SlideShare a Scribd company logo

Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - Shannon Lietz

Download as PPTX, PDF
S
SeniorStoryteller

Extended version of Shannon Lietz talk on Culture Hacking at RSAC 2017

Technology
1 of 32
SESSION ID:SESSION ID: #RSAC Shannon Lietz Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! PROF-T11 Director, DevSecOps Intuit @devsecops
#RSAC Take Responsibility. Give Credit. @seniorstoryteller <me /> 1984 1989 1996 2001 2011 DEVELOPER OPERATIONS “DEVSECOPS” “RUGGED” SECURITY PRESENT -- FOUNDER -- SAFER SOFTWARE SOONER
#RSAC How we’ll spend our time today… 3 Educate + Learn = Apply So that we can achieve safer software sooner in our lifetime. …the next generation of security is ours to ignite! In hopes of speeding up your journey and inspiring you to rebel in your own way… I have banged my head against the wall many times to bring you these lessons…
4 Most say it’s never a good idea to break the rules... Pixabay @ Pickit until the forces of change demand it.
#RSAC Software is eating the world!!! http://www.wsj.com/articles/SB10001424053111903480904576512250915629460 -Mark Andreessen, 2011
#RSAC DevOps is eating the world!!! Imagine solving the world’s problems faster by collaborating and taking responsibility. In connection with Cloud Computing, DevOps is the cultural enabler needed to scale creativity and innovation. With the goal of solving customer problems faster, no wonder DevOps is taking over. ~1500% increase In 2 years
#RSAC Cloud is eating the world!!! Public Cloud adoption is accelerating at a rapid pace… Software defined environments allow scale to happen and more decisions to be made daily… More people can experiment, learn and fail at a rapid pace to solve for customer demand…. Creativity is the next frontier… http://www.geekwire.com/2016/study-aws-45-share-public-cloud-infrastructure-market-microsoft-google-ibm-combined/
#RSAC Security is blocking the world!!! <- Say What???
#RSAC Security is viewed as the proctologist of the technology universe… and we really need to change this perception! http://www.flowmotioncafe.com @petecheslock
#RSAC https://www.flickr.com/photos/mjhagen/2973212926
WE MUST AVOID SECURITY EXTINCTION… http://donsmaps.com/images22/mutta1200.jpg Stock Unlimited 1288835 @ Pickit Security DNA DevOps Cloud Leader Mobile IoT End Users
#RSAC Culture Hacking Traditional Security Security is Everyone’s Responsibility DEVSECOPS
#RSAC Why is this necessary? evolution value compliance genesis customer custom- built product (+rental) commodity (+utility) devsecops visible invisible compute cloud compliance as code informational website domain names devops continuous deployment continuous integration transparent security rugged software fewer better suppliers security as code agile mobile customer-driven innovation traditional SDLC traditional security web app search engine red team penetration testing commodity bound growth emerging Catching up takes commitment
#RSAC How hard could it be? Source Code CI Server Artifacts MonitoringDeploy Test & Scan DevOps Code - Creating Value & Availability DevSecOps Code - Creating Trust & Confidence
#RSAC What type of skills are required? Dev Sec Ops Dev Sec Ops 15 Dev Sec Ops Developer Sys Admin Security Engineer competency needed skill; functional
#RSAC Is everyone bought in? Management has some firm requirements due to financial commitments and reporting DevOps and Innovation can easily live in 3 out of 4 boxes but hardly like Control Security practitioners tend to write policies and distrust everyone not them; rightfully so, 1% insider threat is a lot! CONTROLCOLLABORATION CULTIVATION COMPETENCE people company reality possibility
#RSAC Who can help? Forming the C.A.T. Team: Big bet 10 rare people in 6 months Hire for passion Remove barriers (logical and physical) Mixed skills and levels 17 P. Svangren @ Pickit C.A.T.T. aka Cyber Attack Tiger Team Bring big leadership skills if you want to wrangle big cats…
#RSAC At first, it looked a lot like this… Offices fostered the wrong culture • Break down the walls • Long flat tables • Lounge areas • Continuous Learning • Increase communication • Small teams with purpose • Take a walk • Difficult discussions • Dedicated to success
#RSAC How do I avoid being eaten by big CATTs? FROM AUTHORITY STRUCTURED POLICIES COMMAND & CONTROL RISK MITIGATED APPROVALS TO INSPIRATION FIRST PRINCIPLES VALUE DRIVEN RISK BALANCED LESSONS LEARNED
