DevSecOps on Romano Roth

Continuous Security with DevSecOps and Platform Engineering

Tue, 04 Mar 2025 00:00:00 +0000

Imagine a world where security is seamlessly integrated into your development workflow from ideation until production, so that development teams can completely focus on feature development while building secure applications. That is exactly what I presented at the OWASP Chapter Meetup Switzerland. In this talk, I show how platform engineering transforms modern application security and makes DevSecOps a reality at scale.

Continuous Security with DevSecOps: How Platform Engineering Transforms Modern Application Security

Wed, 19 Feb 2025 00:00:00 +0000

Security is no longer an afterthought in modern software development. It must be integrated seamlessly into every stage of the development lifecycle. This talk delves into the transformative power of combining DevSecOps principles with Platform Engineering to address the challenges of ensuring continuous security in a fast-paced, agile environment.

Architecting for Continuous Delivery at Conf42 DevSecOps 2024

Tue, 09 Jan 2024 00:00:00 +0000

At the Conf42 DevSecOps 2024 conference, I presented my approach to architecting for continuous delivery. After more than 21 years at Zühlke, working across industries on DevOps transformations, I keep seeing the same fundamental problem: value streams broken by walls of confusion. In this talk, I walk through how organizations can move from project thinking to product thinking, build in quality and security from the start, architect for operability, and use platform engineering to scale it all.

GitHub DevSecOps Part 12: Our Recommendations and Lessons Learned

Tue, 13 Jun 2023 00:00:00 +0000

After eleven sessions building a full DevSecOps pipeline with GitHub — covering Software Composition Analysis, License Compliance, SAST, Container Scanning, Secret Detection, DAST, Pull Requests, Scheduled Pipelines, and Vulnerability Management — Patrick Steger and I close the series with our recommendations. What works on GitHub, where the gaps are, and what we would tell anyone setting out to build the same pipeline.

GitHub DevSecOps Part 11: Scheduled Pipelines for Production Code

Mon, 05 Jun 2023 00:00:00 +0000

Across ten sessions we wired security checks into a GitHub Actions pipeline that fires on every commit and every Pull Request. That covers code we are actively changing. It does not cover the code that is already running in production while researchers keep finding new CVEs in the libraries it uses. In Part 11 of the GitHub DevSecOps series, Patrick Steger and I add a scheduled workflow that re-scans the production branch — and we run straight into a GitHub limitation worth knowing about up front.

GitHub DevSecOps Part 10: Branch Protection and Pull Requests

Tue, 30 May 2023 00:00:00 +0000

In the previous nine sessions Patrick Steger and I built a GitHub DevSecOps pipeline with build, SCA, License Compliance, SAST, Container Scanning, Secret Detection and DAST. All useful — but only if it actually runs before code lands in main, and only if the merge is blocked when something serious shows up. In Part 10 we wire that gate together with Pull Requests and Branch Protection rules.

GitHub DevSecOps Part 9: Vulnerability Management

Mon, 22 May 2023 00:00:00 +0000

We have spent the previous eight sessions adding scanners to our GitHub DevSecOps pipeline — SCA, SAST, container scanning, secret detection, DAST. The scanners now produce a steady stream of findings, and the question is: where do we manage them? In Part 9, Patrick Steger and I look at GitHub’s built-in Vulnerability Management — the Security Tab — and call out what it does well and what is still missing.

GitHub DevSecOps Part 8: Dynamic Application Security Testing (DAST)

Wed, 19 Apr 2023 00:00:00 +0000

After seven sessions of static analysis — SCA, license compliance, SAST, container scanning, secret detection — Patrick Steger and I move into the dynamic side of the pipeline. In Part 8 we add Dynamic Application Security Testing to our GitHub Actions pipeline. DAST runs the application and then attacks it. GitHub does not ship this out of the box, so we wire in a community action built on OWASP ZAP — and we are honest about where that approach falls short for enterprise use.

GitHub DevSecOps Part 7: Finding Secrets in Your Code with Secret Scanning

Tue, 14 Feb 2023 00:00:00 +0000

API keys, tokens, and passwords still leak into repositories all the time — sometimes by accident, sometimes by a developer who genuinely did not know better. In Part 7 of our GitHub DevSecOps series, Patrick Steger and I switch on GitHub’s built-in Secret Scanning, add a custom pattern of our own, try out push protection, and look honestly at what the feature finds and where it falls short.

GitHub DevSecOps Part 6: How to Use Container Scanning

Thu, 09 Feb 2023 00:00:00 +0000

We have built up the GitHub Actions pipeline through five sessions: the project basics, software composition analysis, license compliance, and static application security testing. The next layer is container scanning — looking for vulnerabilities inside the Docker image we ship, not just in the source we wrote. In Part 6 of our series, Patrick Steger and I split the work into two GitHub Actions sub-workflows: one builds the image and pushes it to the registry, the other pulls it back and runs Trivy on it.

GitHub DevSecOps Part 5: Static Application Security Testing (SAST)

Wed, 01 Feb 2023 00:00:00 +0000

SCA covered our dependencies. License compliance covered what we are allowed to ship. SAST is where we point the scanners at the code we wrote ourselves. In Part 5 of our GitHub DevSecOps series, Patrick Steger and I add Static Application Security Testing to the pipeline — and find out the hard way that on GitHub it takes three Actions, not one.

