As DevOps continues to embrace rapid release cycles at scale, delivering robust application security scans becomes a bottleneck. With a mix of paid and open source tools that scan for secrets, vulnerable open source libraries, and security bugs in the code, and that verify commits have been peer reviewed, engineers have to juggle the findings from multiple tools to make sure their code complies with security standards.
New Relic is an organization with 1500+ engineers making thousands of commits, hundreds of pull requests, and dozens of deployments to production per day. To enforce security best practices at this scale, we needed to integrate application security into the overall DevOps pipeline. To reduce context switching for developers, our security teams provision and maintain the infrastructure that automates vulnerability scanning. In this talk, get an overview of how to integrate security into a DevOps pipeline and the lessons learned from implementing "DevSecOps" at New Relic.
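The abstract describes the core problem of pipeline-integrated security: several scanner types (secret detection, dependency vulnerability scanning, static analysis) each emit findings in their own shape, and someone has to decide, per commit, whether the result is acceptable. The following is an added example, not New Relic's tooling and not code from the talk: a minimal pipeline gate that normalizes findings from three hypothetical scanners into one schema, applies a per-category severity policy, and fails the build when any finding crosses its threshold. The scanner names (`secret-scanner`, `dep-scanner`, `sast`), their raw output fields, and the sample findings are all constructed for illustration.

```python
"""Minimal CI security gate that merges findings from several scanner types.

Added example, not New Relic's tooling. The three scanner names and the
shape of their raw output are hypothetical stand-ins for real tool output.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass

# Ordering used to compare a finding against its category's threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Minimum severity that blocks the build, per finding category.
# "low" for secrets means any leaked credential blocks.
POLICY = {"secret": "low", "dependency": "high", "sast": "high"}


@dataclass(frozen=True)
class Finding:
    tool: str
    kind: str       # "secret" | "dependency" | "sast"
    severity: str   # "low" | "medium" | "high" | "critical"
    location: str   # file:line or package@version
    detail: str     # rule, advisory, or check name


def cvss_to_severity(score: float) -> str:
    """Map a CVSS v3 base score onto the standard qualitative rating scale."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def normalize(raw: dict) -> Finding:
    """Translate one hypothetical scanner's record into the common schema."""
    tool = raw["tool"]
    if tool == "secret-scanner":
        # A leaked credential is critical regardless of the tool's own rating.
        return Finding(tool, "secret", "critical",
                       f'{raw["file"]}:{raw["line"]}', raw["rule"])
    if tool == "dep-scanner":
        return Finding(tool, "dependency", cvss_to_severity(raw["cvss"]),
                       raw["package"], raw["advisory"])
    if tool == "sast":
        return Finding(tool, "sast", raw["severity"].lower(),
                       f'{raw["file"]}:{raw["line"]}', raw["check"])
    raise ValueError(f"unknown scanner {tool!r}")


def gate(raw_findings: list[dict]) -> tuple[bool, list[Finding]]:
    """Return (passed, blocking_findings) for one pipeline run."""
    findings = {normalize(r) for r in raw_findings}  # set: drop exact duplicates
    blockers = sorted(
        (f for f in findings
         if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[POLICY[f.kind]]),
        key=lambda f: (-SEVERITY_RANK[f.severity], f.kind, f.location),
    )
    return (not blockers, blockers)


# Constructed sample output from the three hypothetical scanners.
SAMPLE_RAW = [
    {"tool": "secret-scanner", "file": "config/prod.env", "line": 3,
     "rule": "aws-access-key-id"},
    {"tool": "dep-scanner", "package": "lodash@4.17.15", "cvss": 7.4,
     "advisory": "prototype pollution"},
    {"tool": "dep-scanner", "package": "minimist@1.2.0", "cvss": 5.6,
     "advisory": "prototype pollution"},
    {"tool": "sast", "file": "app/handlers.py", "line": 42,
     "severity": "High", "check": "command-injection"},
    {"tool": "sast", "file": "app/util.py", "line": 7,
     "severity": "Low", "check": "hardcoded-tmp-path"},
]


def main() -> int:
    passed, blockers = gate(SAMPLE_RAW)
    for f in blockers:
        print(f"[{f.severity.upper()}] {f.kind} via {f.tool}: {f.location} ({f.detail})")
    print("gate:", "PASS" if passed else f"FAIL ({len(blockers)} blocking)")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a final CI step after the scanners, the non-zero exit code is what stops the merge or deploy; the per-category thresholds in `POLICY` are where a security team encodes the standard once instead of asking every engineer to read three tool reports. Treating all secrets as blocking independent of the scanner's own rating, and deriving dependency severity from CVSS rather than from vendor labels, are the two normalization decisions that keep the policy consistent across tools.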