Tim Jarrett

Talk Abstract

Title: Beyond Testing: Application Security in the Age of DevOps


It's a common question from security practitioners in any development practice: how do I secure the code my development team is building? The challenge of answering this question in DevOps is that the time between developer check-in and deployment is measured in minutes, not days or weeks. But focusing only on speed without understanding the goals of DevOps can lead to undesirable trade-offs, such as unnecessarily shutting down the build pipeline. In this presentation, we establish five principles for securing DevOps development: Automate Security In, Integrate to Fail Quickly, No False Alarms, Build Security Champions, and Keep Operational Visibility. We review the state of the art in application security practices and discuss ways to leverage the principles and practices of DevOps, such as quick feedback loops and feature toggling, to create more secure code. And we look at organizational, process, and technology innovations that secure applications in ways that incorporate, but go beyond, testing for vulnerabilities, by examining what developers can do before checking in code and what application security looks like in production.


Tim Jarrett

Tim Jarrett is Senior Director of Enterprise Security Strategy at Veracode. A Grammy Award-winning product professional, he joined Veracode in 2008 and has a Bacon number of 3. He has previously spoken at numerous events, including the Birst Forward conference, the RSAM User Summit, and regional ISACA events, as well as on webcasts for Dark Reading, Black Hat, and the SANS Institute. He can be found on Twitter as @tojarrett.