#RSAC
Slide 1: How Security can be the Next Force Multiplier in DevOps
Session ID: ASD-F01
Andrew Storms, VP, Security Services, New Context
@St0rmz
Slide 2: Make security the reason for DevOps adoption
- Software development challenges
- DevOps doesn't address secure coding challenges
- It's our duty to effect change in DevOps
- Security embedded in DevOps makes DevOps better
- Don't fear DevOps: know the people, processes and tools
- Find your positive entry points
- Making a plan
Slide 3: Software Development Challenges
[Diagram: process steps Plan, Code, Test, Release, Deploy, Operate; owners PM, Dev, QA, Release Mgmt, Ops, Ops, Security]
- Non-DevOps software development environment
- Everything is separate

Slide 4: Software Development Challenges
[Diagram: the same process steps and owners, with downward business pressures: Time To Market, Changing Requirements, Tech Debt, Control Costs, Risk Reduction, Reporting]
- Downward business pressures

Slide 5: Software Development Challenges
[Diagram: the same, adding upward security pressures: Threat Mgmt, Risk Reduction, Reporting]
- Upward security pressures

Slide 6: Software Development Challenges
[Diagram: the same, adding Governance, Policy, Audit, Compliance; labels: Program Management, Business & Product, Security & Compliance, Software Dev, Pressure (from above and below)]
Slide 7: Software Development Challenges
- External pressures
- Disjointed
- Costly
- Siloed
- Opaque
- Complex
- Always late, out of sync, fragile
Slide 8: Then along came the DevOps
Non-DevOps:
- Disjointed
- Costly
- Opaque
- Always late
DevOps:
- Conjoined
- Lean
- Transparent
- Agile
Slide 9: Then along came the DevOps
[Diagram: process steps Plan, Code, Test, Release, Deploy, Operate, now owned by DevOps, Ops, Security; Governance, Policy, Audit, Compliance; pressures Time To Market, Changing Requirements, Tech Debt, Control Costs, Risk Reduction, Threat Mgmt, Reporting, Agile; green = DevOps]

Slide 10: Then along came the DevOps
- Meets business & product needs
  - On time, within budget
- Meets ops and dev needs
  - Agile, harmonious, consistent
- Fails to meet security needs
  - No attempt to deliver secure application code
  - Security still left out and left last

Slide 11: Then along came the DevOps
[Diagram: same as slide 9, annotated "Business & Product needs" and "Operational & Dev needs"]

Slide 12: Then along came the DevOps
[Diagram: same as slide 11, adding "Security, Audit, Compliance: Needs Unmet"]

Slide 13: Then along came the DevOps
[Diagram: same as slide 9, with "Pressure" labels from above and below]
Slide 14: How popular is DevOps?
- Oct 2014 CA Technologies Survey
  - 88% of respondents already have or plan to adopt DevOps in the next 5 years (up from 66% the prior year)
  - Top obstacle (28%) to DevOps in their organization was security or compliance concerns
- Oct 2014 Rackspace Survey
  - 55% already implemented DevOps; 31% planning to implement DevOps within 3 years
  - Primary driver for DevOps? Only 2% said audit or compliance
Sources:
http://rewrite.ca.com/us/articles/devops/research-report--devops-the-worst-kept-secret-to-winning-in-the-application-economy.aspx
http://www.rackspace.co.uk/sites/default/files/devops-automation-report.pdf
Slide 15: DevOps Kicks The Security Can Down The Road
[Diagram: process steps Plan, Code, Test, Release, Deploy, Operate. Old Way owners: PM, Dev, QA, Release Mgmt, Ops, Ops, Security. DevOps Way owners: DevOps, Ops, Security. Caption: "Security is still the last guy"]
Slide 16: DevOps Is Bad For Security
- Fast
  - ~50 deploys a day!
  - Faster to production = faster to be pwned
- Too much complexity
  - Unwieldy
  - Everyone has access to everything
  - Full stack engineers
  - Fewer test cases
- Deplorable
  - No audit
  - No control points
  - No process
Slide 17: DevOps Is Good For Security
- Increases process insertion points
- Increases consistency
- Increases predictability
- Decreases time to change
- Increases auditability
- Reduces costs
- Reduces waste
[Diagram labels: Simple, Manageable, Automatable, Testable]
Slide 18: Security Is Good For DevOps
- Business enabler
- Transparency
- Trust
- Protects privacy
- Accountability
- Regulatory & audit
[Diagram: Security, DevOps] Let the people focus on their core competencies
Slide 19: Know Your Nemesis
Security Team:
- Compliance
- Silos
- Change control
- FUD masters
DevOps Teams:
- Security != compliance
- Open
- Lots of change
- Data scientists
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." – Sun Tzu
Slide 20: How do we get these teams to work together?
(Every DevOps presentation must have random gears image)
Slide 21: Action Plan
- Pipeline
- Tools
- Processes
- Today's todos
[Diagram labels: Long term, Short term, Know your DevOps]
Slide 22: Apply Security Expertise to DevOps Pipeline
[Diagram: Dev, Git, Chef, Jenkins, Stage, Prod; inputs App Code, Inf Code, Templates; Functional Tests, Security Tests, Other Tests; Instrumentation, Log Analysis, Logging; statsd]
Slide 23: Security Makes DevOps Better - Tools
- Git (Source Code Management)
  - Make it the source of truth for everything
  - Sometimes people use Chef for revision control
  - Separate repositories for each cookbook
  - Branching strategy needs to support isolation, rollback, logging
- Git Hooks
  - Enforce policy at commit time
  - Commit message, additional logging
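One way to put "enforce policy at commit time" into practice, as an added example that is not from the deck: a Ruby commit-msg hook that rejects messages without a ticket reference and appends a JSON audit line for every attempt, accepted or not. The policy values (ticket pattern, subject length limits, log path) are assumptions.

```ruby
#!/usr/bin/env ruby
# commit-msg hook: git runs it with one argument, the path of the file holding
# the proposed commit message. Exit non-zero and the commit is refused.
# Install as .git/hooks/commit-msg (chmod +x) or point core.hooksPath at a
# shared hooks directory so every clone applies the same policy.
require 'json'
require 'time'
require 'tmpdir'

# Assumed policy values (the deck only says "enforce policy at commit time").
TICKET_RE   = /\b[A-Z][A-Z0-9]+-\d+\b/   # e.g. SEC-123 or OPS-42
MIN_SUBJECT = 10
MAX_SUBJECT = 72
AUDIT_LOG   = ENV.fetch('COMMIT_AUDIT_LOG', '.git/commit-audit.log')

# Returns the list of policy violations for a message; empty means accepted.
def commit_msg_violations(message)
  lines   = message.lines.map(&:chomp).reject { |l| l.start_with?('#') }
  subject = lines.first.to_s.strip
  v = []
  v << 'subject is empty' if subject.empty?
  v << "subject shorter than #{MIN_SUBJECT} chars" if !subject.empty? && subject.length < MIN_SUBJECT
  v << "subject longer than #{MAX_SUBJECT} chars" if subject.length > MAX_SUBJECT
  v << 'second line must be blank' if lines.size > 1 && !lines[1].strip.empty?
  v << 'WIP commits are not allowed' if subject =~ /\Awip\b/i
  v << 'no ticket reference (e.g. SEC-123) in message' unless message =~ TICKET_RE
  v
end

# One JSON object per attempted commit, so the decision itself is auditable.
def audit_record(message, violations, now: Time.now)
  {
    'time'    => now.utc.iso8601,
    'author'  => ENV['GIT_AUTHOR_NAME'] || ENV['USER'] || 'unknown',
    'ticket'  => message[TICKET_RE],
    'result'  => violations.empty? ? 'accepted' : 'rejected',
    'reasons' => violations
  }
end

# Evaluates the message file, appends the audit line and returns true to accept.
def run_hook(msg_path, log_path: AUDIT_LOG, now: Time.now, out: $stderr)
  message    = File.read(msg_path)
  violations = commit_msg_violations(message)
  File.open(log_path, 'a') { |f| f.puts(JSON.generate(audit_record(message, violations, now: now))) }
  violations.each { |reason| out.puts "commit-msg policy: #{reason}" }
  violations.empty?
end

if __FILE__ == $PROGRAM_NAME
  if ARGV[0]
    exit(run_hook(ARGV[0]) ? 0 : 1)   # invoked by git
  else
    # Run by hand: show the hook rejecting a constructed message.
    Dir.mktmpdir do |dir|
      path = File.join(dir, 'COMMIT_EDITMSG')
      File.write(path, "wip\n")
      run_hook(path, log_path: File.join(dir, 'audit.log'))
    end
  end
end
```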
Slide 24: Security Makes DevOps Better - Tools
- Chef (IT Automation)
  - Continuous configuration & compliance
  - Write some code!
  - Map security controls to recipes
  - Apply technical controls, e.g. https://cipherli.st/
  - Add logging
- Reduces complexity and helps out everyone
  - Ensures consistency (dev, stage, prod)
  - Makes audits easier (most of the time)
Slide 25: Security Makes DevOps Better - Tools
- Jenkins (Continuous Integration)
  - Automated code security test suites
    - Gauntlt (Ruby), Mittn (Python), BDD-Security (Java)
  - Infrastructure code too
    - ChefSpec, test-kitchen
  - External security systems orchestration
    - Network scanners, fuzzers, sqlmappers
  - Test security policies and controls
  - No pass = no go
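An added example (not from the deck) that ties the Chef slide's "map security controls to recipes, e.g. cipherli.st" to the Jenkins slide's "test security policies and controls; no pass = no go": a Ruby check that parses an nginx TLS configuration and fails the build when a banned protocol, a weak cipher suite, a disabled server preference or a missing HSTS header is found. The baseline values and the two sample configurations are assumptions constructed for the example, not cipherli.st's own text.

```ruby
# Pipeline gate that checks an nginx TLS configuration against a
# cipherli.st-style baseline before a deploy is allowed. Baseline values and
# the sample configs are assumptions constructed for this example.

BANNED_PROTOCOLS = %w[SSLv2 SSLv3 TLSv1 TLSv1.1].freeze
WEAK_CIPHER_RE   = /\b(RC4|DES|3DES|MD5|NULL|aNULL|eNULL|EXP|EXPORT|LOW|MEDIUM)\b/i
# One nginx directive per statement; quoted values may contain ';'.
DIRECTIVE_RE     = /^[ \t]*([A-Za-z_]\w*)[ \t]+((?:"[^"]*"|'[^']*'|[^;"'\n])*?);/

# Returns [[name, value], ...] with comments and block braces removed.
def parse_directives(config)
  text = config.gsub(/#.*$/, '').gsub(/[{}]/, "\n")
  text.scan(DIRECTIVE_RE).map { |name, value| [name, value.strip] }
end

# Each finding is a readable string; an empty list means the control passes.
def tls_control_violations(config)
  by_name = Hash.new { |h, k| h[k] = [] }
  parse_directives(config).each { |name, value| by_name[name] << value }
  v = []

  protocols = by_name['ssl_protocols'].flat_map(&:split)
  if protocols.empty?
    v << 'ssl_protocols not set explicitly'
  else
    (protocols & BANNED_PROTOCOLS).each { |p| v << "banned protocol enabled: #{p}" }
  end

  ciphers = by_name['ssl_ciphers'].flat_map { |c| c.delete('"\'').split(':') }
  if ciphers.empty?
    v << 'ssl_ciphers not set explicitly'
  else
    # Tokens starting with ! or - remove suites; only positive tokens can add weak ones.
    ciphers.reject { |c| c.start_with?('!', '-') }.each do |c|
      v << "weak cipher or family allowed: #{c}" if c =~ WEAK_CIPHER_RE
    end
  end

  v << 'ssl_prefer_server_ciphers must be on' unless by_name['ssl_prefer_server_ciphers'].last == 'on'
  hsts = by_name['add_header'].any? { |h| h.start_with?('Strict-Transport-Security') }
  v << 'Strict-Transport-Security header not sent' unless hsts
  v
end

# "No pass = no go": returns the exit status for the CI step plus the findings.
def gate(config)
  findings = tls_control_violations(config)
  [findings.empty? ? 0 : 1, findings]
end

# Constructed "before" config: legacy protocols and suites still enabled.
WEAK_CONFIG = <<~NGINX
  server {
      listen 443 ssl;
      ssl_protocols SSLv3 TLSv1 TLSv1.2;
      ssl_ciphers "HIGH:RC4-SHA:DES-CBC3-SHA:!aNULL";   # kept for legacy clients
      ssl_prefer_server_ciphers off;
  }
NGINX

# Constructed "after" config in the spirit of the cipherli.st recommendations.
HARDENED_CONFIG = <<~NGINX
  server {
      listen 443 ssl;
      ssl_protocols TLSv1.2 TLSv1.3;
      ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305";
      ssl_prefer_server_ciphers on;
      add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
  }
NGINX

if __FILE__ == $PROGRAM_NAME
  status, findings = gate(ARGV[0] ? File.read(ARGV[0]) : WEAK_CONFIG)
  findings.each { |f| warn "TLS control: #{f}" }
  puts(status.zero? ? 'PASS' : 'FAIL: no pass = no go')
  exit status if ARGV[0]
end
```

Run it as a Jenkins build step with the rendered config path as the argument; a non-zero exit blocks the release.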
Slide 26: Security Makes DevOps Better - Tools
- Instrumentation
  - Business logic metrics are also good for security
    - Number of failed logins in the last 24 hours
    - Site performance & availability
  - How do you measure risk management in DevOps?
  - Benchmarking
    - Security test coverage
    - Time to audit
    - Mean time to remediate
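As an added example (not from the deck): the "number of failed logins in the last 24 hours" metric and the "mean time to remediate" benchmark computed from constructed log lines and finding records, then emitted in statsd's wire format (the pipeline slide lists statsd). The log format, metric names and sample data are assumptions.

```ruby
require 'socket'
require 'time'

# Constructed application auth log (format is an assumption, one event per line).
SAMPLE_LOG = <<~LOG
  2015-04-21T08:00:01Z app01 auth: login result=failure user=alice src=203.0.113.5
  2015-04-21T10:15:00Z app01 auth: login result=failure user=alice src=203.0.113.5
  2015-04-21T10:16:10Z app01 auth: login result=failure user=alice src=203.0.113.5
  2015-04-21T10:17:30Z app01 auth: login result=success user=alice src=203.0.113.5
  2015-04-22T02:40:00Z app02 auth: login result=failure user=bob src=198.51.100.7
  this line is not an auth event and must be skipped
  2015-04-22T03:00:00Z app02 auth: login result=failure user=bob src=198.51.100.9
  2015-04-22T08:59:59Z app01 auth: login result=failure user=carol src=192.0.2.44
LOG

LOG_RE = /\A(?<ts>\S+) (?<host>\S+) auth: login result=(?<result>\w+) user=(?<user>\S+) src=(?<src>\S+)\z/
Event  = Struct.new(:time, :host, :result, :user, :src)

# Lines that do not match the expected format are dropped, not guessed at.
def parse_auth_log(text)
  text.each_line.map { |line|
    m = LOG_RE.match(line.strip)
    next unless m
    Event.new(Time.iso8601(m[:ts]), m[:host], m[:result], m[:user], m[:src])
  }.compact
end

# Failed logins in the trailing window ending at `now` (the slide's
# "number of failed logins in the last 24 hours"), total and per user.
def failed_logins(events, now:, window: 24 * 3600)
  recent = events.select { |e| e.result == 'failure' && e.time > now - window && e.time <= now }
  { total: recent.size, per_user: recent.group_by(&:user).transform_values(&:size) }
end

# statsd wire format is "name:value|type"; a gauge (g) suits a rolling count.
# Per-user series help with lockout tuning but add cardinality, so cap them
# in a real deployment.
def statsd_lines(metrics, prefix: 'security.auth')
  lines = ["#{prefix}.failed_logins_24h:#{metrics[:total]}|g"]
  metrics[:per_user].sort.each do |user, n|
    lines << "#{prefix}.failed_logins_24h.user.#{user.gsub(/[^\w-]/, '_')}:#{n}|g"
  end
  lines
end

# Benchmark from the same slide: mean time to remediate, in hours, over closed
# findings (constructed data; findings still open are excluded).
SAMPLE_FINDINGS = [
  { id: 'F-1', opened: '2015-04-01T10:00:00Z', closed: '2015-04-03T10:00:00Z' },
  { id: 'F-2', opened: '2015-04-10T00:00:00Z', closed: '2015-04-10T12:00:00Z' },
  { id: 'F-3', opened: '2015-04-20T00:00:00Z', closed: nil }
]

def mean_time_to_remediate_hours(findings)
  closed = findings.select { |f| f[:closed] }
  return nil if closed.empty?
  total = closed.sum { |f| Time.iso8601(f[:closed]) - Time.iso8601(f[:opened]) }
  (total / closed.size / 3600.0).round(1)
end

# One UDP datagram with newline-separated metrics, as statsd accepts.
def send_to_statsd(lines, host: '127.0.0.1', port: 8125)
  UDPSocket.new.send(lines.join("\n"), 0, host, port)
end

if __FILE__ == $PROGRAM_NAME
  now     = Time.iso8601('2015-04-22T09:00:00Z')   # fixed clock for the sample
  metrics = failed_logins(parse_auth_log(SAMPLE_LOG), now: now)
  puts statsd_lines(metrics)
  puts "security.mttr_hours:#{mean_time_to_remediate_hours(SAMPLE_FINDINGS)}|g"
  send_to_statsd(statsd_lines(metrics)) if ENV['STATSD_SEND']
end
```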
Slide 27: Security Makes DevOps Better - Tools
- Monitoring
  - New Relic, PagerDuty, Boundary, Pingdom
  - Performance & availability
  - Create useful alerts and alert the right people
- Logging
  - Splunk, SumoLogic
  - Get your app team to log useful events
    - Not "There was an error"
    - But "RabbitMQ tried to write to DB, but got error…"
Slide 28: Apply Security Expertise to DevOps Process
[Diagram: Plan, Code, Test, Release, Deploy, Operate]
Slide 29: Security Makes DevOps Better - Process (Plan)
- Policy
  - Does your SDLC include DevOps tools and process?
- Definition of done
  - How do devs know they are meeting security requirements?
- Moving security earlier
  - Story review
  - Threat vector analysis
  - Security training
  - Design & architecture
[Diagram: Plan, Code, Test, Release, Deploy, Operate; caption "Moving security left"]
Slide 30: Security Makes DevOps Better - Process (Code)
Standards Enforcement:
- Lint checkers
- Branching strategy
- Peer review
Get Involved:
- Write code
- Attend stand-ups
- Peer review
- Pair programming
Security experts can't expect software experts to be security experts.
Slide 31: Security Makes DevOps Better - Process (Test)
Security Tests:
- Behaviors
  - Lock the user out after x failures
  - Must use SHA-256
- Infrastructure
  - Port scans
  - User accounts
Non-Functional Tests:
- Performance (availability)
- System readiness
  - Deploying using latest AMI
  - Latest OpenSSL
[Diagram: Functional Tests, Security Tests, Other Tests]
Slide 32: Security Makes DevOps Better - Process (Test)
- Make tests automated
  - Continuous integration with Jenkins
  - Pick a pluggable framework
- Use TDD
  - Automate security tests up front
- Done-Done includes security
  - What's the definition of done?
[Diagram: Functional Tests, Security Tests, Other Tests]
Slide 33: Security Makes DevOps Better - Process (Release, Deploy)
Release:
- Separation
  - Systems
  - Duties
  - "Here be dragons"
- Oversight
  - Approvals
  - 2-man rule
Deploy:
- Change control mgmt
  - "Here be more dragons"
- Convey assurance
- Convey trust
  - What's in the change log?
  - What tests were run?
Slide 34: What You Can Do Today
- Get acquainted with popular tools
  - Git, Jenkins, Chef, Statsd, New Relic, PagerDuty
- Read about new concepts
  - Agile, continuous integration, continuous deployment
  - Test driven development
- Think about metrics
  - What metrics are valuable to both DevOps & Security?
- Get involved
Slide 35: Do Some Industry Research
- Security people are secretive
- DevOps people LOVE to talk and SHARE
- Watch some videos on YouTube
- Attend a DevOps conference
- Read some articles at devops.com
Slide 36: Remember To
- Be transparent
  - Good security is always transparent. DevOps will amplify opaqueness.
- Be measurable
  - DevOps breeds automation. Find where you can automate metrics.
- Embrace feedback loops
  - Attend retrospectives. Request feedback. Adjust as needed.
- Embrace iterations
  - Nothing is ever 100% done or 100% perfect.
Slide 37: Make DevOps Work For You
DevOps Says:
- Collaboration
- Automation
- Agile
Security Says:
- Everyone's responsibility
- Standards, reporting, benchmarks
- Risk management
Use DevOps to create the next generation information security program.
It might just be your only hope in combating the next cyber threat.
Slide 38: Make DevOps Work For You
[Diagram labels: Self Study, Discovery, Plan, Measure, Feedback]
- Today's Assignment: Reading: Etsy, Netflix
- Next Week: What tools, people and processes are in use?
- Next Month: How can you impact DevOps in a positive way?
- 3 Months: Have you made an impact?
- 3 Months: What can you do better?
Slide 39: Summary
- For many, security is the afterthought in DevOps
- It's your duty to effect change in DevOps
- Security embedded in DevOps makes DevOps better
- Get to know the people, processes and tools
- Find your positive entry points
- Make a plan & measure the outcome
[Image: gears]
Slide 40: Q & A
Andrew Storms
@St0rmz
storms@newcontext.com
Devops.com

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

How Security can be the Next Force Multiplier in DevOps

  • 1. How Security can be the Next Force Multiplier in DevOps (Session ID: ASD-F01). Andrew Storms, VP, Security Services, New Context, @St0rmz
  • 2. Make security the reason for DevOps adoption
    u  Software development challenges
    u  DevOps doesn’t address secure coding challenges
    u  It’s our duty to effect change in DevOps
    u  Security embedded in DevOps makes DevOps better
    u  Don’t fear DevOps – know the people, processes and tools
    u  Find your positive entry points
    u  Making a plan
  • 3. Software Development Challenges
    (Diagram: process steps Plan, Code, Test, Release, Deploy, Operate, owned respectively by PM, Dev, QA, Release Mgmt, Ops, Ops; Security is a separate owner outside the steps.)
    u  Non-DevOps software development environment
    u  Everything is separate
  • 4. Software Development Challenges
    (Same diagram, with downward business pressures: Time To Market, Changing Requirements, Tech Debt, Control Costs, Risk Reduction, Reporting.)
    u  Downward business pressures
  • 5. Software Development Challenges
    (Same diagram, adding upward security pressures: Threat Mgmt, Risk Reduction.)
    u  Upward security pressures
  • 6. Software Development Challenges
    (Same diagram, now also showing Governance, Policy, Audit and Compliance; the groups Business & Product, Security & Compliance and Software Dev; Program Management; and Pressure arriving from both sides.)
  • 7. Software Development Challenges
    u  External pressures
    u  Disjointed
    u  Costly
    u  Siloed
    u  Opaque
    u  Complex
    u  Always late, out of sync, fragile
  • 8. Then along came the DevOps
    Non DevOps
      u  Disjointed
      u  Costly
      u  Opaque
      u  Always late
    DevOps
      u  Conjoined
      u  Lean
      u  Transparent
      u  Agile
  • 9. Then along came the DevOps
    (Diagram: the same Plan, Code, Test, Release, Deploy, Operate steps, now owned by DevOps (green = DevOps), with Ops and Security still separate; Governance, Compliance, Policy, Audit and the business and security pressures are unchanged; Agile.)
  • 10. Then along came the DevOps
    u  Meets business & product needs
    u  On time, within budget
    u  Meets ops and dev needs
    u  Agile, harmonious, consistent
    u  Fails to meet security needs
    u  No attempt to deliver secure application code
    u  Security still left out and left last
  • 11. Then along came the DevOps
    (Same diagram; Business & Product needs and Operational & Dev needs are met.)
  • 12. Then along came the DevOps
    (Same diagram; Security, Audit and Compliance needs remain unmet.)
  • 13. Then along came the DevOps
    (Same diagram; Pressure from both sides.)
  • 14. How popular is DevOps?
    u  Oct 2014 CA Technologies Survey
      u  88% of respondents already have or plan to adopt DevOps in the next 5 years (up from 66% the prior year)
      u  Top obstacle (28%) to DevOps in their organization was security or compliance concerns
    u  Oct 2014 Rackspace Survey
      u  55% already implemented DevOps; 31% planning to implement DevOps within 3 years
      u  Primary driver for DevOps? Only 2% said audit or compliance
    http://rewrite.ca.com/us/articles/devops/research-report--devops-the-worst-kept-secret-to-winning-in-the-application-economy.aspx
    http://www.rackspace.co.uk/sites/default/files/devops-automation-report.pdf
  • 15. DevOps Kicks The Security Can Down The Road
    (Diagram: Old Way: PM, Dev, QA, Release Mgmt, Ops, Ops, Security across Plan, Code, Test, Release, Deploy, Operate. DevOps Way: DevOps, Ops, Security across the same steps.)
    Security is still the last guy
  • 16. DevOps Is Bad For Security
    u  Fast
      u  ~50 deploys a day!
      u  Faster to production = faster to be pwned
    u  Too much complexity
      u  Unwieldy
      u  Everyone has access to everything
      u  Full stack engineers
      u  Fewer test cases
    u  Deplorable
      u  No audit
      u  No control points
      u  No process
  • 17. DevOps Is Good For Security
    u  Increases process insertion points
    u  Increases consistency
    u  Increases predictability
    u  Decreases time to change
    u  Increases auditability
    u  Reduces costs
    u  Reduces waste
    Simple, Manageable, Automatable, Testable
  • 18. Security Is Good For DevOps
    u  Business enabler
    u  Transparency
    u  Trust
    u  Protects privacy
    u  Accountability
    u  Regulatory & audit
    Security + DevOps: let the people focus on their core competencies
  • 19. Know Your Nemesis
    Security Team
      u  Compliance
      u  Silos
      u  Change control
      u  FUD masters
    DevOps Teams
      u  Security != compliance
      u  Open
      u  Lots of change
      u  Data scientists
    “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu
  • 20. How do we get these teams to work together? (Every DevOps presentation must have a random gears image)
  • 21. Action Plan
    u  Pipeline
    u  Tools
    u  Processes
    u  Today’s todos
    (Diagram: Know your DevOps; short term; long term.)
  • 22. Apply Security Expertise to DevOps Pipeline
    (Pipeline diagram: Dev commits App Code, Inf Code and Templates to Git; Jenkins runs Functional Tests, Security Tests and Other Tests; Chef deploys to Stage and Prod; Logging, Instrumentation (statsd) and Log Analysis run alongside.)
  • 23. Security Makes DevOps Better - Tools
    u  Git (Source Code Management)
      u  Make it the source of truth for everything
      u  Sometimes people use Chef for revision control
      u  Separate repositories for each cookbook
      u  Branching strategy needs to support isolation, rollback, logging
    u  Git Hooks
      u  Enforce policy at commit time
      u  Commit message, additional logging
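Slide 23 says Git hooks can enforce policy at commit time and improve the commit log. The following is an added example of what such a hook can check, not code from the talk; the policy it enforces is hypothetical (a subject line of at most 72 characters, a change-ticket reference of the form CHG-nnnn so every commit is traceable, and no private-key material in staged files), and the hook file names are the standard Git ones.

```python
"""Commit-time policy checks of the kind a Git hook can enforce.

Added example, not from the talk. The policy is hypothetical:
  - commit-msg hook: non-empty subject <= 72 chars, and the message must
    reference a change ticket (hypothetical format "CHG-1234") so the
    commit log doubles as an audit trail;
  - pre-commit hook: staged content must not contain private-key material.
Wiring (not run here): .git/hooks/commit-msg calls check_commit_message()
on the message file Git passes as argv[1]; .git/hooks/pre-commit calls
check_staged() on the staged files.
"""
import re
import sys

TICKET_RE = re.compile(r"\bCHG-\d+\b")      # hypothetical ticket format
MAX_SUBJECT = 72
KEY_MARKERS = (
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN PRIVATE KEY-----",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
)


def check_commit_message(message):
    """Return a list of policy violations for a commit message (empty = ok)."""
    # Git treats lines starting with '#' as comments; ignore them.
    lines = [line for line in message.splitlines() if not line.startswith("#")]
    subject = lines[0].strip() if lines else ""
    violations = []
    if not subject:
        violations.append("empty subject line")
    elif len(subject) > MAX_SUBJECT:
        violations.append(f"subject longer than {MAX_SUBJECT} characters")
    if not TICKET_RE.search(message):
        violations.append("no change ticket reference (CHG-nnnn) in message")
    return violations


def check_staged(files):
    """files: {path: content}. Return the paths that contain private-key material."""
    flagged = [path for path, content in files.items()
               if any(marker in content for marker in KEY_MARKERS)]
    return sorted(flagged)


if __name__ == "__main__":
    # commit-msg hook entry point: Git passes the path of the message file.
    with open(sys.argv[1], encoding="utf-8") as fh:
        problems = check_commit_message(fh.read())
    for problem in problems:
        print(f"commit rejected: {problem}", file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Client-side hooks are advisory (a developer can skip them), so the same checks belong in the server-side or CI path as well; the functions are kept free of Git calls so they can run in both places.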
  • 24. Security Makes DevOps Better - Tools
    u  Chef (IT Automation)
      u  Continuous configuration & compliance
      u  Write some code!
      u  Map security controls to recipes
      u  Apply technical controls. Ex: https://cipherli.st/
      u  Add logging
      u  Reduces complexity and helps out everyone
      u  Ensures consistency (dev, stage, prod)
      u  Makes audits easier (most of the time)
  • 25. Security Makes DevOps Better - Tools
    u  Jenkins (Continuous Integration)
      u  Automated code security test suites
      u  Gauntlt (Ruby), Mittn (Python), BDD-Security (Java)
      u  Infrastructure code too
      u  ChefSpec, test-kitchen
      u  External security systems orchestration
      u  Network scanners, fuzzers, sqlmappers
      u  Test security policies and controls
      u  No pass = no go
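Slides 24 and 25 together describe the loop: Chef applies a technical control (the TLS settings are the example the slide points at) and Jenkins tests that the control is actually in place before anything ships. The block below is an added example of such a policy test, not code from the talk and not a reproduction of cipherli.st; the baseline it encodes is hypothetical (TLS 1.2/1.3 only, no cipher suites containing RC4, MD5, NULL, DES or EXPORT, server-side cipher ordering) and it checks an nginx-style config that Chef might have rendered.

```python
"""Policy-as-test for a rendered TLS configuration.

Added example, not from the talk. A CI job would run check_tls_policy()
on the config Chef rendered and use ci_exit_code() as the gate
("no pass = no go"). The baseline is hypothetical, not a published list.
"""
import re

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_TOKENS = ("RC4", "MD5", "NULL", "DES", "EXPORT")

# nginx-style "ssl_<name> <value>;" directives, one per line
DIRECTIVE_RE = re.compile(r"^\s*(ssl_\w+)\s+(.*?)\s*;\s*$", re.MULTILINE)

# Constructed sample configs: the weak setting beside the corrected one.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.2;
    ssl_ciphers HIGH:RC4-SHA:!aNULL;
    ssl_prefer_server_ciphers off;
}
"""
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
"""


def parse_ssl_directives(config_text):
    """Extract ssl_* directives into a dict (a repeated directive: last one wins)."""
    return {name: value for name, value in DIRECTIVE_RE.findall(config_text)}


def check_tls_policy(config_text):
    """Return a list of findings; an empty list means the config meets the baseline."""
    d = parse_ssl_directives(config_text)
    findings = []

    protocols = set(d.get("ssl_protocols", "").split())
    if not protocols:
        findings.append("ssl_protocols not set")
    for proto in sorted(protocols - ALLOWED_PROTOCOLS):
        findings.append(f"legacy protocol enabled: {proto}")

    ciphers = d.get("ssl_ciphers", "")
    if not ciphers:
        findings.append("ssl_ciphers not set")
    for suite in ciphers.split(":"):
        # "!RC4" / "-RC4" are exclusions in OpenSSL cipher strings, not enabled suites
        if suite.startswith(("!", "-")):
            continue
        if any(token in suite for token in WEAK_CIPHER_TOKENS):
            findings.append(f"weak cipher suite allowed: {suite}")

    if d.get("ssl_prefer_server_ciphers", "off") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    return findings


def ci_exit_code(findings):
    """0 lets the deploy proceed; 1 fails the Jenkins job and blocks the release."""
    return 0 if not findings else 1


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_tls_policy(cfg))
```

Checking the rendered file is deliberately a separate step from the recipe that writes it: the test should fail just as loudly when someone edits the file by hand on a host, which is exactly the drift that continuous compliance is meant to catch.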
  • 26. Security Makes DevOps Better - Tools
    u  Instrumentation
      u  Business logic metrics are also good for security
      u  Number of failed logins in the last 24 hours
      u  Site performance & availability
    u  How do you measure risk management in DevOps?
      u  Benchmarking
      u  Security test coverage
      u  Time to audit
      u  Mean time to remediate
  • 27. Security Makes DevOps Better - Tools
    u  Monitoring
      u  New Relic, PagerDuty, Boundary, Pingdom
      u  Performance & availability
      u  Create useful alerts and alert the right people
    u  Logging
      u  Splunk, SumoLogic
      u  Get your app team to log useful events
      u  Not: “There was an error”
      u  But: “RabbitMQ tried to write to DB, but got error…”
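Slides 26 and 27 name two concrete metrics (failed logins in the last 24 hours, mean time to remediate) and the logging habit that makes them computable. The block below is an added example, not code from the talk: it parses a hypothetical structured log format ("<ISO-8601 UTC timestamp> <component> <event> key=value ..."), computes both metrics over constructed sample data, and counts the "There was an error" style lines separately so the team can see how much of the log carries no usable event.

```python
"""Security metrics from application logs (added example, not from the talk).

Log format is hypothetical: "<ISO-8601 UTC> <component> <event> key=value ...".
Lines that do not follow it are counted as unparsed rather than silently
dropped, which makes "log useful events" itself a measurable goal.
"""
from datetime import datetime, timedelta, timezone
import re

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

# Constructed sample data. "Now" is fixed so the example is reproducible.
NOW = datetime(2015, 4, 21, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    "2015-04-21T11:58:03Z auth login_failed user=alice src=10.0.0.5",
    "2015-04-21T11:58:09Z auth login_failed user=alice src=10.0.0.5",
    "2015-04-21T09:12:44Z auth login_failed user=bob src=10.0.0.7",
    "2015-04-20T11:00:00Z auth login_failed user=carol src=10.0.0.9",  # 25h ago: outside window
    "2015-04-21T10:00:00Z auth login_ok user=alice src=10.0.0.5",
    "There was an error",                                               # useless log line
    "2015-04-21T10:30:00Z queue write_failed target=db error=timeout",
]
# (opened, closed) timestamps of findings; None = still open
SAMPLE_FINDINGS = [
    (datetime(2015, 4, 1, tzinfo=timezone.utc), datetime(2015, 4, 3, tzinfo=timezone.utc)),
    (datetime(2015, 4, 10, tzinfo=timezone.utc), datetime(2015, 4, 10, 12, tzinfo=timezone.utc)),
    (datetime(2015, 4, 15, tzinfo=timezone.utc), None),
]


def parse_event(line):
    """Return {'ts', 'component', 'event', **fields} or None if the line is unstructured."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, component, event, rest = m.groups()
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:          # first token is not a timestamp: free-text line
        return None
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": when, "component": component, "event": event, **fields}


def failed_logins(lines, now, window=timedelta(hours=24)):
    """Count login_failed events per user inside [now - window, now].

    Returns (counts_by_user, number_of_unparsed_lines).
    """
    counts, unparsed = {}, 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            unparsed += 1
            continue
        if ev["event"] == "login_failed" and now - window <= ev["ts"] <= now:
            user = ev.get("user", "<unknown>")
            counts[user] = counts.get(user, 0) + 1
    return counts, unparsed


def mean_time_to_remediate(findings):
    """Mean hours from open to close over closed findings; None if nothing is closed yet."""
    hours = [(closed - opened).total_seconds() / 3600
             for opened, closed in findings if closed is not None]
    return sum(hours) / len(hours) if hours else None


if __name__ == "__main__":
    print(failed_logins(SAMPLE_LOG, NOW))
    print(mean_time_to_remediate(SAMPLE_FINDINGS))
```

The window is evaluated against an explicit `now` rather than the wall clock so the same function can be replayed over historical logs during an investigation and give identical answers.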
  • 28. Apply Security Expertise to DevOps Process
    (Diagram: Plan, Code, Test, Release, Deploy, Operate.)
  • 29. Security Makes DevOps Better - Process (Plan)
    u  Policy
      u  Does your SDLC include DevOps tools and process?
    u  Definition of done
      u  How do devs know they are meeting security requirements?
    u  Moving security earlier
      u  Story review
      u  Threat vector analysis
      u  Security training
      u  Design & architecture
    (Diagram: Plan highlighted in the Plan, Code, Test, Release, Deploy, Operate pipeline; caption: Moving security left.)
  • 30. Security Makes DevOps Better - Process (Code)
    Standards Enforcement
      u  Lint checkers
      u  Branching strategy
      u  Peer review
    Get Involved
      u  Write code
      u  Attend stand ups
      u  Peer review
      u  Pair programming
    Security experts can’t expect software experts to be security experts.
  • 31. Security Makes DevOps Better - Process (Test)
    Security Tests
      u  Behaviors
        u  Lock the user out after x failures
        u  Must use SHA-256
      u  Infrastructure
        u  Port scans
        u  User accounts
    Non Functional Tests
      u  Performance (Availability)
      u  System readiness
        u  Deploying using latest AMI
        u  Latest OpenSSL
    (Diagram: Test highlighted; Functional Tests, Security Tests, Other Tests.)
  • 32. Security Makes DevOps Better - Process (Test)
    u  Make tests automated
      u  Continuous integration with Jenkins
      u  Pick a pluggable framework
    u  Use TDD
      u  Automate security tests up front
    u  Done-Done includes security
      u  What’s the definition of done?
    (Diagram: Test highlighted; Functional Tests, Security Tests, Other Tests.)
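Slides 31 and 32 ask for behavior-level security tests ("lock the user out after x failures") that run automatically in CI, written up front in TDD fashion. The following is an added example of such a test, not code from the talk and not Gauntlt or Mittn: a small in-memory authentication service stands in for the application under test, and the harness relies only on an `attempt(user, password, now)` call returning "ok", "denied" or "locked". The threshold (5 failures) and lockout window (15 minutes) are assumed values; the spec also covers the two edge cases that usually go untested, the correct password while locked and the unlock after the window.

```python
"""Executable behavior test for account lockout (added example, not from the talk).

run_spec() is what a Jenkins stage would call; it returns a dict of
observations so the failing check is named, not just a red build.
"""
import hmac
from datetime import datetime, timedelta, timezone

THRESHOLD = 5                         # assumed policy: lock on the 5th failure
LOCKOUT = timedelta(minutes=15)       # assumed lockout window
START = datetime(2015, 4, 21, 12, 0, 0, tzinfo=timezone.utc)
USERS = {"alice": "correct horse battery staple"}   # constructed test account
NEVER = datetime.min.replace(tzinfo=timezone.utc)


class InMemoryAuth:
    """Stand-in for the system under test (constructed for this example only)."""

    def __init__(self, users, max_failures=THRESHOLD, lockout=LOCKOUT):
        self.users = users
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = {}          # user -> consecutive failure count
        self.locked_until = {}      # user -> datetime

    def attempt(self, user, password, now):
        if self.locked_until.get(user, NEVER) > now:
            return "locked"
        expected = self.users.get(user, "")
        # constant-time compare; unknown users fall through to the same "denied" path
        if user in self.users and hmac.compare_digest(expected, password):
            self.failures.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            self.failures.pop(user, None)
            return "locked"
        return "denied"


def lockout_spec(auth, user, threshold, lockout_window, start):
    """Drive the service and return named observations; obs['passed'] is the verdict."""
    obs = {}
    results = [auth.attempt(user, f"wrong-{i}", start) for i in range(threshold)]
    obs["denied_before_threshold"] = all(r == "denied" for r in results[:-1])
    obs["locked_at_threshold"] = results[-1] == "locked"
    # the right password must not work while the account is locked
    obs["correct_password_refused_while_locked"] = (
        auth.attempt(user, auth.users[user], start + timedelta(seconds=1)) == "locked")
    # and must work again once the window has elapsed
    obs["unlocks_after_window"] = (
        auth.attempt(user, auth.users[user], start + lockout_window + timedelta(seconds=1)) == "ok")
    # unknown user and wrong password should be indistinguishable to the caller
    obs["unknown_user_same_as_bad_password"] = auth.attempt("nobody", "x", start) == "denied"
    obs["passed"] = all(obs.values())
    return obs


def run_spec(max_failures=THRESHOLD):
    """Build a fresh service with the given lockout setting and run the spec against it."""
    auth = InMemoryAuth(USERS, max_failures=max_failures, lockout=LOCKOUT)
    return lockout_spec(auth, "alice", THRESHOLD, LOCKOUT, START)


if __name__ == "__main__":
    print(run_spec())                   # compliant service: passed True
    print(run_spec(max_failures=10**6)) # lockout effectively disabled: passed False
```

Time is injected rather than read from the clock so the unlock case runs in milliseconds instead of waiting fifteen minutes, which is what makes the test cheap enough to sit in every pipeline run.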
  • 33. Security Makes DevOps Better - Process (Release, Deploy)
    Release
      u  Separation
        u  Systems
        u  Duties
      u  “Here be dragons”
      u  Oversight
        u  Approvals
        u  2-man rule
    Deploy
      u  Change control mgmt
      u  “Here be more dragons”
      u  Convey assurance
      u  Convey trust
      u  What’s in the change log?
      u  What tests were run?
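Slide 33's release and deploy controls (separation of duties, a 2-man rule on approvals, a change log, and a record of which tests ran) can be encoded as one gate the deploy job evaluates before it touches production. The block below is an added example, not code from the talk; the change-record format and the set of required test suites are hypothetical.

```python
"""Release gate for slide 33's controls (added example, not from the talk).

A change record is a dict: author, approvers (list of names), changelog
(str) and tests (suite name -> passed). The record format and the
required suites are hypothetical.
"""

REQUIRED_TESTS = ("functional", "security", "infrastructure")   # hypothetical gate set

# Constructed sample records: one that should ship, one that should not.
GOOD_CHANGE = {
    "author": "alice",
    "approvers": ["bob", "carol"],
    "changelog": "CHG-42: tighten TLS policy on edge nodes",
    "tests": {"functional": True, "security": True, "infrastructure": True},
}
BAD_CHANGE = {
    "author": "alice",
    "approvers": ["alice", "alice", "bob"],   # self-approval and a duplicate
    "changelog": "   ",
    "tests": {"functional": True, "security": False},   # infrastructure suite never ran
}


def release_allowed(change, required_approvers=2):
    """Return (allowed, reasons). Every unmet control is listed, not just the first."""
    reasons = []
    author = change.get("author")
    listed = change.get("approvers", [])
    # separation of duties: the author's own approval never counts
    if author in listed:
        reasons.append("author approved their own change (separation of duties)")
    independent = set(listed) - {author}     # distinct people, author excluded
    if len(independent) < required_approvers:
        reasons.append(f"{len(independent)} independent approver(s), "
                       f"{required_approvers} required (2-man rule)")
    if not change.get("changelog", "").strip():
        reasons.append("empty change log")
    tests = change.get("tests", {})
    for name in REQUIRED_TESTS:
        if name not in tests:
            reasons.append(f"{name} tests were not run")
        elif not tests[name]:
            reasons.append(f"{name} tests failed")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, change in (("good", GOOD_CHANGE), ("bad", BAD_CHANGE)):
        print(label, release_allowed(change))
```

Reporting every failed control at once, rather than stopping at the first, is what lets the deploy job "convey assurance": the output is the evidence an auditor later asks for, so it should be complete on the first run.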
  • 34. What You Can Do Today
    u  Get acquainted with popular tools
      u  Git, Jenkins, Chef, statsd, New Relic, PagerDuty
    u  Read about new concepts
      u  Agile, continuous integration, continuous deployment
      u  Test driven development
    u  Think about metrics
      u  What metrics are valuable to both DevOps & Security?
    u  Get involved
  • 35. Do Some Industry Research
    u  Security people are secretive
    u  DevOps people LOVE to talk and SHARE
    u  Watch some videos on YouTube
    u  Attend a DevOps conference
    u  Read some articles at devops.com
  • 36. Remember To
    u  Be transparent
      u  Good security is always transparent. DevOps will amplify opaqueness.
    u  Be measurable
      u  DevOps breeds automation. Find where you can automate metrics.
    u  Embrace feedback loops
      u  Attend retrospectives. Request feedback. Adjust as needed.
    u  Embrace iterations
      u  Nothing is ever 100% done or 100% perfect.
  • 37. Make DevOps Work For You
    DevOps Says
      u  Collaboration
      u  Automation
      u  Agile
    Security Says
      u  Everyone’s responsibility
      u  Standards, reporting, benchmarks
      u  Risk management
    Use DevOps to create the next generation information security program. It might just be your only hope in combating the next cyber threat.
  • 38. Make DevOps Work For You
    (Timeline: Self Study, Discovery, Plan, Measure, Feedback.)
    u  Today’s Assignment – Self Study: Reading: Etsy, Netflix
    u  Next Week – Discovery: What tools, people and processes are in use?
    u  Next Month – Plan: How can you impact DevOps in a positive way?
    u  3 Months – Measure: Have you made an impact?
    u  3 Months – Feedback: What can you do better?
  • 39. Summary
    u  For many, Security is the afterthought in DevOps
    u  It’s your duty to effect change in DevOps
    u  Security embedded in DevOps makes DevOps better
    u  Get to know the people, processes and tools
    u  Find your positive entry points
    u  Make a plan & measure the outcome
  • 40. Q & A
    Andrew Storms, @St0rmz, storms@newcontext.com, Devops.com