Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Post DevOps What Should We Shift-Left

Riotaro OKADA
PRO
September 25, 2021
0
1

Post DevOps What Should We Shift-Left

Post DevOps What Should We Shift-Left
ポストDevOps、これから我々は何をシフトレフトすべきか

Abstract:
The traditional V-shaped quality assurance of waterfall has been replaced by DevOps and CI/CD. It is clear that fast improvement cycles have contributed to making the code much easier to maintain and higher quality.
But why is it that AppSec is still vulnerable to attacks and has yet to mature? Do automated mechanisms contribute to robustness against change?
In this talk, I will show what we have learned through our experience of organizing Hardening Project in Japan. I will cover the critical points related to each stage of DevOps to take DevOps to the next stage - they are about risk profile, architecture design of threat response, and operational matter. I hope it will show some challenges that AppSec faces in its further evolution.

Riotaro OKADA
PRO

September 25, 2021
Tweet

More Decks by Riotaro OKADA

See All by Riotaro OKADA
How Application Security Will Change with the Rise of AI
okdt
PRO
1
45
秘伝:脆弱性診断をうまく活用してセキュリティを確保するには
okdt
PRO
3
730
脆弱性とこれからの話 - ソフトウェアサプライチェインリスク
okdt
PRO
6
1.4k
ソフトウェアセキュリティはAIの登場でどう変わるか - OWASP LLM Top 10
okdt
PRO
14
7.1k
今から取り組む企業のための脆弱性対応 ~大丈夫、みんなよく分かっていないから~
okdt
PRO
1
140
DXとセキュリティ - IPA Digital Symposium 2021
okdt
PRO
0
100
SHIFT LEFT PATH at AWS DEV DAY3 General Session
okdt
PRO
3
1.2k
CISOが、適切にセキュリティ機能とレベルを決めるには ― 現状維持か変革かを分けるポイント
okdt
PRO
0
1
超高速開発を実現するチームに必要なセキュリティとは
okdt
PRO
0
0

Featured

See All Featured
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
GraphQLとの向き合い方2022年版
quramy
43
13k
How GitHub (no longer) Works
holman
311
140k
Faster Mobile Websites
deanohume
304
30k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Designing for humans not robots
tammielis
249
25k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
27
1.9k
The Power of CSS Pseudo Elements
geoffreycrofte
72
5.3k
The World Runs on Bad Software
bkeepers
PRO
65
11k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.8k

Transcript

  1. [email protected] @okdt OWASP Life-time member 15+ OWASPer AppSec professional OWASP

    Japan

  2. Congratulations!

  3. The first era of OWASP Documents in Japanese thanks to

    Mr. Satoru Takahashi, 2004-2006

  4. 2012 OWASP Japan 1st meetup

  5. Thank you for all your support!

  6. SHIFT LEFT? By @akiko_pusu, 2017

  7. Japanese

  8. 2021年 Developers Dislike Security: Ten Frustrations and Resolutions Chris Romeo,

    2021. https://www.youtube.com/watch?v=nN7NH752onk

  9. Shift-left analogy Let's do shift-left for progressive purposes. Front Loading

    Retrospective Kaizen Why 5 times

  10. ,FZGBDUPSTUPTVDDFFE4)*'5-&'5 MUTUAL UNDERSTANDING BUSINESS GOAL & RISKS KEEP UP TO

    DATE

  11. WASFORUM.jp

  12. None

  13. Hardening Project

  14. None
  15. None

  16. Started

  17. Spy comes…

  18. Attackers

  19. Attackers are very good at collaboration

  20. Incident response

  21. Marketplace

  22. None

  23. SCORE BOARD

  24. 8-hour competition

  25. None

  26. Softening Day

  27. presentations

  28. Hardening DX

  29. “Kuromame 6”

  30. None

  31. Summary: Key Success factors of SHIFT-LEFT MUTUAL UNDERSTANDING BUSINESS GOAL

    & RISKS KEEP UP TO DATE

  32. My idea – “proactive controls” Be a guardrails. Discuss the

    most effective fixing points and timing Study their languages and environments Update frequently and show flexibility Give reasonable countermeasures, even if it is “plan-B” Teach how developers can check findings by themselves. Have the common goal and Praise their success Have good experience to collaborate with different roles. Join OWASP

  33. #シフトレフト powered by OWASP For your photo! #shiftleft