SecDevOps: The New Black of IT


Just when you thought DevOps was the new black, along comes SecDevOps. In this webinar, Andrew Storms, Sr. Director of DevOps at CloudPassage, and Alan Shimel, CEO and Co-Founder, discuss the emerging hybrid role that spans DevOps and security. Tune in to hear them cover the following topics and why DevOps should want to play a bigger part in security:

Go beyond the traditional: use DevOps tools, practices and methods as a force multiplier for SecDevOps
Orchestrate and automate: deputize everyone to incorporate security into their day-to-day responsibilities
Examples of security automation, and case situations that minimize risk while keeping DevOps flexible
See how SaaS provider CloudPassage integrates security into its own development and operations workflows

Published in: Technology
  • Apply IFTTT thinking
    If This Then That
    Channels, Triggers, Actions, Ingredients → Recipes
    (need a graphic here. Something like a funnel or other where Channels, Triggers, Actions, Ingredients converge to make a recipe)
  • Examples
    (The same graphic from previous slide, but small)
    If code gets checked in, then run static analysis
  • Examples
    If firewall policy changes, then initiate remote scanner
  • Examples
    If breach, then quarantine
  • Feel free to change these points to your sales next steps.
  • SecDevOps: The New Black of IT

    1. SecDevOps: The New Black of IT. Andrew Storms, Director of DevOps, CloudPassage. Alan Shimel, CEO & Co-founder.
    2. 1994 1995 2009
    3. Cloud or Not – Still the Same • Infrastructure • Data & Storage • Identity & Access Controls • Privacy • Governance • Audit & Compliance
    4. What about DevOps? • Infrastructure as code • Instrumentation • Orchestration • Continuous everything
    5. What about security with DevOps?
    6. DevOps & Security: Division. Diagram labels: Collaboration / Division; DevOps / Security; Plan, Code, Test, Release, Deploy, Operate. Caption: "This is NOT how we do DevOps at CloudPassage."
    7. SecDevOps • Less division – More collaboration • Less silos – More sharing • Less pipeline – More chains & links • Less manual – More automation
    8. Plan • Release Sherpa – Ops, Dev, QA – sees a release through from start to finish • Change risk management – What infrastructure changes? – Unexpected or large code changes? – Security risk assessment – Threat vector analysis
    9. Code • Standards enforcement – Rubocop, Foodcritic, Knife-Spork • Review process – Peer & code review – Continuous application & infrastructure testing • Git feature branching – Change control & isolation
    10. Test • Automated code testing – Over 10k tests run automatically at check-in – Over 10k QA assertions – Over 130 smoke test suites • All the modules & third-party integrations • Deploy verifications • External automated testing • External code review
    11. Release & Deploy • Stakeholder approval • Standardized tools – Capistrano, Chef • Deploy testing – 2-man rule • System segregation – Only Ops has production access
    12. Operate • Continuous compliance monitoring – All systems (prod & non-prod) – Hourly & daily – Halo • Infrastructure security orchestration – Thousands of control/change points enforced hourly (Chef) – Validated by Halo • Continuous risk assessment – Third-party vulnerability testing of all systems
    13. Tool chain: JIRA, git, Chef, Capistrano, Halo. Steps: Initiate → Approve → Implement → Deploy (Infrastructure) → Deploy (App Code) → Update Baselines → Continuous Monitoring, with audit records captured at each step. End-to-end audit trail, built into the agile process… “AGILE ASSURANCE”
    14. Practical SecDevOps Examples • Security automation potential – Cloud APIs have exploded • Latch on to DevOps momentum – Take advantage of change – Make Dev and Ops security stakeholders • Use IFTTT thinking – Channels, Triggers, Actions, Ingredients → Recipes
    15. Practical SecDevOps Automation (diagram)
    16. Practical SecDevOps Automation (diagram) – git-push
    17. Practical SecDevOps Automation (diagram)
    18. Practical SecDevOps Automation (diagram)
    19. SecDevOps in Summary • Old is new – still solving the same problems, but in new ways • DevOps is here – SecDevOps is required • Security automation is here – and is required in the cloud
    20. More Resources – Explore: / Learn: / Start:
    21. Thank you! Q&A
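The IFTTT recipes from the speaker notes and slide 14 (code checked in → run static analysis; firewall policy change → initiate remote scanner; breach → quarantine), together with the hourly compliance check from slide 12 and the audit trail from slide 13, carried through as one small automation engine. This is an added example, not code from the webinar, from CloudPassage or from any of the tools named in the deck; Ruby is used because the deck's own tool chain (Rubocop, Chef, Capistrano) is Ruby. Every name in it (Orchestrator, Recipe, build_orchestrator, the event fields, SECRET_PATTERNS, the control names) is an assumption made for illustration, the credential grep is a stand-in for what Rubocop or Foodcritic would do, and the sample events are constructed.

```ruby
# Added example (not from the slides): an IFTTT-style security automation
# engine. A channel emits an event (the ingredients), a trigger decides whether
# the event fires a recipe, the action runs, and every firing lands in an audit
# trail. All tool names, event shapes and control names here are assumptions.
require 'set'
require 'time'

Event  = Struct.new(:channel, :type, :data, :at)
Recipe = Struct.new(:name, :channel, :trigger, :action) do
  def matches?(event)
    event.channel == channel && trigger.call(event)
  end
end

class Orchestrator
  attr_reader :audit   # one record per firing: the end-to-end audit trail

  def initialize(recipes)
    @recipes, @audit = recipes, []
  end

  # Dispatch one event; returns the names of the recipes that fired.
  def handle(event)
    @recipes.select { |r| r.matches?(event) }.map do |r|
      result = r.action.call(event)
      @audit << { recipe: r.name, channel: event.channel, type: event.type,
                  at: event.at.iso8601, result: result }
      r.name
    end
  end
end

# "If code gets checked in, then run static analysis". A real action would shell
# out to Rubocop/Foodcritic; this stand-in greps the pushed content for
# hard-coded credentials, the finding most worth failing a push on.
SECRET_PATTERNS = {
  'aws_access_key'   => /\bAKIA[0-9A-Z]{16}\b/,
  'password_literal' => /password\s*[:=]\s*['"][^'"]+['"]/i
}.freeze

def run_static_analysis(event)
  findings = []
  event.data[:files].each do |path, content|
    content.each_line.with_index(1) do |line, no|
      SECRET_PATTERNS.each do |kind, re|
        findings << { file: path, line: no, kind: kind } if line.match?(re)
      end
    end
  end
  { status: findings.empty? ? 'pass' : 'fail', findings: findings }
end

# "If firewall policy changes, then initiate remote scanner". Only a change that
# allows traffic from the whole Internet is worth an external scan.
def internet_exposed(event)
  event.data[:rules].select { |r| r[:action] == 'allow' && r[:source] == '0.0.0.0/0' }
end

def request_external_scan(event)
  { scan: 'external', target: event.data[:host],
    ports: internet_exposed(event).map { |r| r[:port] }.uniq.sort }
end

# "If breach, then quarantine". Isolate the host once; a repeat alert for an
# already isolated host is recorded but not re-actioned.
def quarantine_host(event, quarantined)
  host = event.data[:host]
  return { host: host, status: 'already_quarantined' } unless quarantined.add?(host)
  { host: host, status: 'quarantined', rule: "deny all from #{host}" }
end

# "Continuous compliance monitoring": compare an hourly snapshot of control
# points against the approved baseline and report every drifted control.
def check_drift(event, baseline)
  observed = event.data[:controls]
  drift = baseline.reject { |ctl, want| observed[ctl] == want }
                  .map { |ctl, want| { control: ctl, expected: want, observed: observed[ctl] } }
  { host: event.data[:host], status: drift.empty? ? 'compliant' : 'drift', drift: drift }
end

def build_orchestrator(baseline)
  quarantined = Set.new
  Orchestrator.new([
    Recipe.new('static-analysis-on-push', :git, ->(e) { e.type == 'push' },
               method(:run_static_analysis)),
    Recipe.new('scan-on-exposure', :firewall,
               ->(e) { e.type == 'policy_change' && !internet_exposed(e).empty? },
               method(:request_external_scan)),
    Recipe.new('quarantine-on-breach', :ids,
               ->(e) { e.type == 'alert' && e.data[:severity] == 'critical' },
               ->(e) { quarantine_host(e, quarantined) }),
    Recipe.new('drift-on-scan', :scanner, ->(e) { e.type == 'hourly_snapshot' },
               ->(e) { check_drift(e, baseline) })
  ])
end

if __FILE__ == $PROGRAM_NAME
  o = build_orchestrator({ 'sshd.PermitRootLogin' => 'no' })
  p o.handle(Event.new(:git, 'push', { files: { 'db.rb' => "password = 'hunter2'\n" } }, Time.now)), o.audit
end
```

Running the file prints the recipes fired and the audit trail for one constructed push. Three design points are worth noting: the trigger carries the ingredient logic, so a firewall change that only touches internal sources does not fire a scan; the quarantine action is idempotent, so a flood of IDS alerts for one host does not produce a flood of firewall changes; and every firing, including the already-quarantined no-op and a compliant snapshot, is written to the audit trail, which is what slide 13 calls agile assurance.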