Successfully reported this slideshow.

Devops, Secops, Opsec, DevSec *ops *.* ?

18

Share

Jan. 26, 2012
18 likes 21,039 views
Upcoming SlideShare
DevOps & Security: Here & Now
DevOps & Security: Here & Now
Loading in …3
×
1 of 56
1 of 56

Devops, Secops, Opsec, DevSec *ops *.* ?

Jan. 26, 2012
18 likes 21,039 views

18

Share

Download to read offline

Technology Business

What's devops, and why does it matter for Security folks.
My talk for the OWASP BE Chapter

What's devops, and why does it matter for Security folks.
My talk for the OWASP BE Chapter

Technology Business

Recommended

More Related Content

Viewers also liked

Integrating DevOps and Security
Stijn Muylle
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
Automating security tests for Continuous Integration
Stephen de Vries
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon
DevSecCon Tel Aviv 2018 - Value driven threat modeling by Avi Douglen
DevSecCon
Continuous integration
hugo lu
Security Implications for a DevOps Transformation
DevOps.com
DevSecOps
Cheah Eng Soon
Standardizing Jenkins with CloudBees Jenkins Team
Deborah Schalm
Continuous Delivery
Vishal Sahasrabuddhe
DevOps, Common use cases, Architectures, Best Practices
Shiva Narayanaswamy
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
DevSecCon
Software architecture in a DevOps world
Bert Jan Schrijver
Software architecture in a DevOps world
Bert Jan Schrijver
BsidesMCR_2016-what-can-infosec-learn-from-devops
James '​-- Mckinlay
Continuous integration, delivery & deployment
Martijn van der Kamp
OWASP DefectDojo - Open Source Security Sanity
Matt Tesauro
Debugging distributed systems
Bert Jan Schrijver
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro

Similar to Devops, Secops, Opsec, DevSec *ops *.* ?

Devops Devops Devops, at Froscon
Kris Buytaert
Devops, the future is here it's not evenly distributed yet
Kris Buytaert
Devops is not about Tooling
Kris Buytaert
Let's bring the teams back together
Kris Buytaert
Dev secops opsec, devsec, devops ?
Kris Buytaert
Devops For Drupal
Kris Buytaert
Development Doesn't Stop at the Last Commit
Kris Buytaert
Devops 4 Saas
Kris Buytaert
Devops is a Security Requirement
Kris Buytaert
Drupal and Devops , the Survey Results
Kris Buytaert
No, we can't do continuous delivery
Kris Buytaert
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Nick Galbreath
Devops - why, what and how?
Malinda Kapuruge
DevOps, beyond agile
Julien Pivotto
From devoops to devops
Kris Buytaert
JavaOne 2015 - Swimming upstream in the container revolution
Bert Jan Schrijver
DevOps, Performance Optimization and the Green Life with Magento
Luis Tineo
Fixing security by fixing software development
Nick Galbreath
DevOps, Cloud, and the Death of Backup Tape Changers
ke4qqq
CI/CD For The Enterprise
Patrick Easters

More from Kris Buytaert

Pipeline all the Dashboards as Code
Kris Buytaert
Help , My Datacenter is on fire
Kris Buytaert
GitOps , done Right
Kris Buytaert
Devops is Dead, Long live Devops
Kris Buytaert
10 years of #devopsdays, but what have we really learned ?
Kris Buytaert
Continuous Infrastructure First
Kris Buytaert
Is there a Future for devops ?
Kris Buytaert
10 Years of #devopsdays weirdness
Kris Buytaert
ADDO 2019: Looking back at over 10 years of Devops
Kris Buytaert
Can we fix dev-oops ?
Kris Buytaert
Continuous Infrastructure First Ignite Edition
Kris Buytaert
Continuous Infrastructure First
Kris Buytaert
Open Source Monitoring in 2019
Kris Buytaert
Migrating to Puppet 5
Kris Buytaert
Repositories as Code
Kris Buytaert
Is there a future for devops ?
Kris Buytaert
Deploying your SaaS stack OnPrem
Kris Buytaert
Looking back at 5 years of #cfgmgmtcamp
Kris Buytaert
Pipeline as code for your infrastructure as Code
Kris Buytaert
Automating MySQL operations with Puppet
Kris Buytaert

