Transcript
Hello, everyone, and welcome to DevSecOps Making It Happen, the webinar. I'm Joe Murphy, your host for today's session. We're going to dive into how DevSecOps brings together development, operations, and security to secure cloud native environments, all without slowing down delivery.
And today, we'll explore best practices and real world stories, including insights from companies like PayPal that have successfully woven security into their development workflows.
And our goal here is simple. We want you to walk away with practical ideas on managing that balancing act that is DevSecOps and driving a cultural shift that's gonna help you promote collaboration.
But before we get started, I'm gonna need some help from the audience here.
Need some help settling a little debate.
So Erin and I have gone back and forth on this for about a week now. So, in the comments, let us know. Would you rather never run out of a Wi-Fi signal or your cell phone battery power?
So please, please, please, pop your answers in the chat.
Personally, I don't think I could deal with never having any of them, so my answer is both. But apparently, you can only pick one. So Wi-Fi signal or battery power?
Yeah. Let us know. Let's settle the internal debate.
Yeah. And while those votes are rolling in, I also wanna let everybody know about a little experiment that we're gonna be also running today. So some of you might be aware, but LinkedIn Live doesn't support traditional polls.
So we're gonna try to MacGyver it a little bit. Later on, you're gonna see a question pop up in the chat and you can respond using a specific reaction emoji.
Now, it's probably not going to work perfectly, but let's give it a try.
So also, as always, this session is being recorded.
Please feel free to engage in the chat. Your input always makes for great dialogue.
And we're gonna cover as many questions as possible with our speaker, Erin, at the end. And if we can't get to them all, rest assured we'll follow up individually to make sure that you get your answer. And speaking of Erin, quick intro for those who haven't met her. Erin is our director of product marketing and my partner in crime for our webinar program.
Hey. She's a frequent flyer at the big industry events and just an all around wonderful person. So thanks for being here with us today, Erin.
Thank you, Joe. Thanks for having me. Very excited. If anyone's going to KubeCon in a few weeks, I'll see you there. I'll be at the booth. So I'm very excited.
The floor's yours, Erin. I'll let you take it away. Awesome.
Alright. I hope you guys got in battery power or Wi-Fi signal, because we're gonna move into DevSecOps Making It Happen. And really wanted to start, you know, as Joe said, so I won't repeat, you know, the intro.
But Houston, we have a problem. Right? Our DevSecOps teams, why you're all here with us today is there's pressure. There's pressure to move fast while staying secure.
So we're gonna cover a ton of great stuff today. As Joe mentioned, please feel free to drop questions in the chat for us. We're gonna have a poll in a little bit. But I wanted just to get everybody started as I always do.
So if you've attended a webinar that I've presented before, but a basic definition. Right? Let's get us all on sort of the ground floor of, you know, understanding the role of DevSecOps in modern software development. And DevSecOps, right?
It's not a product or a tool. You're not gonna find it on a vendor's price list. Right? It's not something we're gonna buy, but it's a framework.
It's a practice. It's a methodology that's integrating security into every phase of our software development life cycle. And it's really, you know, an extension of a DevOps practice.
So something that's been around for a little bit longer. But what we're doing is we're combining development operations with security. So it's not, you know, you on the dev team versus me on the security team versus these operations folks over here. Right?
We're bringing everything together. And the practice of DevSecOps is really aiming to help our development teams in particular address security issues more efficiently and earlier on. We'll talk about what that means in a few minutes, but with security baked in, right? With it built into the development process from the start, rather than being something we're tacking on or trying to add on at the end, this means that we can deliver faster and more securely.
So we really can have both, and everybody is working towards the same goal. So from a business perspective, right? For our business leaders, our C-suite, this is helping to reduce security and compliance issues, reducing costs, right? And allowing our organizations to deliver more secure software faster, which is ultimately what we want to do.
So starting sort of with a basic definition, but you know, the rise of DevSecOps, right? The reason we're all here today is because we've been hearing about this topic, you know, putting it into practice and what this means. But what's really important to understand is sort of the rise of DevSecOps practices are very closely linked to the growth of cloud native applications.
And primarily, this is due to all of the unique security challenges that cloud native environments present. And if you've been on a webinar with me or with Joe or anyone from Aqua in the past, we talk a lot about this. Right? Cloud native is still new.
