So hello, and welcome to this deep dive session into AI augmented DevSecOps.So firstly, thanks to this forum, Women in Tech, for giving us this opportunity to present our thoughts on this particular topic here. And we are really glad to be, talking here in this in this forum. So, before we deep dive into our topic, let's have a quick introduction introduction of ourselves. So I am Vidi Saxana, and I'm part of, DevOps CEO in Nagarro. And I have around sixteen plus years of experience in IT where my major expertise lies in helping the clients and enterprises to embrace DevOps in the right manner and also to implement and innovate in the world of DevOps. So that's a quick introduction about me. I would also like Anupam to introduce herself to the herself to the audience. So, Anupam, if you can do it.

Hello, everyone. So I also work with Negaro. I currently hold almost fourteen plus years of experience, wherein I, again, help the clients with their cloud infrastructure, help them with their DevOps culture, and also how they can accelerate and get be good when it comes to faster time to market. I'm also enthusiastic about participating at the different forums, where I we can share our ideas, and, of course, we can gain, insights from each and everyone. So that was a quick intro round about myself. Over to you, Vidhi.

Okay. Thank you, Anupam. So let's have a quick look at the agenda as to what we have in the session plan today. So first, we'll be, seeing why is AI taking over the conversation everywhere. So wherever we go, we are seeing everyone is talking about AI. So we'll see why is that so. Then we'll have a quick look at the AI enhanced DevSecOps landscape, followed by a quick, talk on the AI enabled DevSecOps blueprint with all the tools and technologies embedded into it. And then towards the, end, we have a a quick quick demo as to what we talk about in this particular session. We have wrapped it up in a quick demo to show you how an AI augmented DevSecOps pipe pipeline looks like.

And we have also leveraged the power of AI in that, in creating that demo because we have used Cursor app for it. So for those who don't know, Cursor App is an AI powered code editor on top of, built on the top of visual studio code, and it has its own agent tech, AI capabilities. So, yeah, we'll be talking about more, about it in the second half of the session. So, yeah, let's get started. So as we can see, AI is taking over the conversations everywhere. So wherever we we go, now it's no more, a buzzword. In fact, many enterprises have already started investing into AI because AI is going to stay because of the benefits that it brings it, brings on to the table. So let's see why is it everywhere.

So as for the market statistics, when we talk about AI and DevOps market, it is expected to grow from $3,500,000,000 in twenty twenty three to twenty three point eight billion dollars by 2028 as per the, results of the report given by markets and markets. Then if we talk about the aspect of, the global market of AI assisted software driven tools, it's projected to reach around 12.5 $12,600,000,000 by 2026. Then when we talk about how enterprises are now, adopting AI into their platforms and everything, so over 65% of enterprises have already integrated AI or ML into their DevSecOps landscape, as of 2024. So, yeah, it's quite evident that AI is revolutionizing the industry, with the endless benefits that it brings to the table. And there are endless use cases also where

it has already, you know,

proven beneficial for the enterprises. Be it enhancing the software development with intelligent code assistance, by automating infrastructure management through AI ops, then, spending the cybersecurity using real time threat detection and many. So the use cases and the benefits are endless, and that's why AI is already make its it its, impact in transforming how the industry looks like now. And the enterprises are also, embedded AI into their tools and platforms to, drive smarter decision making, predictive maintenance, and automated operations. And it has also, transformed our ways of working in order to have more agile, collaborative, and highly automated DevOps and IT workflows. So, yeah, that's how AI is setting its foot everywhere in the market.

And when we talk about high how AI impacts the DevOps infinity loop, So as we can see, the entire DevOps infinity loop has been, transformed by AI starting from the planning phase to the last phase, which is the monitor phase. So each and every phase starting from the, planning phase to the last phase, everywhere AI can be embedded into it to reap the benefits out of it. So let's see how it can be done. So now, this is how basic, DevSecOps pipeline looks like. So, yeah, a DevOps pipeline is very simple, but we, when it comes to DevSecOps, this is how it should look like, because we have highlighted the major security hacks that can be embedded into a DevOps pipeline to make it more secure. So all the DevSecOps best practices have been embedded, into other phases, the six major stages of, of, the SDLC. So starting from the planning phase, then to code phase, build, test, deploy, monitor.

