 7 8 9 Automation of monitoring Automation of testing Automation of code review Automation of software defined firewall Automation of software licensing CountofOrganizations Yes No RQ2: Empirical Findings – Automation Practices (Survey)
18 0 1 2 3 4 5 6 7 8 9 Performing security policies Performing manual security tests Input validation Performing compliance requirements Performing security configurations Risk analysis Isolation of untrusted inputs Threat modeling Design review Security requirements analysis CountofOrganizations Yes No RQ2: Empirical Findings – Non Automation Practices (Survey)
19 0 1 2 3 4 5 6 7 8 9 Dev&Ops Dev&Sec Sec&Ops CountofOrganizations Lowest Low Moderate High Highest RQ2: Empirical Findings – Collaboration (Survey)
20 Summary • Answer to RQ1: – A certain set of DevOps activities are perceived to be beneficial for system’s security • Answer to RQ2: – A certain set of DevOps specific automated and non-automated activities are used to implement security – Moderate to strong collaboration exists between teams
21 Limitations • Incomprehensive set of Internet artifacts • Incomprehensive set of security practices • Generalizability of empirical findings • Impact of collaboration on practice usage
22 Conclusion • Commonly used DevOps activities can be helpful to a system’s security. • Security teams actively collaborate with development and operations teams in established DevOps organizations. • Security awareness is prevalent amongst established DevOps organizations

Recomendados

Splitting The Check On Compliance and Security
Splitting The Check On Compliance and SecuritySplitting The Check On Compliance and Security
Splitting The Check On Compliance and SecurityNew Relic
 
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...Black Duck by Synopsys
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case StudyAndy Hoernecke
 
Key Findings from the 2019 State of DevOps Report
Key Findings from the 2019 State of DevOps ReportKey Findings from the 2019 State of DevOps Report
Key Findings from the 2019 State of DevOps ReportPuppet
 
DevSecOps: Security and Compliance at the Speed of Continuous Delivery
DevSecOps: Security and Compliance at the Speed of Continuous DeliveryDevSecOps: Security and Compliance at the Speed of Continuous Delivery
DevSecOps: Security and Compliance at the Speed of Continuous DeliveryDag Rowe
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle1&1
 
A Brief Insight into Penetration Testing
A Brief Insight into Penetration TestingA Brief Insight into Penetration Testing
A Brief Insight into Penetration TestingVikram Khanna
 
Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0Network Intelligence India
 

Recomendados

Splitting The Check On Compliance and Security
Splitting The Check On Compliance and SecuritySplitting The Check On Compliance and Security
Splitting The Check On Compliance and SecurityNew Relic
 
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...Black Duck by Synopsys
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case StudyAndy Hoernecke
 
Key Findings from the 2019 State of DevOps Report
Key Findings from the 2019 State of DevOps ReportKey Findings from the 2019 State of DevOps Report
Key Findings from the 2019 State of DevOps ReportPuppet
 
DevSecOps: Security and Compliance at the Speed of Continuous Delivery
DevSecOps: Security and Compliance at the Speed of Continuous DeliveryDevSecOps: Security and Compliance at the Speed of Continuous Delivery
DevSecOps: Security and Compliance at the Speed of Continuous DeliveryDag Rowe
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle1&1
 
A Brief Insight into Penetration Testing
A Brief Insight into Penetration TestingA Brief Insight into Penetration Testing
A Brief Insight into Penetration TestingVikram Khanna
 
Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0Network Intelligence India
 
Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLCNazar Tymoshyk, CEH, Ph.D.
 
Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Imola Informatica
 
[Europe merge world tour] Coverity Development Testing
[Europe merge world tour] Coverity Development Testing[Europe merge world tour] Coverity Development Testing
[Europe merge world tour] Coverity Development TestingPerforce
 
Information Security Incidents Survey in Russia
Information Security Incidents Survey in RussiaInformation Security Incidents Survey in Russia
Information Security Incidents Survey in RussiaPositive Hack Days
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour... The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...WhiteSource
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life CycleMaurice Dawson
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLCChitpong Wuttanan
 
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"WrikeTechClub
 
Applying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.MonateApplying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.MonateMahaut Gouhier
 
Efforts in Scaling Application Security Programs
Efforts in Scaling Application Security ProgramsEfforts in Scaling Application Security Programs
Efforts in Scaling Application Security ProgramsEric Fay
 
Security testing-What can we do - Trinh Minh Hien
Security testing-What can we do - Trinh Minh HienSecurity testing-What can we do - Trinh Minh Hien
Security testing-What can we do - Trinh Minh HienHo Chi Minh City Software Testing Club
 
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Great Wide Open
 
What’s making way for secure sdlc
What’s making way for secure sdlcWhat’s making way for secure sdlc
What’s making way for secure sdlcAvancercorp
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
TSS - App Penetration Testing Services
TSS - App Penetration Testing ServicesTSS - App Penetration Testing Services
TSS - App Penetration Testing ServicesAhmad Sharaf
 
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...North Texas Chapter of the ISSA
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'Positive Hack Days
 
Spirent: The Internet of Things: The Expanded Security Perimeter
Spirent: The Internet of Things: The Expanded Security Perimeter Spirent: The Internet of Things: The Expanded Security Perimeter
Spirent: The Internet of Things: The Expanded Security Perimeter Sailaja Tennati
 
OpenSourceSecurityTools - UPDATED
OpenSourceSecurityTools - UPDATEDOpenSourceSecurityTools - UPDATED
OpenSourceSecurityTools - UPDATEDSparsh Raj
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCigital
 
Beschikbaar jr. HBO Netwerk/Security/DevOps Engineer
Beschikbaar jr. HBO Netwerk/Security/DevOps EngineerBeschikbaar jr. HBO Netwerk/Security/DevOps Engineer
Beschikbaar jr. HBO Netwerk/Security/DevOps EngineerMarc Servaes (06-47841367)
 
Devops/Sysops security
Devops/Sysops securityDevops/Sysops security
Devops/Sysops securityLogicaltrust pl
 

Más contenido relacionado

La actualidad más candente

Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Imola Informatica
 
[Europe merge world tour] Coverity Development Testing
[Europe merge world tour] Coverity Development Testing[Europe merge world tour] Coverity Development Testing
[Europe merge world tour] Coverity Development TestingPerforce
 
Information Security Incidents Survey in Russia
Information Security Incidents Survey in RussiaInformation Security Incidents Survey in Russia
Information Security Incidents Survey in RussiaPositive Hack Days
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour... The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...WhiteSource
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life CycleMaurice Dawson
 
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"WrikeTechClub
 
Applying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.MonateApplying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.MonateMahaut Gouhier
 
Efforts in Scaling Application Security Programs
Efforts in Scaling Application Security ProgramsEfforts in Scaling Application Security Programs
Efforts in Scaling Application Security ProgramsEric Fay
 
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Great Wide Open
 
What’s making way for secure sdlc
What’s making way for secure sdlcWhat’s making way for secure sdlc
What’s making way for secure sdlcAvancercorp
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
TSS - App Penetration Testing Services
TSS - App Penetration Testing ServicesTSS - App Penetration Testing Services
TSS - App Penetration Testing ServicesAhmad Sharaf
 
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...North Texas Chapter of the ISSA
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'Positive Hack Days
 
Spirent: The Internet of Things: The Expanded Security Perimeter
Spirent: The Internet of Things: The Expanded Security Perimeter Spirent: The Internet of Things: The Expanded Security Perimeter
Spirent: The Internet of Things: The Expanded Security Perimeter Sailaja Tennati
 
OpenSourceSecurityTools - UPDATED
OpenSourceSecurityTools - UPDATEDOpenSourceSecurityTools - UPDATED
OpenSourceSecurityTools - UPDATEDSparsh Raj
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCigital
 

La actualidad más candente (20)

Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
 
Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018
 
[Europe merge world tour] Coverity Development Testing
[Europe merge world tour] Coverity Development Testing[Europe merge world tour] Coverity Development Testing
[Europe merge world tour] Coverity Development Testing
 
