Bringing InfoSec Into The DevOps Tribe
Q&A with Gene Kim (founding CTO of Tripwire) and Pete Cheslock of Threat Stack
Introductions
Gene Kim
Founding CTO of Tripwire
Gene Kim is co-author of "The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win", founder and former CTO of Tripwire, Inc., and is hosting the upcoming DevOps Enterprise Summit.
Introductions
Pete Cheslock
Senior Director of Operations and Support at Threat Stack

Pete Cheslock is the Senior Director of Operations and Support for Threat Stack. He focuses relentlessly on the uptime of the Cloud Sight service and is passionate about supporting the company’s ever-growing customer base. Pete is a 15-year veteran of the technology industry and most recently built out the automation and release engineering teams at Dyn as well as for the Amazon-backed cloud archiving company Sonian.
Q&A
Gene Kim kicks off the Q&A with a few questions for Pete:
Gene:
“How in the world did a nice DevOps person like you end up in the bowels of Infosec? Usually it works the other way around — the smart Infosec people flee to saner grounds like DevOps.”
Pete:
“I wasn’t specifically looking for a job in the Infosec field, but after getting introduced to Threat Stack, it opened my eyes to a whole new world I felt like I was missing out on.”
“What I saw was…”
“…a convergence of Infosec and DevOps much like we saw when Dev and Ops teams needed to fundamentally change their thought process in order to win.”
“As we see more and more companies of all sizes undertake cloud initiatives, deploying net-new projects into places like Amazon, Google and Azure, Infosec teams become the new barriers to progress.”
“I see a world where we [Threat Stack] can provide deep insight into services, users, and activities that these companies need, and provide this information to DevOps, Ops and Infosec users alike.”
“We can then embed this visibility and monitoring into the workflow, allowing companies to deploy more scalable and elastic infrastructure.”
“It will become more and more critical that businesses continually monitor and analyze the scope of changes to their systems.”
“And these monitors should be integrated early.”
Gene:
Here’s a quote from Josh Corman:
“If there’s one message that everyone in Infosec should know about the DevOps community, it’s this: DevOps is waiting for Infosec with open arms. Come on in, the water is awesome.”
“Do you agree with his thesis?”
Pete:
“It’s been an exciting time as DevOps and the overall community around that movement has matured over the past 5 years.”
“Companies are making amazing organizational changes and fundamentally shifting how they do business online.”
“I see the same thing when it comes to Infosec teams and security-minded folks within companies.”
“But at many of these companies, the Security teams don’t have a seat at the table. They are getting shot down while the rest of the organization is making changes at an incredible rate.”
“So how can we enable Security and Infosec teams to embrace this new world of continuous deployment and elastic infrastructure?”
“Much like how we saw for the DevOps world, it will come down to a mix of culture change and improved technical applications that will facilitate the integration of Infosec into DevOps.”
“Much like how Chef and Puppet enabled teams to more effectively build and deliver highly scalable systems.”
“I see Threat Stack poised to deliver the tools to allow deep insight and visibility into the applications and services being deployed.”
Pete then had some questions for Gene:
Pete:
“It looks like enterprises like GE Capital, Macy’s, Target, and Nordstrom are early adopters of DevOps in the enterprise; how does Infosec need to change when more of the Dev to Ops value stream migrates to DevOps patterns?”
Gene:
“My belief is that we’re going to see the Infosec function transform just like QA/Test is transforming.”
“In other words, in high performing DevOps organizations, you very rarely see a QA department that is writing and running the tests.”
“Instead, QA is helping to coach Dev on how to write good test cases and ensures that the right feedback loops exist so that Dev can validate that they’re achieving the functional and non-functional requirements.”
“Infosec is not doing the security scans, nor is it pestering Dev and Ops to look at their reports.”
“Instead, they are helping to create the automated tools so that Dev and Ops can get fast and constant feedback on if the code and environment are achieving security objectives.”
“My favorite example is the three-year transformation of the Twitter Infosec function, which started when @BarackObama was hacked, resulting in an FTC injunction requiring that Twitter be secure for the next 15 years.”
“They integrated Infosec into the daily work of Dev and Ops with the primary mission of not getting in their way.”
Pete:
“How are fast-growing companies implementing the DevOps principles of ownership and accountability while requirements for access tighten (SOC2/FISMA/PCI, etc.)?”
Gene:
“The main obstacle for DevOps adoption in large enterprises is Infosec and Compliance, and you can hardly blame them.”
“For decades, both Dev and Ops seem to have done everything they could to fix security defects exposed late in the project lifecycle.”
“But what every Infosec and Compliance practitioner needs to know is that: DevOps is the best thing in at least 20 years to happen to our field.”
Here’s why:
“1. When Dev and Ops embrace DevOps principles, we fully embrace all the non-functional requirements, like performance, quality, reliability, and yes, security.”
“We want to know when we’re writing or operating code or environments that aren’t secure.”
“2. Because DevOps organizations are constantly doing deployments, the “find to fix” cycle time is very short.”
“So the days of Dev or Ops taking nine months to get an urgent change into production are coming to an end.”
“3. DevOps value streams that sustain tens, hundreds or even thousands of deployments per day (i.e. Netflix, Etsy, Google), can’t be done without a ton of effective controls.”
“There are FAR MORE controls (i.e. security scans, performance testing, deployment validation) in a DevOps organization than in a traditional waterfall SDLC.”
Wrapping Up
Threat Stack is hosting Gene Kim at our AWS re:Invent booth (#742) on Wednesday, November 12, 2014 from 11am-12:30pm for a free book signing of The Phoenix Project. We look forward to seeing you then!
Start Implementing Continuous Code Security Today
threatstack.com
