Lucky Kumar Sappa
http://hcl.com
Lucky Kumar Sappa is a software engineer at HCL Technologies, working with Docker, Kubernetes, GitLab, Jenkins and other DevOps tools and practices.
Kubernetes Jenkins Master-Slave: Scaling the Scalability Issue
July 19, 2018
LinkedIn, Sony, Dell and many other companies use Jenkins as a CI/CD tool, and builds of substantial code bases run in parallel 365 days a year. Generally, you may not have as ...