Secure DevOps: How to Fit Security into your DevOps Program

DevOps is changing the way that organizations design, build, deploy, and operate online systems. Engineering teams are making hundreds or even thousands of changes per day, and traditional approaches to security are struggling to keep up. Security must be reinvented in a DevOps world to take advantage of the opportunities provided by continuous integration and delivery pipelines.

In this talk, we start with a case study of an organization trying to leverage the power of Continuous Integration (CI) and Continuous Delivery (CD) to improve its security posture. After identifying the key security checkpoints in the pre-commit, commit, acceptance, and deployment lifecycle phases, we will explore how unit testing and static analysis fit into SecDevOps. Live demonstrations will show how to enforce security unit tests and static analysis in a Jenkins CI build pipeline. Attendees will walk away with a better understanding of how security fits into DevOps to help secure their organization's applications.
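As an illustration of the kind of enforcement the talk describes (this is an added example, not material from the talk or its demos), here is a declarative Jenkinsfile that maps the commit, acceptance, and deployment phases to pipeline stages and blocks the build when security unit tests or static analysis fail. It assumes a Maven project whose pom.xml already configures the SpotBugs plugin with the FindSecBugs detector, that security-focused tests are named with the suffix SecurityTest, and that a deploy.sh script exists; all three are assumptions.

```groovy
// Added example: a Jenkins pipeline that gates on security unit tests and static analysis.
// Assumes: Maven project, SpotBugs + FindSecBugs configured in pom.xml,
// security tests named *SecurityTest, and a hypothetical ./deploy.sh script.
pipeline {
    agent any

    options {
        // Keep a hung scan or test run from holding the pipeline open indefinitely
        timeout(time: 30, unit: 'MINUTES')
    }

    stages {
        stage('Commit: build') {
            steps {
                sh 'mvn -B -DskipTests clean package'
            }
        }

        stage('Commit: security unit tests') {
            steps {
                // Run the security-focused tests first; any failure fails this stage
                // (failIfNoTests=false keeps Surefire from erroring when no test matches)
                sh 'mvn -B test -Dtest="*SecurityTest" -DfailIfNoTests=false'
            }
            post {
                always {
                    // Publish results so failures show up in Jenkins, not only in the console log
                    junit 'target/surefire-reports/*.xml'
                }
            }
        }

        stage('Commit: static analysis') {
            steps {
                // spotbugs:check runs the analysis and exits non-zero on findings,
                // so the pipeline stops here instead of reaching deployment
                sh 'mvn -B spotbugs:check'
            }
        }

        stage('Acceptance: full test suite') {
            steps {
                sh 'mvn -B verify'
            }
        }

        stage('Deploy') {
            when { branch 'main' }
            steps {
                // Reached only when every gate above passed
                sh './deploy.sh staging'
            }
        }
    }
}
```

Because each stage fails fast on a non-zero exit code, a new finding from FindSecBugs or a failing security test stops the change at the commit phase, which is the checkpoint the abstract calls out.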


About Aaron Cure

Aaron is a senior security consultant at Cypress Data Defense, and an instructor and contributing author for the CDD Introduction to Internet Security in .NET course. After ten years in the U.S. Army as a Russian Linguist and a Satellite Repair Technician, he worked as a database administrator and programmer on the Iridium project, with subsequent positions as a telecommunications consultant, senior programmer, and security consultant. Other experience includes developing security tools, secure code review, vulnerability assessment, penetration testing, risk assessment, static source code analysis, and security research. Aaron holds the GIAC GSSP-.NET, GWAPT, GMOB, and CISSP certifications and is located in Arvada, CO.


About Steve Kosten

Steve Kosten is a security consultant at Cypress Data Defense and an instructor for the SANS DEV541 Secure Coding in Java/JEE: Developing Defensible Applications course. He has previously performed security work in the defense and financial sectors and headed up the security department for a financial services firm. He is currently the Open Web Application Security Project (OWASP) Denver chapter leader and is on the board for the OWASP AppSec USA conference. He has presented security talks at numerous conferences. He is experienced in secure code review, vulnerability assessment, penetration testing, and risk management. He holds a Bachelor of Science in Aerospace Engineering from the Pennsylvania State University and a Master of Science in Information Security from James Madison University. He currently maintains GSSP-JAVA, GWAPT, CISSP, and CISM certifications. Steve resides in Golden, Colorado. In his spare time, Steve enjoys attending his children's sporting events with his wife, road and mountain biking, snowboarding, golfing, volleyball, and paragliding.