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Believe IT: How to Go from Underestimated to Unstoppable Jamie Kern Lima
(4.5/5)
Free
We Should All Be Millionaires: A Woman’s Guide to Earning More, Building Wealth, and Gaining Economic Power Rachel Rodgers
(4.5/5)
Free
Authentic: A Memoir by the Founder of Vans Louise Maclellan
(4.5/5)
Free
Made in China: A Prisoner, an SOS Letter, and the Hidden Cost of America's Cheap Goods Amelia Pang
(4.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
Spooked: The Trump Dossier, Black Cube, and the Rise of Private Spies Barry Meier
(4/5)
Free
Second Nature: Scenes from a World Remade Nathaniel Rich
(5/5)
Free
Test Gods: Virgin Galactic and the Making of a Modern Astronaut Nicholas Schmidle
(5/5)
Free
Driven: The Race to Create the Autonomous Car Alex Davies
(4.5/5)
Free
Dignity in a Digital Age: Making Tech Work for All of Us Ro Khanna
(4/5)
Free
Einstein's Fridge: How the Difference Between Hot and Cold Explains the Universe Paul Sen
(4.5/5)
Free
After Steve: How Apple Became a Trillion-Dollar Company and Lost its Soul Tripp Mickle
(4.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4.5/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free

Devops, Secops, Opsec, DevSec *ops *.* ?