And if you're an organization who's in the midst of your digital transformation, right, you're moving from sort of these traditional or these monolithic, you know, applications that you've used in the past to cloud native. This is, you know, introducing a whole different set of security concerns. Right? If you're adopting, you know, microservices, containers, Kubernetes, you know, for that matter, all of these are meant, you know, the rise of cloud native, all of these wonderful benefits to enhance scalability, agility, but all of that comes with new complexities.
Right? New security challenges, a broadened attack surface that traditional security approaches can't keep up with. Right? They struggle to address.
So this is where we enter DevSecOps. This is why these are so tightly conjoined. As you can see, even from this slide here from Gartner. Right? Because by integrating security into every phase of the development pipeline, we're empowering teams to secure our cloud native applications more proactively.
And we're ensuring that security is really evolving in tandem with this rapid pace of cloud native development. Again, all of the wonderful benefits come unique challenges, but this is where DevSecOps really goes hand in hand.
So it's a great intro to kind of go into what are these benefits. Right? What is DevSecOps bringing to the enterprise? Why is this becoming such a popular practice that, you know, organizations like yours are trying to implement?
And the first is enhancing security, right? When we include security early on, we're catching these potential issues before they become bigger problems. It's pretty simple, right? Start from the beginning before we wait until the very end. And it's like fixing the cracks right before it turns into a major leak. It's faster, it's cheaper, and it's safer.
And speaking of faster, right, what is the edict of cloud native? Right? What are our development teams, you know, trying to do? We're trying to push out software as fast as possible.
Right? That's why we're moving to the cloud because we want the agility. We want the flexibility. We want the scalability, and we certainly do not wanna be slowed down by security.
Right? Or anything for that matter, especially if you're in a situation where, you know, you have a bug fix. Right? You have a maybe an unhappy customer and you're trying to push something out, or you have a really, really cool competitive feature that you're trying to launch.
You know, the business wants it launched now. And so we want to be able to ensure this fast and scalable development by but also include security. So these automated security checks help our teams to move faster because they're not waiting around for a manual review. Right?
We're not getting, you know, three quarters of the way there and then having to start back from scratch. And so you can think of DevSecOps practices like, you know, a spell check for your development team. Right? A spell check for security.
Right? We're catching these issues as we go along instead of having to go backwards. Right? So we can work without delays.
We can deliver that amazing new competitive feature. We can fix that bug that customer is complaining about while including security early on.
And then a big part of, you know, things that we're gonna talk about later and, you know, is improved collaboration. So DevSecOps is really fostering, and Joe mentioned this, right, as a culture of shared responsibility between all of the teams. It's not a finger pointing game. It's not, you know, oh, you slowed me down. Well, you didn't build an, you know, secure code. Well, this isn't the way this is supposed to operate. It's everybody coming together so that we can lead to better communication and more efficient processes.
And that's not just with security. Right? That's a complete overhaul of thinking on how we're bringing new software to market and, you know, by bringing our teams together, a much, much better solution.
And then of course, efficiency, cost, time, resource savings. Right? What does our c suite want? They want us to save money, save time, and we can do that by catching security issues early on.
Because if you really think about it, right, catching a bug that's in production is like tearing down an entire building because you forgot to put a lock on a door. Right? It doesn't actually make any sense. And it's way more expensive than if you would have caught it in the planning phase and not to mention pretty demotivating.
You don't wanna push something all the way out just to go back and start from scratch. I know that I certainly don't.
But if we think about all this, right, and some of these benefits, right, there's some listed here, many more, but IDC actually recently, very recently within the last few weeks, just put out their 2024 DevSecOps security survey. And what this survey found is that 66% of application development teams are using DevSecOps methodologies on average. So really interesting, right? We're seeing a growth here, but what I'm excited for is our test, Joe, of our LinkedIn poll. So I'm gonna switch the screen and let you talk about what we're trying to do here. And so everyone get your fingers ready to hit your favorite emoji.
Let's see.
Oh, I think Joe's muted.
I am muted. Yeah.
There we go.
This is a MacGyver poll, everyone. So let me just post the question in the chat.
I'm just gonna abbreviate.
Doing it live in real time.
Yeah. You should all be able to see while Joe's doing that. Right? If you're on LinkedIn right now, you should be very familiar with all of these emojis.
So what we're trying to gauge here is, you know, where are all of you? Where are you in your application development teams? How much are you utilizing DevSecOps methodologies today? Are you closer to five percent, just getting started?
If so, wonderful. You're on the right webinar. If you're a hundred percent, amazing, and hopefully you learn something new by attending today, but let's just get a pulse on where everybody is.