Information Security Incidents Survey in Russia
Information Security Incidents Survey in RussiaInformation Security Incidents Survey in Russia
Information Security Incidents Survey in Russia
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour... The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLC
 
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
 
Applying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.MonateApplying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.Monate
 
Efforts in Scaling Application Security Programs
Efforts in Scaling Application Security ProgramsEfforts in Scaling Application Security Programs
Efforts in Scaling Application Security Programs
 
Security testing-What can we do - Trinh Minh Hien
Security testing-What can we do - Trinh Minh HienSecurity testing-What can we do - Trinh Minh Hien
Security testing-What can we do - Trinh Minh Hien
 
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
 
What’s making way for secure sdlc
What’s making way for secure sdlcWhat’s making way for secure sdlc
What’s making way for secure sdlc
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLC
 
TSS - App Penetration Testing Services
TSS - App Penetration Testing ServicesTSS - App Penetration Testing Services
TSS - App Penetration Testing Services
 
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
 
Spirent: The Internet of Things: The Expanded Security Perimeter
Spirent: The Internet of Things: The Expanded Security Perimeter Spirent: The Internet of Things: The Expanded Security Perimeter
Spirent: The Internet of Things: The Expanded Security Perimeter
 
OpenSourceSecurityTools - UPDATED
OpenSourceSecurityTools - UPDATEDOpenSourceSecurityTools - UPDATED
OpenSourceSecurityTools - UPDATED
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself Secure
 

Destacado

Beschikbaar jr. HBO Netwerk/Security/DevOps Engineer
Beschikbaar jr. HBO Netwerk/Security/DevOps EngineerBeschikbaar jr. HBO Netwerk/Security/DevOps Engineer
Beschikbaar jr. HBO Netwerk/Security/DevOps EngineerMarc Servaes (06-47841367)
 
Application Secret Management with KMS
Application Secret Management with KMSApplication Secret Management with KMS
Application Secret Management with KMSSonatype
 
My Little Webap - DevOpsSec is Magic
My Little Webap - DevOpsSec is MagicMy Little Webap - DevOpsSec is Magic
My Little Webap - DevOpsSec is MagicApollo Clark
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanSonatype
 
The Retail Enterprise - And the rise of the omni-present consumer Part 2
The Retail Enterprise - And the rise of the omni-present consumer Part 2The Retail Enterprise - And the rise of the omni-present consumer Part 2
The Retail Enterprise - And the rise of the omni-present consumer Part 2Zensar Technologies Ltd.
 
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...Christian Schneider
 
Meta Infrastructure as Code: How Capital One Automated Our Automation Tools w...
Meta Infrastructure as Code: How Capital One Automated Our Automation Tools w...Meta Infrastructure as Code: How Capital One Automated Our Automation Tools w...
Meta Infrastructure as Code: How Capital One Automated Our Automation Tools w...Sonatype
 
Security and dev ops for high velocity organizations
Security and dev ops for high velocity organizationsSecurity and dev ops for high velocity organizations
Security and dev ops for high velocity organizationsChef
 
Security, Identity, and DevOps, oh my - Print
Security, Identity, and DevOps, oh my - PrintSecurity, Identity, and DevOps, oh my - Print
Security, Identity, and DevOps, oh my - PrintChris Sanchez
 
DevOps and IT security
DevOps and IT securityDevOps and IT security
DevOps and IT securitych.osme
 
Prepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/GreenPrepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/GreenSonatype
 
DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)Arjun Comar
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckBlack Duck by Synopsys
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Denim Group
 
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
Release Engineering & Rugged DevOps: An Intersection - J. Paul ReedRelease Engineering & Rugged DevOps: An Intersection - J. Paul Reed
Release Engineering & Rugged DevOps: An Intersection - J. Paul ReedSeniorStoryteller
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSSonatype
 
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel DiscussionScaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel DiscussionSeniorStoryteller
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecureSecurity & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecurePuppet
 

Destacado (20)

