DevSecOps – The Latest Trends in Application Security from DevSecCon Boston

By Scott Young, Solutions Architect

I spent a very rewarding couple of days at DevSecCon in Boston recently. The conference focused on DevSecOps, which is a catch-all phrase for addressing security concerns as early as possible in the product development lifecycle. In no particular order, here were a few of the takeaways that were swimming around in my head as I left Boston.


That’s me on the left at DevSecOps Boston.

DevSecOps is all about moving security activities ‘to the left’

The latest tools are tightly integrated with developer workflows, allowing meaningful security analysis, identification, and remediation during initial code development. Across the development, testing, QA, and production pipeline, there are tools at each stage that give a high degree of certainty that no OWASP Top 10 vulnerabilities are present by the time code reaches production.

It’s raining containers.

Containers are everywhere, and they are one of the enabling technologies that make both DevOps and DevSecOps possible, or at least make them easier and more fun to do. The ephemeral nature of containers, their implicit infrastructure-as-code paradigm and the continuing maturity of the technology all make containers one of those things that need to be in place for DevSecOps to work. (You also need automated tests, of course. You can read more on the importance and value of automated testing here and here).

DevSecOps is easier when it has a champion – or champions.

Developing security champions within engineering teams is a quick way of spreading tools and best practices throughout an organization. In my experience, the champion sits between the security expert and the main team of engineers, acting as the bridge between the two.

Security doesn’t have to be painful to work.

One comment made by the excellent Matt Jones during his presentation emphasized that security really needs to disappear into the background. This is exactly the approach that 3Pillar’s UX teams take when thinking about security. Matt’s example was spot on – using two-factor authentication with a code from an app on your phone is WAY too many steps. Why not use an SMS-based solution? It’s simpler, quicker, and a much better overall experience. This will be even more true when iOS 12 is released: your Apple device will recognize recent codes in iMessages and email and offer to autofill them for you.

Most interesting tool: Contrast Security

I was very intrigued by what I learned about Contrast Security (www.contrastsecurity.com), a tool that provides automated detection and protection through in-code instrumentation. Contrast was recently listed as the only visionary in Gartner’s Magic Quadrant for Application Security Testing, and I could see why based on how simple it makes keeping applications secure.

See DevSecOps Presentations on Slideshare

If you’re interested in learning more about what was shared at the conference, there are a number of presentations that were given at the event – seven to be exact – that are now available on Slideshare. You can view them here.

About The Author

Scott Young is a Solutions Architect for 3Pillar Global, specializing in AWS cloud architecture and optimization. Scott has over 25 years of experience in software development, with expertise in full stack and agile development and certifications for both AWS and TOGAF.
