DevSecOps: Building a Secure Continuous Delivery Pipeline

Explore best practices and tools that can help you implement security across the entirety of the continuous integration and continuous delivery (CI/CD) pipeline.

Introduction

• Securing your CI/CD pipeline
• What you should know

1. The DevSecOps Toolchain

• Traditional InfoSec is in crisis
• Introducing DevSecOps
• The continuous delivery pipeline
• Goals for a DevSecOps toolchain approach

2. Development Tools

• Secure development practices
• Static code analysis
• Tool: Keeping secrets with git-secrets
• Tool: Rapid Risk Assessment

3. Inherit Tools

• What's in your app?
• OWASP Dependency Check in practice
• JavaScript security with Retire.js: Installation
• JavaScript security with Retire.js: Testing
• Options for software composition analysis

4. Build Tools

• Security testing in the build stage
• AppSec scanning with DAST tools
• Gauntlt in practice

5. Deploy Tools

• Security in the deploy phase
• Rundeck for deployments
• Tricks for making compliance happy

6. Operation Tools

• Keeping security in operate
• Modern application security
• Signal Sciences in practice
• Cloud security monitoring

Conclusion

• Next steps