The DevSecOps Playbook: A Step-by-Step Guide to Implementing DevSecOps .. – Paul McCarty

LASCON
What is DevSecOps? How do I "do" it? There is a lot of hype around DevSecOps right now, and it can be hard to get two people to agree on what it actually means. Unfortunately, many vendor reports claim it is just CI/CD with a bit of security, but DevSecOps is much more than that. My career was transformed by the DevOps movement, and I believe DevSecOps should build on DevOps. What does that mean? What made DevOps so impactful for me in the late 2000s was that it brought people from different departments together. Developers learned how to manage the underlying infrastructure, and operations teams learned how to use code to build and manage automation. That was impactful, and I believe we can do the same with DevSecOps: bring security teams into the processes and workflows that DevOps built, while those security teams evolve to understand how operations and development teams work. This talk is about my DevSecOps Playbook, an open source, step-by-step guide to implementing DevSecOps in any organization.
This playbook is divided into five different subject areas:
1. Development environment
2. Source code management
3. Continuous integration/deployment and other automation
4. Deployment environments
5. Organization
The DevSecOps Playbook distributes controls evenly across these 5 domains and emphasizes that security is a shared responsibility. There is also an appendix on compliance frameworks that shows how they map to the tasks and controls listed in the playbook.

In this talk, I will outline these 5 areas and talk about the different controls and tasks in each area. I will also give examples of how to implement each feature. Each task has a priority and a level of difficulty. The priority is a number from one to three, with one being the most important tasks and three being the last tasks you should do. For example:
The difficulty level indicates how hard a particular step is to implement. For example, using a credential store instead of .env files has priority one but difficulty two: the task should be prioritized, but it is not a trivial one.

By the end of this talk, my audience should be familiar with many specific security tasks that they can use in their own SDLC processes and have seen concrete examples of how to implement each task.

Moderator: Paul McCarty, SecureStack, Founder

(Apiiro Room, Day 1, Session 1)
