SecDevOps: The New Black of IT

Just when you thought DevOps was the new black, along comes SecDevOps. In this webinar, Andrew Storms, Sr. Director of DevOps at CloudPassage, and Alan Shimel, Co-Founder of DevOps.com, will discuss the emerging hybrid role of DevOps and Security. Tune in to hear them cover the following topics and why DevOps should want to play a bigger part in security:

• Go beyond the traditional: use DevOps tools, practices and methods to create a force multiplier of SecDevOps
• Orchestrate and automate: deputize everyone to incorporate security into their day-to-day responsibilities
• Examples of security automation and case situations that minimize risk and drive flexibility for DevOps
• See how SaaS provider CloudPassage integrates security into its own development and operations workflows

Published in: Technology


  1. SecDevOps: The New Black of IT
     Andrew Storms, CloudPassage, Director of DevOps
     Alan Shimel, DevOps.com, CEO & Co-founder
  2. 1994 1995 2009
  3. Cloud or Not – Still the Same
     • Infrastructure
     • Data & Storage
     • Identity & Access Controls
     • Privacy
     • Governance
     • Audit & Compliance
  4. What about DevOps?
     • Infrastructure as code
     • Instrumentation
     • Orchestration
     • Continuous everything
  5. What about security with DevOps?
  6. DevOps & Security Division
     This is NOT how we do DevOps at CloudPassage.
     Diagram: Division (DevOps | Security) versus Collaboration (Plan, Code, Test, Release, Deploy, Operate)
  7. SecDevOps
     • Less division – More collaboration
     • Less silos – More sharing
     • Less pipeline – More chains & links
     • Less manual – More automation
  8. Plan
     • Release Sherpa
       – Ops, Dev, QA
       – See a release through from start to finish
     • Change risk management
       – What infrastructure changes?
       – Unexpected or large code changes?
       – Security risk assessment
       – Threat vector analysis
  9. Code
     • Standards enforcement
       – Rubocop, Foodcritic, Knife-Spork
     • Review process
       – Peer & code review
       – Continuous application & infrastructure testing
     • Git feature branching
       – Change control & isolation
  10. Test
     • Automated code testing
       – Over 10k tests run automatically at check-in
       – Over 10k QA assertions
       – Over 130 smoke test suites
     • All the modules & third-party integrations
     • Deploy verifications
     • External automated testing
     • External code review
  11. Release & Deploy
     • Stakeholder approval
     • Standardized tools
       – Capistrano, Chef
     • Deploy testing
       – 2-man rule
     • System segregation
       – Only Ops has production access
  12. Operate
     • Continuous compliance monitoring
       – All systems (prod & non-prod)
       – Hourly & daily
       – Halo
     • Infrastructure security orchestration
       – Thousands of control/change points enforced hourly (Chef)
       – Validated by Halo
     • Continuous risk assessment
       – Third-party vulnerability testing of all systems
  13. Workflow diagram (tools: JIRA, git, Chef, Capistrano, Halo)
     Initiate → Approve → Implement → Deploy (Infrastructure) → Deploy (App Code) → Update Baselines → Continuous Monitoring, with Audit Records captured at each step.
     End-to-end audit trail, built into the agile process… “AGILE ASSURANCE”
  14. Practical SecDevOps Examples
     • Security automation potential
       – Cloud APIs have exploded
     • Latch on to DevOps momentum
       – Take advantage of change
       – Make Dev and Ops security stakeholders
     • Use IFTTT thinking
       – Channels, Triggers, Actions, Ingredients → Recipes
  15. Practical SecDevOps Automation (screenshot slide, no transcript text)
  16. Practical SecDevOps Automation (screenshot slide; label: git-push)
  17. Practical SecDevOps Automation (screenshot slide, no transcript text)
  18. Practical SecDevOps Automation (screenshot slide, no transcript text)
  19. SecDevOps in Summary
     • Old is new: still solving the same problems, but in new ways
     • SecDevOps: DevOps is here, SecDevOps is required
     • Automation: security automation is here, and is required in the cloud
  20. More Resources
     Explore: www.DevOps.com
     Learn: blog.cloudpassage.com
     Start: www.cloudpassage.com/halo
  21. Thank you! Q&A
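As an added example (not the deck's or CloudPassage's code), a small change-risk gate in Ruby, the language of the Chef and Capistrano tooling the slides name: it reads `git diff --numstat` output, flags infrastructure and security-sensitive paths and large diffs (the "Change risk management" questions of slide 8), and returns the approval chain, including Ops for the "2-man rule" of slide 11. The path prefixes, the size threshold and the role names are assumptions.

```ruby
# Added example, not CloudPassage's code: a change-risk gate in the spirit of
# "Change risk management" (slide 8) and the "2-man rule" (slide 11).
# It reads `git diff --numstat` output and decides who must approve a release.
# Path prefixes, thresholds and approver roles are assumptions, not the deck's.
INFRA_PATHS     = %w[cookbooks/ roles/ environments/ config/deploy/].freeze
SENSITIVE_PATHS = %w[cookbooks/sshd/ cookbooks/sudo/ cookbooks/iptables/ config/secrets/].freeze

Change = Struct.new(:added, :deleted, :path) do
  def churn;      added + deleted; end
  def infra?;     INFRA_PATHS.any?     { |p| path.start_with?(p) }; end
  def sensitive?; SENSITIVE_PATHS.any? { |p| path.start_with?(p) }; end
end

# Parse "added<TAB>deleted<TAB>path" lines; binary files show "-\t-\tpath" (zero churn).
def parse_numstat(text)
  text.each_line.filter_map do |line|
    added, deleted, path = line.chomp.split("\t", 3)
    next if path.nil? || path.empty?
    Change.new(added.to_i, deleted.to_i, path)
  end
end

# Every release has a Release Sherpa; production deploys follow the 2-man rule
# (Ops must be present), and security joins when sensitive paths change.
def approvers_for(level)
  case level
  when :high   then %w[release_sherpa security ops]
  when :medium then %w[release_sherpa ops]
  else              %w[release_sherpa]
  end
end

# Risk level and reasons for a change set; large_threshold is an assumed cutoff.
def assess(changes, large_threshold: 500)
  churn   = changes.sum(&:churn)
  reasons = []
  reasons << "touches infrastructure (Chef) code" if changes.any?(&:infra?)
  reasons << "touches security-sensitive paths"    if changes.any?(&:sensitive?)
  reasons << "large change (#{churn} lines)"       if churn > large_threshold
  level = if changes.any?(&:sensitive?) then :high
          elsif reasons.any?            then :medium
          else                               :low
          end
  { level: level, churn: churn, reasons: reasons, approvers: approvers_for(level) }
end

# Constructed sample: an app change, an sshd cookbook change and a binary asset.
SAMPLE_NUMSTAT = "12\t3\tapp/models/user.rb\n40\t2\tcookbooks/sshd/recipes/default.rb\n-\t-\tpublic/logo.png\n".freeze
report = assess(parse_numstat(SAMPLE_NUMSTAT))
puts "risk=#{report[:level]} churn=#{report[:churn]} approvers=#{report[:approvers].join(',')}"
```

In a pipeline this would run on the merge request before the Release Sherpa signs off, with the result attached to the JIRA ticket as the audit record the workflow slide calls for.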