#RSAC Goals matter… Without a goal you are neither a great leader nor a good follower… 20 0 15 years5 10 “Security is done!” J. Ekstam @ Pickit
#RSAC HPO starts with team principles… • Everyone is learning • No one left behind • Don’t hug your code • Check your ego at the door • One for all 21 S. Khuntale 1434620403900 @ Pickit Measure for crunchiness once a week…
#RSAC Confidence is critical… Operating model must increase confidence at all stages Opt for Coaching vs. Managing Increase communication Patience pays off Keep it blameless 22 confidence
#RSAC Does your team keep score? Everyone can be a hero! Keeping score is fun! Outcomes driven by the team provide greater value Understanding how to score is empowering Brings us together… 23 http://www.4dxbook.com/blog/people-play-differently-when-theyre-keeping-score/ S. Zahnfee @ Pickit
#RSAC This path gave us DevSecOps… DevSecOps Security Engineering Experiment, Automate, Test Security Operations Hunt, Detect, Contain Compliance Operations Respond, Manage, Train Security Science Learn, Measure, Forecast
#RSAC Enabled us to understand the problem space… Gating processes are not Deming-like Security is a design constraint Decisions made by engineering teams Hard to avoid business catastrophes by applying one-size-fits-all strategies Security defects is more like a security “recall” design build deploy operate How do I secure my app? What component is secure enough? How do I secure secrets for the app? Is my app getting attacked? How? Typical gates for security checks & balances Mistakes and drift often happen after design and build phases that result in weaknesses and potentially exploits Most costly mistakes Happen during design Faster security feedback loop
#RSAC Gave us the courage to question everything… Determine defect and feature flows for Security to funnel to distributed teams Inventory work processes, guidelines, policies, experiments, data and tools Identify groups, roles and skills required to support processes Identify friction and measure speed of MTTR Identify types of decisions Identify metrics for measuring experiments and adapting processes • Implement Code & Infrastructure Guidelines • Implement Rules Engineering Processes • Implement Security Defect Reporting • Implement Consulting and Requests Process • Implement Infrastructure Templates • Implement Red Team & SOC Processes • Implement Manual Staging Processes • Implement a Decisions Process • Implement an Escalation Process with clear stakeholders • All systems should be run with API inspection available via a Security Fabric. (Systems without inspection require manual intervention.) • Implement Security Portal for feedback consolidation across security processes • Implement Case Management for Requests, Defects, and Incidents • Implement Testing framework • Implement Correlation engine • Implement foundational security controls • Integrate with core organizational systems Operating Model Processes Tooling n number of experiments to refine processes and automate where possible • Identified opportunities to develop capacity without increasing risk to too high a level • Inventory provides information for Decisions board to help with risk decisions outcomes • Decisions board with clear escalation path by type of decision • Ability to Communicate and Train on initial processes • Consistent Ins/Outs of Dynamic Work with standard templates • SDE helps with reducing manual efforts • Ability to build up capacity for Stage Two Expected Issues: Communication changes, adaptation of skills, decisions processes, expectations, audits and risk guidelines mismatch
#RSAC Empowered us to challenge the status quo… API KEY EXPOSURE -> 8 HRS DEFAULT CONFIGS -> 24 HRS SECURITY GROUPS -> 24 HRS ESCALATION OF PRIVS -> 5 D KNOWN VULN -> 8 HRS
#RSAC Got us to communicate with developers like a developer…
#RSAC Made us think about how to shift left… Everyone knows Maslow… If you can remember 5 things, remember these -> “Apps & data are as safe as where you put it, what’s in it, how you inspect it, who talks to it, and how its protected…”
#RSAC Helped us blaze a trail so others could succeed too… 30 Stock Unlimited 1515599 @ Pickit
#RSAC How do I learn more about this?
#RSAC It is time to change… 32 Get involved. Write an article. Give and take feedback. Contribute to Open Source. Give feedback. Volunteer.