GitHub DevSecOps Part 4: How to Ensure License Compliance

Wed, 25 Jan 2023 00:00:00 +0000

GitHub does not ship a license scanner out of the box, and when we went looking in the marketplace, none of the existing actions did what we needed. So we built our own with a colleague from Microsoft and published it. In Part 4 of our GitHub DevSecOps series, Patrick Steger and I plug that License Finder action into our Spring Boot pipeline, configure which licenses are acceptable, and show how to surface the results inside GitHub.

GitHub DevSecOps Part 3: Software Composition Analysis with Dependabot and CRDA

Thu, 19 Jan 2023 00:00:00 +0000

GitHub does not ship a default SCA tool the way GitLab does. You have to combine two things: a platform feature called Dependabot and an SCA action from the Marketplace. In Part 3 of the GitHub DevSecOps series, Patrick Steger and I wire both into our pipeline — and find out the hard way that the Marketplace path is not as smooth as the slides suggest.

GitHub DevSecOps Part 2: Creating a Simple Project and Your First Workflow

Wed, 11 Jan 2023 00:00:00 +0000

Before we plug security tools into anything, we need a repository, a pipeline, and a working build. In Part 2 of our GitHub DevSecOps series, Patrick Steger and I create a private GitHub repo for a small Java Spring Boot service, enable GitHub Actions, and wire up a two-workflow pipeline that compiles the code and runs the unit tests. This is the skeleton everything else in the series hangs on.

GitHub DevSecOps Part 1: What Is GitHub and Why Shift Security Left?

Tue, 03 Jan 2023 00:00:00 +0000

After we finished the GitLab DevSecOps series, Patrick changed jobs — and his new team is on GitHub. The problem is the same: no security checks during development. The platform is different. In Part 1 of our GitHub DevSecOps series, we cover what GitHub is, the CI/CD vocabulary you have to share before any pipeline conversation works, and the shape of the DevSecOps pipeline we will build over the next sessions.

DevOps Top Trends and Emerging Technologies to Watch

Sun, 01 Jan 2023 20:55:56 +0000

DevOps trends 2023

We quickly review my projections for 2021 and 2022 before moving on to the difficulties businesses are already facing. Due to silo organizations, there is almost no coordination between the various organizational divisions, and businesses continue to plan annual projects rather than products. Hence, businesses must adopt some DevOps methods or trends. DevOps is a mindset, culture with technical practices that align all people across the value stream to continuously deliver value to the customer. The top DevOps trends for 2023 include building products, running the product, ensuring product quality, monitoring the product, organizing across the value stream, enabling DevOps in product teams, and industrializing the whole product development.

The Future of DevOps: Top Trends to Watch in 2023

Sun, 01 Jan 2023 00:00:00 +0000

Two years of trend predictions later, the DevOps conversation has shifted. In 2021 we talked about adoption. In 2022 we mapped trends onto the adoption lifecycle. In 2023 the most useful lens is the value stream: how products get built, run, quality-assured, monitored, organised, enabled and industrialised end-to-end. Most organisations still suffer from silos and project-based annual planning. The 2023 trends are about closing those gaps.

GitLab vs. GitHub: DevSecOps Pipeline

Wed, 28 Dec 2022 11:25:25 +0000

by Romano Roth and Patrick Steger

This video series will show you how to build up an enterprise-ready DevSecOps Pipeline with GitLab and GitHub and compare the two platforms.

GitLab DevSecOps Part 12: Our Recommendations and Lessons Learned

Wed, 16 Nov 2022 00:00:00 +0000

After eleven sessions building a full DevSecOps pipeline with GitLab — from Software Composition Analysis to Container Scanning, SAST, Secret Detection, DAST, merge request integration, and scheduled pipelines — Patrick Steger and I close the series with our recommendations. What worked, what tripped us up, and what we would tell anyone setting out to build the same pipeline today.

GitLab DevSecOps Part 11: Scheduled Pipelines for Production Code

Wed, 09 Nov 2022 00:00:00 +0000

Over ten sessions we wired six security tools into a GitLab pipeline that fires on every commit and every Merge Request. So are we done? Not quite. Code in production sits there for weeks or months, and during that time researchers keep finding new CVEs in the dependencies you are already shipping. In Part 11 of the GitLab DevSecOps series, Patrick Steger and I add a scheduled pipeline so the production branch gets re-scanned automatically — without anyone having to push a commit.

GitLab DevSecOps Part 10: How to Do a Merge Request the Right Way

Wed, 02 Nov 2022 00:00:00 +0000

In the previous nine sessions Patrick Steger and I built a GitLab DevSecOps pipeline that runs SAST, secret detection, software composition analysis, container scanning and DAST. Useful — but only if it actually catches issues before they reach the default branch. In Part 10 we close that loop: we wire the pipeline into Merge Requests so every change is scanned, the deltas against the default branch are visible, and approvals are required when new high or critical vulnerabilities appear.