So the key message here is to integrate security right from the beginning rather than giving it an afterthought. The emphasis is on towards shifting left, in terms of security so that, we can bake security, into the entire SDLC in its each and every phase so that the whole DevOps landscape is more, much more protected and it's more reliable, stable, and resilient. So this is how, the DevSecOps, best practices can be embedded into our DevSecOps landscape. But now how do we take a step further and make it more smart and intelligent by harnessing the power of AI? So these are the measures which can be integrated in our DevSecOps pipeline to make it more smart and intelligent by leveraging the power of AI. So as we can see, the different security has that, are emphasized here are related to the shift left focus on the security in SDLC along with the use of AI assisted tools.

So if we talk about the different six phases over here, so in the planning phase, we can, leverage the power of AI part set modeling tools, then we can also do risk assessments. Then when we talk about the coding phase in that, we can use code suggestion tools like, GitHub pilot, Courser, etcetera. So there are many in the market, but, yes, these tools helps us to suggest the best practice, of the coding and, like, to see if there are any, vulnerabilities or let's say, if there are any issues with the coding guidelines or stuff which is being violated, then then they can be well taken care of in the coding phase itself.

Then we talk of when we talk about the build phase, we can use AI, enhanced, SaaS tools, which are there in the market. We can also use AI enabled software composition analysis tools, and we can also perform auto remediation of the different vulnerabilities that could be there in the code by using AI tools and libraries. Then, when we come to the next phase, which is the test phase. So in the testing phase, we can use the power of ML for doing the DAST and ISD scans. So DAST scans are dynamic code analysis, test that can run on your, code. And then we have interactive application, security testing tool, which is ISD, test that can run on your on your code.

So we can use the tools which can run these, test on our code, which also uses the power of machine learning. Then, when it comes to generating the test cases, be it the unit test cases or integration test cases, AI can be leveraged leveraged in that particular area also to see that we are not missing any critical parts of the testing and all the critical parts are well covered, and we are not missing any edge cases as well.

So it in turns provides a good quality, code coverage and code quality, which is, again, a key factor in, having a stable and, reliable code infraction. Then, we can also have behavior and anomaly prediction in the pre prod environment to see whether we are good to go, live or not based on the anomaly prediction that we can have by using AI assisted tools. Then when, we come to the deploy phase, when we are almost ready to release the code to the environment, then, we can apply the power of AI for risk based release gates. We can also have change approval automations using the AI tools. And then we can, also it's always recommended to do the security scans using the AI tools in the market on our infrastructure as code so that there are no misconfigurations. And if there's any deviation, the AI tools can prompt us to take care of those misconfigurations and also enforce security best practices.

Then, when we come to the last phase, that is the monitor phase where we are all once the code is deployed, we are ready to hand it over to the operations team. That time, we can employ AI for runtime, threat detection using tools like, dark trace. Then we can also, use behavioral analysis and self healing mechanisms. So let's say if there's any issue in production, then we can run, anomaly detection on it. And then based on the predictive data analytics, we can, take care, of healing, get those, anomalies healed by itself rather than, manually intervening and doing it, fixing the stuff in production. So they're also for self healing mechanisms. AI tools are there in the market which can be leveraged and can be well integrated with your pipelines. And we can also integrate AI part tools like, the log analytics tools or SIM tools for continuous logging and proactive monitoring of the entire system.

So this flow, visually emphasizes how AI embed security checks at every phase, enabling continuous intelligent protection in the more modern DevOps workflow. So, yeah, this is how, a pro like, a a good a good AI enhanced DevOps landscapes looks like, which all with all the security and the AI enabled best practices embedded into each and every phase of the SDLC. So from now here, Anupam will take over at, on, takeover, and she'll be explaining it a little more in details related to the technical aspect of it. So over to you, Anupam.

Thank you, Priti. Hi, everyone. So let's get back to dev DevOps first. So in most of the traditional DevOps pipelines, the ones that you see on the top side of it, security checks are often bolted onto the end of the development cycle. So sometimes it happens, like, right before the release that is happening. So it's like if we call it in a layman language, it's like locking your doors after a burglar has already entered into your house. Right? So So now let me give you another example. So imagine you have already built and you have tested your application, and it is ready to go live. But when the final security review takes place, you just let's say, a critical vulnerability in one of your, open source libraries.