Yep.
So I think I'm realizing that. I don't know if we can react to the comment with the five options.
I said it wasn't gonna be perfect.
Sorry. If you guys wanna if you wanna drop your feedback in the chat, that is cool too. So just trying to, you know, get us all on the same page here and No problem. Sure that's yep.
Awesome. Awesome.
Yeah. Alright.
Well, we'll take a closer look later, and I can't really see the actual comment from in here.
But okay. So some people are starting to type it out.
Nice. Nice.
Yeah.
I think I'm hearing it. Mute for a second.
Alright. Yeah. I guess let's, you want to jump to the next slide?
Yeah, sure. Cool. Okay, good. The echo went away. But thanks, Scott. Yeah. Let us know.
Right? We're here to help. We're interested in hearing, you know, where you are in terms of your adoption of DevSecOps. But regardless of where you are, right, if you're just getting started, you're in the right place.
And I think what's really important is that, you know, DevSecOps is the ideal state. Right? We can all agree on that. But if it was so easy to do, a hundred percent of people would be doing it.
There would be no reason for you to even be in our webinar today. Right? But no, that's not the case. So we want you all here.
We're excited to talk about it, but I think it's important to talk about some common challenges. Right? This is a difference. This is a change.
This is a shift. This is the practice as we mentioned. It's not something that can be, you know, quickly turned on overnight. So let's talk about sort of the first challenge here.
Right? Which is it's a cultural shift. And we shouldn't have to feel like we have to either have one or the other. Right?
Fast deployments or secure deployments. Why can't we have both? And I think one of the biggest challenges and, you know, curious from all of you too, feel free to drop in the chat, is, you know, this is a mindset shift. Right?
We're changing the way we've traditionally done things, and security teams, sorry, whether we like it or not, have sometimes been those that are kind of putting the stop sign in the middle of our progress and saying, no, stop, wait.
And they're the ones that seemingly are slowing things down. But with DevSecOps, we're gonna change that completely. Right? We're flipping it on its head because we're asking everybody to come together from the start. So we're eliminating some of those cultural challenges, but this can be tough, right? This isn't something that can happen overnight. We definitely need our leadership to support.
And it's especially tough if people are in like used to working in silos, right? That happens. So acknowledging that, you know, this can be a challenge and it does sometimes feel like it's one or the other that we can't have both.
And the next is a bottleneck, right? No single person wants to be a bottleneck. No team wants to be a bottleneck. And we certainly do not want our tools to be a bottleneck.
And so another challenge, especially in cloud native, right, is there are so many different tools that we're using right across the development cycle. No matter, you know, if you're writing code, if you're deploying code. So trying to get all of these people to work together, all these teams to work together, but all the tools that we're using to work smoothly together is definitely tricky. And, you know, especially in bigger organizations, right, in large enterprises where we might have a mix of different technologies, we might have some legacy things.
We might, you know, again, if we're in our cloud transformation journey, we may have some stuff on prem, some stuff in multiple clouds. It's confusing. And it's, you know, it's definitely worth acknowledging that.
And then of course, manual tasks, right? Nobody wants to be stopped when they're in the zone. Right? We don't wanna kill anyone's flow.
But automation, you know, yes, while it's the goal, scaling that can be very hard. And it's you know, you can't just slap some automated policies in place and say, okay, done. We've achieved our DevSecOps practice. Right?
That's not how it works. So we really need to find that balance. Again, this is why collaboration is so important. We need to find that balance between speed and security.
And that is definitely something that some teams struggle with. So it's definitely worth acknowledging these as challenges.
But what gets even more complicated is when we enter the world of cloud native, right? And visibility and control. Because in cloud native development, everything is moving fast. Everything is constantly changing. You can see from the slide on your screen, right? And so getting visibility into what's happening, whether it's in your containers, your virtual machines or serverless functions, it can be overwhelming because it is. Right? These environments are always changing, keeping track of everything, keeping consistent policies.
You know, you add Kubernetes to the mix, for example. You know, this requires now a specialized security knowledge. Like, it can be a lot. And, you know, an increased attack surface, you know, you have your microservices, your containers.
All of these are introducing new potential weak points that our traditional security measures weren't prepared for. So the very, very good news is that DevSecOps can help. And I think, not to be the negative one. Right?
But is can we really find this balance? And, Joe, like, this is the question. Right? This is the reason we're all in this webinar.