Recommended

Ops Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon EdwardsOps Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon EdwardsSeniorStoryteller
 
Implementing DevOps in a Regulated Environment - DJ Schleen
Implementing DevOps in a Regulated Environment - DJ SchleenImplementing DevOps in a Regulated Environment - DJ Schleen
Implementing DevOps in a Regulated Environment - DJ SchleenSeniorStoryteller
 
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel DiscussionScaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel DiscussionSeniorStoryteller
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybSeniorStoryteller
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big pictureDevSecOpsSg
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzSeniorStoryteller
 
DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF LoftDevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF LoftAmazon Web Services
 

Recommended

Ops Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon EdwardsOps Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon EdwardsSeniorStoryteller
 
Implementing DevOps in a Regulated Environment - DJ Schleen
Implementing DevOps in a Regulated Environment - DJ SchleenImplementing DevOps in a Regulated Environment - DJ Schleen
Implementing DevOps in a Regulated Environment - DJ SchleenSeniorStoryteller
 
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel DiscussionScaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel DiscussionSeniorStoryteller
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybSeniorStoryteller
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big pictureDevSecOpsSg
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzSeniorStoryteller
 
DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF LoftDevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF LoftAmazon Web Services
 
DevSecOps - Building Rugged Software
DevSecOps - Building Rugged SoftwareDevSecOps - Building Rugged Software
DevSecOps - Building Rugged SoftwareSeniorStoryteller
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineJames Wickett
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101Narudom Roongsiriwong, CISSP
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityDevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityFranklin Mosley
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresPriyanka Aash
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOpsMichelangelo van Dam
 
DevOps and DevSecOps, Incident Management
DevOps and DevSecOps, Incident ManagementDevOps and DevSecOps, Incident Management
DevOps and DevSecOps, Incident ManagementShriniKulkarni
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsJames Wickett
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
PIACERE - DevSecOps Automated
PIACERE - DevSecOps AutomatedPIACERE - DevSecOps Automated
PIACERE - DevSecOps AutomatedPIACERE
 
Automating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOpsAutomating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOpsTushar Gupta
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramDeborah Schalm
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsabhimanyubhogwan
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactSBWebinars
 
Barriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome ThemBarriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome ThemWhiteSource
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxSonatype
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOpsDevOps Indonesia
 
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...SeniorStoryteller
 
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and DockerHero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and DockerSeniorStoryteller
 

More Related Content

What's hot

DevSecOps - Building Rugged Software
DevSecOps - Building Rugged SoftwareDevSecOps - Building Rugged Software
DevSecOps - Building Rugged SoftwareSeniorStoryteller
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineJames Wickett
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon
 
DevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityDevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityFranklin Mosley
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresPriyanka Aash
 
DevOps and DevSecOps, Incident Management
DevOps and DevSecOps, Incident ManagementDevOps and DevSecOps, Incident Management
DevOps and DevSecOps, Incident ManagementShriniKulkarni
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsJames Wickett
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
PIACERE - DevSecOps Automated
PIACERE - DevSecOps AutomatedPIACERE - DevSecOps Automated
PIACERE - DevSecOps AutomatedPIACERE
 
Automating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOpsAutomating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOpsTushar Gupta
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramDeborah Schalm
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactSBWebinars
 
Barriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome ThemBarriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome ThemWhiteSource
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxSonatype
 

What's hot (20)

DevSecOps - Building Rugged Software
DevSecOps - Building Rugged SoftwareDevSecOps - Building Rugged Software
DevSecOps - Building Rugged Software
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
DevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityDevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving Security
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructures
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOps
 
DevOps and DevSecOps, Incident Management
DevOps and DevSecOps, Incident ManagementDevOps and DevSecOps, Incident Management
DevOps and DevSecOps, Incident Management
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOps
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
 
PIACERE - DevSecOps Automated
PIACERE - DevSecOps AutomatedPIACERE - DevSecOps Automated
PIACERE - DevSecOps Automated
 
Automating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOpsAutomating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOps
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
 
Barriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome ThemBarriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome Them
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all Equifax
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
 

Viewers also liked

Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...SeniorStoryteller
 
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and DockerHero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and DockerSeniorStoryteller
 
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
Where Bits & Bytes Meet Flesh and Blood - Joshua CormanWhere Bits & Bytes Meet Flesh and Blood - Joshua Corman
Where Bits & Bytes Meet Flesh and Blood - Joshua CormanSeniorStoryteller
 
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...SeniorStoryteller
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon
 
Git in the Enterprise: How to succeed at DevOps using Git and a monorepo
Git in the Enterprise: How to succeed at DevOps using Git and a monorepo Git in the Enterprise: How to succeed at DevOps using Git and a monorepo
Git in the Enterprise: How to succeed at DevOps using Git and a monorepo Perforce
 
