Adding API Security to your DevSecOps Toolbelt
How do you integrate API Security into your DevSecOps processes? You have DevOps tooling and CI/CD pipelines for your product release cycle. Your Dev & Ops teams work well together. You started a DevSecOps transformation to Shift Left and test code security in pipelines.
But how do you integrate the Security teams into DevOps to achieve true DevSecOps? And how do you integrate APIs, given that their vulnerabilities are behavior-based? Traditional AppSec can’t identify vulnerabilities in API consumption.
Learn how to integrate API testing into Shift Left DevSecOps pipelines to eliminate vulnerabilities. Learn how to bring Dev, Sec, Ops teams together to improve Mean Time To Remediation, and keep your teams happy!
The Problem:
DevOps releases code to market faster. Traditional release patterns of 1-2x annually fail at cloud scale. DevOps tooling and microservices architectures allow for independent releases. DevOps culture grew organically as Dev and Ops teams learned to work harmoniously.
However, DevSecOps represents newer thinking, with security integrated into DevOps processes. Early efforts such as traditional AppSec integrated security into pipelines, which improved code security, but we still see breaches at record levels.
Part of the problem is that organizational incentives are at cross purposes. Developers are still incentivized to get features to market fast. Ops teams are incentivized for uptime and keeping Dev teams moving. Security teams are incentivized to reduce risk, in opposition to the above objectives. Risk reduction after code development and integration slows progress and blocks code release due to late-stage vulnerability discovery.
Shift left moves discovery earlier, but security teams are already stretched thin. API security is behavior-based and not discoverable by traditional code security tools, so how do you add it?
The Solution:
Shift further left! Integrate Security teams even earlier in the pipeline - catch problems at the design stage. APIs are products that deliver data, and the business problems can be caught at design stage as well.
Tooling:
API scanning tools can integrate into CI/CD pipelines, shifting left into the existing test/build phases. But, like DAST tools, they require live dev environments to exercise API behavior.
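The kind of check such a pipeline stage runs, as an added example that is not from the original article or any particular scanning tool: the stage brings up a dev environment, sends requests to the live API, and returns findings for the pipeline gate. The dev environment here is a constructed in-process API with two sample users and records, so the example runs offline; the endpoint paths, token values and record data are all assumed.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample data for the stand-in dev environment (not real users).
RECORDS = {"1": {"owner": "alice"}, "2": {"owner": "bob"}}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


class DevApi(BaseHTTPRequestHandler):  # stand-in for the deployed dev API
    def do_GET(self):
        token = self.headers.get("Authorization", "").removeprefix("Bearer ")
        user, rec = TOKENS.get(token), RECORDS.get(self.path.rsplit("/", 1)[-1])
        if user is None:
            status = 401                       # no valid bearer token
        elif rec is None or rec["owner"] != user:
            status = 403                       # caller is not the record owner
        else:
            status = 200
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b"{}")

    def log_message(self, *args):              # keep pipeline logs quiet
        pass


def start_dev_env():
    """Stands in for the pipeline step that brings up a live dev deployment."""
    server = HTTPServer(("127.0.0.1", 0), DevApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}", server


def status_of(base_url, path, token=None):
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    try:
        with urlopen(Request(base_url + path, headers=headers), timeout=5) as r:
            return r.status
    except HTTPError as err:                   # 4xx is a result, not a crash
        return err.code


def api_security_stage(base_url):
    """Behavioural checks for the pipeline gate; returns a list of findings."""
    findings = []
    if status_of(base_url, "/records/2", "tok-alice") == 200:
        findings.append("alice could read bob's record /records/2")
    if status_of(base_url, "/records/1") == 200:
        findings.append("unauthenticated read of /records/1 succeeded")
    return findings
```

Neither finding is visible to static code scanning, since both depend on how the running service resolves tokens and ownership; the pipeline fails the build when the returned list is non-empty.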
Culture:
The DevSecOps triad in large orgs is siloed. Form a DevSecOps Center of Excellence as your first step. Share best practices. Co-host technical trainings. Co-host social events to bring teams together organically. Fix the incentives problem by cross-incentivizing your teams.