So now you are stuck somewhere in the middle. You can either delay your release or you can ship with a known risk. Right? So this is where DevSecOps come into picture. And now how, when we talk about DevOps, DevOps is all about speed, collaboration, and automation like Vidi mentioned. Right? So how we are, breaking the silos between our development and the operation teams, how we are delivering our, software at a much faster pace and in a more reliable way. When it comes to DevSecOps, most of us are already aware with the concept of the DevSecOps. Right? So we are already it is something which is built on top of the DevOps, and we are shifting all the security practices towards the left. So So we are trying to integrate security practices and tools early in the development process, not as an afterthought. Right?

So what you see at the bottom is your DevSecOps pipeline. So when we see a DevSecOps pipeline here, going forward, what I'll be showing you, we will be seeing a holistic approach of how security can be embedded in every stage, like the six phases we recovered, right, right from the source or the planning phase to the monitoring phase, how AI assisted tools can help us in the, security aspect.

So, likewise, when we talk about the, code phase, so for the secret scanning, we have used in our demo a tool named truffle log. So when we start with truffle log, it scans the secrets like our API keys and our password. So the best part of Truffle Hog is that it uses AI for its pattern recognition. So whenever so it can find the secrets or, if there are any hidden, personal information in the code, it can it can be proactive in catching those kind of leaks. Right? So we don't have to wait till the time it shows up in the production. When it comes to the next phase, which is our CI server phase or even when we are talking about the code, another thing that we talked about was the infrastructure as a code.

Right? So, basically, when our infrastructure should be as secure as our code. So here, we are using Checkov. So Checkov is a tool which is focusing majorly on the files aspect of it. Like, we have Terraform files or we have Docker files, which are, like, the blueprints of our environment. Right? So Checkov, what it does is it scans the security misconfigurations before anything is even built. So even before you are trying to build up your environment, it will check, and it will tell you if there are any sort of misconfigurations at that particular at that level, at the infrastructure level. And it will give you a security design around it that these are the misconfigurations in your environment. Right?

When we talk about the code quality or when we talk about the test and scanning, we are here using, flake eight black, pytest, and coverage because this is a Python based application that we have used in this demo to deploy. So when we talk about flak flak it or black, we are enforcing code quality and style. So we are making sure that our code is not just clean or prettier, but it can also reduce the security bugs. Then we are also running our automated test cases using the pytest so that we can generate the coverage reports. So this will, make sure that our code is being tested, and we are not, missing any sort of blind spots. There are no no kind of blind spots there. When it comes to creating the artifacts, we have used a containerized application over here. And in order to scan it, we are using Trivy.

So when the application is containerized, we are scanning it using Trivy, which is also using AI to detect the vulnerabilities in the container images. So given, the scenario how common containerization is happening today, and it is very crucial part of any application deployment, we need to ensure that every layer in the container should be risk free. We we have to catch each and every air, error before the deployment. Right? Also, when we are talking about containerization, we are also looking into container hardening and also in any sort of custom security tools that can help us to know that. So, for example, if this is a Python based application, we have we can create a security dot p y file wherein we can define our own custom rules based on our applications. So this will, not only set certain standards based on our application, but we can make our project more unique. We can set our own standards if we have any.

We can also perform security health checks. We can use any custom security tools based on our project needs. Right? So that is how, right from the beginning, we are trying to embed the security at each and every phase rather than it being an afterthought. Right? Then when we are talking about the dependency on the secret managers, there are multiple tools available in the market. For an example, Snyk. So we can use any third party dependencies for these safeties. So this can help us to prevent us in any sort of supply chain attacks because vulnerabilities in any sort of open libraries that we are trying to download, they are not just dangerous, but they can actually, make worst of our code. Right?

Also, when we talk about managing our secret codes, in this case, we are using GitHub secrets so that, we are not exposing any sort of, information, in the code. We have we are, storing all the sensitive information in as a part of the GitHub secrets. Also, when we talk about the code qualities, there are multiple tools available we can use on our cube, and then we can set different sort of quality gates there. We can have different sort of quality profiles. So when we talk about the code quality also, it is a requirement to move ahead. Right? Whenever we have to move ahead in our, CICD pipeline, we need to make sure that, we our code has the best quality gates. Right? So if any if there is any security issue, the bill should fail, and it should stop. And under unless those issues are being fixed.

