Security as Code: A DevSecOps Approach

September 4, 2021

Security as Code (SaC) is the methodology of codifying security tests, scans, and policies. Security is implemented directly into the CI/CD pipeline to automatically and continuously detect security vulnerabilities. Adopting SaC tightly couples application development with security and vulnerability management, while simultaneously enabling developers to focus on core features and functionality. More importantly, it improves the collaboration between Development and Security teams and helps nurture a culture of security across the organization. In this session, we will review lessons learned from DevOps to implement a successful DevSecOps culture, in particular, how we can make developers contribute security checks with the SaC approach. We will introduce CodeQL, a language that allows us to implement security checks with code, and will demo how we can code queries for Spring-specific vulnerabilities and misconfigurations so they can be identified as soon as they hit your CI/CD pipeline. Alvaro Muñoz, Staff Security Researcher at GitHub Tony Torralba, Software Engineer at GitHub Slides: https://www.slideshare.net/Pivotal/security-as-code-a-devsecops-approach

The History of CI/CD

When you’re new to an industry, you encounter a lot of new concepts. This is especially true with DevOps, a...

Next Video

How To Be a Java Automated Testing Superstar

Automated testing is a crucial step in modern software development. A quality automated test suite enables ...

Security as Code: A DevSecOps Approach

Previous

Next Video

Related content in this Stream

The ability to respond to user feedback and ship new application code to production quickly and safely are hallmarks of successful digital enterprises. Continuous integration and continuous delivery (

There's been a lot of talk about controlling cloud costs by bringing workloads back to the datacenter, you know, private cloud. The three of us discuss what's going on here. Also, surveys...

There's been a lot of talk about controlling cloud costs by bringing workloads back to the datacenter, you know, private cloud. The three of us discuss what's going on here. Also, surveys consistently

There's a lot going on in the build, pipeline, CI/CD, supply chain space - so much so that there's all these phrases for the concept. Dagger.io is taking stab (hahahahah...) at builds and...

Tekton is a powerful and flexible open-source framework for creating CI/CD systems, allowing developers to build, test, and deploy across cloud providers and on-premise estates. Cloud-native and built

Don’t have real CI/CD in place? Check out the Tanzu Application Platform: https://tanzu.vmware.com/application-platform?utm_source=cote&utm_campaign=devrel&utm_content=14hurdlesPlatformNoCICD 14 Digi

Think you're doing frequent app releases and CI/CD? Maybe you're amazing! Survey says: probably not! After having some salad with my daughter and I, look baseline of what agile looks like for large or

Software supply chains are the evolution of CI/CD that will enable a smooth path to production.

Cartographer is an exciting new OSS project that elegantly addresses the difficulty of integrating various CI/CD tools to create secure and comprehensive pipelines. Join us as Cora Iberkleid and David

Looking for a build pipeline for your kubernetes apps? Check out this demo of the open source Cartographer project. Cartographerallows you to create secure and reusable supply chains that define all

You’re probably not doing CI/CD, maybe not even CI! If you’re going all kubernetes and cloud native, you need to solve that problem BEFORE DOING ANYTHING ELSE. It’s a good reason to check out VMware T

When you’re new to an industry, you encounter a lot of new concepts. This is especially true with DevOps, a fairly young corner of tech where things move very quickly, by design. Some of the concepts

Automated testing is a crucial step in modern software development. A quality automated test suite enables rapid development and deployment practices like CI/CD by providing a stable quality check bef

This video demonstrates how to integrate VMware Tanzu Build Service into continuous integration and continuous delivery (CI/CD) pipelines using Azure DevOps and Harbor. The sample code for the video

tanzu.tv/tt/64 Software development has changed dramatically in recent years; no longer can you afford to say, “That’s how we’ve always done it.” Applications are evolving rapidly, which requires y

We are always talking about new exciting technologies and which problems they solve at a higher level! But do you really know why there is a need for microservices architectures, DevOps, CI/CD, and mo

VMware Tanzu Build Service 1.1, now generally available, adds image signing capabilities, CLI enhancements, and beta support for Windows to accelerate containerization at scale.

Spring Cloud Data Flow for Kubernetes 1.2.0, now GA, adds a new dashboard and real-time alerts to simplify how you build and run modern data pipelines.