Is it even possible to find the balance that gives us everything with DevSecOps? You know? Can we really bring these pillars of speed, security, and automation together? That's the question.
Right? The question of the hour. But the good news is, Joe, it is. And yes.
We can. We can. We can. Yes. We can do this, and we're gonna talk to you now about a few of the best practices to achieving a DevSecOps practice in your organization.
And I'm gonna hint a little bit that towards the end of our presentation, we're actually gonna have a very exclusive QR code download that talks about some of these best practices in a little bit more detail. So if you're a note taker like me, feel free, but you will have the opportunity a little bit later on to download our new exclusive buyer's guide for DevSecOps that will go into these in more detail. But, Joe, I think we should jump into how we can do it. Right?
That's right. Alright. Cool.
So first and foremost, let's talk about our first pillar. Right? Our first pillar is speed. And so what does that mean?
You know, our goal is to be embedding comprehensive security testing and really powerful policy driven controls from the start. So right in the very beginning of our application development, but we're not gonna stop there. We wanna do this throughout the entire life cycle. So first things first, sort of first best practice is we wanna start by embedding security checks into every phase.
Right? We wanna integrate security early. We wanna shift as far left as we possibly can.
And that can be done with tools like static application security testing, for example. This is gonna allow us to scan our proprietary code to find any potential issues, right, and to fix them at the code or the integration level before deployment so we can prevent any possible delays.
And so for example, we wanna do these checks. Right? We wanna do these automatic scans on every code commit so that any potential risks, any vulnerabilities are flagged and corrected before we move to the next stage.
And it's important, right? The additional, you know, best practices here too, is to enforce these policies at the very beginning so that we can prevent any potential vulnerable code from merging into our main branch and to move on throughout development. So first things first integrate as early as possible.
And then from there, we want full visibility, right? We want to manage our third party risks. And this is especially important in cloud native because as we know, again, part of cloud native, the scalability, the agility, the ability to move things fast, is because we're leveraging a lot of third party and open source packages in order to do that. So we wanna leverage tools like, you know, the ability to generate a software bill of materials, or an SBOM, you might have heard it referred to as, to get a comprehensive list of all of our third party and open source components. So we can understand what we're building, you know, what are the tools that are in the toolbox that we're using to sort of these building blocks.
And then what are the risk score measures that we wanna put in place. Right? We wanna be able to assess and evaluate the health of these libraries before we include them into our code base. And this can be based on, you know, different factors, but, you know, does it have any known vulnerabilities?
And when was the last time it was updated? How popular is this package?
And we can use tools like software composition analysis to do that, right? It's going to analyze our open source libraries and it's going to assess their current vulnerability status.
And so then we have an idea of, okay, what does this look like? And we wanna be able to apply policies, right, that are gonna flag any, you know, outdated or vulnerable libraries and give our developers time so we can, you know, alert them that maybe they need to switch to a different package, right? A safer alternative. So again, by addressing these things early on, we're preventing any potential issues from carrying us through and especially carrying us through into production.
And then the third one here is hardening our CI/CD pipeline. So we wanna do this by quickly identifying and correcting any misconfigurations across all of the DevOps platforms and tools that we're using. Right? I'm sure your organization is using a lot of different tooling, so we want to make sure that we're addressing any potential misconfigurations early.
And we wanna regularly be auditing those permissions. Right? Think about applying a zero trust principle and limit any access being very strict. So that it's only, you know, the necessary resources and credentials have access.
So locking down, hardening that CI/CD pipeline, managing those third party risks and integrating security early, that is gonna help us to embed security from development all the way through to deployment. So sort of our first pillar of security.
And then we want to talk about accelerating the speed, right? We want to speed up our software delivery without sacrificing security. This is one of the biggest challenges that we face, right? We don't want to have to pick between the two.
So we want to ensure that our security policies are enforced across development, staging, and production. And we wanna reduce the risk as early as possible and enable our teams to adopt a DevSecOps practice, right, without slowing down development.
So the first thing we wanna do here in terms of speed is we wanna be able to rapidly detect threats. And we can do that by comprehensively scanning. Again, if we're in a cloud native environment, this means our container images, our VMs, our functions. We wanna be scanning them for known vulnerabilities, any potential sneaky hidden malware that could be in there, you know, embedded secrets, you know, due to, you know, poor management. You know, again, going back to open source, are there licensing issues, you know, are there configuration issues?
