SecDevOps
DevSecOps
DevOps
Which is it?
And what is DevOps?
And where does security fit?
In case you didn’t already know...
Why are we here?
• IT is changing fast. Attackers are changing fast. Defenders aren’t.
• Security tools must change
• Security processes must change
• Security practitioners must change
What is DevOps?
(No really – what is it? Discuss.)
What is DevOps? SPEED
Words: what do they mean?
• ‘Full stack’
• Automation Engineer
• DevOps Engineer
• Agile
• Waterfall
• Lean
• Cloud
• DevOps
‘New’ IT
There is a new IT: what is it?
[Diagram: Agile/Lean, Business, Cloud, DevOps – people and processes, tools and products, results]
Welcome to the new IT: key trends
• Speed: 10x faster to prod
• Agility
• Integration
• Automation
• Developers
• Convenience
• Resilience: going faster requires better safety
• Success: project success increases by 14%-28%
NOTE: Success metrics from 2013 Ambysoft and 2015 Chaos Manifesto survey data, comparing projects using Waterfall vs Agile. Agile project success improvements increase with project size.
Why DevOps?
[Diagram: Agile, Business, DevOps, Cloud]
Where does security fit?
Pete Cheslock’s analogy
https://twitter.com/petecheslock/status/595617204273618944
Stefan Streichsbier’s solution
https://www.slideshare.net/StefanStreichsbier/application-security-in-an-agile-world-agile-singapore-2016
The Security Practitioner: old versus new
The Traditional Practitioner
• Monitoring security alerts
• Manage network security
• Manage endpoint security
• IR/Forensics
• Pentesting
• Vulnerability Scanning
• Policies/Standards
• Compliance/Regs
• Log management
• DR/BCP and SecAware
The New Practitioner
• Influence design, architecture standards, processes
• Automate tasks (code)
• Forensics
• Security assessments
• Identify gaps and recommend fixes (code)
• API integration (code)
• Data science (code)
• Routing, load balancing, network protocols
Understanding security’s role by understanding IT
Traditional approach to security:
• Security is always a secondary or enabling layer
• Security must have direct knowledge and experience with the underlying layer in order to be effective at protecting it or recommending feasible solutions
• Direct experience in core technical disciplines goes a long way in earning respect and cooperation
[Diagram: IT layer stack – Physical Security, OS Layer, Network Layer, Service Desk, Dev/QA/Test, Web/App Layer, Ops]
Understanding security’s role by understanding IT
Issues with the traditional approach:
• Few security teams can ever be ‘well-rounded’ enough
• Security team isn’t qualified to advise much of IT
• Adversarial/dysfunctional relationships common
• IT changes often; attackers adapt quickly
• Defenders and security tools adapt slowly
[Diagram: IT layer stack – Physical Security, OS Layer, Network Layer, Service Desk, Dev/QA/Test, Web/App Layer, Ops – with Security as a separate layer]
Security’s changing role
An example: going ‘cloud-first’
• Lower-level IT layers are outsourced
• Most security practitioner knowledge lies in these layers
• Infrastructure-heavy security skillsets lose value
• Concept of bi-modal IT further confuses things
• As IT changes, so must security
[Diagram: IT layer stack – Physical Security, OS Layer, Network Layer, Service Desk, Dev/QA/Test, Web/App Layer, Ops]
Security’s changing role
Cloud and DevOps – an opportunity to redesign security:
• Smaller ‘well-rounded’ groups
• Dev, ops, infrastructure and security roles are shared
• Everyone working towards a clear, common goal
• Relationship between security and developers is crucial
• Security can’t impact delivery schedule
[Diagram: layer stack – Physical; OS Layer; Network Layer; Service Desk; Dev, QA, Test; Web/App Layer; Ops; Security]
Questions
What should security’s future role be?
• Security is redistributed into IT for all operational tasks
• Dedicated security staff performs
  • high-level design, design/architectural input
  • monitor changes in risk/attackers/landscape
  • instruct/consult individual SMEs as needed
[Diagram: layer stack – Physical; OS Layer; Network Layer; Service Desk; Dev, QA, Test; Web/App Layer; Ops – with several Security SMEs embedded in IT and an Internal Security Team alongside]
New rule: if you own it, own it
“Whoever is responsible for an asset – be it data, infrastructure, code, or people – must secure it”
Why make asset owners responsible?
• No one knows and understands the opportunities, constraints and dependencies of the asset better
• Otherwise, security becomes a bottleneck for performance, progress and often even security itself
• Little to no time wasted on remediation conflict: what to fix, how to fix it, when and at what priority level
• Likely that fewer security issues will occur*
• Drives the cost of securing systems down, in terms of labor, efficiency and efficacy**
* I’ll explain later
** I’ll explain after that
Better Testing, Worse Quality?
Study done in 2000 by Elizabeth Hendrickson
(Reads like a short version of the Phoenix Project)
Better Testing, Worse Quality?
Study done in 2000 by Elizabeth Hendrickson
• Creating an independent testing group can encourage counterproductive culture
• “Don’t do today what you can push off onto someone else’s plate”
• Document and address low hanging fruit
• Schedule time for developers to test and fix bugs
• To improve code quality, stop the problem at the source
• Everyone should understand what they’re building and why
• Get testers involved earlier in the process
• Bottleneck testing resources and developers are forced to ship higher quality code
http://testobsessed.com/wp-content/uploads/2011/04/btwq.pdf
Better Testing, Worse Quality?
Study done in 2000 by Elizabeth Hendrickson
• Could this apply to InfoSec?
• Surely not.
• In fact, it might be quite worse.
• We’ve convinced everyone not just that security is our job, but that we’re the only ones that can do it properly.
• What if they believed us?
Security and DevOps Overview

