Title: Beyond Testing: Application Security in the Age of DevOps
It's a common question from security practitioners in any development practice: how do I secure the code my development team is building? The challenge of answering this question in DevOps is that the time between developer check-in and deployment is measured in minutes, not days or weeks. But focusing only on speed without understanding the goals of DevOps can lead to undesirable trade-offs, like unnecessarily shutting down the build pipeline. In this presentation, we establish five principles for securing DevOps development (Automate Security In, Integrate to Fail Quickly, No False Alarms, Build Security Champions, Keep Operational Visibility). We review the state of the art in application security practices and talk about ways to leverage the principles and practices of DevOps, such as quick feedback loops and feature toggling, to create more secure code. And we look at organizational, process, and technology innovations that secure applications in ways that incorporate, but go beyond, testing for vulnerabilities, by looking at what developers can do before checking in code and what application security looks like in production.