And then we want to use, you know, a risk based approach to filter out those findings, you know, those known risks. We don't wanna just dump them over the fence and say, okay, here development team, here's a bunch of things you have to go fix. Right? That's not helpful.
What's the best, you know, highest priority item? What is the most risky to our business?
And so you can do that by filtering out these findings and looking, you know, what are those top priority issues that are gonna pose the greatest risk? And so you can do this by analyzing, you know, impact of CVEs, for example, you know, by, you know, code reachability, EPSS score, you know, are they in an actively running package? What's the remote exploitability, things like that. So setting these standards, again, not just scanning, finding results and throwing it over the fence, but having those processes in place so that you can prioritize what is the most important or having the right solution that can help you do that.
And then the next part is protecting active workloads. And unfortunately, I think this is the piece that a lot of people accidentally miss, which is protecting in runtime.
And it it's really important because we could do everything right. You guys could go leave this webinar, get all the best practices, do every single thing right.
But you're not doing it right unless you're shifting right. Because there is still the risk of the unknown, right? There's still the risk of the next zero day vulnerability. There's still the risk of the things that we just don't know, and we did as best as we could to prevent against, but things are still gonna happen.
Right? And so runtime really needs to be considered that last line of defense, especially in a DevSecOps practice. And so it really does play a crucial role because we are ensuring that security is maintained even after our applications are deployed. And again, incredibly important in the dynamic nature of cloud native workloads, right?
Because we have to be preventing against these threats, but also detecting them in real time. And we need to be, you know, have the ability, again, whether it's through the solution that you're using to block attacks across all workload types, to simplify the investigation so that we're not slowing things down and to respond quickly to security incidents without compromising speed, without compromising agility.
And so by having a runtime solution in place, you know, this continuous security throughout, we're going to be able to deliver more secure and more resilient software. So really important part to remember is to making sure that a runtime protection solution is part of your DevSecOps practice.
And then we talk about streamlining delivery, right? Where this is the whole pillar here is of speed. And so how can you do that? Well, using infrastructure as code, right? This is gonna help us to manage the consistent security policies across all of our environments.
And so IaC tools like Terraform, for example, will help to create human readable code templates, and those can define how your environments should be deployed, what they should look like, and they can automatically provision those resources based on those templates. So the value of this, again, if we're talking about speed, is that security can be baked into the resources as they're deployed. So you can continue to move fast without having to have those stop gaps, without having to have someone go, wait, stop, start again, because we've baked it in from the beginning.
So next and finally is our automation pillar. So automation is incredibly important because we want to combine these, you know, previously disparate capabilities into a single solution. We want to be able to save limited resource and really streamline operations, right? We want to unify security and compliance across our cloud environments.
And the first way to do this is, you know, we wanna automate compliance. So with all the security checks, everything that we mentioned, we wanna be sure that we're proactively monitoring our cloud environments for, you know, common compliance standards. Right? PCI, HIPAA, GDPR, if you're in EMEA, DORA, for example, so that we can prevent issues, you know, and audits down the road.
But we can also keep our teams focused on delivering not just secure, but compliant software without that constant manual oversight. Right? Nobody wants someone kinda looking over them, making sure that we're compliant throughout.
So making sure that these compliance checks are constant, that they're baked in, that they're embedded throughout, you know, ensures that every release is going to meet these regulatory standards. And again, we don't have to go back to square one, and we're prepared for those audits that come, you know, later in the year.
And next, you know, best practice is centralized security. Right? We want to be able to bring all of this together. If we talked about our pain points, you know, earlier, and having so many disparate tools, having visibility in cloud native, for example. We need a central place so that we can have a centralized view of what's going on, but that we can also ensure consistent enforcement across development, staging, and production.
So we wanna be able to standardize our security policies and set clear risk thresholds.
But what's really important about this is that these need to be shared policies. So these need to be, you know, a combination, a collaboration of our teams coming together. So dev, sec, and operations coming together and aligning on what do these policies look like? What is this centralized view? But what are these rules that we wanna put in place?
And what's the, you know, acceptable risk threshold? What's the acceptable vulnerability level? And this can depend on, you know, a variety of factors. Right?
It can depend on, you know, is this a testing environment versus a production environment? You know, what is the risk versus what is the vulnerability severity? You know, are there embedded secrets? Are there not? Like, you as a team can come together and establish what these rules look like so that if I'm a developer pushing to a testing environment, a QA environment, I have a little bit more flexibility so I can move forward in what I need to do versus if I'm pushing to prod.
