DevSecOps with Microsoft Tech
Darin Morris
@techdevdarin
in/darinmorris
What we’re going to talk about
In General:
Thoughts I’ve had around DevOps and Security
In Particular:
1. What it really means to do DevOps
2. How “doing DevOps” affects how we secure Data and Computer-centric Information Systems
Motivation for this talk
Many reasons, but some of the more major reasons are:
• I want “information technology practitioners” to become more professional, more productive and happier at work.
• Information systems need to be of higher quality and delivered faster – we need to really understand the DevOps philosophy to do that well.
• Security is often an afterthought in the IT systems lifecycle – that needs to change.
• We need a common language – not buzzwords.
DevOps and Security are
very broad domains!
SOMEONE ONCE TOLD ME NOT TO BITE
OFF MORE THAN I COULD CHEW…
I said I’d rather
CHOKE ON GREATNESS
THAN NIBBLE ON
MEDIOCRITY.
Let’s get to know each
other a little better!
Fun facts about me
Most used programming languages:
C#, JavaScript
“SiliconCape Native”
First PC: Pentium 1 with
Windows 95
First programming language: Java (JDK 1.3)
Professional background
• I’m a self-taught “Technologist” and I solve problems using
technology.
• I've been a founder, manager, team lead and software engineer,
in various sectors, and in teams of different shapes and sizes.
• Microsoft Certified Professional
• Certified ScrumMaster
• In the process of completing CSSLP, ITIL and ISTQB certifications.
• Member of a number of professional IT associations and
bodies i.e. OWASP, ISACA, IITPSA
• Fulltime full stack software engineer for the past 13 years,
primarily focussed on web and cloud-native software.
OK! Less about me.
More about you!
Does this sound like your role?
• Sales or Relationship Management
• Marketing
• Finance
• Leadership (C-Suite)
• Human Resources
• Business Analyst / Big Data Analyst
• General Administrator
• In-house Legal
Does this sound like your role?
• Project Manager or Coordinator
• Product Manager/Owner
• Software Architect
• Software Engineer
• Test Engineer
• Provision and Manage IT Infrastructure (IT Ops)
• Dedicated Security or Compliance
• Something else?
Let’s play a game!
Question #1
True or False?
DevOps is only done by technical staff.
Question #2
True or False?
DevOps is a Role.
Question #3
True or False?
DevOps is a way of thinking about how we do work.
It’s DevOps – not DevITOps
(Nor is it BizDevOps or DevTestOps or OpsDev or even DevSecOps)
Things DevOps is associated with
What is DevOps really?
Myth #1: DevOps replaces Agile
• DevOps Principles and Practices are compatible with Agile
• DevOps is a logical continuation of Agile
• Agile serves as an effective enabler of DevOps
Myth #2: DevOps is incompatible with ITIL
• Can be made compatible - many areas just become automated.
Myth #3: DevOps is incompatible with InfoSec and Compliance
• Controls are integrated into every stage of daily work of the SDLC resulting in better quality and security and compliance outcomes.
Image credit: Checkmarx Software Exposure platform (www.checkmarx.com)
Myth #4: DevOps means eliminating IT Operations
• Rarely the case. Nature of IT Operations work just changes.
• Collaborates far earlier in SDLC with development.
• Enables developer productivity through APIs and self-service platforms that create environments, test and deploy code, monitor and display production telemetry, etc.
• IT Ops become more like Development
• i.e. engaged in product development for developers.
Myth #5: DevOps is just Infrastructure as Code
• “DevOps isn’t about automation, just as astronomy isn’t about telescopes” - Christopher Little
What DevOps really boils down to
DevOps is about Team Work that enables efficient creation of value
Not convinced?
Read these books
• Gene Kim
• Patrick Debois
• John Willis
• Jez Humble
• Kevin Behr
• George Spafford
So where does
Security fit in?
Security and DevOps - DevSecOps?
• Security is fundamentally about mitigating risk (you’ll never be 100% secure).
• Mitigating risk is enabled by maintaining integrity, availability and confidentiality.
• Security principles haven’t changed, the way we implement security has.
Security Principles and Concepts
• Fail Securely
• Minimize attack surface
• Least Privilege
• Auditing
• Keep Things Simple (Economy of mechanism)
• Confidentiality
• Psychological Acceptability
• Availability
• Single Point of Failure
• Defense in Depth
• Leverage Existing Components
• Open Design
• Complete Mediation
• Separation of duties/privilege
• Integrity
Where is Security and Compliance applied?
Questions?
Key Take-aways!
1. DevOps is primarily about a culture of teamwork that enables efficient creation of value at all levels of an organization.
2. Security principles haven’t changed; security and compliance just happen more often and at a more localized scale.
That’s a wrap!
Connect with me:
@techdevdarin
in/darinmorris

