The Journey to DevSecOps
Always an Early Adopter
• DevOps.com was bought in
• Google searches for “DevOps”
started to rise in 2010
• Major influences:
– Saving your Infrastructure from
DevOps / Chicago Tribune
– DevOps: A Culture Shift, Not a
Technology / Information Week
– DevOps: A Sharder’s Tale from
– DevOps.com articles
• RuggedSoftware.org was
bought in 2010
Which means, spending most of your
career doing this…
This is the End of Security as We Know It…
6+ years later, it’s hard to believe
we’re still shocked by this quote!
This talk will provide you with a
And a survival kit...
An Ugly Little Secret
• DevOps teams make security
decisions… several times,
• Hackers find security issues and
exploit them... several times,
• Security teams hardly ever make
security decisions... and really only
when risks need to be officially
In a Deming World…
• Most decisions are made within the
software supply chain by engineering
• Security decisions are usually made as a
result of attempting to balance design
• Gating processes are not Deming-like; but
it is hard to avoid business catastrophes by
applying measure ahead strategies for
• Most security defects are identified during
a major event triggering the equivalent of
a security “recall”
Diagram: design, build, deploy, operate. Typical gates for security checks & balances sit between the phases (gate questions on the slide: "How do I", "How do I", "Is my app"). Mistakes and drift often happen after the design and build phases, while the most costly mistakes happen during design. A much-needed feedback loop back to design is missing.
Hackers have lots of opportunities…
• Susceptible to phishing and email scams
• Can be social engineered
• Humans make mistakes, because they are human (6 Sigma)
• Process gaps provide room for fraud
• Software complexity increases with reusable components
• Technology providers have to do their part, or everyone fails!
Get Grounded in Reality
• Secure business is the new black! KTLO!
• Everyone must be responsible for security!
• Perfection is over-rated… Mistakes are
• Reacting can be costly… build security in.
• Compliance is important but it’s not security!
• A blaming culture is dangerous, avoid it!
• Continuously test, detect, measure and
Keep The Lights On!
• Keeping the Lights on includes
• 66% of companies adopting
• DevOps teams need guardrails
and guidelines to move fast
• Security decisions that haven’t
been made before likely
• Common ratio for Dev, Ops
and Sec => 100, 10, 1
• Numbers matter against
• Skills help, but anyone can
identify an anomaly.
• Everyone needs to help
with security; everyone has
a role to play. And this is hard to find...
• DevOps utilize customer-driven
development processes with
• But because of frequent
changes, teams have more
opportunities to correct
defects, on average 30x more
• Teams need help deciphering
how to self-correct
Protection is ideal; Detection is a must!
• The faster a defect is
discovered, the faster it can
be dealt with.
• DevOps has 50% faster MTTR
• Transforming security events
into incidents and problems
helps with resolution rates
Compliance Programs won’t stop a breach
• Point in time assessments
don’t go far enough
• 0 companies (in 10 years)
have been found compliant
after a breach
• Compliance needs to be
paired with rugged security
High Performing is where it’s at!
• High performing teams that
focus on a blameless culture
improve on average 50% more
• Blaming cultures create less
engagement, 30% less efficient
• MTTR is 5x faster in blameless
teams that focus on
• Continuous improvement has
been a goal for countless
years
• Teams that focus on testing,
early detection, and measuring
progress have 30% fewer
defects in production
• Tests are often added to
continuous delivery to achieve
better results throughout the
continuous delivery pipeline
Great! What does this look like in practice for a
Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
Get Involved and Join the Community
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• Compliance at Velocity
• Join Us !!!
• Spread the word!!!