SecDevOps: The New Black of IT

Andrew Storms, Director of DevOps, CloudPassage
Alan Shimmel, CEO & Co-founder, DevOps.com
Just when you thought DevOps was the new black, along comes SecDevOps. In this webinar, Andrew Storms, Sr. Director of DevOps at CloudPassage, and Alan Shimel, Co-Founder of DevOps.com, discuss the emerging hybrid role of DevOps and Security. Tune in to hear them cover the following topics and why DevOps should want to play a bigger part in security:

• Go beyond the traditional by using DevOps tools, practices and methods to create a SecDevOps force multiplier
• Orchestrate and automate: deputize everyone to incorporate security into their day-to-day responsibilities
• Examples of security automation, and case situations that minimize risk and drive flexibility for DevOps
• See how SaaS provider CloudPassage integrates security into its own development and operations workflows

Speaker notes

• Apply IFTTT thinking
  – If This Then That
  – Channels, Triggers, Actions, Ingredients → Recipes
  – (Graphic placeholder: a funnel where Channels, Triggers, Actions and Ingredients converge to make a recipe)
• Examples (the same graphic from the previous slide, but small)
  – If code gets checked in, then run static analysis
  – If firewall policy changes, then initiate remote scanner
  – If breach, then quarantine
• Feel free to change these points to your sales next steps.
  • SecDevOps: The New Black of IT

    1. SecDevOps: The New Black of IT. Andrew Storms, Director of DevOps, CloudPassage. Alan Shimmel, CEO & Co-founder, DevOps.com
    2. 1994 · 1995 · 2009 (timeline slide)
    3. Cloud or Not – Still the Same
       • Infrastructure
       • Data & Storage
       • Identity & Access Controls
       • Privacy
       • Governance
       • Audit & Compliance
    4. What about DevOps? Infrastructure as code, Instrumentation, Orchestration, Continuous everything
    5. What about security with DevOps?
    6. DevOps & Security Division. (Lifecycle diagram: Plan, Code, Test, Release, Deploy, Operate, with DevOps and Security separated by "Division" rather than "Collaboration".) This is NOT how we do DevOps at CloudPassage.
    7. SecDevOps (lifecycle wheel with Security at the center of Plan, Code, Test, Release, Deploy, Operate; the same wheel appears on slides 8–12)
       • Less division – More collaboration
       • Less silos – More sharing
       • Less pipeline – More chains & links
       • Less manual – More automation
    8. Plan
       • Release Sherpa
         – Ops, Dev, QA
         – See a release through from start to finish
       • Change risk management
         – What infrastructure changes?
         – Unexpected or large code changes?
         – Security risk assessment
         – Threat vector analysis
    9. Code
       • Standards enforcement
         – Rubocop, Food Critic, Knife-Spork
       • Review Process
         – Peer & code review
         – Continuous application & infrastructure testing
       • Git feature branching
         – Change control & isolation
    10. Test
       • Automated code testing
         – Over 10k tests run automatically at check in
         – Over 10k QA assertions
         – Over 130 smoke test suites
       • All the modules & third party integrations
       • Deploy verifications
       • External automated testing
       • External code review
    11. Release & Deploy
       • Stakeholders approval
       • Standardized tools
         – Capistrano, Chef
       • Deploy testing
         – 2-man rule
       • System segregation
         – Only Ops has production access
    12. Operate
       • Continuous compliance monitoring
         – All systems (prod & non-prod)
         – Hourly & daily
         – Halo
       • Infrastructure security orchestration
         – Thousands of control/change points enforced hourly (Chef)
         – Validated by Halo
       • Continuous risk assessment
         – Third-party vulnerability testing of all systems
    13. Workflow diagram: JIRA → git → Chef → Capistrano → Halo. Stages: Initiate, Approve, Implement, Deploy (Infrastructure), Deploy (App Code), Update Baselines, Continuous Monitoring, with Audit Records captured at each stage. End to end audit trail, built into the agile process… "AGILE ASSURANCE"
    14. Practical SecDevOps Examples
       • Security automation potential
         – Cloud APIs have exploded
       • Latch on to DevOps momentum
         – Take advantage of change
         – Make Dev and Ops security stakeholders
       • Use IFTTT thinking
         – Channels, Triggers, Actions, Ingredients → Recipes
    15. Practical SecDevOps Automation (image slide)
    16. Practical SecDevOps Automation (image slide, labelled "git-push")
    17. Practical SecDevOps Automation (image slide)
    18. Practical SecDevOps Automation (image slide)
    19. SecDevOps in Summary
       • Old is new – Still solving the same problems, but in new ways
       • SecDevOps – DevOps is here; SecDevOps is required
       • Automation – Security automation is here, and is required in the cloud
    20. More Resources
       • Explore: www.DevOps.com
       • Learn: blog.cloudpassage.com
       • Start: www.cloudpassage.com/halo
    21. Thank you! Q&A
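The IFTTT idea on slide 14 (Channels, Triggers, Actions, Ingredients → Recipes) and the three recipes in the speaker notes, as an added example that is not from the deck or from CloudPassage's tooling. The channel names, the severity threshold for quarantine and the command strings the actions return are assumptions made here for illustration.

```ruby
# Added example, not from the slides: a minimal IFTTT-style recipe engine.
# Channel = event source, Trigger = predicate on an event, Action = what runs,
# Ingredients = the event fields the action may use.
Recipe = Struct.new(:name, :channel, :trigger, :action)
class RecipeEngine
  attr_reader :audit_log # every firing is recorded, the "audit records" of slide 13
  def initialize
    @recipes = []
    @audit_log = []
  end

  def add(name, channel:, trigger:, action:)
    @recipes << Recipe.new(name, channel, trigger, action)
    self
  end

  # Route one event (a Hash with :channel plus its ingredients) through every
  # recipe on that channel whose trigger matches; returns the names that fired.
  def handle(event)
    hits = @recipes.select { |r| r.channel == event[:channel] && r.trigger.call(event) }
    hits.each { |r| @audit_log << { recipe: r.name, event: event, result: r.action.call(event) } }
    hits.map(&:name)
  end
end

# The three recipes from the speaker notes. Channel names, threshold and command
# strings are assumptions; in production each action would call CI, a scanner or Halo.
def build_engine
  RecipeEngine.new
    .add("static-analysis", channel: :git,
         trigger: ->(e) { e[:event] == "push" },
         action:  ->(e) { "rubocop #{e[:repo]}@#{e[:sha]}" })
    .add("remote-scan", channel: :firewall,
         trigger: ->(e) { e[:event] == "policy_changed" },
         action:  ->(e) { "scan #{e[:hosts].join(',')} against the new policy" })
    .add("quarantine", channel: :ids,
         trigger: ->(e) { e[:event] == "breach" && e.fetch(:severity, 0) >= 8 },
         action:  ->(e) { "isolate #{e[:host]}: block egress, rotate its credentials" })
end

# Constructed sample events: one per channel, plus a low-severity alert that must
# NOT trigger quarantine (the threshold edge case a breach trigger has to handle).
SAMPLE_EVENTS = [
  { channel: :git, event: "push", repo: "halo-api", sha: "abc1234" },
  { channel: :firewall, event: "policy_changed", hosts: %w[web-01 web-02] },
  { channel: :ids, event: "breach", host: "db-07", severity: 9 },
  { channel: :ids, event: "breach", host: "dev-03", severity: 3 },
].freeze
def run_samples(engine = build_engine)
  SAMPLE_EVENTS.map { |e| engine.handle(e) }
end
```

Because every firing lands in `audit_log` with the triggering event and the action's result, the engine also yields the end-to-end audit trail slide 13 calls "agile assurance".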