Post-DevOps: What Should We Shift Left?
Post-DevOps: what should we shift left from here?
Abstract:
The traditional V-shaped quality assurance of waterfall development has been replaced by DevOps and CI/CD. It is clear that fast improvement cycles have helped make code much easier to maintain and of higher quality.
But why is it that AppSec is still vulnerable to attacks and has yet to mature? Do automated mechanisms contribute to robustness against change?
In this talk, I will show what we have learned through our experience of organizing the Hardening Project in Japan. I will cover the critical points at each stage of DevOps that are needed to take DevOps to the next stage: risk profile, the architectural design of threat response, and operational matters. I hope it will show some of the challenges that AppSec faces in its further evolution.