My name is Anubha Gaur, and I'm the executive director at Quest Diagnostic. Today, I will be, talking about integrating AI in DevSecOps for enhancing security and efficiencies.At Quest, I am, leading the transformation through API platform, DevSecOps, SRE practices. And, since, I am passionate about APIs and cloud optimizations, how it does actually reduce the operational overhead and then bringing the business value. So integrating AI is going to take it to the next level, and that's what we are going to cover in next twenty minutes. Okay. So today, I will start with the DevSecOps core principles, and then we'll dive into the introductions of the AI role in the DevSecOps pipeline. We'll share how AI enhance security and efficiencies. Again, things looks good on sometimes on paper, but we see the challenges in reality.

I will share those challenges and considerations, and we'll add the our call. This the whole talk is around what is the final thoughts? What are the key takeaways? Sounds like a plan? Okay. So let's go, to label set what is the DevSecOps. I am sure you must have heard it, multiple places. DevSecOps, fundamentally, it is all you know. It is not a tool. It is the mindset. Yes. It stand with the development, security, and operations. It is all about how we are adding the security throughout the software life cycle, Means starting from planning to the deployment. And security is not after the thought. It is the heart of our software delivery. So we use some fundamental principles. When I say it's a hard, it says the shift left. How do we enable the the security starting from the planning during the stories, during the epic, during the feature time?

This and then we treat security as a code, policy as a code. It is not just something that the team is doing in manually, but it is all through, you know, integrated through the pipeline. Then the third principle says, how do we continuously evaluating the compliance and auditing requirements not as a silo? It is treated just the shared responsibility, which is the last, you know, principle is the collaborations. Break the silo. It's become the shared responsibility across the function. And, yes, you all know it has the main you know, purpose. It has it brings the in the value. The value is definitely from the business side that we are faster and reliable when we are releasing the software in a secure manner.

And important piece is building a culture of a shared responsibility. So, again, as I said, DevSecOps is not a tool. It is the mindset. So the next question comes, let's talk about why DevSecOps, as we know now, which I just talked about it, should evolve. So let's, you know, go step by step. The first one is team wants to move fast. Yes. In today's world, team, they have to deliver their releases not monthly, not weekly. It's on the daily. And even within daily, multiple times that they have to do. So security, become, as you know, is after the thought, and it's become a time then it should evolve. Like, we cannot afford to have securities become the bottleneck because sometimes that's if they are the gates, it slow down the speed, and that is a problem. Second driver is security delays. Right? It become the business risk. Why? Because if we are finding these security vulnerabilities after post productions that the cost is high.

It the any bridge can have the massive impact on the company branding. It can have the financially. It can legally. So not only delay can have the business impact, it can have the serious, you know, issues if we see the bridges in the prod production. The third factor is that we we want to consider is the traditional practices. So let's be honest. Many organization is still rely on manual processes. They have their own manual scans and then manual review board, the security review board, isolated policies. And that has become a problem because this model doesn't scale. So it is the time to shift from reactive to the proactive. More on the automated, more on the AI enhanced security. And that is what the the this this the right hand side is talking about from the development. That is the journey.

Started with the development, integrated with the operations, then added the security. Now add the AI. So the question is, how do we make security as fast and smart as it should be? So let's now let's take a look. What are the, superpower, the key drivers in the dev dev sec ops that is going to make our CICD pipeline the faster act file, you know, the smarter and then have the con continuously we are securing our code. So the first area, you know, pillar is the pattern recognitions. So we all know that AI learns from the historical vulnerabilities, threat patterns, and it doesn't just match the signature. It detects the pattern based on your code structure, based on your data flow, based on your system behavior. It can detect that these are the based on the patterns.

So the question is that, you know, whenever we are moving fast, your code base is is big. It's based it can find out the pattern recognitions based on your historical data. That is the the first pillar. The second, pillar of this power is the speed and then automations. So you know the security checks sometimes take hours. But adding the AI, whatever is it's, you know, taking hours, it can be done in the seconds. Because AI can scan thousands of the files, third parties dependencies, API call, all in real time. So this actually dramatically accelerate your pipeline because you are reducing time to detection. So it's a mean in MTD. Right? It's going to mean time to detect.

