Video of the talk
Presentation: DevSecOps: What Why and How
AI Generated Content Disclaimer
Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.
This expanded 50-slide presentation by Anant Shrivastava at Black Hat USA 2019 provides a comprehensive guide to DevSecOps: integrating security into DevOps pipelines through both automation and cultural transformation. Building on the core “What, Why, and How” framework, this version adds significant depth with detailed breakdowns of each pipeline stage, language-specific tooling matrices, cloud-native DevSecOps implementations across AWS/Azure/GCP, sample lab demonstrations for Ruby/PHP/Python/Node.js, real-world case studies from organizations like Fannie Mae and ABN Amro, and a critical discussion on securing the security toolchain itself (“Who Watches the Watcher”). The presentation positions DevSecOps as a multi-pillar strategy encompassing People, Process, and Technology.
DevSecOps Defined: An effort to achieve “Secure by Default” by integrating security via tools, creating a Security as Code culture, and promoting cross-skilling. DevSecOps makes it easier to manage the rapid pace of development and enables smoother scaling of secure deployments.
The Shift Left Business Case: Finding a single SQL injection earlier in the pipeline (at the developer/source code stage) requires fewer man-days of effort, eliminates the need for new deployments, and can be caught through automated source code review, dramatically reducing cost compared to discovering it in production penetration testing.
Complete DevSecOps Pipeline Architecture: The presentation details security integration at every stage:
Tools of the Trade: Organized by category with preference for open-source:
Pipeline Tool Criteria: API/CLI access, 15-minute maximum execution time, containerizable/scriptable, minimal licensing limitations, machine-readable output (JSON/XML), and configurable for false positive/negative management.
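The criteria above (a hard time budget, machine-readable output, and a managed false-positive list) are easiest to see in a small gate. The following is an added illustration, not code from the talk: it assumes a hypothetical scanner CLI that prints a JSON document of the form `{"findings": [{"rule", "severity", "file", "line"}, ...]}`, enforces the 15-minute ceiling via `subprocess`, and suppresses known false positives by rule-plus-location rather than by rule alone, so one documented exception cannot silence the same rule across the whole codebase. The sample findings and suppression register are constructed.

```python
import json
import subprocess
import sys
from typing import Dict, List

MAX_RUNTIME_SECONDS = 15 * 60   # the 15-minute ceiling from the tool criteria
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def run_scanner(cmd: List[str], timeout: int = MAX_RUNTIME_SECONDS) -> dict:
    """Run a scanner CLI and parse its JSON stdout.

    Exceeding the time budget is treated as a pipeline error rather than a
    silent pass, so a hung tool cannot let a build through unscanned.
    """
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout, check=False)
    except subprocess.TimeoutExpired as exc:
        raise RuntimeError(f"{cmd[0]} exceeded the {timeout}s budget") from exc
    try:
        return json.loads(proc.stdout)
    except json.JSONDecodeError as exc:
        raise RuntimeError(f"{cmd[0]} did not emit machine-readable JSON") from exc


def finding_key(f: dict) -> str:
    """Stable identity for a finding: rule id plus location, so a suppression
    written for one occurrence does not silence the same rule everywhere."""
    return f"{f['rule']}@{f['file']}:{f.get('line', 0)}"


def triage(findings: List[dict], suppressions: Dict[str, str],
           fail_at: str = "high") -> dict:
    """Split findings into actionable vs. suppressed and decide the gate.

    suppressions maps finding_key -> documented reason (the false-positive
    register). The gate fails when any unsuppressed finding is at or above
    fail_at severity.
    """
    actionable, suppressed = [], []
    for f in findings:
        (suppressed if finding_key(f) in suppressions else actionable).append(f)
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in actionable
                if SEVERITY_RANK.get(f.get("severity", "low"), 0) >= threshold]
    return {"passed": not blocking, "blocking": blocking,
            "actionable": actionable, "suppressed": suppressed}


# Constructed sample output, in the shape the hypothetical scanner is assumed to emit.
SAMPLE_OUTPUT = {"findings": [
    {"rule": "sql-injection", "severity": "high", "file": "app/db.py", "line": 42},
    {"rule": "hardcoded-secret", "severity": "high", "file": "tests/fixtures.py", "line": 7},
    {"rule": "weak-hash", "severity": "medium", "file": "app/legacy.py", "line": 120},
]}

# Constructed false-positive register: a dummy credential in a test fixture is
# suppressed with a written reason; the SQL injection is not.
SAMPLE_SUPPRESSIONS = {
    "hardcoded-secret@tests/fixtures.py:7": "dummy credential in unit-test fixture",
}


def demo() -> dict:
    """Feed the constructed sample through the gate at the default 'high' threshold."""
    return triage(SAMPLE_OUTPUT["findings"], SAMPLE_SUPPRESSIONS)


def self_check() -> dict:
    """Exercise run_scanner offline by having this interpreter print empty JSON."""
    return run_scanner([sys.executable, "-c",
                        "import json; print(json.dumps({'findings': []}))"], timeout=30)


if __name__ == "__main__":
    result = demo()
    print("gate passed" if result["passed"] else "gate FAILED")
    for f in result["blocking"]:
        print(f"  {f['severity']:8} {finding_key(f)}")
    for f in result["suppressed"]:
        print(f"  suppressed {finding_key(f)}: {SAMPLE_SUPPRESSIONS[finding_key(f)]}")
```

The suppression register is data checked into the repository alongside the code, which is what makes false-positive management "configurable" in the sense the criteria ask for: each entry carries a reason and is reviewed like any other change, and a finding that moves to a new line no longer matches its old suppression.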
Pipeline Optimization Strategies: Tailor the pipeline based on the type of change: skip SCA for CSS-only changes, skip SAST for dependency-file-only changes (pom.xml/gradle), fast-track infrastructure scans when IaC has zero changes. Run the full unoptimized pipeline periodically to catch anything missed.
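The change-aware selection described above is a small classification step in front of the pipeline. This is an added example rather than the talk's own code: it buckets each changed file as style, dependency manifest, IaC or application code (the file-name and directory rules are assumptions to adapt to a repository's layout), applies the three shortcuts from the slide, and has a `scheduled_full_run` flag for the periodic unoptimized run that ignores the change set entirely.

```python
from pathlib import PurePosixPath
from typing import Dict, Iterable

# Assumed classification rules; adjust to the repository's layout.
DEPENDENCY_FILES = {
    "pom.xml", "build.gradle", "build.gradle.kts", "gradle.lockfile",
    "package.json", "package-lock.json", "yarn.lock",
    "requirements.txt", "Pipfile.lock", "Gemfile", "Gemfile.lock",
    "composer.json", "composer.lock", "go.sum", "packages.config",
}
STYLE_SUFFIXES = {".css", ".scss", ".sass", ".less"}
IAC_SUFFIXES = {".tf", ".tfvars"}
IAC_DIRS = {"terraform", "infra", "infrastructure", "cloudformation"}

STAGES = ("sast", "sca", "iac_scan")


def classify(path: str) -> str:
    """Bucket a changed file as 'style', 'dependency', 'iac' or 'code'."""
    p = PurePosixPath(path)
    if p.name in DEPENDENCY_FILES:
        return "dependency"
    if p.suffix in STYLE_SUFFIXES:
        return "style"
    if p.suffix in IAC_SUFFIXES or any(part in IAC_DIRS for part in p.parts[:-1]):
        return "iac"
    return "code"


def select_stages(changed_files: Iterable[str],
                  scheduled_full_run: bool = False) -> Dict[str, str]:
    """Return stage -> 'run' | 'skip' | 'fast' for this change set.

    scheduled_full_run=True is the periodic unoptimized run that catches
    anything the shortcuts missed; it ignores the change set entirely.
    """
    plan = {stage: "run" for stage in STAGES}
    if scheduled_full_run:
        return plan
    kinds = {classify(f) for f in changed_files}
    if kinds == {"style"}:        # CSS-only change: no dependency delta to analyse
        plan["sca"] = "skip"
    if kinds == {"dependency"}:   # manifest/lockfile-only change: no app code to analyse
        plan["sast"] = "skip"
    if "iac" not in kinds:        # infrastructure untouched: reuse the last scan result
        plan["iac_scan"] = "fast"
    return plan


if __name__ == "__main__":
    for files in (["web/static/site.css"], ["pom.xml"], ["infra/main.tf", "src/App.java"]):
        print(files, "->", select_stages(files))
    print("nightly ->", select_stages(["pom.xml"], scheduled_full_run=True))
```

Note that the shortcuts only fire when the whole change set is of one kind: a commit that touches a stylesheet and a Python file still runs SCA, since the Python change could introduce a new import. The `fast` mode for the IaC scan is left to the pipeline to interpret (reusing the previous run's result is the usual choice), and the scheduled full run is what keeps the classification rules honest if they drift out of step with the repository.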
Language-Specific Tool Matrix: Detailed breakdown across Java, PHP, Python, Ruby/Rails, .NET, and Node.js covering both SCA and SAST tools:
Cloud-Native DevSecOps: Comprehensive comparison table mapping conventional tools to cloud-native equivalents across AWS, Azure, and GCP for source code management, IaC, CI/CD, artifact repositories, staging/production servers, monitoring, firewalls, DLP, threat detection, vulnerability scanning, and secrets management.
Cloud Security Considerations: The threat landscape changes; focus on IAM, asset inventory, billing, security groups, permissions, rogue/shadow admins, and forgotten resources. Different providers approach security differently, but SAST, DAST, SCA, and vulnerability management tools still need to be sourced regardless of provider.
Security Enablers (People, Process, Technology):
Security Champions Program: A single person per team who bridges Dev, Sec, and Ops. Incentivize collaboration through internal bug bounties, sponsored social interactions, and cross-skilling training.
Real-World Case Studies: Positive examples from Fannie Mae and ABN Amro demonstrating successful DevSecOps adoption, plus negative case studies showing cloud asset misconfiguration and the consequences of inadequate monitoring.
“Who Watches the Watcher”: A critical point about securing the security toolchain itself: if an attacker controls security tools or the build chain, they gain limitless power (DevSecOops). The same security practices must be applied to security tools: secure configuration, patching, and basic security hygiene.
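One concrete form of "watching the watcher" is to refuse to run a scanner the pipeline has not vetted. The following is an added example, not from the talk: a manifest pins each tool binary to a version and a SHA-256 digest recorded when it was approved, and the pipeline checks every tool's digest and file permissions before letting it judge a build. The manifest, tool names and fixture files are all constructed inside `demo()`; in practice the digests live in version control with the pipeline definition.

```python
import hashlib
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 of a file (tool binaries can be large)."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_tool(path: Path, pinned: dict) -> List[str]:
    """Return the problems with one pinned tool; an empty list means it is OK."""
    if not path.is_file():
        return ["not installed"]
    problems = []
    if sha256_of(path) != pinned["sha256"]:
        problems.append("digest mismatch (modified or unvetted version)")
    mode = path.stat().st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group/other (anyone on the agent can replace it)")
    return problems


def verify_toolchain(manifest: Dict[str, dict], tool_dir: Path) -> Dict[str, List[str]]:
    """Check every pinned tool; the report lists only the ones with problems,
    so an empty dict is the signal that the pipeline may proceed."""
    report = {}
    for name, pinned in manifest.items():
        problems = check_tool(tool_dir / name, pinned)
        if problems:
            report[name] = problems
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed fixture: three fake tools, one vetted, one modified after
    pinning, one with loose permissions. Tool names are placeholders."""
    with tempfile.TemporaryDirectory() as d:
        tool_dir = Path(d)
        good = tool_dir / "sast-scanner"
        good.write_bytes(b"#!/bin/sh\necho vetted scanner\n")
        good.chmod(0o755)
        modified = tool_dir / "sca-scanner"
        modified.write_bytes(b"#!/bin/sh\necho vetted scanner\n")
        modified.chmod(0o755)
        loose = tool_dir / "secrets-scanner"
        loose.write_bytes(b"#!/bin/sh\necho vetted scanner\n")
        loose.chmod(0o777)  # world-writable: fails the hygiene check

        # Manifest recorded at approval time; versions are constructed values.
        manifest = {
            "sast-scanner": {"version": "1.0.0", "sha256": sha256_of(good)},
            "sca-scanner": {"version": "2.3.1", "sha256": sha256_of(modified)},
            "secrets-scanner": {"version": "0.9.0", "sha256": sha256_of(loose)},
        }
        # Simulate the binary being swapped after the manifest was recorded.
        modified.write_bytes(b"#!/bin/sh\necho something else\n")
        return verify_toolchain(manifest, tool_dir)


if __name__ == "__main__":
    report = demo()
    if not report:
        print("toolchain verified")
    for name, problems in report.items():
        print(f"{name}: {', '.join(problems)}")
```

The version field is there so the same manifest can drive the patching side of the hygiene point: a periodic job that compares pinned versions against the vendor's current release turns "patch your security tools" into a tracked finding rather than a reminder. The same check applies equally well to container images (compare the image digest, not the tag) when the scanners run as containers, as the tool criteria above favour.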