Beschikbaar jr. HBO Netwerk/Security/DevOps Engineer
Beschikbaar jr. HBO Netwerk/Security/DevOps EngineerBeschikbaar jr. HBO Netwerk/Security/DevOps Engineer
Beschikbaar jr. HBO Netwerk/Security/DevOps Engineer
 
Devops/Sysops security
Devops/Sysops securityDevops/Sysops security
Devops/Sysops security
 
Application Secret Management with KMS
Application Secret Management with KMSApplication Secret Management with KMS
Application Secret Management with KMS
 
My Little Webap - DevOpsSec is Magic
My Little Webap - DevOpsSec is MagicMy Little Webap - DevOpsSec is Magic
My Little Webap - DevOpsSec is Magic
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris Swan
 
Devops security
Devops securityDevops security
Devops security
 
The Retail Enterprise - And the rise of the omni-present consumer Part 2
The Retail Enterprise - And the rise of the omni-present consumer Part 2The Retail Enterprise - And the rise of the omni-present consumer Part 2
The Retail Enterprise - And the rise of the omni-present consumer Part 2
 
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
 
Meta Infrastructure as Code: How Capital One Automated Our Automation Tools w...
Meta Infrastructure as Code: How Capital One Automated Our Automation Tools w...Meta Infrastructure as Code: How Capital One Automated Our Automation Tools w...
Meta Infrastructure as Code: How Capital One Automated Our Automation Tools w...
 
Security and dev ops for high velocity organizations
Security and dev ops for high velocity organizationsSecurity and dev ops for high velocity organizations
Security and dev ops for high velocity organizations
 
Security, Identity, and DevOps, oh my - Print
Security, Identity, and DevOps, oh my - PrintSecurity, Identity, and DevOps, oh my - Print
Security, Identity, and DevOps, oh my - Print
 
DevOps and IT security
DevOps and IT securityDevOps and IT security
DevOps and IT security
 
Prepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/GreenPrepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/Green
 
DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
 
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
Release Engineering & Rugged DevOps: An Intersection - J. Paul ReedRelease Engineering & Rugged DevOps: An Intersection - J. Paul Reed
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
 
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel DiscussionScaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecureSecurity & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
 

Similar a Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Practices

Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product SecuritySoftServe
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesBlack Duck by Synopsys
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingBlack Duck by Synopsys
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceTej Luthra
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Amazon Web Services
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationPuppet
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Denim Group
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps TransformationMichele Chubirka
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
How Automation Can Improve Your DevOps Security
How Automation Can Improve Your DevOps SecurityHow Automation Can Improve Your DevOps Security
How Automation Can Improve Your DevOps SecurityDev Software
 
Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveSecurity as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveApigee | Google Cloud
 
PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?Black Duck by Synopsys
 
Dev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owaspDev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owaspDag Rowe
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsDicodingEvent
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
Splitting the Check on Compliance and Security
Splitting the Check on Compliance and SecuritySplitting the Check on Compliance and Security
Splitting the Check on Compliance and SecurityJason Chan
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSoftServe
 

Similar a Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Practices (20)

Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best Practices
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
 
How Automation Can Improve Your DevOps Security
How Automation Can Improve Your DevOps SecurityHow Automation Can Improve Your DevOps Security
How Automation Can Improve Your DevOps Security
 
Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveSecurity as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO Perspective
 
PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?
 
Dev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owaspDev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owasp
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
 
Web Application Security Strategy
Web Application Security Strategy Web Application Security Strategy
Web Application Security Strategy
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
Splitting the Check on Compliance and Security
Splitting the Check on Compliance and SecuritySplitting the Check on Compliance and Security
Splitting the Check on Compliance and Security
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
 

Más de Akond Rahman

How Do Students Feel About Automated Security Static Analysis Exercises?
How Do Students Feel About Automated Security Static Analysis Exercises? How Do Students Feel About Automated Security Static Analysis Exercises?
How Do Students Feel About Automated Security Static Analysis Exercises? Akond Rahman
 
Exercise Perceptions: Experience Report From A Secure Software Development Co...
Exercise Perceptions: Experience Report From A Secure Software Development Co...Exercise Perceptions: Experience Report From A Secure Software Development Co...
Exercise Perceptions: Experience Report From A Secure Software Development Co...Akond Rahman
 