It is going to reduce that. The third, pillar in this, section is the context because AI, is, has the ability of course, it has the pluses and minuses. But, yes, I will talk about during the challenges when we find out some of the issues. But it is has the ability to understand the intent. What is the reasoning behind this? Right? And which are the safe alerts, which are the false positive? And based on the user input, based on the access labels, based on the data sensitive, it can easily identify the intent, the context. And based on the context, it can prioritize the real threats. The fourth one is the continuous learning because AI system doesn't stand still. It continuously you know, learning the model that retains and improve the process based on the data, based on the the security posture. It brings the intelligence over time.

So in short, AI helps DevSecOps as, you know, so they just think faster, continuously improving the security posture. Right? So the next is then how do we translate this power into the real efficiencies? So my next slide is more around the same. This is the typical, as you can see, that, the DevSecOps pipeline is starting from planning to the monitor. So we can start with the plan. Planning start that, you know, what is the you know, AI can help into backlog grooming sessions based on the epic features and then story, it can prioritize what are the features could be the rest, where are and it can flag the potential compliance gap based on the defining the the, the grooming time.

Second is the co decoding when the developers are writing the code. So AI can take a look. I will share what kind of the the tools that we actually using for each and every phase in, you know, towards the the the next slide. But here, the developers, they are actually, you know, can help significantly improve the security patterns. Right? Flag the risk logic that could become a issue, and then doing the static analysis. So it all can be done, right, in a faster manner. The third area is more around the build. Yes. Build the third party scanning, you know, so when they are creating the artifacts. So they are during the build stage, they do the auto scan on the third party libraries, vulnerabilities finding out, right, immediately informing, and then have the faster feedback loop back to the developer.

Testing is the another area based on the user stories. This ML driven, testing, they can identify the possible test cases, even the executions that, you know, that it can call and you can use MCP, Model Context Protocol. You can use it and use the AI agents, can streamline testing area. The release, definitely before the deployment, AI will do the checks for the policy compliance, misconfiguration risk, validate the, your configurations, your artifacts that going to be released as a part of the build, and then finally, multiple monitoring tools, logging and monitoring tools, they have this, the AI capabilities, which post deployment, it will monitor your live environments.

And whenever they find some unexpected access patterns, performance shift, it will immediately detect and then alert. So these are starting from planning to monitoring. AI across that, it will, every phases. So AI turns DevSecOps more into the smarter and then faster way. And remember, this is not the future. This is actually happening. So so in traditional, areas so this is a picture is talk about that in the traditional DevSecOps, which you can see on the on the left hand side, it is more around, securities issues often discovered late in the cycle, sometimes after the code is deployed. Another area is the manual testing. I'm sure you must have seen the manual security testing. The test cases sometimes are missed, but they happen at a separate step, not the part of the CICD pipeline, which results. It is takes lot of time to response and react. Very reactive approach. On the other side of when it is the AI enhanced, it is the shift.

Shift about that, you can easily compare identifying AI vulnerabilities, early stages, starting from code when you do the pull request, when you're doing the automated build. It is continuously finding out the security issues, automating the security testing. Hence, result is you can see the faster incident response. When you combine these areas, these are the high level two benefits that you can easily see immediately that AI reduce your vulnerabilities and and, and identifying the the security issues and then how to, you know, resolve that, reducing the time. And other side of it, AI is actually helping in improving your code quality, which is already happening in, you know, with the developers. So, these are the areas that you can easily see this, but the question is then, what are the other benefits then you see when we integrated AI? I will go very high level, not going into the detail.

It's, first step that I am sure you must have heard it, that your team is using fragmented tool chain. So it helps to unify this fragmented area. So instead of, managing the security access in the isolated system, it enable us to bring more centralized policy enforcement. Second area is that, now we have the fewer manual handle, so which means then it is, identifying, you know, proactively finding out based on the patterns where are the issues are, and it is reducing the security posture. So that is the the the other benefit. Third benefit because it streamline the the tools. Right? Reduce the fragmentate now, that is bringing the better developer experience because now every developer is kind of is following the same playbook, which is do the things through the CICD automated fashion. So it's actually improved the developer efficiencies. And finally, that last, you know, tools bringing the better, developer efficiencies, that means they're reducing the cost, reducing the manual overhead.