Mais conteúdo relacionado

Mais procurados

DevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsSeniorStoryteller
 
Ops Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WayOps Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WaySeniorStoryteller
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerAdrian Sanabria
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConShifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConTom Stiehm
 
Shifting Security Left from the Lean+Agile 2019 Conference
Shifting Security Left from the Lean+Agile 2019 ConferenceShifting Security Left from the Lean+Agile 2019 Conference
Shifting Security Left from the Lean+Agile 2019 ConferenceTom Stiehm
 
Failure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanentFailure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanentTom Stiehm
 
What we learned from three years sciencing the crap out of devops
What we learned from three years sciencing the crap out of devopsWhat we learned from three years sciencing the crap out of devops
What we learned from three years sciencing the crap out of devopsNicole Forsgren
 
Finding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldShannon Lietz
 
The Teams Behind DevSecOps
The Teams Behind DevSecOps The Teams Behind DevSecOps
The Teams Behind DevSecOps Uleska
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Adrian Sanabria
 
What We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOpsWhat We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOpsSeniorStoryteller
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...Adrian Sanabria
 
Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24
 
Long-term IT projects
Long-term IT projectsLong-term IT projects
Long-term IT projectsPaweł Lewtak
 
BHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsBHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsMagno Logan
 
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)DJ Schleen
 

Mais procurados (20)

DevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatops
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOps
 
Ops Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WayOps Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the Way
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security Practitioner
 
2016 virus bulletin
2016 virus bulletin2016 virus bulletin
2016 virus bulletin
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConShifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
 
Shifting Security Left from the Lean+Agile 2019 Conference
Shifting Security Left from the Lean+Agile 2019 ConferenceShifting Security Left from the Lean+Agile 2019 Conference
Shifting Security Left from the Lean+Agile 2019 Conference
 
The R.O.A.D to DevOps
The R.O.A.D to DevOpsThe R.O.A.D to DevOps
The R.O.A.D to DevOps
 
Failure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanentFailure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanent
 
What we learned from three years sciencing the crap out of devops
What we learned from three years sciencing the crap out of devopsWhat we learned from three years sciencing the crap out of devops
What we learned from three years sciencing the crap out of devops
 
Finding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps World
 
The Teams Behind DevSecOps
The Teams Behind DevSecOps The Teams Behind DevSecOps
The Teams Behind DevSecOps
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
What We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOpsWhat We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOps
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
 
Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...
 
Long-term IT projects
Long-term IT projectsLong-term IT projects
Long-term IT projects
 
BHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsBHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applications
 
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
 

Semelhante a DevSecOps with Microsoft Tech

(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0Amazon Web Services
 
Guided Path to DevOps Career.
Guided Path to DevOps Career.Guided Path to DevOps Career.
Guided Path to DevOps Career.wahabwelcome
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012Nick Galbreath
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015Shannon Lietz
 
Winnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOpsWinnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOpsGene Kim
 
DevOps career (1).pdf
DevOps career (1).pdfDevOps career (1).pdf
DevOps career (1).pdfkrangaswamy1
 
Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...
Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...
Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...Dan Cundiff
 
Just4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 -  How to protect your web applicationsJust4Meeting 2012 -  How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsMagno Logan
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?Security Innovation
 
DevOps Introduction
DevOps IntroductionDevOps Introduction
DevOps IntroductionRobert Sell
 
ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015Shannon Lietz
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Deliverydevopsdaysaustin
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
Dev Ops for systems of record - Talk at Agile Australia 2015
Dev Ops for systems of record - Talk at Agile Australia 2015Dev Ops for systems of record - Talk at Agile Australia 2015
Dev Ops for systems of record - Talk at Agile Australia 2015Mirco Hering
 

Semelhante a DevSecOps with Microsoft Tech (20)

(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
 
Guided Path to DevOps Career.
Guided Path to DevOps Career.Guided Path to DevOps Career.
Guided Path to DevOps Career.
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOps
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
 
DevSecCon Keynote
DevSecCon KeynoteDevSecCon Keynote
DevSecCon Keynote
 
DevOps in 2014
DevOps in 2014DevOps in 2014
DevOps in 2014
 
Winnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOpsWinnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOps
 
DevOps
DevOpsDevOps
DevOps
 
DevOps career (1).pdf
DevOps career (1).pdfDevOps career (1).pdf
DevOps career (1).pdf
 
Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...
Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...
Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...
 
Just4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 -  How to protect your web applicationsJust4Meeting 2012 -  How to protect your web applications
Just4Meeting 2012 - How to protect your web applications
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?
 
DevOps Introduction
DevOps IntroductionDevOps Introduction
DevOps Introduction
 
ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
 
Dev Ops for systems of record - Talk at Agile Australia 2015
Dev Ops for systems of record - Talk at Agile Australia 2015Dev Ops for systems of record - Talk at Agile Australia 2015
Dev Ops for systems of record - Talk at Agile Australia 2015
 

Último

SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrSaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrsaastr
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Salam Al-Karadaghi
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Pooja Nehwal
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Delhi Call girls
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfhenrik385807
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubssamaasim06
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...henrik385807
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AITatiana Gurgel
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024eCommerce Institute
 
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...NETWAYS
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024eCommerce Institute
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )Pooja Nehwal
 

Último (20)

SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrSaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
 
