CloudNative SecurityCon North America 2023 is a two-day conference that brings together security practitioners, developers, and operators to discuss the latest trends and technologies in cloud native security. The conference features keynotes, technical talks, and interactive workshops.
At this event, Xavier René-Corail presents Security as Code, a DevSecOps approach. Security as Code is the methodology of codifying security tests, scans, and policies. Security is implemented directly into the CI/CD pipeline to automatically and continuously detect security vulnerabilities. Adopting SaC tightly couples application development with security and vulnerability management, while simultaneously enabling developers to focus on core features and functionality. More importantly, it improves the collaboration between Development and Security teams and helps nurture a culture of security across the organization. In this session, we review lessons learned from DevOps to implement a successful DevSecOps culture, in particular how we can make developers contribute security checks with the SaC approach. We introduce CodeQL, a language that is free for open source that allows us to implement security checks with code, and we demo how we can code queries for vulnerabilities and misconfigurations so they can be identified as soon as they hit your CI/CD pipeline.