[DevOpsDSM] 'Puma Scan' by Eric Johnson and Eric Mead
November 28, 2018 @ 12:00 pm - 1:30 pm CST | Free
Modern development teams are delivering features at a rapid pace using modern technologies such as containers, microservices, and serverless functions. Operations and infrastructure teams are supporting these rapid delivery cycles using Infrastructure as Code, Test Driven Infrastructure (TDI), and cloud automation. Yet, most security teams are still using traditional security approaches and can't keep up with the rate of accelerated change. Security must be reinvented in a DevOps world to take advantage of the opportunities provided by continuous integration and delivery pipelines.
This talk will introduce attendees to the SANS Secure DevOps Toolchain poster and explore the key phases of pre-commit and commit. In these phases, we will identify the key security controls and discuss the open source tools that integrate into the DevOps workflow. Attendees will walk away with a practical approach for building a successful DevSecOps program.
Eric Mead has more than 15 years of experience in software development, primarily in the financial and agriculture industries. His primary focus is the .NET framework; however, Eric also has considerable experience in front-end frameworks such as Angular and React. He has held positions as a software consultant, business intelligence developer, and senior software developer. At Puma Security, Eric is a software architect, writes static source code analysis rules, and contributes to the open source version. Eric holds a Bachelor of Science degree in computer engineering from Iowa State University, with emphasis in software engineering and information security.
Eric Johnson's extensive experience includes application security automation, cloud security reviews, static source code analysis, penetration testing, SDLC consulting, and secure code review assessments. As a co-founder of Puma Security, his passion lies in modern static analysis product development and DevSecOps automation.
Previously, Eric spent 5 years as a principal security consultant at an information security consulting firm helping companies deliver secure products to their customers, and another 10 years as an information security engineer at a large US financial institution performing source code audits. As a Certified Instructor with the SANS Institute, Eric authors information security courses on DevSecOps, cloud security, secure coding, and defending mobile apps. He serves on the advisory board for the SANS Security Awareness Developer training program, delivers security training around the world, and presents security research at conferences including SANS, BlackHat, OWASP, BSides, JavaOne, UberConf, and ISSA.
Eric completed a bachelor's degree in computer engineering and a master's degree in information assurance at Iowa State University, and currently holds the CISSP, GWAPT, GSSP-.NET, and GSSP-Java certifications.