Under-reported Security Defects in Kubernetes Manifests
Under-reported Security Defects in Kubernetes ManifestsUnder-reported Security Defects in Kubernetes Manifests
Under-reported Security Defects in Kubernetes ManifestsAkond Rahman
 
Shhh!: Secret Management Practices for Infrastructure as Code
Shhh!: Secret Management Practices for Infrastructure as Code Shhh!: Secret Management Practices for Infrastructure as Code
Shhh!: Secret Management Practices for Infrastructure as Code Akond Rahman
 
Synthesizing Program Execution Time Discrepancies in Julia Used for Scientifi...
Synthesizing Program Execution Time Discrepancies in Julia Used for Scientifi...Synthesizing Program Execution Time Discrepancies in Julia Used for Scientifi...
Synthesizing Program Execution Time Discrepancies in Julia Used for Scientifi...Akond Rahman
 
Source Code Properties of Defective Infrastructure as Code Scripts
Source Code Properties of Defective Infrastructure as Code ScriptsSource Code Properties of Defective Infrastructure as Code Scripts
Source Code Properties of Defective Infrastructure as Code ScriptsAkond Rahman
 
Characteristics of Defective Infrastructure as Code Scripts in Continuous Dep...
Characteristics of Defective Infrastructure as Code Scripts in Continuous Dep...Characteristics of Defective Infrastructure as Code Scripts in Continuous Dep...
Characteristics of Defective Infrastructure as Code Scripts in Continuous Dep...Akond Rahman
 
What Questions Do Programmers Ask About Configuration as Code?
What Questions Do Programmers Ask About Configuration as Code?What Questions Do Programmers Ask About Configuration as Code?
What Questions Do Programmers Ask About Configuration as Code?Akond Rahman
 
Comprehension Effort and Programming Activities: Related? Or Not Related?
Comprehension Effort and Programming Activities: Related? Or Not Related?Comprehension Effort and Programming Activities: Related? Or Not Related?
Comprehension Effort and Programming Activities: Related? Or Not Related?Akond Rahman
 
Characterizing Defective Configuration Scripts Used for Continuous Deployment
Characterizing Defective Configuration Scripts Used for Continuous DeploymentCharacterizing Defective Configuration Scripts Used for Continuous Deployment
Characterizing Defective Configuration Scripts Used for Continuous DeploymentAkond Rahman
 
Predicting Android Application Security and Privacy Risk With Static Code Met...
Predicting Android Application Security and Privacy Risk With Static Code Met...Predicting Android Application Security and Privacy Risk With Static Code Met...
Predicting Android Application Security and Privacy Risk With Static Code Met...Akond Rahman
 
Which Factors Influence Practitioners' Usage of Build Automation Tools?
Which Factors Influence Practitioners' Usage of Build Automation Tools?Which Factors Influence Practitioners' Usage of Build Automation Tools?
Which Factors Influence Practitioners' Usage of Build Automation Tools?Akond Rahman
 
Synthesizing Continuous Deployment Practices in Software Development
Synthesizing Continuous Deployment Practices in Software DevelopmentSynthesizing Continuous Deployment Practices in Software Development
Synthesizing Continuous Deployment Practices in Software DevelopmentAkond Rahman
 

Más de Akond Rahman (13)

How Do Students Feel About Automated Security Static Analysis Exercises?
How Do Students Feel About Automated Security Static Analysis Exercises? How Do Students Feel About Automated Security Static Analysis Exercises?
How Do Students Feel About Automated Security Static Analysis Exercises?
 
Exercise Perceptions: Experience Report From A Secure Software Development Co...
Exercise Perceptions: Experience Report From A Secure Software Development Co...Exercise Perceptions: Experience Report From A Secure Software Development Co...
Exercise Perceptions: Experience Report From A Secure Software Development Co...
 