Enterprise Docker Requires a Private Registry
Enterprise Docker Requires a Private RegistryEnterprise Docker Requires a Private Registry
Enterprise Docker Requires a Private RegistryChris Riley ☁
 
Git/Gerrit with TeamForge
Git/Gerrit with TeamForgeGit/Gerrit with TeamForge
Git/Gerrit with TeamForgeCollabNet
 
Inside GitHub
Inside GitHubInside GitHub
Inside GitHuberr
 
Breaking Bad Equilibruim - John Willis
Breaking Bad Equilibruim - John WillisBreaking Bad Equilibruim - John Willis
Breaking Bad Equilibruim - John WillisSeniorStoryteller
 
Locally it worked! virtualizing docker
Locally it worked! virtualizing dockerLocally it worked! virtualizing docker
Locally it worked! virtualizing dockerSascha Brinkmann
 
Continuous delivery with jenkins, docker and exoscale
Continuous delivery with jenkins, docker and exoscaleContinuous delivery with jenkins, docker and exoscale
Continuous delivery with jenkins, docker and exoscaleJulia Mateo
 
Building and deploying a distributed application with Docker, Mesos and Marathon
Building and deploying a distributed application with Docker, Mesos and MarathonBuilding and deploying a distributed application with Docker, Mesos and Marathon
Building and deploying a distributed application with Docker, Mesos and MarathonJulia Mateo
 
Deploying Docker Containers at Scale with Mesos and Marathon
Deploying Docker Containers at Scale with Mesos and MarathonDeploying Docker Containers at Scale with Mesos and Marathon
Deploying Docker Containers at Scale with Mesos and MarathonDiscover Pinterest
 
Building Security In - A Tale of Two Stories - Laksh Raghavan
Building Security In - A Tale of Two Stories - Laksh RaghavanBuilding Security In - A Tale of Two Stories - Laksh Raghavan
Building Security In - A Tale of Two Stories - Laksh RaghavanSeniorStoryteller
 
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
Release Engineering & Rugged DevOps: An Intersection - J. Paul ReedRelease Engineering & Rugged DevOps: An Intersection - J. Paul Reed
Release Engineering & Rugged DevOps: An Intersection - J. Paul ReedSeniorStoryteller
 
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...DevSecCon
 
Transforming Organizations with CI/CD
Transforming Organizations with CI/CDTransforming Organizations with CI/CD
Transforming Organizations with CI/CDCprime
 
Docker Continuous Delivery Workshop
Docker Continuous Delivery WorkshopDocker Continuous Delivery Workshop
Docker Continuous Delivery WorkshopJirayut Nimsaeng
 

Viewers also liked (20)

Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
 
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and DockerHero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
 
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
Where Bits & Bytes Meet Flesh and Blood - Joshua CormanWhere Bits & Bytes Meet Flesh and Blood - Joshua Corman
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
 
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
 
Git in the Enterprise: How to succeed at DevOps using Git and a monorepo
Git in the Enterprise: How to succeed at DevOps using Git and a monorepo Git in the Enterprise: How to succeed at DevOps using Git and a monorepo
Git in the Enterprise: How to succeed at DevOps using Git and a monorepo
 
The R.O.A.D to DevOps
The R.O.A.D to DevOpsThe R.O.A.D to DevOps
The R.O.A.D to DevOps
 
Enterprise Docker Requires a Private Registry
Enterprise Docker Requires a Private RegistryEnterprise Docker Requires a Private Registry
Enterprise Docker Requires a Private Registry
 
Git/Gerrit with TeamForge
Git/Gerrit with TeamForgeGit/Gerrit with TeamForge
Git/Gerrit with TeamForge
 
Inside GitHub
Inside GitHubInside GitHub
Inside GitHub
 
Breaking Bad Equilibruim - John Willis
Breaking Bad Equilibruim - John WillisBreaking Bad Equilibruim - John Willis
Breaking Bad Equilibruim - John Willis
 
Locally it worked! virtualizing docker
Locally it worked! virtualizing dockerLocally it worked! virtualizing docker
Locally it worked! virtualizing docker
 
Continuous delivery with jenkins, docker and exoscale
Continuous delivery with jenkins, docker and exoscaleContinuous delivery with jenkins, docker and exoscale
Continuous delivery with jenkins, docker and exoscale
 
Building and deploying a distributed application with Docker, Mesos and Marathon
Building and deploying a distributed application with Docker, Mesos and MarathonBuilding and deploying a distributed application with Docker, Mesos and Marathon
Building and deploying a distributed application with Docker, Mesos and Marathon
 
