Trust, Verify & Authorize with DevSecOps



You may have a secure application today, but you cannot guarantee that it will still be secure tomorrow. Application security is a living process that must be constantly addressed throughout the application lifecycle. This requires continuous security assessments at every phase of the software development lifecycle (SDLC). The SEI has researched a continuous authorization concept—DevSecOps—that allows for constant interaction between developers and information security teams throughout the entire SDLC. This allows any authorizing officials, such as personnel on information security teams, to be in constant contact with developers as changes are made to existing code and as new features are added. From project conception, a developed system security plan should be integrated into the development platform as well as other environments, where both developers and IAs can see the same artifacts for every development and deployment activity. This allows any changes to the system's security posture to be immediately identified and reported to the IA to evaluate and ensure that all security controls are adequately addressed. As a result, all security features can be verified and authorized, and eventually the organization will build a trusted culture among all stakeholders.

Hasan Yasar and Eric Bram will discuss how the continuous aspect of communication and collaboration among developers and information security teams reinforces core DevOps principles, as well as allowing developers to write code with a "secure" development mindset. Giving developers and DevOps engineers alike the tools and knowledge to excel in their roles not only leads to enhanced productivity but also a more robust and secure application and environment.

Speaker and Presenter Information

Eric Bram is a DevOps engineer and software developer focused on creating and deploying platforms and accompanying technologies that support training and education under the Cyber Workforce Development directorate in CERT. Object-oriented software development, DevOps and DevSecOps rank among his top interests.

Previously, Eric was a software developer focused on embedded development, primarily in the audio industry. His positions there included Software Developer, System Administrator, and team lead. He was in charge of handling the company's primary contract with the Texas Instruments (TI) embedded audio division, where graphical user interfaces (GUIs) and accompanying low-level audio processing code were written for TI hardware chips. An M.S. degree with a focus on security led him to pursue additional areas of work outside of software development.


Hasan Yasar is the Technical Director of the Continuous Deployment Capability at the SEI. Yasar leads an engineering group tasked on developing prototype solutions with DevSecOps. He specializes in secure software solutions design and development in the cybersecurity domain including digital investigation, incident management and large-scale malware analysis. He is an adjunct faculty member at CMU.

Relevant Government Agencies

Air Force, Army, Navy & Marine Corps, DOD & Military, NASA, County Government, Coast Guard, National Guard Association, Federal Government


Event Type
On-Demand Webcast


Cost
Complimentary:    $ 0.00


Organizer
CMU - SEI
