Security as Code: A DevSecOps Approach

September 4, 2021

Security as Code (SaC) is the methodology of codifying security tests, scans, and policies. Security is implemented directly into the CI/CD pipeline to automatically and continuously detect security vulnerabilities. Adopting SaC tightly couples application development with security and vulnerability management, while simultaneously enabling developers to focus on core features and functionality. More importantly, it improves the collaboration between Development and Security teams and helps nurture a culture of security across the organization. In this session, we will review lessons learned from DevOps to implement a successful DevSecOps culture, in particular, how we can make developers contribute security checks with the SaC approach. We will introduce CodeQL, a language that allows us to implement security checks with code, and will demo how we can code queries for Spring-specific vulnerabilities and misconfigurations so they can be identified as soon as they hit your CI/CD pipeline. Alvaro Muñoz, Staff Security Researcher at GitHub Tony Torralba, Software Engineer at GitHub Slides: https://www.slideshare.net/Pivotal/security-as-code-a-devsecops-approach

Delivering Container Security in Complex Kubernetes Environments

For teams struggling to achieve true DevSecOps, VMware Tanzu Advanced enables leaps in capability by delive...

Next Video

Tanzu Talk: Secure Supply Chain, with Henri van den Bulk

DevSecOps alert! Container security alert! Coté talks with Henri van den Bulk about the ideas of a “secur...

Why Tanzu

Paving the Road to Modern Apps

Tanzu Application Platform

Tanzu for Kubernetes Operations

Build apps

Modernize apps

Build your platform

Get started with VMware Tanzu

Developer Center

KubeAcademy

Security as Code: A DevSecOps Approach

Previous

Next Video

Security as Code: A DevSecOps Approach

Previous

Next Video

Related content in this Stream

To maintain robust security without compromising development velocity, we need to encourage better collaboration between security specialists and delivery teams.

Tanzu Labs partnered with a major branch of the Department of Defense to build an automated DevSecOps process using VMware Tanzu and several open source tools.

Vulnerability scanning, software bill of materials, image signing, and more embedded features make it even easier to secure software developers’ path to production.

How the U.S. Army improved its cybersecurity posture by integrating controllable input metrics, product management, and balanced teams into its software development organization.

Path-to-production analysis enables you to identify all the steps in the process, including the wait time and duration (cycle time) of each of them.

VMware Tanzu can help make your organization more secure today and prepare it for the anticipated National Institute of Standards and Technology (NIST) guidelines tomorrow.

For teams struggling to achieve true DevSecOps, VMware Tanzu Advanced enables leaps in capability by delivering container compliance and transparency on day one.

DevSecOps alert! Container security alert! Coté talks with Henri van den Bulk about the ideas of a “secure software supply chain.” When you’re building, running, and managing your own software, how

In this blog post, you will see how new DevSecOps thinking is necessary as we look at the impact a development-led change can have on your operational security.