Deploying Docker Containers at Scale with Mesos and Marathon
Deploying Docker Containers at Scale with Mesos and MarathonDeploying Docker Containers at Scale with Mesos and Marathon
Deploying Docker Containers at Scale with Mesos and Marathon
 
Building Security In - A Tale of Two Stories - Laksh Raghavan
Building Security In - A Tale of Two Stories - Laksh RaghavanBuilding Security In - A Tale of Two Stories - Laksh Raghavan
Building Security In - A Tale of Two Stories - Laksh Raghavan
 
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
Release Engineering & Rugged DevOps: An Intersection - J. Paul ReedRelease Engineering & Rugged DevOps: An Intersection - J. Paul Reed
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
 
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
 
Transforming Organizations with CI/CD
Transforming Organizations with CI/CDTransforming Organizations with CI/CD
Transforming Organizations with CI/CD
 
Docker Continuous Delivery Workshop
Docker Continuous Delivery WorkshopDocker Continuous Delivery Workshop
Docker Continuous Delivery Workshop
 

Similar to Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - Shannon Lietz

Release Your Inner DevSecOp
Release Your Inner DevSecOpRelease Your Inner DevSecOp
Release Your Inner DevSecOpJames Wickett
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPriyanka Aash
 
How to transform developers into security people
How to transform developers into security peopleHow to transform developers into security people
How to transform developers into security peoplePriyanka Aash
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"Aaron Rinehart
 
DevSecOpsMaturityModel.pdf
DevSecOpsMaturityModel.pdfDevSecOpsMaturityModel.pdf
DevSecOpsMaturityModel.pdfcdsk335
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchSpencer Koch
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier
 
Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Eturnti Consulting Pvt Ltd
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Deliverydevopsdaysaustin
 
Working on DevSecOps culture - a team centric view
Working on DevSecOps culture - a team centric viewWorking on DevSecOps culture - a team centric view
Working on DevSecOps culture - a team centric viewPatrick Debois
 
Introducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy ProductsIntroducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy ProductsPriyanka Aash
 
AppSec Awareness: A Blueprint for Security Culture Change
AppSec Awareness: A Blueprint for Security Culture ChangeAppSec Awareness: A Blueprint for Security Culture Change
AppSec Awareness: A Blueprint for Security Culture ChangePriyanka Aash
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015Shannon Lietz
 
State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019Stefan Streichsbier
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009Security Ninja
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenNadira Bajrei
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Yazad Khandhadia
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019Stefan Streichsbier
 
ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015Shannon Lietz
 

Similar to Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - Shannon Lietz (20)

Release Your Inner DevSecOp
Release Your Inner DevSecOpRelease Your Inner DevSecOp
Release Your Inner DevSecOp
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOps
 
How to transform developers into security people
How to transform developers into security peopleHow to transform developers into security people
How to transform developers into security people
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
 
DevSecOpsMaturityModel.pdf
DevSecOpsMaturityModel.pdfDevSecOpsMaturityModel.pdf
DevSecOpsMaturityModel.pdf
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery
 
Working on DevSecOps culture - a team centric view
Working on DevSecOps culture - a team centric viewWorking on DevSecOps culture - a team centric view
Working on DevSecOps culture - a team centric view
 
Introducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy ProductsIntroducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy Products
 
AppSec Awareness: A Blueprint for Security Culture Change
AppSec Awareness: A Blueprint for Security Culture ChangeAppSec Awareness: A Blueprint for Security Culture Change
AppSec Awareness: A Blueprint for Security Culture Change
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
 
DevSecCon Keynote
DevSecCon KeynoteDevSecCon Keynote
DevSecCon Keynote
 
State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien Harisen
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019
 
ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015
 

More from SeniorStoryteller

NuGet Package Management Done Right
NuGet Package Management Done RightNuGet Package Management Done Right
NuGet Package Management Done RightSeniorStoryteller
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSoftware Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSeniorStoryteller
 
Heroes’ Journey: Learning from Successful DevOps Transformations
Heroes’ Journey: Learning from Successful DevOps TransformationsHeroes’ Journey: Learning from Successful DevOps Transformations
Heroes’ Journey: Learning from Successful DevOps TransformationsSeniorStoryteller
 
Rugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for SuccessRugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for SuccessSeniorStoryteller
 