So these are the other benefits that start finding out when integrated the AI into the pipeline. So, the next, as I was telling that, things looks good when we talk about. Right? But it is important that we should talk about the reality. So the reality is that the first one, as you can see, the trust developers, they actually, the teams, they were hesitate or they were not confident this this in the beginning that the based on AI alerts, they were not sure it is at the right flags starting from story writing to the monitoring.

The other the the second area, we had see the challenges that, AI, yes, works best when the tools are well integrated. But, we had multiple platforms, multiple type of the builds. One team is doing one way of the testing, another one was doing different way. Same thing with the monitoring. It was not consistent. So it was difficult because tools are not talking to each other. It was not, you know, followed the common standard. So, yes, it is another it is the whole tool chain brings the other label of the complexity. The fourth area was that, it is all good when your data is good. If the data is not good, it's not accurate, then it's or incomplete. You we start seeing some, you know, false positive or missed vulnerabilities. So that is the another issue. The final one was that, yes, team gap definitely was there.

So without the proper onboarding, team was having the challenges because it was a huge skill gap. So these are the real steps, sir. The next section, I will talk you through step by step then how we implemented, what kind of the tools that we, we use it. So starting with the planning. So I'm sure you might know, you know, Jira has that the integrations. So beginning, epic feature in stories integrated with Jira. Actually, it has a test case management. So this is the one that's how we integrated the tool using this one. The other, the CICD, which is the bigger platform is more around the GitHub. GitHub, which is the second step, you can see some of the tools, CodeQL, Advanced Security, this is all has the AI enabled. So it's auto detecting the vulnerabilities, helping the developers, the copilot. Great. So that is how we were actually integrating.

Even for the testing, for the build, yes, before I, go to the testing, even for the build that has GitHub actions, then automated the build vulnerabilities, and have this the whole, another layer of the code quality checks, SonarQube, which is also apply some rule set and AI driven code smell detections.

So once the build is done, the second p you know, the the third step was now we are going to test and validate. So, yes, same thing with the GitHub actions. Remember that we have X so the test case were generated into a Cucumber, a Gherkin format. Right? So using this as a source code in the GitHub actions, using this, you know, the AI's specific area, we integrated this automations on the testing. Of course, not everything was fully tested. It has some manual functional testing, but we reduced the manual manual function testing. The final one is, the deployment when everything is validated. Deployment, again, is AI agents help us to streamline the deployment, not for all the tech stacks. There are some areas where the legacy systems which was manual, but there are some areas that we have that Cloud native architecture use this more as the AI agent driven deployment.

And then final one, monitoring and measures. So, yes, Dynatrace, Copilot, you know, that they have it. It has AI based alerting. Same thing that, you know, identifying, auto correlations, within the logs and based on the patterns, it's proactively finding out some of the possible issues. Yes, these are very high level, so you get some flavor what kind of the tools that we used and where, and, we still have some challenges. So as I, wrap up, this talk, I want to leave you few of the key takeaways. So the first one as you see that we have seen how AI helps us to automate, this the DevSecOps pipeline. It help us to identify the risk earlier. But one thing which is, important that I would like to share that it's not about you pick any tool or the newest shiny AI tool that you have to use to be successful.

No. It is about building a culture. It's about, you know, building a scalable platform so that the people, they are part your team is a part of this journey, and then they feel it is going to be helpful for them. So remember, as as I am telling that, your first step is use one tool, start small. Right? You don't have to be, you know, big bang and then roll out for every team. Start with the one and two teams. Implement this, you know, this state starting from planning till, you know, the monitor. But start with the small small steps. And then when you start seeing the value, that's how the innovation brings because now people is also part of this journey. Okay?

So with that, I would like to say thank you.