The authors of the SANS Institute's DEV540 Secure DevOps & Cloud Application Security course created the Cloud Security and DevSecOps Best Practices poster to help security teams create a methodology for integrating security into the DevOps workflow. As you can see, the poster breaks DevOps down into 5 key phases and includes a massive list of open source tools to help DevOps teams level up their security.
In a new presentation titled Continuous Security: Exploring the DevSecOps Toolchain (Phases 1-2), I spend the entire hour walking the attendees through the first 2 phases of the DevOps workflow:
- Pre-Commit: Security controls that take place as code is written and before code is checked into version control.
- Commit: Fast, automated security controls that are invoked by continuous integration tools during the build.
I had the opportunity to present this talk at the Australia Information Security Association's National Cyber Conference 2018 event this month in Melbourne, as well as a local SANS Community event in Sydney. For those that asked, the presentation slides can be found here:
In the next round, we'll pick up where we left off and explore Phases 3-4. Until then, cheers!
To learn more about DevSecOps and Cloud Security, check out the SEC540: Cloud Security and DevOps Automation course!
Eric is a Co-founder and Principal Security Engineer at Puma Security and a Senior Instructor with the SANS Institute. His experience includes cloud security assessments, cloud infrastructure automation, static source code analysis, web and mobile application penetration testing, secure development lifecycle consulting, and secure code review assessments. Eric is the lead author and an instructor for SEC540: Cloud Security and DevOps Automation, a co-author and instructor for both the brand new SEC510: Multicloud Security Assessment and Defense, and the upcoming SEC584: Defending Cloud Native Infrastructure.
To learn more about Eric, read his full bio here.