Create Rugged Applications: Managing Your Software Supply Chain
Create Rugged Applications: Managing Your Software Supply ChainCreate Rugged Applications: Managing Your Software Supply Chain
Create Rugged Applications: Managing Your Software Supply ChainSeniorStoryteller
 
Aligning Your Team and Your Powers for Success
Aligning Your Team and Your Powers for SuccessAligning Your Team and Your Powers for Success
Aligning Your Team and Your Powers for SuccessSeniorStoryteller
 
Leveraging Nexus Repository Manager at the Heart of DevOps
Leveraging Nexus Repository Manager at the Heart of DevOpsLeveraging Nexus Repository Manager at the Heart of DevOps
Leveraging Nexus Repository Manager at the Heart of DevOpsSeniorStoryteller
 
The DevOps Hero Toolkit: Nexus, Jenkins and Docker
The DevOps Hero Toolkit: Nexus, Jenkins and DockerThe DevOps Hero Toolkit: Nexus, Jenkins and Docker
The DevOps Hero Toolkit: Nexus, Jenkins and DockerSeniorStoryteller
 
Guns, Germs and Microservices w/ John Willis and Josh Corman
Guns, Germs and Microservices w/ John Willis and Josh CormanGuns, Germs and Microservices w/ John Willis and Josh Corman
Guns, Germs and Microservices w/ John Willis and Josh CormanSeniorStoryteller
 
What We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOpsWhat We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOpsSeniorStoryteller
 
Release Engineering and Rugged DevOps: An Intersection?
Release Engineering and Rugged DevOps: An Intersection?Release Engineering and Rugged DevOps: An Intersection?
Release Engineering and Rugged DevOps: An Intersection?SeniorStoryteller
 
Ops Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WayOps Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WaySeniorStoryteller
 
What We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOpsWhat We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOpsSeniorStoryteller
 
Building Security Controls around Attack Models
Building Security Controls around Attack ModelsBuilding Security Controls around Attack Models
Building Security Controls around Attack ModelsSeniorStoryteller
 

More from SeniorStoryteller (15)

NuGet Package Management Done Right
NuGet Package Management Done RightNuGet Package Management Done Right
NuGet Package Management Done Right
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSoftware Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
 
Heroes’ Journey: Learning from Successful DevOps Transformations
Heroes’ Journey: Learning from Successful DevOps TransformationsHeroes’ Journey: Learning from Successful DevOps Transformations
Heroes’ Journey: Learning from Successful DevOps Transformations
 
Rugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for SuccessRugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for Success
 
Create Rugged Applications: Managing Your Software Supply Chain
Create Rugged Applications: Managing Your Software Supply ChainCreate Rugged Applications: Managing Your Software Supply Chain
Create Rugged Applications: Managing Your Software Supply Chain
 
Aligning Your Team and Your Powers for Success
Aligning Your Team and Your Powers for SuccessAligning Your Team and Your Powers for Success
Aligning Your Team and Your Powers for Success
 
Leveraging Nexus Repository Manager at the Heart of DevOps
Leveraging Nexus Repository Manager at the Heart of DevOpsLeveraging Nexus Repository Manager at the Heart of DevOps
Leveraging Nexus Repository Manager at the Heart of DevOps
 
The DevOps Hero Toolkit: Nexus, Jenkins and Docker
The DevOps Hero Toolkit: Nexus, Jenkins and DockerThe DevOps Hero Toolkit: Nexus, Jenkins and Docker
The DevOps Hero Toolkit: Nexus, Jenkins and Docker
 
Guns, Germs and Microservices w/ John Willis and Josh Corman
Guns, Germs and Microservices w/ John Willis and Josh CormanGuns, Germs and Microservices w/ John Willis and Josh Corman
Guns, Germs and Microservices w/ John Willis and Josh Corman
 
What We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOpsWhat We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOps
 
Release Engineering and Rugged DevOps: An Intersection?
Release Engineering and Rugged DevOps: An Intersection?Release Engineering and Rugged DevOps: An Intersection?
Release Engineering and Rugged DevOps: An Intersection?
 