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

Security and DevOps Overview

  • 1. SecDevOps, DevSecOps, DevOps: which is it? And what is DevOps? And where does security fit?
  • 2. In case you didn’t already know...
  • 3. Why are we here?
    • IT is changing fast. Attackers are changing fast. Defenders don’t.
    • Security tools must change
    • Security processes must change
    • Security practitioners must change
  • 4. What is DevOps? (No really – what is it? Discuss.)
  • 8. Words: what do they mean?
    • ‘Full stack’
    • Automation Engineer
    • DevOps Engineer
    • Agile
    • Waterfall
    • Lean
    • Cloud
    • DevOps
  • 11. There is a new IT: what is it? [Diagram: Agile/Lean, Business, Cloud and DevOps, grouped as people and processes, tools and products, and results]
  • 12. Welcome to the new IT: key trends
    • Speed: 10x faster to prod
    • Agility
    • Integration
    • Automation
    • Developers
    • Convenience
    • Resilience: going faster requires better safety
    • Success: project success increases by 14%-28%
    NOTE: Success metrics from 2013 Ambysoft and 2015 Chaos Manifesto survey data, comparing projects using Waterfall vs Agile. Agile project success improvements increase with project size.
  • 19. The Security Practitioner: old versus new
    The New Practitioner
    • Influence design, architecture standards, processes
    • Automate tasks
    • Forensics
    • Security assessments
    • Identify gaps and recommend fixes
    • API integration
    • Data science
    • Routing, load balancing, nw protocols
    The Traditional Practitioner
    • Monitoring security alerts
    • Manage network security
    • Manage endpoint security
    • IR/Forensics
    • Pentesting
    • Vulnerability Scanning
    • Policies/Standards
    • Compliance/Regs
    • Log management
    • DR/BCP and SecAware
  • 20. The Security Practitioner: old versus new
    The New Practitioner
    • Influence design, architecture standards, processes
    • Automate tasks (code)
    • Forensics
    • Security assessments
    • Identify gaps and recommend fixes (code)
    • API integration (code)
    • Data science (code)
    • Routing, load balancing, network protocols
    The Traditional Practitioner
    • Monitoring security alerts
    • Manage network security
    • Manage endpoint security
    • IR/Forensics
    • Pentesting
    • Vulnerability Scanning
    • Policies/Standards
    • Compliance/Regs
    • Log management
    • DR/BCP and SecAware
  • 22. Understanding security’s role by understanding IT
    Traditional approach to security:
    • Security is always a secondary or enabling layer
    • Security must have direct knowledge and experience with the underlying layer in order to be effective at protecting it or recommending feasible solutions
    • Direct experience in core technical disciplines goes a long way in earning respect and cooperation
    [Diagram: Security overlaid on the IT layers: Physical, OS Layer, Network Layer, Service Desk, Dev/QA/Test, Web/App Layer, Ops]
  • 23. Understanding security’s role by understanding IT
    Issues with the traditional approach:
    • Few security teams can ever be ‘well-rounded’ enough
    • Security team isn’t qualified to advise much of IT
    • Adversarial/dysfunctional relationships common
    • IT changes often; attackers adapt quickly
    • Defenders and security tools adapt slowly
    [Diagram: Security overlaid on the IT layers: Physical, OS Layer, Network Layer, Service Desk, Dev/QA/Test, Web/App Layer, Ops]
  • 24. Security’s changing role
    An example: going ‘cloud-first’
    • Lower-level IT layers are outsourced
    • Most security practitioner knowledge lies in these layers
    • Infrastructure-heavy security skillsets lose value
    • Concept of bi-modal IT further confuses things
    • As IT changes, so must security
    [Diagram: Security overlaid on the IT layers: Physical, OS Layer, Network Layer, Service Desk, Dev/QA/Test, Web/App Layer, Ops]
  • 25. Security’s changing role
    Cloud and DevOps – an opportunity to redesign security:
    • Smaller ‘well-rounded’ groups
    • Dev, ops, infrastructure and security roles are shared
    • Everyone working towards a clear, common goal
    • Relationship between security and developers is crucial
    • Security can’t impact delivery schedule
    [Diagram: IT layers (Physical, OS Layer, Network Layer, Service Desk; Dev, QA, Test; Web/App Layer; Ops) with Security alongside them]
  • 26. Questions
    What should security’s future role be?
    • Security is redistributed into IT for all operational tasks
    • Dedicated security staff performs
      • high-level design, design/architectural input
      • monitor changes in risk/attackers/landscape
      • instruct/consult individual SMEs as needed
    [Diagram: IT layers (Physical, OS Layer, Network Layer, Service Desk; Dev, QA, Test; Web/App Layer; Ops), each with a Security SME, plus an Internal Security Team]
  • 27. New rule: if you own it, own it
    “Whoever is responsible for an asset – be it data, infrastructure, code, or people – must secure it”
  • 28. Why make asset owners responsible?
    • No one knows and understands the opportunities, constraints and dependencies of the asset better
    • Security becomes a bottleneck for performance, progress and often, even security
    • Little to no time wasted on remediation conflict: what to fix, how to fix it, when and at what priority level
    • Likely that fewer security issues will occur*
    • Drives the cost of securing systems down, in terms of labor, efficiency and efficacy**
    * I’ll explain later
    ** I’ll explain after that
  • 29. Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson. Reads like a short version of the Phoenix Project.
  • 30. Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson
    • Creating an independent testing group can encourage counterproductive culture
    • “Don’t do today what you can push off onto someone else’s plate”
    • Document and address low hanging fruit
    • Schedule time for developers to test and fix bugs
    • To improve code quality, stop the problem at the source
    • Everyone should understand what they’re building and why
    • Get testers involved earlier in the process
    • Bottleneck testing resources and developers are forced to ship higher quality code
    http://testobsessed.com/wp-content/uploads/2011/04/btwq.pdf
  • 31. Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson
    • Could this apply to InfoSec?
    • Surely not.
    • In fact, it might be quite worse.
    • We’ve convinced everyone not just that security is our job, but that we’re the only ones that can do it properly.
    • What if they believed us?