We know that we've, you know, established all these baselines. We checked all the boxes and that we've hit the appropriate risk threshold for that application to be running live in a production environment. So really important is to centralize the security, not just with the solution, but coming together in collaboration as a team.
And then next is maintaining consistency, right? Again, a really big challenge in cloud native environments, especially as we talked about, if you're in the middle of your cloud transformation journey, you could have, you know, some applications still on premise. You could have a mix of both. You could be using, you know, three different public clouds. That's a lot to have visibility into, but it's also a lot to secure.
And so what you want to be able to maintain is this consistency of security across all of these environments. And so having a practice in place that has, you know, this define once, run everywhere approach, define these security practices once, run them everywhere, that ensures that same level of controls is applied across all of the environments. So we're improving efficiency. We're reducing risk.
We're automating, right? We're continuing to move fast so that no matter where you are, no matter what environment you're using, you know that that same consistency, that same policy has been created. You know what to expect. You're not gonna be blindsided if you're working and, you know, deploying something on prem versus in the cloud.
So maintaining that consistency is really crucial. And another, you know, capability, another thing to keep in mind is, you know, being able to, you know, have a unified scanner. Right? That consistency across all of the entire life cycle.
Tool sets are a lot; having to consolidate scan results is a whole other thing. So being able to replace multiple tools with one helps facilitate more accurate, consistent results, but it helps us to detect those issues and find a resolution earlier on.
So a lot of things here. Right? I know we covered a lot. Again, this is why I'm gonna preface that we're gonna have this exclusive buyer's guide for you to download to learn more. But, you know, the good news, Joe, after all of this, is it's true. We really can find a perfect balance with DevSecOps. We really can merge security, speed, and automation.
And by integrating security from the code commit to run time, we can speed up secure development without having to slow down the pipeline, and we can achieve continuous compliance and unified security for our cloud native environments.
Sounds like a pretty good deal. Right?
Okay. Sounds incredible.
So I think Joe, you mentioned this in our intro about a real world use case. So I wanted to pull up and just give everyone a little highlight that, you know, PayPal, a major financial corporation was having these same challenges. They wanted to adopt a DevSecOps methodology, and they had to find a way to do it at scale.
So PayPal, right, again, you know, think about, I don't know if any of you have the PayPal app on your phone, but think about, you know, maybe even in your organizations or you as a user. Right? The world demands things to be more easily accessible, demands things to be, you know, in the palm of your hand. And so as organizations are shifting to be able to provide this kind of level of access, this means moving things to the cloud. And so PayPal is one of these examples, right? They had to be able to move and also shift from sort of this project driven mindset to a product aligned approach that prioritized security.
So they wanted to integrate security into their existing DevOps workflows. And this could be a situation that many of you are in. Right? But part of the challenge is they had to help empower their developers with the security knowledge and with the tools.
And one of the challenges we talked about right early on is this culture shift. So an example here from PayPal is they actually had to create these internal teams, right? They created change champion and transformation team member teams to help guide their organization through this change. So it is a challenge. Right? And if you're listening to this webinar and you're experiencing any of this, PayPal is a perfect example, and you really do need, you know, leadership buy in. You have to be prepared to make this sort of change for the better.
And PayPal saw the results, right? By automating their security scans, it allowed them to create more secure code at scale and achieve a DevSecOps practice within their organization. And you can see from the screen, right, they were handling a scale of over a hundred, or excuse me, one million builds per month. So massive, massive, massive organization, massive amounts of, you know, development that is happening. But if they're able to do it, if they're able to adopt the DevSecOps practice, I am very confident you all can too, and especially with the right tools.
So I'm going to talk a little bit now on how Aqua can help you all achieve a DevSecOps practice, you know, just like PayPal. Again, I know we talked about a lot today and a lot of best practices, and it's a lot to take in. And this is especially a lot to take in if you're, you know, sort of in the middle. Right? You're on the line of, you know, moving to the cloud, of adopting cloud native. I know that's, you know, a big shift there too.
So let's talk a little bit about, you know, how Aqua can help you all as well. And the first is the ability to shift security left. So right we talked about this as a best practice. You know, a DevSecOps methodology, a DevSecOps practice needs to incorporate security across the life cycle.
So being able to, with Aqua, integrate security early on, you know, by using static application security testing to analyze your source code, but also software composition analysis to check those third party and open source packages for security issues and any potential license conflicts. If any of you are familiar with Aqua Trivy, this is the scanner that, you know, can help you do that. But this proactive approach is really addressing these issues before they reach production so that you can enhance speed and security.