Under-reported Security Defects in Kubernetes Manifests
Under-reported Security Defects in Kubernetes ManifestsUnder-reported Security Defects in Kubernetes Manifests
Under-reported Security Defects in Kubernetes Manifests
 
Shhh!: Secret Management Practices for Infrastructure as Code
Shhh!: Secret Management Practices for Infrastructure as Code Shhh!: Secret Management Practices for Infrastructure as Code
Shhh!: Secret Management Practices for Infrastructure as Code
 
Synthesizing Program Execution Time Discrepancies in Julia Used for Scientifi...
Synthesizing Program Execution Time Discrepancies in Julia Used for Scientifi...Synthesizing Program Execution Time Discrepancies in Julia Used for Scientifi...
Synthesizing Program Execution Time Discrepancies in Julia Used for Scientifi...
 
Source Code Properties of Defective Infrastructure as Code Scripts
Source Code Properties of Defective Infrastructure as Code ScriptsSource Code Properties of Defective Infrastructure as Code Scripts
Source Code Properties of Defective Infrastructure as Code Scripts
 
Characteristics of Defective Infrastructure as Code Scripts in Continuous Dep...
Characteristics of Defective Infrastructure as Code Scripts in Continuous Dep...Characteristics of Defective Infrastructure as Code Scripts in Continuous Dep...
Characteristics of Defective Infrastructure as Code Scripts in Continuous Dep...
 
What Questions Do Programmers Ask About Configuration as Code?
What Questions Do Programmers Ask About Configuration as Code?What Questions Do Programmers Ask About Configuration as Code?
What Questions Do Programmers Ask About Configuration as Code?
 
Comprehension Effort and Programming Activities: Related? Or Not Related?
Comprehension Effort and Programming Activities: Related? Or Not Related?Comprehension Effort and Programming Activities: Related? Or Not Related?
Comprehension Effort and Programming Activities: Related? Or Not Related?
 
Characterizing Defective Configuration Scripts Used for Continuous Deployment
Characterizing Defective Configuration Scripts Used for Continuous DeploymentCharacterizing Defective Configuration Scripts Used for Continuous Deployment
Characterizing Defective Configuration Scripts Used for Continuous Deployment
 
Predicting Android Application Security and Privacy Risk With Static Code Met...
Predicting Android Application Security and Privacy Risk With Static Code Met...Predicting Android Application Security and Privacy Risk With Static Code Met...
Predicting Android Application Security and Privacy Risk With Static Code Met...
 
Which Factors Influence Practitioners' Usage of Build Automation Tools?
Which Factors Influence Practitioners' Usage of Build Automation Tools?Which Factors Influence Practitioners' Usage of Build Automation Tools?
Which Factors Influence Practitioners' Usage of Build Automation Tools?
 
Synthesizing Continuous Deployment Practices in Software Development
Synthesizing Continuous Deployment Practices in Software DevelopmentSynthesizing Continuous Deployment Practices in Software Development
Synthesizing Continuous Deployment Practices in Software Development
 

Último

WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 

Último (20)

WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Practices

  • 1. 1 Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Practice Akond Rahman(aarahman@ncsu.edu), and Laurie Williams Department of Computer Science, North Carolina State University
  • 2. 2 Why Security in DevOps? • Ensuring quality even when software deployment is rapid • Adoption concerns
  • 3. 3 Research Objective Aid software practitioners in integrating security and DevOps by summarizing experiences in utilizing security practices in a DevOps environment.
  • 4. 4 Background • DevSecOps is the concept of integrating security principles through increased collaboration • We differentiate between ‘activity’, and ‘security practice’. – A DevOps activity focuses on achieving a small, well- defined goal that has a tangible output. – A security practice is a collection of activities that can be grouped based on existing similarities within those activities.
  • 5. 5 Our Contributions • A list of DevOps activities that might have a positive and negative impact • A list of security practices and an analysis of how they are used in DevOps organizations • An analysis that quantifies the levels of collaboration
  • 6. 6 Research Questions • RQ1: Perception. How do software practitioners perceive the integration of DevOps and security? What DevOps related activities contribute to those perceptions? • RQ2: Security Practices. What security practices are used by organizations that integrate security into DevOps?
  • 7. 7 Methodology 66 Internet artifacts66 Internet Artifacts Nine DevOps Organizations
  • 8. 8 RQ1: Identified Perceptions • Positive Perceptions – Use of automated monitoring – Use of automated pipeline to deploy software – Automatic deployment of software – Automatic testing of software changes – Delivering software in small increments
  • 9. 9 RQ1: Identified Perceptions • Negative Perceptions – Use of immature automated deployment tools – Use of inappropriate software metrics – Inadequate monitoring of collaboration
  • 10. 10 RQ2: Identified Automated Activities • Automation of Code Review • Automation of Monitoring • Automation of Software defined Firewall • Automation of Software Licensing • Automation of Testing
  • 11. 11 RQ2: Identified Non-Automated Activities • Design Review • Input Validation • Isolation of Untrusted Inputs • Performing Compliance Requirements • Performing Security Configurations • Performing Security Policies • Security Requirements Analysis • Performing Manual Security Tests • Risk Analysis • Threat Modeling
  • 12. 12 RQ1: Empirical Findings – Positive Aspects (Internet Artifacts) 0 1 2 3 4 5 6 7 8 9 10 Automated monitoring Automated pipeline Automated deployment Automated testing Delivering software in small increments CountofInternetArtifacts
  • 13. 13 RQ1: Empirical Findings – Negative Aspects (Internet Artifacts) 0 1 2 Use of immature automated deployment tools Use of inappropriate software metrics Inadequate monitoring of collaboration CountofInternetArtifacts
  • 14. 14 RQ2: Empirical Findings – Automation Practices (Internet Artifacts) 0 2 4 6 8 10 12 14 16 18 20 Automation of monitoring Automation of testing Automation of code review Automation of software licensing Automation of software defined firewall CountofInternetArtifacts
  • 15. 15 RQ2: Empirical Findings – Non Automation Practices (Internet Artifacts) 0 1 2 3 4 5 6 Security requirements analysis Performing security configurations Performing security policies Performing manual security tests Performing compliance requirements Design review Input validation Isolation of untrusted inputs Threat modeling Risk analysis CountofInternetArtifacts
  • 16. 16 RQ1: Empirical Findings – Positive Aspects (Survey) 0 1 2 3 4 5 6 7 8 9 Use of automated monitoring Use of automated pipeline to deploy software Automatic deployment of software Automatic testing of software changes Delivering software in small increments CountofOrganizations Yes No
  • 17. 17 0 1 2 3 4 5 6 7 8 9 Automation of monitoring Automation of testing Automation of code review Automation of software defined firewall Automation of software licensing CountofOrganizations Yes No RQ2: Empirical Findings – Automation Practices (Survey)
  • 18. 18 0 1 2 3 4 5 6 7 8 9 Performing security policies Performing manual security tests Input validation Performing compliance requirements Performing security configurations Risk analysis Isolation of untrusted inputs Threat modeling Design review Security requirements analysis CountofOrganizations Yes No RQ2: Empirical Findings – Non Automation Practices (Survey)
  • 19. 19 0 1 2 3 4 5 6 7 8 9 Dev&Ops Dev&Sec Sec&Ops CountofOrganizations Lowest Low Moderate High Highest RQ2: Empirical Findings – Collaboration (Survey)
  • 20. 20 Summary • Answer to RQ1: – A certain set of DevOps activities are perceived to be beneficial for system’s security • Answer to RQ2: – A certain set of DevOps specific automated and non-automated activities are used to implement security – Moderate to strong collaboration exists between teams
  • 21. 21 Limitations • Incomprehensive set of Internet artifacts • Incomprehensive set of security practices • Generalizability of empirical findings • Impact of collaboration on practice usage
  • 22. 22 Conclusion • Commonly used DevOps activities can be helpful to a system’s security. • Security teams actively collaborate with development and operations teams in established DevOps organizations. • Security awareness is prevalent amongst established DevOps organizations

Notas del editor

  1. Image Reference: http://www.mmatechs.com/solutions.html http://www.gartner.com/newsroom/id/2867917 Gartner: a leading software engineering research and advisory company