
DevSecOps - The big picture



The big picture
Culture, Processes and Technologies on a high level
Stefan Streichsbier
Company: Vantage Point
Twitter: @s_streichsbier
DevSecOps - The big picture

  1. The big picture. Culture, Processes and Technologies on a high level
  2. Stefan Streichsbier. Company: Vantage Point. Twitter: @s_streichsbier. Why?
  3. A Brief History of DevOps
  4. In the beginning there was… Source: https://www.flickr.com/photos/37186408@N05/12162302775
  5. Waterfall • Long release cycles • A lot of “WIP” • Functional silos • Incredibly rigid
  6. …then there was Agile. Source: https://i.ytimg.com/vi/8Hedq2d1H44/maxresdefault.jpg
  7. Agile • Shorter release cycles • Smaller batch sizes • Cross-functional teams • “Incredibly” agile
  8. Suddenly Ops was the bottleneck
  9. Agile Ops Anyone? Two major related trends: 1. Agile Operations/Infrastructure 2. Collaboration between dev and ops. Ultimately led to the first DevOpsDays in 2009…
  10. So, what is DevOps? • Set of principles and practices for efficient communication and collaboration (Culture) • Automated deployment pipeline (Processes) • Supporting tool chain (Technologies)
  11. “[…] it seems as though the problems are just between dev and ops, but test is in there, and you have security objectives. These are top-level concerns of Management […] and have become part of the DevOps picture. In other words, when you hear "DevOps" today, you should probably be thinking DevOpsQATestInfoSec.” - Gene Kim
  12. DevSecOps
  13. Target State: DevSecOps enables organisations to deliver inherently secure software at DevOps speed.
  14. Security challenges in DevOps • It is clear why companies are moving to DevOps … but how can security keep up with this? Source: https://xebialabs.com/assets/files/whitepapers/ITRev_DevOps_Guide_5_2015.pdf
  15. 3 key categories of DevSecOps: 1. Culture 2. Processes 3. Technologies
  16. Culture
  17. Culture • Communication and transparency • High-trust environment (“blameless postmortem”) • Continuous improvement • Everyone is responsible for security • Automate as much as possible • Everything as code
  18. Culture: Open Space Ideas • How did your org switch to Dev(Sec)Ops? • Continuous Improvement (Kaizen) • What are you automating at the moment?
  19. Processes
  20. Processes: 1. Secure SDLC 2. Security Pipelines
  21. Processes: Secure SDLC 1. Training 2. Requirements 3. Architecture & Design 4. Coding 5. Testing 6. Deployment 7. Post Deployment
  22. Processes: Sec Pipelines • Optimise the critical resource • Reduce friction • Increase visibility • Each step repeatable • Drive up consistency
  23. Security Pipelines
  24. Processes: Open Space Ideas • How are you managing security requirements? • How are you building security into the SDLC? • AppSec Pipelines in the wild • ChatSecOps
  25. Technologies. DevOps is not supposed to be about “tools”
  26. DevSecOps Technologies 1. Requirements 2. Code: IDE Plugins, SAST 3. Test: Gauntlt, *AST 4. Configure: Sec as Code 5. Maintenance: Patch Management 6. Monitor: Auditing, Attack visibility, RASP. Warning about *AST
  27. Technologies: Open Space Ideas • Scaling security requirements • TDD and security in testing • Which *AST technologies have you been using? • Experience with IDE Plugins • Environment management (Dev/Prod parity) • Configuration management (configuration drift) • Patch Management and deployment strategies (e.g. Phoenix)
  28. Summary • DevSecOps enables organisations to deliver inherently secure software at DevOps speed.
  29. Questions?
  30. Inspirations • http://itrevolution.com/heres-how-the-amazing-twitter-infosec-team-helps-devops/ • http://techbeacon.com/devsecops-9-ways-devops-automation-bolster-security-compliance • https://www.checkmarx.com/2015/11/13/devsecops-4-best-practices-the-pros-teach-us-about-security-and-devops/ • http://www.slideshare.net/zanelackey/effective-approaches-to-web-application-security • http://searchdatacenter.techtarget.com/feature/How-to-adopt-a-successful-DevOps-enterprise • https://opensource.com/business/14/7/devops-red-hat • http://www.infoq.com/news/2014/03/etsy-deploy-50-times-a-day • http://www.slideshare.net/mtesauro/taking-appsec-to-11-appsec-pipeline-devops-and-making-things-better • https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
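The "Sec Pipelines" principles on slide 22 (each step repeatable, increase visibility, drive up consistency) and the tool stages on slide 26 can be sketched as a small orchestrator. This is an added illustration, not code from the talk or from Vantage Point; the stage functions return constructed sample findings standing in for real SAST/DAST output, and the schema, rule ids and paths are assumptions.

```python
"""Minimal AppSec pipeline model: repeatable stages, one finding schema, one gate."""
from dataclasses import dataclass
from typing import Callable, Iterable

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    tool: str       # which stage produced it
    rule: str       # rule id (CWE used here as a constructed example)
    location: str   # file:line or URL; with rule, the dedup key
    severity: str   # "low", "medium" or "high"


# Constructed sample outputs: two SAST tools overlap on one SQLi finding,
# a DAST stage finds a CSRF issue that static tools cannot see (slide 26's
# "*AST" caveat: each tool class only sees part of the picture).
def sast_a_stage() -> list[Finding]:
    return [Finding("sast-a", "CWE-89", "app/db.py:42", "high"),
            Finding("sast-a", "CWE-79", "app/views.py:17", "medium")]


def sast_b_stage() -> list[Finding]:
    return [Finding("sast-b", "CWE-89", "app/db.py:42", "medium")]


def dast_stage() -> list[Finding]:
    return [Finding("dast", "CWE-352", "/account/update", "medium")]


def run_pipeline(stages: Iterable[Callable[[], list[Finding]]]) -> list[Finding]:
    """Run every stage and merge results into one consistent, deduplicated list."""
    seen: dict[tuple[str, str], Finding] = {}
    for stage in stages:
        for f in stage():
            key = (f.rule, f.location)
            # Keep one record per (rule, location), preferring the higher severity
            if key not in seen or SEVERITY_RANK[f.severity] > SEVERITY_RANK[seen[key].severity]:
                seen[key] = f
    return sorted(seen.values(), key=lambda f: -SEVERITY_RANK[f.severity])


def summary(findings: list[Finding]) -> dict[str, int]:
    """Visibility: number of unique findings per severity."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def gate(findings: list[Finding], fail_on: str = "high") -> bool:
    """Quality gate: True when no finding reaches the fail_on severity."""
    return all(SEVERITY_RANK[f.severity] < SEVERITY_RANK[fail_on] for f in findings)
```

Running `run_pipeline([sast_a_stage, sast_b_stage, dast_stage])` yields three unique findings and `gate` fails the build on the high-severity one; dropping the SAST stages lets it pass, which is the coverage gap the slide warns about.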

Editor's Notes

  • Architecting Enterprise wide security programs
    Integrating security activities into the SDLC
    Achieving security at DevOps speed
    How many have been at the devopsdays singapore last year?
  • We security guys typically only mingle in dedicated security meetups and conferences and talk about the latest way of how to break stuff, but as most of my work is spent in development teams I really enjoy the conversations with people that build software, and I don’t just mean devs. So when I heard that devopsdays are being hosted in Singapore I was very excited; their line-up of speakers was fantastic, we even had John Willis giving a keynote. As with every DevOpsDays conference the whole afternoon was dedicated to openspace topics and I was really keen to know how others are integrating security into agile and devops. The topic was eventually selected and I counted 40+ people that joined the session. And even though we had some people share their experiences, what really struck me was the fact that so many people were genuinely interested in how to integrate security but there weren’t many concrete answers given. So that’s why, in the spirit of devops, I wanted to contribute to the community and created devsecops to achieve exactly that: find solutions that help create secure applications at the speed of DevOps.
  • WIP: Work that you have started, but that isn’t completed yet.
  • Infrastructure wasn’t able to deal with rapid changes coming out of production
  • Understanding of the value of throughout SDLC
    And since then has spread around the globe.
  • Starts with agile, but goes well beyond
    Amplify Feedback loops
  • And everyone’s job is to enable the business!
  • In fact, many believe that it’s not a matter of if your company is adopting devops, but when.
    This is quite interesting because devXops is still evolving, especially in the area of DevSecOps.
    The exciting thing is that DevSecOps is still very young and great new ideas of how to improve things are being discovered daily.
    Every single conversation we have can push the envelope.
  • “DevOps works because dev and ops teams understand each other better and can make more informed decisions. Rather than solving problems in silos, they’re solving for the stream of activity and the goal. If you show DevOps teams how security can make them better, then as a reciprocation they tend to ask, “Well, are there any choices we make that would make your life easier?”
    Companies like the Etsy online marketplace have also demonstrated that providing an environment in which it's safe to talk about failure makes it much more likely that problems are discovered early and information gets shared more quickly and more widely.
    Josh is talking about how the culture of transparency and sharing information between teams has allowed the development and operations teams to better understand where the other team is coming from – allowing everyone to be on the same page. Especially in an environment where speed is of utmost importance, knowing exactly what is going on at any given time is going to be essential for the health of organization as a whole.
    Transparency is an essential part of the DevSecOps world, and security processes and monitoring has to be seen by all stakeholders if it is going to thrive in a DevOps world.
    See more at: https://www.checkmarx.com/2015/11/13/devsecops-4-best-practices-the-pros-teach-us-about-security-and-devops/?utm_content=buffer04d69&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer#sthash.mRgdPnKn.dpuf
  • You don’t start with
  • Everyone is responsible for security, make it easy to “win”
  • In order to deliver inherently secure applications at devops speed, we need to have team members that embrace security.
    Failing unit tests
  • Fix things quickly.
    An AppSec Pipeline takes the principles of DevOps and Lean and applies them to an application security program.
  • We could probably spend the next 6 sessions talking about this alone
  • You don’t start with
  • A quick word on *AST: it only covers about 50% of the potential findings. It’s important to understand what these tools can identify and what they can’t.
  • You don’t start with
  • So in order for devsecops to live up to its full potential and enable organisations to deliver inherently secure software at devops speed, Culture, Processes and Technologies have to come together as one towards the same goal.
    Thank you