Right? We can start from the very, very start.
And then automating security checks. So Aqua helps you do this in a variety of different ways. You know, we integrate seamlessly into your CI/CD pipelines, and we can also help you enforce these policies without disrupting your workflows. Right? You know, we were born and bred in cloud native. So we want to amplify those benefits, right, of speed and security.
And with Aqua as well, you know, in our container security solution, you can set up these, you know, flexible assurance policies. So as I mentioned, you know, come together as a team and set those risk thresholds, set those guardrails, you know, at each stage of your development. So depending on the security need of the different applications and of the pipeline, you can set those practices in place and have those as automated checks instead of, again, being that stop gap that's slowing down your organization.
And then Aqua's runtime protection. Right? We're providing this real time protection for, you know, your containers, VMs, and serverless functions. So we have the ability to detect and prevent active threats.
Aqua's runtime protection is powered by our Aqua Nautilus team. So we have real world threat intelligence that's helping you to keep, you know, the most updated behavioral detection so you know exactly what's happening in production. Again, this is a really important piece because you can do all the things on, you know, the left side of the screen, but you need to have runtime protection in place to protect those running workloads from the unknown, from the next zero day, from the, as we like to say at Aqua, the next Log4j. So we wanna ensure that those workloads are protected at every turn.
And then, of course, full visibility and risk management, right, into vulnerabilities, for example. This is a huge, huge component, especially, again, when we're talking about integrating open source third party components.
So being able to prioritize, you know, it's one thing to just, as we mentioned, get a list of all of the millions of things you need to fix. It's another to be able to shorten it and know exactly what the most risky vulnerability is in your organization.
And being able to have that code to cloud context, being able to see what's running in production, connect it all the way back to that line of code. Again, that is DevSecOps right there. It's being able to combine speed, automation, and security. Right? So we can understand the risk of these vulnerabilities based on all of these factors and have that context that helps make the team smarter, helps us make better data driven decisions than just trying to pick off of a list of vulnerabilities based on some prioritization rules that we really don't understand. Right? Filter through the noise, filter through the false positives, and really help us to manage those critical threats and our risks more effectively.
So in summary, DevSecOps, it's essential to maintaining security in today's very fast paced cloud native environments.
By shifting left, by automating security, by fostering collaborations across teams, we can accelerate software delivery while minimizing risks.
And with Aqua, we can simplify DevSecOps. You know, Aqua's platform ensures that security controls are enforced across development, across staging, across production. We're helping you reduce these risks early. We're enabling teams just like yours to adopt DevSecOps practices without slowing down development. So I think, Joe, we can call it a wrap on the presentation. I think we can say that we've officially simplified DevSecOps. What do you say?
I love it. That's a wrap on that. Awesome. Yeah. And if anyone, you know, hasn't had the chance to check Aqua out, I would highly encourage you to reach out.
We're here to help. So any question that you have, we'll be happy to help you navigate through it. Yeah.
For sure.
Alright. So we've got a couple of questions that came in through the chat.
We've got the buyer's guide. Yeah.
But, first, I just wanna say, I always come up with things when I listen to you talk and all the mention of zero days. And then when you said Log4j, I just remembered, like, two years ago, and I said to myself, I said, I hope we don't get another zero day for Christmas this year.
Definitely not. Definitely not. I'd like to have I think everybody would like to have their Christmas break, a very peaceful Christmas break.
Yeah. Yeah. I don't think anyone's putting that on their Christmas list.
No. No. Not asking Santa for that one.
Yep. Alright.
You wanna tackle the questions, Erin, or do you wanna go into the Mhmm.
I can talk about some questions.
So this is actually really cool.
So someone, Pedro in the chat was talking about about this.
Totally agree, Pedro, with everything that you're saying there. Mhmm. This question: what do you think is the biggest misconception about DevSecOps, and how can I help my management see the value?
Oh, that's a really good one. I think, again, you know, in my conversations with customers, you know, whether it's, you know, on Zoom calls or at the booth, I think a lot of it is well, it's easy. Right? You know, we put this practice in place and, you know, we have this EDA come down and, you know, sure.
We'll help develop, but it's not that. Right? You know, thinking of all the challenges that we talked about, especially if teams are used to working a certain way, we really need leadership support. Right? Which, you know, management see the value.
