DevOps
to
DevSecOps
Siddharth Joshi

What is DevOps ?
Is DevOps a Methodology ?
Is DevOps a Technology ?
Is DevOps a Process ?

If…then. What ?

DevOps is all about..

How to follow DevOps culture?
Devops is a Culture which needs to be Practiced in order to do achieve organizational
goals in a better and quicker way.
In Technical Aspect …
“Devops is a set of practices and cultural changes – supported by automation tools and
Lean Processes – that creates an automated software delivery pipeline, enabling
organizations to deliver better – quality services and applications faster”.

Why DevOps ?

DevOps CALMS Model

DevOps Best Practices

Infrastructure as code (IaC)
What is meant by IAC ?
It is a method to provision and
manage IT infrastructure through the
use of source code, rather than
through standard operating
procedures and manual processes.

6 C’s of DevOps Adoption

Buzzword “Pipeline”

Continuous Delivery?
Still you have
any doubts
about CI/CD ?
Yes, what
about
Continuous
Delivery ?

 It is a state of being ready and able to
release any version at any time on any
platform.
 This does not mean the code or project
is 100% complete, but the feature sets
that are available are vetted, tested,
debugged and ready to deploy,
although you may not deploy at that
moment.
 Continuous Delivery is a small build
cycle with short sprints.
 It is being able to continually deploy.
 With Continuous Deployment, every
change that is made is automatically
deployed to production. This
approach works well in enterprise
environments where you plan to use
the user as the actual tester and it can
be quicker to release.
Continuous Delivery Continuous
Deployment

Delivery vs Deployment

Containerization
Containerization is a
lightweight alternative to a
virtual machine that involves
encapsulating an application in
a container with its own
operating system and to run on
every environment from
physical computers to virtual
machines, from bare-metal,
Clouds, etc

Orchestration
Container orchestration is the automatic
process of managing or scheduling the work of
individual containers for applications based
on microservice within multiple clusters.
1.Configuring and scheduling of containers.
2.Provisioning and deployments of containers.
3.Availability of containers.
4.Scaling of containers.
5.Allocation of resources between containers.
6.Load balancing, traffic routing and service
discovery of containers.
7.Health monitoring of containers.
8.Securing the interactions between
containers.

Netflix - DevOps
Transformation
 Netflix : From moving DVD sales
to world’s leading internet
television company.
 With more than 100 million
members worldwide enjoying
125 million hours of TV shows
and movies each day.
 Netflix operates a cloud-based infrastructure comprised of hundreds of
microservices.
 Developers can automatically build pieces of code into deployable web images
without relying on IT operations.
 Using more than 100000 instances on AWS.
 Centralizing Flow Logs Using Amazon Kinesis Streams.
 Netflix Realizes Multi-Region Resiliency Using Amazon Route 53.
 Netflix Tunes Amazon EC2 Instances for Performance.
 Journey to the cloud at Netflix began in August of 2008.
 Experienced a major database corruption.
 Realized that they had to move to relational databases
in their datacenter, towards highly reliable, horizontally-
scalable, distributed systems in the cloud.

Transition to DevSecOps
DevSecOps was founded by Security
Practitioners dedicated to the
science of how to incorporate
Security within Agile and DevOps
practices.
DevSecOps is the practice of
integrating automated security tasks
within DevOps processes. It is about
going fast and safe.
DevSecOps is about creating a
#SecurityFirst culture, where
security is a part of everyone’s job

Why DevSecOps ?
It’s tough to get important
security fixes, controls, and
coding standards into a project
that's "done and dusted" as far as
the development team is
concerned. So what happens? The
product goes out the door with
known, and unknown, security
vulnerabilities with possibly some
promise to "fix them in the next
release." This is what you get
when you put security after
development — "Dev" then "Sec"
then "Ops."

“Sec” “Dev” “Ops”
Security controls, guidelines,
coding standards, and policies
must be integrated completely
into the software development
process. This is done by making
security part of the process and
pipeline from the beginning —
"Sec" then "Dev" then "Ops."
With automation, you can shift-
left your approach to security for
a SecDevOps strategy

Security as Code (SaC)
Security as Code (SaC) is
managing the security through
code.
 Privilege management
 Define Policies
 Internal Build and
Deployment Security
 Test policies regularly

Exploring DevSecOps Workflow
 Developers create the code and tests, which are managed by a version control system like Git.
 Changes are committed to the Git.
 Jenkins pulls the code from the repo. and builds and runs unit tests, as well as static code analysis to identify code
quality bugs and security defects.
 An IaC tool, like Chef, provisions an environment, deploys the application, and applies security configurations to the
system.
 Jenkins runs a test automation suite against the newly deployed application, including UI, back-end, integration, API,
and security tests.
 If the application successfully passes all tests, the application is deployed to production using the same
infrastructure-as-code tool used in the previous environments.
 The production environment is continuously monitored by tools like New Relic and Splunk to detect active cyber
security threats.