In today's application security landscape, navigating complex deployment environments often feels like facing an onslaught of cyber adversaries. Much like Batman's trusty utility belt, which equips him with the right gadget for every challenge, integrating robust security into your SDLC transforms your pipeline into a resilient defense against vulnerabilities and breaches. This talk is a deep dive into a comprehensive case study in which we revolutionized our security posture. On one hand, we applied a strategy to unify all of our deployments under a 'Unified Deployment Model' based on Elastic Kubernetes Service (EKS); on the other, we integrated JFrog Xray into each stage of our Software Development Lifecycle (SDLC). Through this integration, our team uncovered about 100K previously undetected security violations that our traditional, fragmented approach had overlooked.

When dealing with large codebases comprising several services, including client-side applications such as mobile and front-end, the lack of standardization and common tooling increases the operational burden: multiple teams cook up their own in-house deployment implementations. This causes two waves of problems. First, there is no consistent approach to "shift-left" for a faster feedback cycle. Second, there is no means to enforce a uniform security posture, compliance, and quality across the board. Both make it challenging to get visibility into key metrics such as DORA metrics, because the pipelines are distributed and divergent across varied tech stacks. Here, we'll explore approaches for architecting a 'Unified Deployment Pipeline' that accelerates developer velocity and productivity while enforcing robust security governance across the SDLC with integrated logging, tracing, and metrics. Additionally, by automating SBOM generation, our strategy delivers an organization-wide impact: greater transparency, compliance, and overall risk mitigation.

This architecture also provides central observability of progress and aggregates metrics to monitor the health and maturity of deployments. We will also investigate how the "Build Once, Deploy Many Times" paradigm aligns with the proposed architecture. If you are a software engineer operating in the DevSecOps space, this talk provides a high-level architecture for a unified end-to-end CI/CD pipeline that can help deploy services to production faster, with greater confidence and better visibility, while remaining secure, compliant, and standardized. We hope it serves as a compelling blueprint for organizations looking to bridge the gap between innovative security practices and scalable, high-quality software delivery.

Top takeaways:
• Integration Strategy: How embedding Xray into our unified deployment pipeline transformed our vulnerability management process.
• Operational Impact: A deep dive into the metrics (over 100K security violations detected, reduced deployment times, and enhanced quality control) that validate the effectiveness of our approach.
• Automated Compliance: The role of daily SBOM generation in maintaining transparency, ensuring regulatory compliance, and promoting rapid vulnerability remediation.
• Lessons Learned: Challenges encountered during integration, the iterative improvements made along the way, and best practices for adopting a similar framework in diverse operational settings.

Notes:
1. The aim is to show practical, architecture-level guidance that viewers can adapt. Additional code samples and diagrams will be provided as supporting materials.
2. This session is geared toward professionals with an intermediate to advanced understanding of DevSecOps practices, while still providing a foundational overview for newcomers.
3. Beyond theory, we'll delve into practical tooling: incorporating OWASP-based scanning tools for code and dependency checks, embedding code-quality linters into the pipeline, and adopting runtime security scanning to prevent vulnerabilities from slipping into production. We'll examine how OpenTelemetry can be used for distributed tracing, structured logging, and metrics collection, ensuring that each deployment is both transparent and auditable.
4. This session will provide the high-level guidance and practical insights needed to streamline end-to-end CI/CD pipelines and enhance overall reliability, visibility, and velocity.
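The shift-left gate described above, in which each stage of a unified pipeline aggregates scanner findings from every service and fails the build on a shared severity policy, can be illustrated with a small policy-evaluation step. The following is an added example and is not code from the talk, from AMD, or from JFrog; it assumes a simplified, constructed JSON shape for scanner output (not Xray's real report format), constructed service names and finding ids, and hypothetical function names (`load_results`, `evaluate_gate`, `per_service_summary`). It also shows time-boxed exceptions, so that an accepted risk cannot silently become permanent.

```python
"""Severity-policy gate for one stage of a unified deployment pipeline.

Added example: the JSON shape, service names, finding ids and counts
below are all constructed for illustration and do not mirror any real
scanner's output.
"""
import json
from collections import Counter
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scan output: one record per service, as an aggregation
# step might collect it from each team's build in the unified pipeline.
SCAN_RESULTS_JSON = """
[
  {"service": "web-frontend", "stage": "build",
   "findings": [
     {"id": "VULN-EXAMPLE-0001", "severity": "critical",
      "component": "pkg:npm/example-lib@1.0.0", "fix_version": "1.0.1"},
     {"id": "VULN-EXAMPLE-0002", "severity": "low",
      "component": "pkg:npm/other-lib@2.3.0", "fix_version": null}
   ]},
  {"service": "mobile-api", "stage": "build",
   "findings": [
     {"id": "VULN-EXAMPLE-0003", "severity": "high",
      "component": "pkg:maven/org.example/core@4.2.0", "fix_version": "4.2.1"}
   ]},
  {"service": "billing", "stage": "build", "findings": []}
]
"""


@dataclass(frozen=True)
class GateResult:
    passed: bool
    blocking: tuple    # ids of findings that failed the gate
    suppressed: tuple  # ids suppressed by an unexpired exception
    counts: dict       # severity -> total findings across all services


def load_results(text):
    """Parse the aggregated scan records, rejecting unknown severities early
    so a misconfigured scanner cannot slip findings past the ranking."""
    records = json.loads(text)
    for rec in records:
        for finding in rec["findings"]:
            if finding["severity"] not in SEVERITY_RANK:
                raise ValueError(
                    f"unknown severity {finding['severity']!r} in {rec['service']}")
    return records


def evaluate_gate(records, fail_at="high", exceptions=None, today=None):
    """Fail when any finding at or above `fail_at` lacks a valid exception.

    `exceptions` maps finding id -> expiry date (ISO string). An expired
    exception no longer suppresses its finding, so risk acceptances are
    time-boxed rather than permanent. `today` is an ISO date string, used
    so the evaluation is reproducible; it defaults to the current date.
    """
    exceptions = exceptions or {}
    today = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[fail_at]
    counts = Counter()
    blocking, suppressed = [], []
    for rec in records:
        for finding in rec["findings"]:
            counts[finding["severity"]] += 1
            if SEVERITY_RANK[finding["severity"]] < threshold:
                continue
            expiry = exceptions.get(finding["id"])
            if expiry and date.fromisoformat(expiry) >= today:
                suppressed.append(finding["id"])
            else:
                blocking.append(finding["id"])
    return GateResult(not blocking, tuple(blocking), tuple(suppressed), dict(counts))


def per_service_summary(records):
    """Worst severity, total and fixable counts per service, as a central
    dashboard would show them across every team's pipeline."""
    summary = {}
    for rec in records:
        findings = rec["findings"]
        worst = max((f["severity"] for f in findings),
                    key=SEVERITY_RANK.get, default="none")
        fixable = sum(1 for f in findings if f.get("fix_version"))
        summary[rec["service"]] = {"worst": worst, "total": len(findings),
                                   "fixable": fixable}
    return summary


if __name__ == "__main__":
    recs = load_results(SCAN_RESULTS_JSON)
    result = evaluate_gate(recs, fail_at="high",
                           exceptions={"VULN-EXAMPLE-0003": "2099-01-01"})
    print(json.dumps(per_service_summary(recs), indent=2))
    print("gate:", "PASS" if result.passed else "FAIL",
          "blocking:", result.blocking, "suppressed:", result.suppressed)
    raise SystemExit(0 if result.passed else 1)
```

Run as a pipeline step, the non-zero exit status is what stops promotion to the next stage; the per-service summary is the kind of aggregate a central dashboard would collect so that every team's build is measured against the same policy rather than a team-specific one.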
Speakers
Software Engineer, Advanced Micro Devices, Inc (AMD)
Hariharan Ragothaman is a Software Engineer at Advanced Micro Devices, Inc (AMD). Prior to this, he served as a Lead Software Engineer - System Design and Architecture (Manager) at athenahealth, where he designed and developed a 'Unified Deployment Pipeline' to integrate multiple tech...