
Security Loves DevOps: DevOpsDays Austin 2012


Discusses the intersection between security and DevOps and how Security people can leverage DevOps and vice versa.

Published in: Technology, Business
  • Meeting Notes (4/1/12 15:14)
      1. Firewall rules faster
      2. Three things:
         - Information: What's vuln
         - Remediation: Fix it once and fast.
         - Consistency - things stay fixed
  • Security Loves DevOps: DevOpsDays Austin 2012

    1. DevOps & Security. James Turnbull, Puppet Labs. DEVOPSDAYS AUSTIN 2012
    2. Who me?
        • Puppet Labs employee
        • Security boffin
        • Open source fan
        • Author
        • Australian
        • Expletives
    3. More introductions: Does anyone here work in Security?
    4. Three things I hated about Security
        1. Not being liked
        2. Not being effective
        3. Not being happy
    5. Meme theft…
    6. What IT think Security do
    7. What the business think Security do
    8. What Security people think they do
    9. What Security Isn’t
    10. What Security Is (or Should Be)
        • Partnership not conflict
        • Servicing and Protecting all customers
        • Allowing increased risk appetite
        • Enabling the business to do business
    11. The Intersection
    12. Security people are people too
    13. Security people are people too
        • Developer People
        • Ops People
        • DBA People
        • Network People
        • Storage People
    14. DevOps & Security: You should care about security too!
    15. DevOps & Security: Evolution is mutual
    16. Getting Security to Listen: It’s all about the culture
    17. Getting Security to Listen: Destroy the blame culture
    18. Getting Security to Listen: Speak the same language
    19. Getting Security to Listen: “Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.” - CISA
    20. Getting Security to Listen: Let the business do business with the right controls
    21. Talking Controls
        • Provisioning & Deployment: Efficiency
        • Configuration Management: Inconsistency is the enemy of security
        • Incident Management: Information is King
        • Audit: Magic away auditors
    22. Ideas for Collaboration
    23. DevOps & Security
        • Get roles and responsibilities right
        • Security people are (skilled) people too
        • Risk Register diving
    24. Dev & Security
        • Put Security people into Dev
        • Gather security requirements early
        • Designed for security == Deployed sanely & securely
    25. Ops & Security
        • Embed Security into Ops escalation
        • Invite Security to post-mortems
        • Expose Security to your metrics & data
    26. Thanks. James Turnbull, james@puppetlabs.com, @kartar, http://www.kartar.net