Again, when we talk about the repository level security and, when we talk about the web application defenses we are talking about, So here we are using flask limiter. We are using, Talisman. We are using helmet for all side of security headers that are being happening. So we are trying to protect the application against the web based threats like excesses or click jacking. So, like, Vidhi talked about right from the beginning, we need to make sure in the planning phase, we need to use AI tools which can help us to detect all these, if there are any sort of attacks happening in our application. Right? So when we, can we move on to the next slides, Vidi? So I'll just go through a quick demo time. We have recorded the demo, and, Vidi, will you please play it?

So, again, the, like, Vidhi mentioned, the entire, pipeline, entire code, we have tried to design with the help of the cursor. So, like, she mentioned, it is built on top of, Visual Studio. So cursor, what it does, it it combines the functionality of our IDE also, featured IDE, as well as it gives us an intelligent code assistance. So once we have, submitted our code on the left side, you see we have, Python based applications. So we have tried to deploy a sample ecommerce application. And, once our code is checked in, it it will trigger our pipeline. We have created the pipeline using the GitHub actions. And once the GitHub GitHub actions pipeline is triggered, we can see the different stages of all the tools that we have talked about in our recent slide.

This is our Docker repository wherein our images are getting pushed. So if you see, the last image, if you will see, it will get pushed almost a minute ago. And when we see there's different stages you can see, like security scanning, code quality, build and scan container, and then we are deploying it. Right? So currently, if you see, the application, would not be accessible. Right? Once we deploy it, our application would be accessible. So when it comes to security scanning, you can see we are using TruffleLog here. We are using Checkov for our infrastructure security. And that's how all the reports are also getting generated. So in future, if you want to address these issues or you want to share it with your, security teams, they you can probably download these reports and share it with them to, for them to access these vulnerabilities and see what is the severities of these vulnerabilities.

Again, we see that it is trying to install all the dependencies we are using coverage. We are uploading the, reports. And then comes our scanning part, where we are trying to build the Docker image. So we are trying to log in to our Docker registry. We are also building our Docker images. So once our Docker images are built, we are again running Trivy as a vulnerability scanner to see if there are any vulnerabilities. And here, we can classify as high critical what kind of vulnerabilities we would like to highlight. So in this, it shows that there is one high vulnerability and zero critical vulnerabilities there. So, again, this can be shared across to, work upon. And then finally, once our docker images has been created, we are trying to deploy that image on the staging, which is our local system.

And here, we will see that our new docker image has been uploaded, which shows a minute ago. So it was freshly deployed. And whenever a new image is being created, it gets pushed to our Docker Hub. And once it is being pushed, our application will be running. So once we go back to the application, I'll be able to show you that. So at the bottom of the deployment, we'll be able to see the link and the port on which our application has been deployed. So it has been deployed currently on the 5,000 port. So in our local host, if I run 5,000, now the application is up, and we are able to see a basic ecommerce application, which has connectivity with the database.

At the back end, we are using SQLite, in the database. But I haven't worked on too many operations over here because the time limit was less. And, of course, when we go to the main page of the GitHub actions, we can get the link where, our application has been deployed from there there itself. So if we see at the bottom, there is a staging app link. If we click here, we are redirected to the page where our application has been deployed. So this was, pretty much from our end, and, these were the different stages. I have tried to keep the stages minimal, but, the aspect was security. So we have tried to incorporate its security at each and every phase over here. So thank you for listening out to us. Over to you, Vidhi.

Yeah. So, yeah, that was all, in the discussion, like, in the talk today. And, again, we are thankful, to all of you for listening to us, and we'd be happy to answer all your queries. You can post it in the chat group, and we'll be happy to answer them. And here, we have shared our contact details as well. If, offline you want to get connected with us, we are just a ping away on LinkedIn. So, yeah, that's it for the talk today. And, yeah, I hope you all liked it and you got your key takeaways from our talk. Thank you.