This is the first part of a series of articles covering my talks about Security DevOps in general and a maturity model that defines the steps towards more automation of certain security checks. The main idea is to define a roadmap for how projects can reach a level of automation (preferably with OpenSource tools) to check for certain security aspects during the CI (Continuous Integration) build chain.
This first part covers my talk at the OWASP AppSecEU 2015 conference held last week in Amsterdam. I had the chance to present best practices for how OpenSource tools (used in the DevOps and security communities) can be properly chained together to form a framework that, as part of an agile software development CI chain, performs automated checking of certain security aspects. This does not remove the requirement for manual pentests, but tries to automate early security feedback to developers. My talk introduced a SecDevOps Maturity Model (SDOMM) with different stages of automated security testing and presented concrete examples of how to achieve each stage with open source security tools.