DevSecOps – The Latest Trends in Application Security from DevSecCon Boston

Scott Young


Solutions Architect

I spent a very rewarding couple of days at DevSecCon in Boston recently. The conference focused on DevSecOps, which is a catch-all phrase for addressing security concerns as early as possible in the product development lifecycle. In no particular order, here were a few of the takeaways that were swimming around in my head as I left Boston.


That’s me on the left at DevSecOps Boston.

DevSecOps is all about moving security activities ‘to the left’

The latest tools are tightly integrated with developer workflows, allowing meaningful security analysis, identification, and remediation during initial code development. Across the development, testing, QA, and production pipeline, tooling now exists that can give a high degree of confidence that no OWASP Top-10 vulnerabilities are present by the time code reaches production.

It’s raining containers.

Containers are everywhere, and they are one of the enabling technologies that make both DevOps and DevSecOps possible, or at least make them easier and more fun to do. The ephemeral nature of containers, their implicit infrastructure-as-code paradigm, and the continuing maturity of the technology all make containers one of the things that needs to be in place for DevSecOps to work. (You also need automated tests, of course. You can read more on the importance and value of automated testing here and here.)

DevSecOps is easier when it has a champion – or champions.

Developing security champions within engineering teams is a quick way of spreading tools and best practices throughout an organization. In my experience, the champion acts as the bridge between the security expert and the main team of engineers.

Security doesn’t have to be painful to work.

One comment made by the excellent Matt Jones during his presentation emphasized that security really needs to disappear into the background. This is exactly the approach that 3Pillar’s UX teams take when thinking about security. Matt’s example was spot on: using two-factor authentication with a code from an app on your phone is WAY too many steps. Why not use an SMS-based solution? It’s simpler, quicker, and a much better overall experience. This will be even more true once iOS 12 is released, when your Apple device will recognize recent codes in iMessages and email and offer to autofill them for you.

Most interesting tool: Contrast Security

I was very intrigued by what I learned about Contrast Security (www.contrastsecurity.com), a tool that provides automated detection and protection through in-code instrumentation. Contrast was recently listed as the only visionary in Gartner’s Magic Quadrant for Application Security Testing, and I could see why, given how simple it makes keeping applications secure.

See DevSecOps Presentations on Slideshare

If you’re interested in learning more about what was shared at the conference, the presentations given at the event (seven, to be exact) are now available on Slideshare. You can view them here.

About The Author

Scott Young is a Solutions Architect for 3Pillar Global, specializing in AWS cloud architecture and optimization. Scott has over 25 years of experience in software development, with expertise in full stack and agile development and certifications for both AWS and TOGAF.