I think by, you know, combining, by showing, you know, one, here's how we're moving to this cloud native, you know, environments.
And two, here's why we really need to bring security in from the start. You know, whether that's, you know, specific stats or time savings, money savings. Right? All of this is value.
But I think one of the biggest misconceptions is that it can just be done overnight. That, hey. Yeah. We're adopting DevSecOps, and that's that's not true.
Right? You're literally changing the way your organizations work. And if the PayPal example is any proof of that, right, that a massive organization like PayPal that, you know, you needed to have, you know, change management in place. You needed leadership to be on board in order to do this safely and securely and getting everybody, you know, to understand each other's perspectives and working together to really put it into practice.
So it's one thing to say. Right? Theory versus practice are two different things.
So I know.
So wait. So you're telling me you can't just go out and buy DevSecOps?
Or You can't.
No. I don't think it's on anyone's SKU list. Not not today. Maybe Santa will bring us DevSecOps and stuff for today.
That's actually a really good idea. I'm gonna Yeah. Add that to the list.
I love it.
Yeah.
We need to highlight the risks of not collaborating and showing the business in there.
Mhmm.
It's been a lot of that, Erin.
Like, just the operation side of it. Right? Like, people are probably stuck in their ways and or, like, especially larger companies.
Yep. Yeah. Proof points. Right? That, you know, that's what changes that's what moves the needle and, you know, being able to share some examples.
You know, hopefully, it's not where things went left. But, you know, being able to show some examples of, hey, if we would have done this earlier on, you know, this would have had a bigger impact. Right? Unfortunately, sometimes we don't we don't know until we're in this situation.
But, you know, by bringing these things further and sharing with each other. Right? I, you know, I encourage all of you as you're in the chat. Like, share with each other.
Talk to your peers. How have they done it? You know, that's a it's super, super important. You know?
Do that all the time.
Good community we have here.
Mhmm. Yep. Oh, I like what's on the executive sponsorship. Exactly. And that goes for anything.
Right? Anything that you're trying to implement in your organization. Right? You need executives to be able to help you sponsor it, and even PayPal, for example.
Like, they just started with the scanning, you know, in the use case. Like, you could continue that on and on and on, but starting small, starting to see. But, yes, having that exec sponsorship is critical. Yeah.
I completely agree.
Completely agree.
And I like how they formed those teams too. So I feel like one person trying to get the buy in versus a whole team or multiple teams, like, that would make, in my opinion, a big difference in terms of Yeah.
Taking you seriously and and making sure that Yep.
That you get the funds to invest in the methodology.
For sure.
But I think we talked about we shared perfect timing. We told everyone we were gonna give them an exclusive access. Right? So very excited about this new piece.
Right? Our essential strategy is for DevSecOps, implementing DevSecOps, especially in cloud native. Again, Aqua, our expertise, everything we do is around cloud native. That's where we were born and bred and will continue to live.
So a DevSecOps strategy for you, and whether, again, you're just starting out or you're, you know, an expert in cloud native, you know, definitely check out our guide. I'm excited about it, Joe. I don't know about you.
It's beautiful. Yeah. I love the whole layout of it. It's easy to read, follow, and can easily be shared with peers, friends, colleagues, you name it.
So Yeah.
For sure.
Yep. And I tested that QR code. It still works.
We're not sending you to, like, a site to buy a bunch of Halloween candy or something like that.
Yeah. Alright. When's KubeCon? You're gonna be there. Right?
Yeah. It is, oh, in the coming weeks. The thirteenth or the fifteenth of November, I think it is. Yeah.
Yeah.
Yep. Yep. Very soon. Yeah. So anybody who will be in Salt Lake City, excited to see you.
Please come and stop by our booth. I will be there. I'd love to chat with you about DevSecOps or, you know, cloud native, anything in general. I'd love to hear from you.
So definitely come over and say hi.
And if you answered that question in the beginning, let Erin know which team you're on.
Yes.
It looked like everyone said battery, which makes sense. Yeah.
Because you can't really have Wi Fi without the phone.
But yeah. Ugh.
Insane how much we rely on the Wi Fi and Yes.
Hacks. Yep. That's the way of the world. But Indeed. So I think we're good. Ready to wrap us?
Yep. Ready to wrap. Everybody, thank you so much. Erin, thank you, as always, for sharing your insights.
Yep.
And, yeah, we'll leave you with this, everybody. Stay curious, stay safe, and stay cool. We'll catch you guys later.
Bye, guys. Thanks.