2. What we’re going to talk about
In General: Thoughts I’ve had around DevOps and Security
In Particular:
1. What it really means to do DevOps
2. How “doing DevOps” affects how we secure data- and computer-centric information systems
3. Motivation for this talk
Many reasons, but some of the more major reasons are:
• I want “information technology practitioners” to become more professional, more productive and happier at work.
• Information systems need to be of higher quality and delivered faster – we need to really understand the DevOps philosophy to do that well.
• Security is often an afterthought in the IT systems lifecycle – that needs to change.
• We need a common language – not buzzwords.
8. Fun facts about me
Most used programming languages: C#, JavaScript
“SiliconCape Native”
First PC: Pentium 1 with Windows 95
First programming language: Java (JDK 1.3)
9. Professional background
• I’m a self-taught “Technologist” and I solve problems using technology.
• I've been a founder, manager, team lead and software engineer, in various sectors, and in teams of different shapes and sizes.
• Microsoft Certified Professional
• Certified ScrumMaster
• In the process of completing CSSLP, ITIL and ISTQB certifications.
• Member of a number of professional IT associations and bodies, e.g. OWASP, ISACA, IITPSA
• Full-time full stack software engineer for the past 13 years, primarily focussed on web and cloud-native software.
11. Does this sound like your role?
• Sales or Relationship Management
• Marketing
• Finance
• Leadership (C-Suite)
• Human Resources
• Business Analyst / Big Data Analyst
• General Administrator
• In-house Legal
12. Does this sound like your role?
• Project Manager or Coordinator
• Product Manager/Owner
• Software Architect
• Software Engineer
• Test Engineer
• Provision and Manage IT Infrastructure (IT Ops)
• Dedicated Security or Compliance
• Something else?
20. Myth #1: DevOps replaces Agile
• DevOps Principles and Practices are compatible with Agile
• DevOps is a logical continuation of Agile
• Agile serves as an effective enabler of DevOps
21. Myth #2: DevOps is incompatible with ITIL
• Can be made compatible – many areas just become automated.
22. Myth #3: DevOps is incompatible with InfoSec and Compliance
• Controls are integrated into every stage of the daily work of the SDLC, resulting in better quality, security and compliance outcomes.
Image credit: Checkmarx Software Exposure platform (www.checkmarx.com)
23. Myth #4: DevOps means eliminating IT Operations
• Rarely the case. The nature of IT Operations work just changes.
• Collaborates far earlier in the SDLC with development.
• Enables developer productivity through APIs and self-service platforms that create environments, test and deploy code, monitor and display production telemetry, etc.
• IT Ops become more like Development, i.e. engaged in product development for developers.
24. Myth #5: DevOps is just Infrastructure as Code
• “DevOps isn’t about automation, just as astronomy isn’t about telescopes” – Christopher Little
25. What DevOps really boils down to
DevOps is about team work that enables efficient creation of value.
26. Not convinced? Read these books
Authors: Gene Kim, Patrick Debois, John Willis, Jez Humble, Kevin Behr, George Spafford
28. Security and DevOps – DevSecOps?
• Security is fundamentally about mitigating risk (you’ll never be 100% secure).
• Mitigating risk is enabled by maintaining integrity, availability and confidentiality.
• Security principles haven’t changed; the way we implement security has.
29. Security Principles and Concepts
• Confidentiality
• Integrity
• Availability
• Fail Securely
• Minimize Attack Surface
• Least Privilege
• Separation of Duties/Privilege
• Defense in Depth
• Complete Mediation
• Open Design
• Keep Things Simple (Economy of Mechanism)
• Psychological Acceptability
• Leverage Existing Components
• Auditing
• Single Point of Failure
32. Key Take-aways!
1. DevOps is primarily about a culture of teamwork that enables efficient creation of value at all levels of an organization.
2. Security principles haven’t changed; security and compliance just happen more often and at a more localized scale.
Aims:
1.1. Cover key principles.
1.2. Take the audience on a journey to my AHA moment.
2. Delve into the impact of DevOps on security.
Clarify terms and concepts (Information Technology, Technology, DevOps, QA, Security).
Provoke reflection on the way the audience currently does work and thinks about what can be done better.
Drive home the importance of security in software.
Is a pen and paper information technology?
Disclaimer 1:
I’ve been thinking about this stuff a lot lately, but I’m probably ignorant of something.
There is enough content to write a book about, never mind a short talk.
Disclaimer 2:
There is potentially a lot we could cover, but we have very little time.
I make joke. Har har.
Answer: False
Reason: DevOps isn't any single person's job. It's everyone's job.
DevOps is a lot like the Standard Model of particle physics.
Agile Toronto Conference 2008
Patrick Debois coined the term DevOps when he organized the first DevOpsDays conference in 2009.