By Jonathan Maresky, Product Marketing Manager, CloudGuard IaaS, published November 20, 2019
If you’re interested in expanding your knowledge about security at scale—and partying a little, or a lot—you’d better start packing your bags, ‘cause we’re going to Vegas! This year’s AWS re:Invent, likely to draw in over 50,000 attendees, will be held December 2-6, 2019 and will offer valuable DevSecOps learning opportunities.
Software development has come a long way since the early days of DevOps. And in this new environment of rapid development cycles and quick releases, security cannot be an afterthought; rather, it must be an integral part of every step of the DevOps process. This is where the term “DevSecOps” comes in—and it isn’t just a buzzword.
The pressure for fast releases is on, but security cannot be compromised; it is an essential part of any successful DevOps team. It’s no surprise then that DevSecOps will be a hot topic at the upcoming AWS re:Invent.
Below, we’ve curated a list of the DevSecOps re:Invent sessions you won’t want to miss.
Session 1: Building a DevSecOps Culture
DevSecOps is not just a role, but a culture, and if your company is undertaking its first DevOps transformation, this is the chalk talk for you. While half of all businesses have embraced a DevOps approach, when it comes to DevSecOps, they are lagging behind.
This session will discuss how to create this culture of change and how to develop the technical guardrails to keep your DevOps team moving at full speed while ensuring security is a collaborative effort.
But building this community can be challenging, as security is often viewed as a hindrance to the DevOps process. That’s where this chalk talk can offer valuable insights. It will examine how to develop foundational practices and how to scale functions to instantiate and operate a resilient and successful DevSecOps model so that security becomes a driver of innovation for your organization rather than a bottleneck.
Details: Monday, Dec 2, 1:00 PM – 2:00 PM (with a repeat session)
Session 2: Life hacks for Automating DevSecOps Security Tasks
Your time is valuable, and this session on automation boasts that it will help you “get your life back” by putting an end to the “madness.” By automating your DevSecOps processes, not only do you dramatically reduce the risk of human error, you also create a faster, more efficient process.
As a critical component of any successful DevOps process, automated security must be the top priority for organizations, according to AWS Senior Solutions Architect Margo Cronin. Organizations that implement elite DevSecOps practices are in fact seven times more likely to have such automated security practices in place throughout the DevOps lifecycle.
So since we all want to be spending more time doing the things we love, this session guiding DevOps and engineering teams on how to automate their InfoSec tasks shouldn’t be missed.
Session 3: Best Practices for Proactive Security Testing
Security is no longer an add-on in the new DevSecOps world. Rather, it must be implemented and tested early on. So how is this achieved? How do you build security in from the start?
This session will take you through this process step by step, including:
- Developing a threat model
- Security implementation
- Proactive security testing
- Penetration testing
This builders session will also offer valuable hands-on training with red team exercises.
Armed with this knowledge, you’ll be able to drive a culture of security and observability within your organization. According to Ponemon’s Costs and Consequences of Gaps in Vulnerability Response study, average annual organizational spending on vulnerability management reached $1.4 million in 2019, compared to $1.16 million in 2018. By following these guidelines to implement security from the earliest stages of the development cycle, and thus minimizing the likelihood of vulnerability remediation in the production stage, you’ll also save your organization lots of money.
Details: Monday, Dec 2, 10:00 AM – 11:00 AM (with repeat sessions)
Session 4: DevSecOps: Integrating Security into Pipelines
Does your DevOps team truly know how to handle security incidents across the pipeline? If you’re hoping to get some hands-on training at this year’s re:Invent, this workshop is for you.
In this session you’ll get your hands dirty managing a deployment pipeline for the testing environment and another for production, as well as writing and introducing AWS Lambda functions into the pipeline. The session will also cover:
- Static code analysis
- Dynamic infrastructure review
- Workflow types
Practice makes perfect, and this workshop will be a great learning opportunity for organizations wishing to streamline their DevSecOps processes.
Details: Tuesday, Dec 3, 3:15 PM – 5:30 PM (with a repeat session)
Session 5: AWS Secret Region: Lessons Learned Around DevSecOps
This session will present a particularly useful DevSecOps case study of an organization within the U.S. Department of Defense (DoD) that pioneered the successful development and deployment of apps in multiple security domains—including AWS commercial regions, AWS Secret Region, and Commercial Cloud Services. This DoD unit also successfully built a DevSecOps culture through restructuring and by fostering cooperation among their tech team of military service members, government workers, and contractors.
Another area that the DoD has navigated successfully as part of its DevSecOps adoption process has been containerization, Kubernetes, and AWS native automation tools. Despite their increasing adoption by organizations, securing these tools is an area many companies still struggle with. For example, with containers, the lack of visibility can make it difficult to detect vulnerabilities.
We must always ask ourselves where we can improve the DevSecOps process, and look to the organizations that are doing things right. Among the first to overcome many of the DevSecOps obstacles so many of us are still trying to tackle, this DoD unit is certainly one to emulate, and this talk shouldn’t be missed.
Details: Thursday, Dec 5, 3:15 PM – 4:15 PM
Session 6: Continuous Security Monitoring and Threat Detection with AWS
We could cite the Gartner statistics to death, but we all know the cloud services market is booming, and DevOps adoption has been driven by the cloud. With this rapid growth, of course, come greater security risks, and half of organizations using the cloud have reported that they rely on their cloud-native security capabilities. So what tools are out there to help?
This session will present threat detection and remediation scenarios and explore the many AWS threat-detection tools available, including:
- Amazon GuardDuty
- AWS Security Hub
- Amazon Macie
- AWS Config
It will also cover remediation methods using some of Amazon’s main products, such as S3 and AWS Lambda, as well as additional security tools such as VPC flow logs and CloudTrail.
If your DevSecOps team wants to catch security issues that may otherwise go undiscovered and tackle them without the need for extensive manual intervention, brushing up on your knowledge of these AWS automated tools and other security solutions for your AWS environments is key.
Details: Monday, Dec 2, 2:30 PM – 3:30 PM (with a repeat session)
DevSecOps Driving Innovative Security Solutions
If you want to join the ranks of elite DevOps teams, integrating security across the pipeline is essential. But finding the delicate balance between speed and security can be challenging.
To this end, this year’s re:Invent has much to offer for both established and aspiring DevSecOps teams. So whether you’re just starting out on your DevSecOps journey, you’ve already made the shift to the left, or you just want to schmooze with some of the brightest minds in DevSecOps, this year’s AWS re:Invent is sure to bring you up to date on driving security at speed, with scale.
We’ll be waiting for you at our re:Invent booth #408, armed and ready to help you on your DevSecOps journey!