![”[…]it seems as though the problems are
just between dev and ops, but test is in
there, and you have security objectives.
...](https://image.slidesharecdn.com/devsecops-thebigpicturev1-161010065137/75/devsecops-the-big-picture-11-2048.jpg?cb=1668153432)
DevSecOps and the CI/CD Pipeline
Seu SlideShare está sendo baixado.
×
Confira estes a seguir
![](http://img.youtube.com/vi/["0KG9XRCKK78"]/1.jpg)
Recomendadas
Mais Conteúdo rRelacionado
Diapositivos para si (20)
Quem viu também gostou (20)
Semelhante a DevSecOps - The big picture (20)
Mais de Stefan Streichsbier (13)
Mais recentes (20)
DevSecOps - The big picture
- 1. The big picture Culture, Processes and Technologies on a high level
- 2. Stefan Streichsbier Company: Vantage Point Twitter: @s_streichsbier Why?
- 3. A Brief History of DevOps
- 4. In the beginning there was… Source: https://www.flickr.com/photos/37186408@N05/12162302775
- 5. Waterfall • Long release cycles • A lot of “WIP” • Functional silos • Incredibly rigid
- 6. …then there was Agile Source: https://i.ytimg.com/vi/8Hedq2d1H44/maxresdefault.jpg
- 7. Agile • Shorter release cycles • Smaller batch sizes • Cross-functional teams • “Incredibly” agile
- 8. Suddenly Ops was the bottleneck
- 9. Agile Ops Anyone? 2 major related trends: 1. Agile Operations/Infrastructure 2. Collaboration between dev and ops Ultimately led to the first DevOpsDays in 2009…
- 10. So, what is DevOps? • Set of principles and practices for efficient communication and collaboration. (Culture) • Automated deployment pipeline. (Processes) • Supporting tool chain (Technologies)
- 11. ”[…]it seems as though the problems are just between dev and ops, but test is in there, and you have security objectives. These are top-level concerns of Management […] and have become part of the DevOps picture. In other words, when you hear "DevOps" today, you should probably be thinking DevOpsQATestInfoSec." - Gene Kim
- 12. DevSecOps
- 13. Target State DevSecOps enables organisations to deliver inherently secure software at DevOps speed.
- 14. Security challenges in DevOps • It is clear why companies are moving to DevOps …but how can security keep up with this? Source: https://xebialabs.com/assets/files/whitepapers/ITRev_DevOps_Guide_5_2015.pdf
- 15. 3 key categories of DevSecOps 1. Culture 2. Processes 3. Technologies
- 16. Culture
- 17. Culture • Communication and transparency • High-trust environment “blameless postmortem” • Continuous improvement • Everyone is responsible for security • Automate as much as possible • Everything as code
- 18. Culture: Open Space Ideas • How did your org switch to Dev(Sec)Ops? • Continuous Improvement (Kaizen) • What are you automating at the moment?
- 19. Processes
- 20. Processes 1. Secure SDLC 2. Security Pipelines
- 21. Processes: Secure SDLC 1. Training 2. Requirements 3. Architecture & Design 4. Coding 5. Testing 6. Deployment 7. Post Deployment
- 22. Processes: Sec Pipelines • Opt. critical resource • Reduce friction • Increase visibility • Each step repeatable • Drive up consistency
- 23. Security Pipelines
- 24. Processes: Open Space Ideas • How are you managing security requirements? • How are you building security into the SDLC? • AppSec Pipelines in the wild • ChatSecOps
- 25. TechnologiesDevOps is not supposed to be about “tools”
- 26. DevSecOps Technologies 1. Requirements 2. Code: IDE Plugins, SAST 3. Test: Gauntlt, *AST 4. Configure: Sec as Code 5. Maintenance: Patch Management 6. Monitor: Auditing, Attack visibility, RASP Warning about *AST
- 27. Technologies: Open Space Ideas • Scaling security requirements • TDD and security in testing • Which *AST technologies have you been using? • Experience with IDE Plugins • Environment management (Dev/Prod parity) • Configuration management (configuration drift) • Patch Management and deployment strategies (e.g. Phoenix)
- 28. Summary • DevSecOps enable organisations to deliver inherently secure software at DevOps speed.
- 29. Questions?
- 30. Inspirations • http://itrevolution.com/heres-how-the-amazing-twitter-infosec-team-helps-devops/ • http://techbeacon.com/devsecops-9-ways-devops-automation-bolster-security-compliance • https://www.checkmarx.com/2015/11/13/devsecops-4-best-practices-the-pros-teach-us-about- security-and-devops/ • http://www.slideshare.net/zanelackey/effective-approaches-to-web-application-security • http://searchdatacenter.techtarget.com/feature/How-to-adopt-a-successful-DevOps-enterprise • https://opensource.com/business/14/7/devops-red-hat • http://www.infoq.com/news/2014/03/etsy-deploy-50-times-a-day • http://www.slideshare.net/mtesauro/taking-appsec-to-11-appsec-pipeline-devops-and-making- things-better • https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