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
 

DevSecOps with Microsoft Tech

  • 1. DevSecOps with Microsoft Tech Darin Morris @techdevdari n in/darinmorris
  • 2. In General: What we’re going talk about 2. How “doing DevOps” affects how we secure Data and Computer-centric Information Systems In Particular: 1. What it really means to do DevOps Thoughts I’ve had around DevOps and Security
  • 3. Motivation for this talk • I want “information technology practitioners” to become more professional, more productive and happier at work. Many reasons, but some of the more major reasons are: • Information systems need to be of higher quality and delivered faster – we need to really understand the DevOps philosophy to do that well. • Security is often an afterthought in the IT systems lifecycle – that needs to change. • We need a common language – not buzzwords.
  • 4.
  • 5. DevOps and Security are very broad domains!
  • 6. SOMEONE ONCE TOLD ME NOT TO BITE OFF MORE THAN I COULD CHEW… I said I’d rather CHOKE ON GREATNESS THAN NIBBLE ON MEDIOCRITY.
  • 7. Let’s get to know each other a little better!
  • 8. Fun facts about me Most used programming languages: C#, JavaScript “SiliconCape Native” First PC: Pentium 1 with Windows 95 First programming language: Java (JDK 1.3)
  • 9. Professional background • I’m a self-taught “Technologist” and I solve problems using technology. • I've been a founder, manager, team lead and software engineer, in various sectors, and in teams of different shapes and sizes. • Microsoft Certified Professional • Certified ScrumMaster • In the process of completing CSSLP, ITIL and ISTQB certifications. • Member of a number of professional IT associations and bodies i.e. OWASP, ISACA, IITPSA • Fulltime full stack software engineer for the past 13 years, primarily focussed on web and cloud-native software.
  • 10. OK! Less about me. More about you!
  • 11. Does this sound like your role? Sales or Relationship Management • Marketing • Finance • Leadership (C-Suite) • Human Resources • Business Analyst / Big Data Analyst • General Administrator • In-house Legal
  • 12. Does this sound like your role? Project Manager or Coordinator • Product Manager/Owner • Software Architect • Software Engineer • Test Engineer • Provision and Manage IT Infrastructure (IT Ops) • Dedicated Security or Compliance • Something else?
  • 13. Let’s play a game!
  • 14. Question #1: True or False? DevOps is only done by technical staff.
  • 15. Question #2: True or False? DevOps is a Role.
  • 16. Question #3: True or False? DevOps is a way of thinking about how we do work.
  • 17. It’s DevOps – not DevITOps (Nor is it BizDevOps or DevTestOps or OpsDev or even DevSecOps)
  • 18. Things DevOps is associated with
  • 19. What is DevOps really?
  • 20. Myth #1: DevOps replaces Agile • DevOps Principles and Practices are compatible with Agile • DevOps is a logical continuation of Agile • Agile serves as an effective enabler of DevOps
  • 21. Myth #2: DevOps is incompatible with ITIL • Can be made compatible - many areas just become automated.
  • 22. Myth #3: DevOps is incompatible with InfoSec and Compliance • Controls are integrated into every stage of daily work of the SDLC resulting in better quality and security and compliance outcomes. Image credit: Checkmarx Software Exposure platform (www.checkmarx.com)
  • 23. Myth #4: DevOps means eliminating IT Operations • Rarely the case. Nature of IT Operations work just changes. • Collaborates far earlier in SDLC with development. • Enables developer productivity through APIs and self-service platforms that create environments, test and deploy code, monitor and display production telemetry, etc. • IT Ops become more like Development, i.e. engaged in product development for developers.
  • 24. Myth #5: DevOps is just Infrastructure as Code • “DevOps isn’t about automation, just as astronomy isn’t about telescopes” - Christopher Little
  • 25. What DevOps really boils down to: DevOps is about Team Work that enables efficient creation of value
  • 26. Not convinced? Read these books: Gene Kim, Patrick Debois, John Willis, Jez Humble, Kevin Behr, George Spafford
  • 28. Security and DevOps - DevSecOps? • Security is fundamentally about mitigating risk (you’ll never be 100% secure). • Mitigating risk is enabled by maintaining integrity, availability and confidentiality. • Security principles haven’t changed, the way we implement security has.
  • 29. Security Principles and Concepts: Fail Securely • Minimize attack surface • Least Privilege • Auditing • Keep Things Simple (Economy of mechanism) • Confidentiality • Psychological Acceptability • Availability • Single Point of Failure • Defense in Depth • Leverage Existing Components • Open Design • Complete Mediation • Separation of duties/privilege • Integrity
  • 30. Where is Security and Compliance applied?
  • 32. Key Take-aways! 1. DevOps is primarily about a culture of teamwork that enables efficient creation of value at all levels of an organization. 2. Security principles haven’t changed, security and compliance just happen more often and at a more localized scale.

Editor's Notes

  1. Aims: 1.1. Cover key principles. 1.2. Take audience on a journey to my AHA moment. 2. Delve into the impact of DevOps on security Clarify Terms and Concepts (Information Technology, Technology, DevOps, QA, Security) Provoke reflection on the way the audience currently does work and thought about what can be done better. Drive home the importance of security in software
  2. Is a pen and paper information technology?
  3. Disclaimer 1: I’ve been thinking about this stuff a lot lately, but I’m probably ignorant of something. There is enough content to write about, never mind a short talk.
  4. Disclaimer 2: There is potentially a lot we could cover, but we have very little time.
  5. I make joke. Har har.
  6. Answer: False Reason: DevOps isn't any single person's job. It's everyone's job.
  7. Answer: False Reason: DevOps isn't any single person's job. It's everyone's job.
  8. Answer: False Reason: DevOps isn't any single person's job. It's everyone's job.
  9. DevOps is a lot like the Standard Model of particle physics.
  10. Agile Toronto Conference 2008. Patrick Debois coined the term DevOps when he organized the first DevOpsDays conference in 2009.
  11. DevOps is a lot like the Standard Model of particle physics
  12. DevOps is a lot like the Standard Model of particle physics