Ops Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WayOps Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the Way
 
What We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOpsWhat We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOps
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
Building Security Controls around Attack Models
Building Security Controls around Attack ModelsBuilding Security Controls around Attack Models
Building Security Controls around Attack Models
 

Recently uploaded

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Recently uploaded (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - Shannon Lietz

  • 1. SESSION ID:SESSION ID: #RSAC Shannon Lietz Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! PROF-T11 Director, DevSecOps Intuit @devsecops
  • 2. #RSAC Take Responsibility. Give Credit. @seniorstoryteller <me /> 1984 1989 1996 2001 2011 DEVELOPER OPERATIONS “DEVSECOPS” “RUGGED” SECURITY PRESENT -- FOUNDER -- SAFER SOFTWARE SOONER
  • 3. #RSAC How we’ll spend our time today… 3 Educate + Learn = Apply So that we can achieve safer software sooner in our lifetime. …the next generation of security is ours to ignite! In hopes of speeding up your journey and inspiring you to rebel in your own way… I have banged my head against the wall many times to bring you these lessons…
  • 4. 4 Most say it’s never a good idea to break the rules... Pixabay @ Pickit until the forces of change demand it.
  • 5. #RSAC Software is eating the world!!! http://www.wsj.com/articles/SB10001424053111903480904576512250915629460 -Mark Andreessen, 2011
  • 6. #RSAC DevOps is eating the world!!! Imagine solving the world’s problems faster by collaborating and taking responsibility. In connection with Cloud Computing, DevOps is the cultural enabler needed to scale creativity and innovation. With the goal of solving customer problems faster, no wonder DevOps is taking over. ~1500% increase In 2 years
  • 7. #RSAC Cloud is eating the world!!! Public Cloud adoption is accelerating at a rapid pace… Software defined environments allow scale to happen and more decisions to be made daily… More people can experiment, learn and fail at a rapid pace to solve for customer demand…. Creativity is the next frontier… http://www.geekwire.com/2016/study-aws-45-share-public-cloud-infrastructure-market-microsoft-google-ibm-combined/
  • 8. #RSAC Security is blocking the world!!! <- Say What???
  • 9. #RSAC Security is viewed as the proctologist of the technology universe… and we really need to change this perception! http://www.flowmotioncafe.com @petecheslock
  • 11. WE MUST AVOID SECURITY EXTINCTION… http://donsmaps.com/images22/mutta1200.jpg Stock Unlimited 1288835 @ Pickit Security DNA DevOps Cloud Leader Mobile IoT End Users
  • 13. #RSAC Why is this necessary? evolution value compliance genesis customer custom- built product (+rental) commodity (+utility) devsecops visible invisible compute cloud compliance as code informational website domain names devops continuous deployment continuous integration transparent security rugged software fewer better suppliers security as code agile mobile customer-driven innovation traditional SDLC traditional security web app search engine red team penetration testing commodity bound growth emerging Catching up takes commitment
  • 14. #RSAC How hard could it be? Source Code CI Server Artifacts MonitoringDeploy Test & Scan DevOps Code - Creating Value & Availability DevSecOps Code - Creating Trust & Confidence
  • 15. #RSAC What type of skills are required? Dev Sec Ops Dev Sec Ops 15 Dev Sec Ops Developer Sys Admin Security Engineer competency needed skill; functional
  • 16. #RSAC Is everyone bought in? Management has some firm requirements due to financial commitments and reporting DevOps and Innovation can easily live in 3 out of 4 boxes but hardly like Control Security practitioners tend to write policies and distrust everyone not them; rightfully so, 1% insider threat is a lot! CONTROLCOLLABORATION CULTIVATION COMPETENCE people company reality possibility
  • 17. #RSAC Who can help? Forming the C.A.T. Team: Big bet 10 rare people in 6 months Hire for passion Remove barriers (logical and physical) Mixed skills and levels 17 P. Svangren @ Pickit C.A.T.T. aka Cyber Attack Tiger Team Bring big leadership skills if you want to wrangle big cats…
  • 18. #RSAC At first, it looked a lot like this… Offices fostered the wrong culture • Break down the walls • Long flat tables • Lounge areas • Continuous Learning • Increase communication • Small teams with purpose • Take a walk • Difficult discussions • Dedicated to success
  • 19. #RSAC How do I avoid being eaten by big CATTs? FROM AUTHORITY STRUCTURED POLICIES COMMAND & CONTROL RISK MITIGATED APPROVALS TO INSPIRATION FIRST PRINCIPLES VALUE DRIVEN RISK BALANCED LESSONS LEARNED
  • 20. #RSAC Goals matter… Without a goal you are neither a great leader nor a good follower… 20 0 15 years5 10 “Security is done!” J. Ekstam @ Pickit
