Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deployment Firewall and DBOM

JamesAnderson135 97 views 18 slides Jun 04, 2024

Slide 1 of 18

About This Presentation

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM

The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.

The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).

Speakers:

Bob Boule

Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.

Gopinath Rebala

Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

Size: 2.81 MB

Language: en

Added: Jun 04, 2024

Slides: 18 pages

Slide Content

Delivery to Deployment
Application Security
May 2024

Managing Application Security
Agenda
●State of AppSec
●OpsMx Secure Software Delivery Overview
●Solution Demonstration
●Next Steps

OpsMx Team
●Bob Boule, VP of Product
●Gopi Rebala, CTO

OpsMx secures and intelligently automates software delivery
from developer to deployment, building on an
Open Software Delivery architecture and AI/ML-powered DevSecOps
Ship Better Software Faster

OpsMx Delivery Shield
OpsMx Delivery Shield secures your application
lifecycle with continuous security posture
management, global visibility, and policy
enforcement.

AppSec Today
●Too many tools that don’t work together
●Disjointed data – no unified view
●“Shift Left” slowing down developers

OpsMx Offers
●Faster, more secure application releases
●Automated compliance and enforcement
●Lower overall cost of AppSec
Software Development Lifecycle
OpsMx Delivery Shield
Application Security Posture Management
Existing Security & DevOps Tools
Vulnerability management, code scanners, CI/CD
platforms, ticketing, cloud platforms, etc.
Security App DevDevOps

Managing Application Security
In a DevOps World
Old World
●Centralized teams
●Consistent Dev environment
●Monolithic applications
●One path to production
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
BUILD DEPLOY OPERATE
New World
●Distributed development teams
●Service-based architecture
●Frequent releases to multiple targets
●Teams choose DevOps tools
●Shift left security responsibilities

AppSec Challenges We Hear
“Choose Your Own Adventure”
Every team is using different
tools, different processes
Siloed Visibility
We have all the data that we
need, but it is siloed in separate
tools and data sets
Too Many Alerts
Each tool generates its own
alerts, but no rationalization
across them
Overloaded Developers
“Shift Left” overloads
developers without reducing
security risks
Security Effectiveness
No good way to show the
overall results of the security
program.
Every Tools Adds Cost, Complexity
How can I stop paying for some
of the tools that I pay for today?$

CISO / Exec MgmtSecOps / DevOps
●Global security visibility
●Audit reports with
compliance checklist
●Easy to implement with
existing tools, central
management
●Lower TCO
●Eliminate tool sprawl
●Reduce tools license
costs
Application Developers
●Detect, prioritize,
remediate security
threats
●Automated checks /
controls
●Shift-left security
●Blocks vulnerable
deployments
●Continue to leverage
existing tools /
workflows
●Shift-left without
burdening developers
●Fits in the existing
SDLC workflow
●Security / fix
recommendations to
Developers
●Developer visibility and
productivity

Challenges Addressed by OpsMx

Real-Time
Policy
Enforcement

to Dev / Test /
Staging / Prod

OpsMx Delivery Shield Architecture
DEPENDENCIES
BUILD
DEVELOPER
SOURCE CODE
ARTIFACTS
REPOSITORY
DEPLOY OPERATE
SDLC-DB
DevOps Integrations
Delivery
Bill of Materials
“Developer to Deployment” Lifecycle Visibility
Continuous Security Posture Evaluation
Security Policy Management Compliance Automation

OpsMx Benefits
Faster Application Releases
Only manage security exceptions,
automate everything else
Lower Cost of AppSec
Improve team efficiency, reduce
redundant tools, leverage open source
Global Security Visibility
See what is really happening
across tools & teams in one place
Productive "Shift Left"
Developer-friendly visibility and
guidance to close security gaps
Automated Compliance
Automated policy enforcement,
automated audit reporting
More Secure Applications
Broad end-to-end data drives more
comprehensive risk assessment

Delivery Shield
Product Capabilities

OpsMx Delivery Sheild Capabilities
Application
Security
Posture Mgmt.
Incident Response
●Monitor for new vulnerabilities
●Trace CVEs in production
●Detect drift in security posture
Software Delivery Audit & Compliance
●Full audit, automated compliance reporting
●Delivery Bill of Materials (DBoM)

Application Lifecycle Visibility
●Real-time, end-to-end, Developer to Deployment
●Auto-discovered, synthesized, stored in SDLC
●Powered by 90+ DevOps integrations

Security Posture Evaluation
●Evaluated against industry, organization policies
●Security of release artifacts, artifact provenance
●CVE scans and posture
●Deployment target configuration, IAC
●Compliance with delivery process steps
Policy Enforcement
●Automated approvals, release verification
●Option to use Deployment Firewall to block
out-of-compliance releases
●Policy exception tracking and management

SDLC Tracking: Representative Data Set
“Developer to Deployment” view of the application lifecycle – all available in one place
DEPENDENCIES
BUILD
DEVELOPER
SOURCE CODE
ARTIFACTS
REPOSITORY
DEPLOY OPERATE
●Code repo
●Coders
●Code reviewer
●SAST / DAST
scan results
●Posture check
●Build tool
●Artifact
provenance
●Build approvers
●Dependency
validation
●Artifact repo
●CVE scan
report
●Deployment tool
●Kubernetes cluster
●Kubernetes service
●CIS benchmarks

Real-Time Risk Assessment

Deployment Firewall
Real-time, policy-driven evaluation of deployment policies across dev, test, staging, and
production environments
Deployment Firewall Policy Checks
Code
Quality &
Security
Binary
Security
Approvals &
Compliance

Infra
Security
Blocked/Alerted
Deployed
Deployed
Production
Blocked/Alerted
Deployment
Verification

Delivery Bill of Materials
SBoM + Delivery and Deployment Process
●Approvals
●Security posture
●Policy checks
●Policy exceptions
●Build process
●Test results
Captured at time of Deployment
Preserved for future audit / compliance
Delivery Bill of Materials
Comprehensive, consolidated record of the application delivery and deployment process
Software Bill
of Materials
●Component
●Version
●Supplier
●Dependencies
Captured at Build

Demo

OpsMx Offerings
OpsMx Delivery Shield
●Secures application lifecycle with continuous
security posture management
●Visibility across existing tools and processes
●Faster, more secure application releases
●Automated compliance and enforcement
●Lower overall cost of AppSec
Software Development Lifecycle
OpsMx Delivery Shield
Application Security Posture Management
Existing Security & DevOps Tools
Vulnerability management, code scanners,
ticketing, cloud platforms, etc.
Security App DevDevOps
Open Continuous Delivery
Open source CD platform support & consulting
OpsMx Open CD
●24x7 support for Argo, Spinnaker, Flux
●Faster, more secure application releases
●CD consultation and development services

Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deployment Firewall and DBOM

About This Presentation

Slide Content

Tags

Categories

Download

Quick Actions

Statistics

Related Slideshows

Alt. GDG Cloud Southlake #33: Boule &amp; Rebala: Effective AppSec in SDLC using Deployment Firewall and DBOM

About This Presentation

Slide Content

Slide 1

Slide 2

Slide 3

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Slide 9

Slide 10

Slide 11

Slide 12

Slide 13

Slide 14

Slide 15

Slide 16

Slide 17

Slide 18

Tags

Categories

Download

Quick Actions

Statistics

Related Slideshows

8-top-ai-courses-for-customer-support-representatives-in-2025.pptx

7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx

25-essential-ai-courses-for-user-support-specialists-in-2025.pptx

8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx

Know for Certain

PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx

Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deployment Firewall and DBOM