Editor's Notes

  1. Just read the tweet.
  2. DevOps is a combination of culture, processes and principles. This is the most challenging aspect of what we’re talking about today, because it fundamentally transforms how IT works. And ultimately the combination of DevOps and new technologies like cloud is having a permanent impact on how businesses operate.
  3. Speed: first production release going out in the time it took hardware to ship to our doorsteps. Agility: the ability to add/remove/change infrastructure at will without significant capital expense. Resilience: could also be thought of as “survivability”. With this much automation, the application must be resilient, and IT must plan for a range of contingencies. Bonus: you’ve planned for DR/BCP simultaneously! Success
  4. Why DevOps? It isn't a fad, it is simply the most efficient, reliable and successful way we've found so far to build and run software. In the beginning, IT led the charge as an experiment and a way to fix/alleviate issues. Now that the business has seen the value in it, it has gone from fad/trend to requirement and permanent change. There’s no going back.
  5. I'm talking about people, but this is all text, it's a list Focus on the message - again, try to use icons Right now, the slide doesn't show the differences very well Don't necessarily need to use the lists Could ask the audience what differences they see, and then reveal the actual differences - look at how diff tools show the difference visually
  7. We could also throw some other things in here as well: People (security awareness training), HR, Data, Supply Chain/Third party partners, Compliance/regulation, Design/Architecture, Identity.
  11. Just an idea – doesn’t have to be precisely like this. Depends on the business, the culture, trial/error and a hundred other factors. The general idea though, is to get security responsibility and expertise closer to where the work is done.
  12. Introduced an independent test unit, which made the number of bugs go up and software quality go down.
  13. Findings: More QA = more bugs and longer cycles. Created the psychological impact of telling developers that quality is someone else’s problem. Insulting; perceived lack of empathy and respect for the developer. Solution: Tight relationships necessary between QA and Dev. QA remains, but with an artificial bottleneck. Developers still responsible for deadlines and therefore have to ‘budget’ time for QA. Devs write better code to ensure it goes through QA quickly. Devs need to be given 10% extra time to ensure better quality code.
  14. Also, remember – the two are inseparably linked. When we talk about code quality, we’re also often talking about security: issues with quality are where vulnerabilities come from, right?