Avinash Jain

Avinash is an information security researcher working as a Lead Security Engineer managing complete end-to-end information security. He loves to break application logic and find vulnerabilities in it, and has been acknowledged by various MNCs like Google, Yahoo, NASA, VMware, MongoDB, and other top companies. He is also an active blogger who writes about interesting vulnerabilities he finds on his bug bounty journeys, data privacy issues, and everything security. Some of his articles and interviews have been published in various security magazines, newspapers, and newsletters like Forbes, BBC, TechCrunch, Economic Times, Huffington Post, Hindustan Times, ZDNet, Hakin9, HackerOne, etc. He is also a cybersecurity speaker who loves to share his views on various infosec topics.

Talk / Workshop: Talk

Description

Shift Left Using Cloud: Implementing baseline security into your deployment lifecycle

In the agile world, development and testing iterate continuously throughout the software development lifecycle, with constant collaboration with stakeholders and improvement at every stage, and engineers release their changes very frequently. All of this makes potential security loopholes more and more real.

A fast-moving, lean and agile culture makes it necessary to bring security testing earlier into the development and release process. This brings us to the quote "Security shouldn't be treated as an afterthought": it should be brought as close to engineers, and as early in the SDLC, as possible. When we bring something closer to the source, and in this context when we bring security closer to the source, we call it Shift Left Security. It not only gives a much better opportunity to see improved security outcomes in products sooner and to include requirements, suggestions and advice at an earlier stage, but also saves time, effort and the overall cost of product delivery.

The Shift Left approach takes this a step further by integrating security into CI/CD. With security requirements represented earlier in the software development process, enforcement also becomes part of the Continuous Delivery pipeline, with improved testing, monitoring and response to support security drift detection. By integrating security into CI/CD, one can deliver secure and compliant application changes rapidly while running operations consistently with automation. To do this well, the most logical place to check security is the code review stage, which raises a series of questions:

  • How can it be achieved?
  • How can we make sure every release that goes to production has a proper security sign-off?
  • How can we scan and test every piece of code that changes, not just from a DAST or SAST point of view but also against a wide range of custom, flexible security test cases?

Here we will talk about building such a solution and framework to integrate security into CI/CD, automating the complete process so that every code change in AWS CodePipeline is continuously scanned for different kinds of potential security issues.
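To make the idea of a security gate on every code change concrete, below is an added example (my illustration, not the speaker's framework or any tool's real output) of what a CodeBuild action in a CodePipeline stage could run: it applies a set of custom security test cases to only the files a change touched, merges the result with a SAST report (the JSON layout is an assumption, simplified from what tools like Semgrep or Bandit emit), and returns a pass/fail verdict whose non-zero exit code fails the stage. The rule patterns, the `SAMPLE_CHANGE` and `SAMPLE_SAST_REPORT` inputs, and the waiver mechanism are all constructed for the example.

```python
"""Hypothetical CI/CD security gate for a CodePipeline/CodeBuild stage.

Added example, not the speaker's framework. It scans only the files a change
touched with custom security test cases, merges the result with a SAST report
(simplified, assumed JSON layout), and returns a pass/fail verdict. A non-zero
exit code is what makes the CodeBuild action, and with it the pipeline stage, fail.
"""
import json
import re
import sys
from dataclasses import dataclass

# Severity ranking used by the gate policy.
SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    path: str
    line: int
    message: str


# Custom, flexible test cases: (rule id, severity, pattern, message).
# Illustrative rules only; a real gate would load them from a policy repository
# so the security team can change them without touching the pipeline.
CUSTOM_RULES = [
    ("custom.aws-access-key", "CRITICAL",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "Hard-coded AWS access key ID"),
    ("custom.hardcoded-password", "HIGH",
     re.compile(r"(?i)\bpassword\s*=\s*['\"][^'\"]+['\"]"), "Hard-coded password"),
    ("custom.subprocess-shell", "HIGH",
     re.compile(r"shell\s*=\s*True"), "subprocess call with shell=True"),
    ("custom.debug-enabled", "MEDIUM",
     re.compile(r"\bDEBUG\s*=\s*True\b"), "Debug mode enabled in committed config"),
]


def run_custom_checks(changed_files):
    """changed_files maps path -> file text; only the changed files are scanned."""
    findings = []
    for path, text in changed_files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule, sev, pattern, msg in CUSTOM_RULES:
                if pattern.search(line):
                    findings.append(Finding(rule, sev, path, lineno, msg))
    return findings


def parse_sast_report(report_json, changed_paths):
    """Keep SAST results that land on files in this change (assumed report layout)."""
    report = json.loads(report_json)
    return [
        Finding(r["check_id"], r["severity"].upper(), r["path"], r["line"], r["message"])
        for r in report.get("results", [])
        if r["path"] in changed_paths
    ]


def evaluate(findings, fail_on="HIGH", waived=()):
    """Gate policy: fail on any non-waived finding at or above the threshold.

    Unknown severities fail closed (ranked as the highest) so a malformed or
    unexpected report cannot silently pass the gate.
    """
    threshold = SEVERITY[fail_on]
    highest = max(SEVERITY.values())
    blocking = [
        f for f in findings
        if f.rule not in waived and SEVERITY.get(f.severity, highest) >= threshold
    ]
    return {"passed": not blocking, "blocking": blocking, "total": len(findings)}


def gate(changed_files, sast_report_json, fail_on="HIGH", waived=()):
    """Run every check on the change set and return the combined verdict."""
    findings = run_custom_checks(changed_files)
    findings += parse_sast_report(sast_report_json, set(changed_files))
    return evaluate(findings, fail_on=fail_on, waived=waived)


# Constructed sample change set and SAST report so the gate runs offline.
SAMPLE_CHANGE = {
    "app/settings.py": "DEBUG = True\nSECRET = 'x'\nAWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n",
    "app/utils.py": "import subprocess\nsubprocess.run(cmd, shell=True)\n",
    "README.md": "# Service\n",
}
SAMPLE_SAST_REPORT = json.dumps({"results": [
    {"check_id": "py.audit.eval", "severity": "high", "path": "app/utils.py",
     "line": 5, "message": "Use of eval()"},
    {"check_id": "py.insecure-hash", "severity": "medium", "path": "legacy/old.py",
     "line": 12, "message": "MD5 in use"},  # untouched file: not this change's problem
]})


if __name__ == "__main__":
    verdict = gate(SAMPLE_CHANGE, SAMPLE_SAST_REPORT)
    for f in verdict["blocking"]:
        print(f"[{f.severity}] {f.path}:{f.line} {f.rule}: {f.message}")
    print("security gate:", "PASS" if verdict["passed"] else "FAIL",
          f"({verdict['total']} findings)")
    sys.exit(0 if verdict["passed"] else 1)
```

In a real pipeline the CodeBuild `buildspec` would first compute the changed-file list (for example `git diff --name-only` against the parent of `CODEBUILD_RESOLVED_SOURCE_VERSION`, the commit CodeBuild exposes) and run the SAST tool to produce the report, then call this script; because the script exits non-zero on a blocking finding, the action fails and CodePipeline stops the release before it reaches production, which is the "security sign-off on every release" the abstract asks for. Restricting the SAST results to the changed paths keeps the gate from blocking a team on pre-existing findings in untouched code, while waivers give a reviewed escape hatch that is visible in the policy rather than in a silently skipped stage.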
