Security as Code: A DevSecOps Approach

September 4, 2021

Security as Code (SaC) is the methodology of codifying security tests, scans, and policies. Security is implemented directly into the CI/CD pipeline to automatically and continuously detect security vulnerabilities. Adopting SaC tightly couples application development with security and vulnerability management, while simultaneously enabling developers to focus on core features and functionality. More importantly, it improves the collaboration between Development and Security teams and helps nurture a culture of security across the organization.

In this session, we will review lessons learned from DevOps to implement a successful DevSecOps culture, in particular, how we can make developers contribute security checks with the SaC approach. We will introduce CodeQL, a language that allows us to implement security checks with code, and will demo how we can code queries for Spring-specific vulnerabilities and misconfigurations so they can be identified as soon as they hit your CI/CD pipeline.

Speakers:
Alvaro Muñoz, Staff Security Researcher at GitHub
Tony Torralba, Software Engineer at GitHub

Slides: https://www.slideshare.net/Pivotal/security-as-code-a-devsecops-approach