  • 21. #RSAC HPO starts with team principles… • Everyone is learning • No one left behind • Don’t hug your code • Check your ego at the door • One for all 21 S. Khuntale 1434620403900 @ Pickit Measure for crunchiness once a week…
  • 22. #RSAC Confidence is critical… Operating model must increase confidence at all stages Opt for Coaching vs. Managing Increase communication Patience pays off Keep it blameless 22 confidence
  • 23. #RSAC Does your team keep score? Everyone can be a hero! Keeping score is fun! Outcomes driven by the team provide greater value Understanding how to score is empowering Brings us together… 23 http://www.4dxbook.com/blog/people-play-differently-when-theyre-keeping-score/ S. Zahnfee @ Pickit
  • 24. #RSAC This path gave us DevSecOps… DevSecOps Security Engineering Experiment, Automate, Test Security Operations Hunt, Detect, Contain Compliance Operations Respond, Manage, Train Security Science Learn, Measure, Forecast
  • 25. #RSAC Enabled us to understand the problem space… Gating processes are not Deming-like Security is a design constraint Decisions made by engineering teams Hard to avoid business catastrophes by applying one-size-fits-all strategies Security defects is more like a security “recall” design build deploy operate How do I secure my app? What component is secure enough? How do I secure secrets for the app? Is my app getting attacked? How? Typical gates for security checks & balances Mistakes and drift often happen after design and build phases that result in weaknesses and potentially exploits Most costly mistakes Happen during design Faster security feedback loop
  • 26. #RSAC Gave us the courage to question everything… Determine defect and feature flows for Security to funnel to distributed teams Inventory work processes, guidelines, policies, experiments, data and tools Identify groups, roles and skills required to support processes Identify friction and measure speed of MTTR Identify types of decisions Identify metrics for measuring experiments and adapting processes • Implement Code & Infrastructure Guidelines • Implement Rules Engineering Processes • Implement Security Defect Reporting • Implement Consulting and Requests Process • Implement Infrastructure Templates • Implement Red Team & SOC Processes • Implement Manual Staging Processes • Implement a Decisions Process • Implement an Escalation Process with clear stakeholders • All systems should be run with API inspection available via a Security Fabric. (Systems without inspection require manual intervention.) • Implement Security Portal for feedback consolidation across security processes • Implement Case Management for Requests, Defects, and Incidents • Implement Testing framework • Implement Correlation engine • Implement foundational security controls • Integrate with core organizational systems Operating Model Processes Tooling n number of experiments to refine processes and automate where possible • Identified opportunities to develop capacity without increasing risk to too high a level • Inventory provides information for Decisions board to help with risk decisions outcomes • Decisions board with clear escalation path by type of decision • Ability to Communicate and Train on initial processes • Consistent Ins/Outs of Dynamic Work with standard templates • SDE helps with reducing manual efforts • Ability to build up capacity for Stage Two Expected Issues: Communication changes, adaptation of skills, decisions processes, expectations, audits and risk guidelines mismatch
  • 27. #RSAC Empowered us to challenge the status quo… API KEY EXPOSURE -> 8 HRS DEFAULT CONFIGS -> 24 HRS SECURITY GROUPS -> 24 HRS ESCALATION OF PRIVS -> 5 D KNOWN VULN -> 8 HRS
  • 28. #RSAC Got us to communicate with developers like a developer…
  • 29. #RSAC Made us think about how to shift left… Everyone knows Maslow… If you can remember 5 things, remember these -> “Apps & data are as safe as where you put it, what’s in it, how you inspect it, who talks to it, and how its protected…”
  • 30. #RSAC Helped us blaze a trail so others could succeed too… 30 Stock Unlimited 1515599 @ Pickit
  • 31. #RSAC How do I learn more about this?
  • 32. #RSAC It is time to change… 32 Get involved. Write an article. Give and take feedback. Contribute to Open Source. Give feedback. Volunteer.

Editor's Notes

  1. The hockey stick of change has begun to reach it’s inflection point… no one wants to get hit upside the head with it. So why must we change?
  2. 2011
  3. 2012
  4. 2016
  5. 2013 - As security practitioners, there has never been a better time to get involved in transforming what doesn’t work.
  6. 2013 – Security DNA exists within a large practitioner base and it is time to consider how to extend it to others… whether by lab manipulation or other means.
  7. That’s a lot of skills to build…. Products aren’t ready… Processes haven’t been developed…. Metrics don’t exist.
  8. Everyone shares in their love for competency…
  9. 3 years ago, this series did not exist.