Adding API Security to your DevSecOps Toolbelt
Scott Bly
Audience:
Everyone
Topic:
DevOpsDay LA

How do you integrate API Security into your DevSecOps processes? You have DevOps tooling and CI/CD pipelines for your product release cycle. Your Dev & Ops teams work well together. You started a DevSecOps transformation to Shift Left and test code security in pipelines. But how do you integrate the Security teams into DevOps to achieve true DevSecOps? Then, how do you integrate APIs, as they are behavior-based? Traditional AppSec can’t identify vulnerabilities in API consumption. Learn how to integrate API testing into Shift Left DevSecOps pipelines to eliminate vulnerabilities. Learn how to bring Dev, Sec, Ops teams together to improve Mean Time To Remediation, and keep your teams happy!

 

The Problem:
DevOps Release code to market faster Traditional release 1-2x annual fails at cloud scale DevOps tooling, microservices architecture allow independent releases DevOps culture grew organically as Dev and Ops teams learned to work harmoniously. DevSecOps Newer thinking - security integration to DevOps processes, AppSec integration to pipelines improved code security But developers are still incentivized to get features to market fast Ops teams are incentivized for uptime and keeping dev teams moving Security teams are incentivized to reduce risk, in opposition to above objectives. Risk reduction slows development, blocks code release due to late stage vulnerability discovery. Shift left moves discovery earlier, but security teams are already stretched thin. API security is behavior based, not traditional code security discoverable, so how do you add this?
The Solution
Shift further left Integrate Security teams even earlier in the pipeline - catch problems at the design stage. APIs are products that deliver data, and the business problems can be caught at design stage as well
Tooling API Scanning tools can integrate to CI/CD pipelines, shifting left into the existing test/build phases But they require live dev environments to test API behavior
Culture DevSecOps triad in large orgs are siloed Form DevSecOps Center of Excellence as first steps Share best practices Co-host technical trainings Co-host social events to bring teams together organically Cross-incentivize

 

Presentation:
PDF icon Scott Bly DevSecOps Presentation.pdf
Time:
Monday, October 21, 2024 - 21:30