GitLab DevSecOps Part 9: Overcoming Vulnerability Management Challenges

Wed, 12 Oct 2022 00:00:00 +0000

After eight sessions of adding scanners to our GitLab pipeline — SAST, secret detection, SCA, license compliance, container scanning, DAST — we now have a different problem. We have hundreds of vulnerability findings. In Part 9, Patrick Steger and I look at GitLab’s built-in Vulnerability Management: what it gives you, where it falls short, and how to actually triage findings without losing your mind.

GitLab DevSecOps Part 8: Dynamic Application Security Testing (DAST)

Wed, 05 Oct 2022 00:00:00 +0000

Everything we have done in the GitLab DevSecOps pipeline so far has been static — analysis of source code, dependencies, containers and configuration. In Part 8, Patrick Steger and I cross the line into Continuous Delivery and add Dynamic Application Security Testing. DAST means we deploy the application, start it, and then attack it from the outside with an automated penetration testing tool. GitLab ships this capability out of the box, powered by OWASP ZAP.

GitLab DevSecOps Part 7: Finding Secrets in Your Code with Secret Detection

Wed, 28 Sep 2022 00:00:00 +0000

Hard-coded passwords and API keys are still one of the most common ways credentials leak. They get committed by accident, stay in the git history forever, and only show up when someone is already exploiting them. In Part 7 of our GitLab DevSecOps series, Patrick Steger and I add Secret Detection to the same pipeline we have been growing — one line of YAML — and then look at what GitLeaks actually finds, what it quietly misses, and what to do about it.

GitLab DevSecOps Part 6: How to Use Container Scanning

Tue, 06 Sep 2022 00:00:00 +0000

We have already wired SAST, secret detection, and software composition analysis into the GitLab pipeline. Those checks cover the source code and its dependencies — but the artifact we actually ship is a container image. Operating system packages, the base image, and everything copied in along the way can carry vulnerabilities of their own. In Part 6 of our series, Patrick Steger and I add container scanning to the pipeline, build a Docker image from the jar we compiled earlier, and push it through Trivy and Grype.

GitLab DevSecOps Part 5: Static Application Security Testing (SAST)

Wed, 31 Aug 2022 00:00:00 +0000

Software composition analysis takes care of the libraries you pull in. But what about the code your own team writes? That is where Static Application Security Testing comes in. In Part 5 of our GitLab DevSecOps series, Patrick Steger and I add SAST to the pipeline, plant a few realistic vulnerabilities in our Spring Boot sample, and watch GitLab pick them up.

GitLab DevSecOps Part 4: How to Ensure License Compliance

Wed, 24 Aug 2022 00:00:00 +0000

You ship a Java application that depends on Spring Boot, which depends on dozens of other libraries, each with its own license — and most teams cannot tell you what those licenses actually are. In Part 4 of our GitLab DevSecOps series, Patrick Steger and I add license compliance to the pipeline so the question is answered automatically on every commit. The good news: with GitLab Ultimate, this is one template line away.

GitLab DevSecOps Part 3: Software Composition Analysis with Gemnasium

Wed, 17 Aug 2022 00:00:00 +0000

Your code is the small part. The libraries you pull in are the big part — and that is where most of your CVEs live. In Part 3 of the GitLab DevSecOps series, Patrick Steger and I bring up a tiny Spring Boot demo, wire it into a GitLab pipeline, and then add Software Composition Analysis with a single include line.

GitLab DevSecOps Part 1: What Is GitLab and Why Shift Security Left?

Wed, 10 Aug 2022 00:00:00 +0000

Why does security still get bolted on at the end of the development process, and how do we move it earlier without slowing teams down? In Part 1 of our GitLab DevSecOps series, Patrick Steger and I set the stage: what GitLab is, what shifting security left really means, and which CI/CD concepts you have to understand before you can build a DevSecOps pipeline that actually works.

GitLab DevSecOps Part 2: Creating a Simple Project and Your First Pipeline

Wed, 10 Aug 2022 00:00:00 +0000

Before we can shift any security checks left, we need a project, a repository, and a pipeline that actually builds something. In Part 2 of our GitLab DevSecOps series, Patrick Steger and I log into GitLab, create a new .NET Core project from a template, and look at the .gitlab-ci.yml file that GitLab generates for us — including the build and test jobs that will become the foundation for everything we add later.

What Are the Top DevOps Trends in 2022?

Mon, 03 Jan 2022 00:00:00 +0000

A year ago I called DevSecOps, continuous delivery, cloud and AIOps as the trends for 2021. Most of those landed. For 2022 the picture gets more interesting because DevOps is no longer a single wave — different parts of the market are at very different stages of adoption. To make sense of that, I map the 2022 trends onto the technology adoption lifecycle: late majority, early majority and early adopters.

What Are the Top DevOps Trends in 2021?

Sun, 03 Jan 2021 00:00:00 +0000

What will move the needle in DevOps in 2021? After a year that forced almost every organisation to accelerate digital delivery, the trends I see for 2021 are less about shiny new tools and more about discipline: making DevOps stick at scale, shifting security left, getting serious about continuous delivery, leaning further into the cloud, and watching the early signals from AIOps.