Professional Documents
Culture Documents
Recognized by
Cloudbees as
Women Leader in
DevOps & Featured
Working with clients in USA Today as
to Build Security In part of Women in
within their CI and Technology - 2017
CD Pipelines since & 2018
Reviewed the very
first book on 2012
Continuous
Expertise
Integration, and
switched from
Hudson to Jenkins in
Moved to Hudson 2011
since its inception
in 2004
Started using
CruiseControl since it’s
first release in 2001 –
17 years ago
Time
© 2017 Synopsys, Inc. 2 Confidential
Agenda
Total (n=350)
Fuzz testing 31%
80%
71%
70%
61%
60%
49%
50%
42% 43%
40%
30%
20%
10%
0%
Developers Testing and QA IT operations Leadership and management Security team
60%
60% 57%
50%
50%
40% 38%
30%
20%
10%
0%
On the fly while coding When developers commit code At central build Unit testing vs. integration testing
70% 67%
60% 59%
50%
44% 45%
40%
30%
20%
10%
0%
On the fly while coding When developers commit code At central build Unit testing vs. integration testing
Operate &
Plan Code Build Test Release Deploy Monitor
Shift Left 11
© 2017 Synopsys, Inc. 11 Confidential
Static Analysis Security Testing
Developer workstation
Manual code review
Architecture risk
analysis
Out-of-band activities
SAST04
The SAST tool uses
comprehensive rulesets. All
previous rulesets are excluded.
The goal is to find issues before
the code goes to production.
The scan should take anywhere
SAST02 from an hour to 3–4 hours,
The SAST tool is automated on depending on production
the CI server. The tool is velocity.
configured for the client’s top 10
issues, such as command
injection and hard-coded keys.
The tool also uses rules from
SAST01. The scan should take
4–5 minutes so developers get
feedback fast.