The Implementation and Practice of DevSecOps - Jihai Zhou

Since 2018, we started to implement Cyber Security into DevOps process by running a DevSecOps program, which aims to shift left the Cyber security mindset to the development teams through promoting DevSecOps tools combined with the relevant training. In this presentation, we will share our DevSecOps implementation experience and the DevSecOps model we established to promote DevSecOps across development teams. The first step is to introduce the DevSecOps tools, such as SAST, DAST, IAST and FOSS. Different DevSecOps tools (such as Checkmarx, Contrast and Sonatype IQ ) need to be integrated into development CICD pipeline to automatically discover vulnerability and produce reports. In addition, we will demonstrate three different ways to provide cyber security training to help development teams gradually grow their knowledge to be able to fix the vulnerability discovered by DevSecOps tools. Finally, we build up a DevSecOps maturity model to measure the level of development teams’ DevSecOps ability. Based on the maturity level, the cyber security assessment will be simplified to benefit the development team (speed up the delivery) This presentation is for the people who have interest in DevOps transformation and how to integrate/left shift cyber security during DevOps process.