How to get the best out of DevSecOps - an operations perspective
Colin Domoney
1. How to Get the Best Out Of DevSecOps - The Operations Perspective
© 2017 VERACODE INC.

2. Introduction

3. About This Webinar
https://www.brighttalk.com/webcast/12807/252395
Colin Domoney, Senior Product Innovation Manager, @colindomoney

4. Further Reading
• Kim, Gene, Kevin Behr, and George Spafford. 2013. The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win.
• Kim, Gene, Patrick Debois, and John Willis. 2016. The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations.
• Beyer, Betsy, Jennifer Petoff, Chris Jones, and Niall Richard Murphy. 2016. Site Reliability Engineering: How Google Runs Production Systems. 1st edition. O'Reilly.
• Humble, Jez, and David Farley. 2010. Continuous Delivery: Reliable Software Releases Through Build, Test, and Deployment Automation.
• '2016 State of DevOps Report'. 2017. Puppet. Accessed January 23. https://puppet.com/resources/white-paper/2016-state-of-devops-report.

5. What is Dev(Sec)Ops

6. A Cultural Clash

7. What is Dev(Sec)Ops?
“DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.”
“DevOps is also characterized by operations staff making use of many of the same techniques as developers for their systems work.”
Source: ‘What Is DevOps?’ 2010. The Agile Admin. August 2. https://theagileadmin.com/what-is-devops/.

8. The First Way: Systems Thinking
The First Way emphasizes the performance of the entire system, as opposed to the performance of a specific silo of work or department.
• Never pass a known defect to a downstream work centre
• Never allow local optimization to create global degradation
• Always seek to increase flow
• Always seek to achieve profound understanding of the system (per Deming)
Source: Kim, Gene. 2012. ‘The Three Ways: The Principles Underpinning DevOps’. IT Revolution. August 22. http://itrevolution.com/the-three-ways-principles-underpinning-devops/.

9. The Second Way: Amplify Feedback Loops
The Second Way is about creating the right-to-left feedback loops.
• Understand and respond to all customers, internal and external
• Shorten and amplify all feedback loops
• Embed knowledge where you need it
Source: Kim, Gene. 2012. ‘The Three Ways: The Principles Underpinning DevOps’. IT Revolution. August 22. http://itrevolution.com/the-three-ways-principles-underpinning-devops/.

10. The Third Way: Continual Experimentation and Learning
The Third Way is about creating a culture that fosters two things: continual experimentation, taking risks and learning from failure; and understanding that repetition and practice is the prerequisite to mastery.
• Allocate time for the improvement of daily work
• Create rituals that reward the team for taking risks
• Introduce faults into the system to increase resilience
Source: Kim, Gene. 2012. ‘The Three Ways: The Principles Underpinning DevOps’. IT Revolution. August 22. http://itrevolution.com/the-three-ways-principles-underpinning-devops/.

11. The Benefits of DevOps
• High-performing organizations are decisively outperforming their lower-performing peers in terms of throughput.
• High performers have better employee loyalty, as measured by employee Net Promoter Score (eNPS).
• Improving quality is everyone’s job.
• High performers spend 50 percent less time remediating security issues than low performers.
• Taking an experimental approach to product development can improve your IT and organizational performance.
• Undertaking a technology transformation initiative can produce sizeable cost savings for any organization.
Source: ‘2016 State of DevOps Report’. 2017. Puppet. Accessed January 23. https://puppet.com/resources/white-paper/2016-state-of-devops-report.

12. DevOps Maturity Model
Initial
• Poor, ad hoc communication
• No automation
• Unpredictable, uncontrolled, reactive process
Managed
• Managed communication, some shared decision making
• Siloed automation, no central infrastructure
• Processes are managed but not standardised
Defined
• Collaboration, shared decision making and accountability
• Central automated processes across the application lifecycle
• Processes are standardised across the organisation
Measured
• Collaboration-based processes are measured to identify inefficiencies and bottlenecks
• Collect and analyse metrics of the automated processes and measure them against the business goals
• Visibility and predictability of entire-process quality and performance
Optimised
• Effective knowledge sharing and individual empowerment
• Self-service automation, self-learning using analytics and self-remediation
• Process risk and cost optimisation

13. The Move to DevOps: Market Trends and Enabling Technologies

14. Before We Had DevOps

15. Cloud Technology and CI/CD Platforms

16. Configuration Management Tools

17. What Makes a Good DevSecOps Solution?
• Fail quickly, through automation: provide security feedback as early as possible, in DevOps tools
• Limit time-to-market impact: ease of use, actionable findings, speed, low false positives (FPs)
• Support team autonomy with enterprise orchestration: provide privacy early in the SDLC; measure and assess teams, compliance and risk later
• Adapt to the latest practices and technologies: microservices, Infrastructure as Code, leading-edge languages and frameworks, containerization
• Support a culture of learning and openness: developer communities, small consumable courses, open documentation, integrations in marketplaces
• Provide operational visibility: provide feedback from Ops (Prod and QA) about risks and attacks in a way that is consumable by development

18. The Impact to Operations

19. Three Cornerstones
• Collaboration
– Very little crossover between teams, specific roles and responsibilities
– Collaborate flexibly through flexible tools (e.g. Slack)
• Flexibility
– Previously focused on stability over everything else
– Modern organisations need to be flexible and responsive
• Automation
– Manual changes cannot keep pace with the rapid turnaround times required
– Frees up resources for critical-thinking tasks and problem solving

20. “Infrastructure as Code”
https://puppet.com/blog/what-is-infrastructure-as-code

21. Site Reliability Engineering - It’s All Software Now
• Defined by Ben Treynor: "what happens when a software engineer is tasked with what used to be called operations."
• The ideal SRE candidate is a coder who also has operational and systems knowledge and likes to whittle down complex tasks.
• SREs typically spend their time as follows:
– up to 50% of their time doing "ops"-related work
– up to 50% of their time on development tasks such as new features, scaling or automation
https://en.wikipedia.org/wiki/Site_reliability_engineering

22. Best Practices for Securing Operations

23. Control Your Source Code Repositories
• Continuous Deployment means any code checked in can potentially reach production within minutes
• Best practices include:
– Splitting repositories
– Using Perforce for fine-grained control
– Performing peer reviews on ‘pull requests’ to critical code

24. Protect Your Deployment Pipeline
• Continuous Deployment means that your pipeline is a critical piece of infrastructure
• Best practices include:
– Hardening CI/CD systems to prevent compromise
– Reviewing changes to prevent execution of unwanted code
– Testing for suspicious API calls in unit tests or scripts
– Ensuring CI/CD runs in isolated containers
– Ensuring VCS credentials are ‘read only’
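One way to act on "testing for suspicious API calls in unit tests or scripts" as a pipeline gate. This is an added example, not code from the deck or from Veracode: it walks the Python AST of a test module before CI executes it and reports calls a unit test has no business making, resolving import aliases so renaming a module does not hide the call. The flagged-call list and the sample test module are constructed assumptions.

```python
"""Scan a unit-test file or build helper for API calls it has no reason to
make before the CI/CD pipeline executes it. Added example, not code from the
deck or from Veracode; the flagged-call list and the sample file are
constructed for illustration."""
import ast
from typing import Dict, List, Tuple

# Calls that are out of place in a unit test: spawning processes, opening
# network connections, evaluating dynamic code, loading native libraries.
# Assumed list for this example; extend it for the code base you protect.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_output", "eval", "exec",
    "socket.socket", "urllib.request.urlopen", "requests.get",
    "requests.post", "ctypes.CDLL",
}

Finding = Tuple[str, int, str]  # (filename, line number, resolved call name)


def _dotted_name(node: ast.AST) -> str:
    """Rebuild a dotted call target such as 'subprocess.run' from the AST.
    Returns '' for targets that are not plain names (e.g. foo().bar())."""
    parts: List[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _import_aliases(tree: ast.AST) -> Dict[str, str]:
    """Map local names to what they really refer to, so 'import subprocess
    as sp' and 'from os import system' cannot hide a call."""
    aliases: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.asname:
                    aliases[alias.asname] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return aliases


def find_suspicious_calls(source: str, filename: str = "<test>") -> List[Finding]:
    """Return every call in `source` whose resolved name is in
    SUSPICIOUS_CALLS, ordered by line number."""
    tree = ast.parse(source, filename=filename)
    aliases = _import_aliases(tree)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if not name:
            continue
        head, _, rest = name.partition(".")
        if head in aliases:  # resolve the alias back to the real module path
            name = aliases[head] + ("." + rest if rest else "")
        if name in SUSPICIOUS_CALLS:
            findings.append((filename, node.lineno, name))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample: a test module whose second test shells out and reaches
# the network, which a pipeline gate should reject before running it.
SAMPLE_TEST_FILE = """\
import unittest
import subprocess as sp
from os import system


class TestPricing(unittest.TestCase):
    def test_total(self):
        self.assertEqual(2 + 2, 4)

    def test_setup(self):
        sp.run(["curl", "-s", "https://example.invalid/setup"])
        system("printenv")
"""


def scan_sample() -> List[Finding]:
    """Run the scanner over the constructed sample module."""
    return find_suspicious_calls(SAMPLE_TEST_FILE, "test_pricing.py")


if __name__ == "__main__":
    for path, line, call in scan_sample():
        print(f"{path}:{line}: suspicious call {call}")
```

The scanner only sees static call targets; dynamic dispatch (getattr, importlib) needs the sandboxed, read-only-credential execution the slide also lists.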
25. Using Security Testing Tools
• Behavioural Driven Development Security Testing
• IDE Integrations for Security Testing

26. Integrate Security Into Your Deployment Pipeline - VSTS/TFS

27. Integrate Security Into Your Deployment Pipeline - Jenkins

28. Security Telemetry in Applications
• Record all security-relevant events such as:
– Successful and unsuccessful logins
– User password resets
– User e-mail address resets
– User credit card changes
• Monitor changes in the ratio of successes to failures
• Alert on events such as:
– Anomalous behaviour
– Sudden changes in values

29. Security Telemetry in the Environment
• Monitor environmental items and events such as:
– OS changes
– Security group changes
– Changes to configurations
– Cloud infrastructure changes
– Web server errors

30. Use the Right Tool for the Job
https://www.slideshare.net/YuryChemerkin/zane-lackey-security-at-scale-web-application-security-in-a-continuous-deployment-environment

31. Use the Right Tool for the Job
https://www.slideshare.net/YuryChemerkin/zane-lackey-security-at-scale-web-application-security-in-a-continuous-deployment-environment

32. Case Study: Security Telemetry at Etsy
• Nick Galbreath (Director of Engineering at Etsy, 2010):
– No dedicated fraud control or Infosec team
– Embedded telemetry within the entire DevOps value stream
– Everyone was responsible for monitoring and alerting
• Example events:
– Abnormal program termination (segfaults)
– Database syntax errors
– Indications of SQL attack
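The two telemetry ideas above, the success-to-failure ratio monitoring from slide 28 and the Etsy-style zero-tolerance events from slide 32, worked through over application log lines. This is an added example, not code from the deck, Veracode or Etsy: the log format, thresholds and sample lines are constructed assumptions.

```python
"""Security telemetry over application log lines: login failure ratio per
window against a rolling baseline, plus events that should never occur.
Added example; log format, thresholds and sample data are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumed line format: ISO-8601 UTC timestamp, event name, free-form fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) "
    r"(?P<event>login_success|login_failure|password_reset|email_change|"
    r"db_syntax_error|segfault)\b"
)
WINDOW_SECONDS = 60
# Events that should never occur under normal operation; any occurrence is
# reported, following the Etsy example events on the slide above.
ZERO_TOLERANCE = ("db_syntax_error", "segfault")

Alert = Tuple[str, str, str]  # (window start, alert kind, detail)


def parse_line(line: str) -> Optional[Tuple[int, str]]:
    """Return (window start as epoch seconds, event name) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(ts.timestamp())
    return epoch - epoch % WINDOW_SECONDS, m.group("event")


def aggregate(lines: List[str]) -> Dict[int, Dict[str, int]]:
    """Count events per window; unparseable lines are ignored."""
    counts: Dict[int, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            window, event = parsed
            counts[window][event] += 1
    return counts


def failure_ratio(counts: Dict[str, int]) -> float:
    """Share of login attempts in a window that failed (0.0 when none)."""
    total = counts.get("login_success", 0) + counts.get("login_failure", 0)
    return counts.get("login_failure", 0) / total if total else 0.0


def detect(lines: List[str], ratio_multiplier: float = 3.0, min_failures: int = 5) -> List[Alert]:
    """Walk windows in order; alert on zero-tolerance events and on a login
    failure ratio that jumps against the rolling baseline. A window that
    triggers a ratio alert is kept out of the baseline so an ongoing attack
    does not normalise itself."""
    alerts: List[Alert] = []
    baseline_ratios: List[float] = []
    per_window = aggregate(lines)
    for start in sorted(per_window):
        counts = per_window[start]
        label = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        for event in ZERO_TOLERANCE:
            if counts.get(event):
                alerts.append((label, event, f"{counts[event]} occurrence(s)"))
        ratio = failure_ratio(counts)
        failures = counts.get("login_failure", 0)
        flagged = False
        if baseline_ratios and failures >= min_failures:
            baseline = sum(baseline_ratios) / len(baseline_ratios)
            # No failures in the baseline means any burst is a change.
            if baseline == 0.0 or ratio >= baseline * ratio_multiplier:
                flagged = True
                alerts.append((label, "login_failure_ratio",
                               f"ratio {ratio:.2f} vs baseline {baseline:.2f}"))
        if not flagged:
            baseline_ratios.append(ratio)
    return alerts


def constructed_sample() -> List[str]:
    """Constructed sample log (not real data): two quiet minutes, then a
    minute with a burst of failed logins and a database syntax error."""
    lines: List[str] = []

    def add(minute: int, event: str, n: int, extra: str) -> None:
        for i in range(n):
            lines.append(f"2017-03-01T10:{minute:02d}:{i % 60:02d}Z {event} {extra}")

    add(0, "login_success", 20, "user=alice")
    add(0, "login_failure", 1, "user=bob")
    add(1, "login_success", 18, "user=carol")
    add(1, "login_failure", 2, "user=dave")
    add(2, "login_success", 5, "user=erin")
    add(2, "login_failure", 30, "user=admin")
    add(2, "db_syntax_error", 1, "query_id=constructed-1")
    return lines
```

Running `detect(constructed_sample())` yields one alert for the database syntax error and one for the failure-ratio jump, both in the 10:02 window; the quiet second minute stays below `min_failures` and is not reported.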
33. Automated Dashboards - “Measure All The Things”

34. “Security Is Not A Binary Event”
https://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security

35. Logging for Security
• Logs are the ‘bread and butter’ of an IT Operations team
• Challenges when used in a security context:
– Delayed response to identify issues (delays in alerting)
– Limited data (no POST body, no header data)
– Limited context (disparate events in several locations)
Source: Phillip Maddux, https://medium.com/@foospidy

36. Destructive Testing / Chaos Engineering
Chaos Engineering is the discipline of experimenting on a distributed system in order to build confidence in the system’s capability to withstand turbulent conditions in production. Four steps:
• Build a hypothesis around steady-state behaviour.
• Vary real-world events.
• Run experiments in production.
• Automate experiments to run continuously.
“The best way to avoid failure is to fail constantly.” - Jeff Atwood

37. Case Study: Netflix

38. Operating System Hardening
• Disable unused and/or guest accounts
• Run at the level of least privilege
• Disable unused services
• Ensure automatic updates are enabled
• Ensure strong passwords are used
• Disable overly verbose logging
• Ensure backups are performed

39. Runtime Application Self Protection
What is RASP?
• An ‘agent’ that executes in parallel with an application and provides run-time protection by monitoring traffic through the application.
• Tracks data propagation through the application to determine whether input data is ‘tainted’ during its lifetime.
• If data is tainted then it is possible that the application is under attack, and the agent can then protect the application at run-time.
Benefits of RASP
• Very low false positives and false negatives.
• Requires no modification to application source code.
• Can report attack information into a SIEM.
• Can be deployed onto legacy applications and platforms.
• Can execute in ‘monitor’ or ‘alert’ mode to identify attacks without protecting the application (IAST).
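The taint-propagation idea behind RASP, reduced to a runnable toy: request input carries a taint mark through string operations, and a guarded SQL sink either records the event (monitor mode, the IAST-style use above) or blocks it. This is an added example, not code from the deck or from any RASP product; the `Tainted` type, `RaspAgent` and the two query builders are constructed for illustration, and a real agent instruments the runtime so every string operation propagates taint rather than the handful overridden here.

```python
"""Toy runtime taint tracking in the style of a RASP agent. Added example,
not code from the deck or any RASP product: Tainted, RaspAgent and the query
builders are constructed. Covers concatenation, slicing and a few str
methods only; f-strings and ''.join() would drop the mark in this toy."""
from typing import Any, List, Tuple


class Tainted(str):
    """A str that originated outside the trust boundary (request input).
    The overrides keep the mark alive through common string operations."""

    def __add__(self, other: Any) -> "Tainted":
        return Tainted(str.__add__(self, other))

    def __radd__(self, other: Any) -> "Tainted":
        # Python tries the subclass's reflected method first, so
        # "literal" + tainted also yields a Tainted result.
        return Tainted(str.__add__(other, self))

    def __getitem__(self, key: Any) -> "Tainted":
        return Tainted(str.__getitem__(self, key))

    def upper(self) -> "Tainted":
        return Tainted(str.upper(self))

    def lower(self) -> "Tainted":
        return Tainted(str.lower(self))

    def strip(self, chars: Any = None) -> "Tainted":
        return Tainted(str.strip(self, chars))

    def replace(self, old: str, new: str, count: int = -1) -> "Tainted":
        return Tainted(str.replace(self, old, new, count))


class TaintedSinkError(Exception):
    """Raised in block mode when tainted data reaches a protected sink."""


class RaspAgent:
    """Guards sinks. mode='monitor' records the event and lets the call
    through; mode='block' stops it."""

    def __init__(self, mode: str = "block") -> None:
        if mode not in ("monitor", "block"):
            raise ValueError("mode must be 'monitor' or 'block'")
        self.mode = mode
        self.events: List[Tuple[str, str]] = []  # what would go to a SIEM

    def guard_sql(self, query: str, params: Tuple[Any, ...] = ()) -> str:
        """Sink check for a SQL execute call. The query *template* must not
        carry taint; tainted values are fine as bound parameters because
        the driver never interprets them as SQL. Returns 'allowed' or
        'monitored', or raises TaintedSinkError in block mode."""
        if not isinstance(query, Tainted):
            return "allowed"
        self.events.append(("sql_injection_suspected", str(query)))
        if self.mode == "block":
            raise TaintedSinkError("tainted data reached SQL sink")
        return "monitored"


def check(agent: RaspAgent, query: str, params: Tuple[Any, ...] = ()) -> str:
    """Wrapper that maps the block-mode exception to the string 'blocked'."""
    try:
        return agent.guard_sql(query, params)
    except TaintedSinkError:
        return "blocked"


def build_query_unsafe(username: str) -> str:
    """Builds the statement by concatenation: taint flows into the template."""
    return "SELECT id FROM users WHERE name = '" + username.strip() + "'"


def build_query_safe(username: str) -> Tuple[str, Tuple[str, ...]]:
    """Keeps the template constant and passes the input as a parameter."""
    return "SELECT id FROM users WHERE name = ?", (username.strip(),)


if __name__ == "__main__":
    user_input = Tainted("  alice  ")  # constructed request parameter
    monitor = RaspAgent(mode="monitor")
    print(check(monitor, build_query_unsafe(user_input)))  # monitored
    print(check(monitor, *build_query_safe(user_input)))  # allowed
    print(check(RaspAgent("block"), build_query_unsafe(user_input)))  # blocked
    print(monitor.events)
```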
40. Change Management Process
• The ITIL change management process defines three types of change:
– Standard (low-risk, follows a standard process, can be automated)
– Normal (requires approval by the CAB, manual process)
– Emergency (high-priority CAB)
• Too many changes are classified as ‘normal’
• DevOps best practice suggests:
– Try to make as much as possible ‘standard’ and auto-approve
– Optimise the CAB process for requests that remain ‘normal’

41. Make a Commitment
Security is Everyone’s Responsibility
• Learn how to code!
• Learn the ‘tools of the trade’ (Git, Ansible, etc.)
• Learn the basics with a test application, e.g. WebGoat.Net
• Learn how a Version Control System works
• Automate a repetitive task
• Experience a ‘Day in the Life’ of a Developer

42. Thank You!