Strengthen the ISV Supply Chain with DevSecOps Practices
In this fourth session of the Microsoft Security for ISV series, our expert speakers share real-world insights to help independent software vendors (ISVs) integrate security into every step of their product development and deployment. Join Daphne Choong, Aimin Fatima, Michael Friedrich, and special guest Ken Thompson from BuildKite as they discuss how to tackle modern cyber threats, embed DevSecOps practices, and secure your supply chain: from code to cloud.
00:00 – Webinar Introduction & Session Overview
• Quick walkthrough on enabling live captions and using the Q&A function in Teams.
• Overview of the webinar agenda, the Microsoft Security for ISV series purpose, and a preview of topics like DevSecOps, GitHub Advanced Security, Microsoft Defender CSPM, and the Secure Future Initiative.
06:44 – Microsoft Security Priorities & Core Principles
• Introduction of the three guiding principles:
– Secure by Design
– Secure by Default
– Secure Operations
• A sneak peek into how these principles shape development and operations at Microsoft.
07:52 – Application Security Challenges & DevSecOps Fundamentals
• Discussion on the evolution from traditional DevOps to DevSecOps:
– Shifting security “left” in the development lifecycle
– Bridging the gap between developers and security teams
– Addressing pain points such as fragmented tooling and skill shortages
• Emphasis on the need for continuous security integration to reduce vulnerabilities early on.
20:51 – Deep Dive: Microsoft Defender for Cloud & the Secure Future Initiative
• Key features highlighted:
– Pinpointing and remediating risks in multi-cloud environments and developer pipelines
– Unified visibility into DevOps security posture
– Continuous scanning for code, secrets, and dependencies
• Overview of the Secure Future Initiative and its six pillars:
1. Protecting identities and secrets
2. Securing tenant isolation and production systems
3. Network protection and segmentation
4. Enhancing code security for software assets
5. Monitoring and detecting threats via comprehensive logging and analytics
6. Preventing exploitation of vulnerabilities with proactive remediation
37:38 – BuildKite: DevSecOps in Action
• Overview of BuildKite’s product suite:
– BuildKite Pipelines (continuous integration and orchestration)
– Test Engine (optimizing and managing testing)
– Package Registries (universal package management)
– Mobile Delivery Cloud (tailored for mobile build use cases)
• Explanation of BuildKite’s hybrid model:
– Hosted control plane manages orchestration, identity, and audit logging.
– Open-source agents run on customer infrastructure, ensuring that source code and secrets remain private.
• Demonstration of security features such as integrated scanning, vulnerability annotations in build pipelines, and the SLSA framework for verifying software artifact provenance.
41:16 – Customer Success Stories & DevSecOps Benefits
• Discussion on real-world deployments and the impact of integrating security scanning into DevOps:
– Examples of reducing build times (e.g., Uber’s dramatic improvement from 60 minutes to around 10 minutes)
– Enhancements through dynamic pipelines and caching strategies
– How BuildKite’s approach helps ISVs deploy secure software faster without disrupting agile workflows
53:49 – Closing Remarks & Next Steps
#DevSecOps #CyberSecurity #ISV #Azure #GitHub #MicrosoftDefender #SecureFutureInitiative
[eventID:25561]