  1. Devops, Secops, Opsec, DevSec *ops *.* ? Kris Buytaert OWASP Belgium
  2. Kris Buytaert ● I used to be a Dev, ● Then Became an Op ● Even did Security (OSSTM etc) ● Chief Trolling Officer and Open Source Consultant @inuits.eu ● Everything is an effing DNS Problem ● Building Clouds since before the bookstore ● Some books, some papers, some blogs ● But mostly, trying to be good at my job
  3. Devop, definition ● 30 something ● Senior Infrastructure guy ● Development background ● Open Source Expcerience ● Mostly European (.be / .uk) ● Likes Belgian Beer ● Likes Sushi
  4. What's this Devops thing really about ?
  5. World , 200X-2009 Patrick Debois, Gildas Le Nadan, Andrew Clay Shafer, Kris Buytaert, Jezz Humble, Lindsay Holmwood, John Willis, Chris Read, Julian Simpson, and lots of others .. Gent , October 2009 Mountain View , June 2010 Hamburg , October 2010 Boston, March 2011 Mountain View, June 2011 Bangalore, Melbourne, Goteborg , October 2011
  6. ● Devops is a growing movement ● We don't have all the answers yet ● We are reaching out to different communities ● We will point out problems we see.. ● Only the name is new While we are still working out the solutions
  7. What's the problem ? The community of developers whose work you see on the Web, who probably don’t know what ADO or UML or JPA even stand for, deploy better systems at less cost in less time at lower risk than we see in the Enterprise. This is true even when you factor in the greater flexibility and velocity of startups. Tim Bray , on his blog January 2010
  8. ● Adopt the new philosophy. We are in a new economic age. Western management must awaken to the challenge, must learn their responsibilities, and take on leadership for change. ● Cease dependence on inspection to achieve quality. Eliminate the need for massive inspection by building quality into the product in the first place. ● Improve constantly and forever the system of production and service, to improve quality and productivity, and thus constantly decrease costs. ● Institute training on the job. ● Institute leadership The aim of supervision should be to help people and machines and gadgets do a better job. ● Drive out fear, so that everyone may work effectively for the company. ● Break down barriers between departments. People in research, design, sales, and production must work as a team, in order to foresee problems of production and usage that may be encountered with the product or service. ● Eliminate slogans, exhortations, and targets for the work force asking for zero defects and new levels of productivity. Such exhortations only create adversarial relationships, as the bulk of the causes of low quality and low productivity belong to the system and thus lie beyond the power of the work force. ● Eliminate management by objective. Eliminate management by numbers and numerical goals. Instead substitute with leadership. ● Remove barriers that rob the hourly worker of his right to pride of workmanship. The responsibility of supervisors must be changed from sheer numbers to quality. ● Remove barriers that rob people in management and in engineering of their right to pride of workmanship. ● Institute a vigorous program of education and self-improvement. ● Put everybody in the company to work to accomplish the transformation. The transformation is everybody's job.
  9. William Edwards Deming 1986, Out of the Crisis. http://en.wikipedia.org/wiki/W._Edwards_Deming
  10. CAMS ● Culture ● Automation ● Measurement ● Sharing Damon Edwards and John Willis
  11. “DevOps is a cultural and professional movement” Adam Jacob
  12. How did we get here ?
  13. The Old Days ● “Put this Code Live, here's a tarball” NOW! ● What dependencies ? ● No machines available ? ● What database ? ● Security ? ● High Availability ? ● Scalability ? ● My computer can't install this ?
  14. Devs vs Ops
  15. People hate Sysadmins Because •They slow stuff down •The say no •They say no again •They refuse to break stuff •They care about uptime •They don't care about fancy new features
  16. People hate Security Officers Because •They slow stuff down •The say no •They say no again •They refuse to leave holes open •They care about security •They don't care about fancy new features •Security Officers have an expiry date
  17. 10 days into operation ● What High Load ? What Memory usage ? ● Are these Logs ? Or this is actualy customer data ? ● How many users are there , should they launch 100 queries each ?? Oh we're having 10K users ● Why is debugging enabled ? ● Who wrote this ?
  18. 11 days into operations
  19. 12 days into operations
  20. 13 days into operations
  21. We can solve this ! ● We are not here to block ● Some people think the Security / Operations work starts on deployment ● It starts much earlier ● Start talking asap
  22. Talk about Non functional Reqs NOW! ● Security ● Backups ● High Availability ● Upgradability ● Deployment ● Monitoring ● Scale
  23. Breaking the Silos Devs Ops Getting Along
  24. Nirvana An “ecosystem” that supports continuous delivery, from infrastructure, data and configuration management to business. Through automation of the build, deployment, and testing process, and improved collaboration between developers, testers, and operations, delivery teams can get changes released in a matter of hours — sometimes even minutes–no matter what the size of a project or the complexity of its code base. Continuous Delivery , Jez Humble
  25. How many times a day ? ● 10 @ Flickr ● Deployments used to be pain ● Nobody dared to deploy a site ● Practice makes perfect ● Knowing you can vs constantly doing it
  26. " Our job as engineers (and ops, dev-ops, QA, support, everyone in the company actually) is to enable the business goals. We strongly feel that in order to do that you must have the ability to deploy code quickly and safely. Even if the business goals are to deploy strongly QA’d code once a month at 3am (it’s not for us, we push all the time), having a reliable and easy deployment should be non-negotiable." Etsy Blog upon releasing Deployinator http://codeascraft.etsy.com/2010/05/20/quantum-of-deployment/
  27. How do we get there ?
  28. CI Tools ● Hudson ● Jenkins •A zillion plugins ● Make your builds reproducible ! ● Test your (Puppet/Chef/CFengine)
  29. Todays Enviroments For Devs For Ops ● Scrum ● Kanban ● Version Control ● Version Control ● Automated Build ● Automated Build ● Bugtracking ● Bugtracking ● Continous integration ● Continous integration ● Integrated testing ● Integrated testing ● Automated ● Automated deployment deployment
  30. Everybody is a developer ● Yes we write code also •Httpd.conf, squid.conf, my.cnf •Just crappy languages :) •Shell, perl, ruby, python, puppet ● Everyone is a developer these days •Automate your infrastructure ! ● So those rules apply for Everyone
  31. Deploying ● Automated Deployments ● “If my computer can't install it , the installer is borken” Luke at Fosdem (200X) ● Reproducable ● Think: •Kickstart, FAI, Preseeding, SystemImager Suite
  32. Looking for ? “As a system administrator, I can tell when software vendors hate me. It shows in their products.” “DON'T make the administrative interface a GUI. System administrators need a command-line tool for constructing repeatable processes. Procedures are best documented by providing commands that we can copy and paste from the procedure document to the command line. We cannot achieve the same repeatability when the instructions are: "Checkmark the 3rd and 5th options, but not the 2nd option, then click OK." Sysadmins do not want a GUI that requires 25 clicks for each new user.” Thomas A. Limoncelli in ACM Queue December 2010 http://queue.acm.org/detail.cfm?id=1921361
  33. How do security tools score ? ● Very little (security) vendors succeed at this ● Automation is key ● Plenty of #Fail
  34. Configuration Mgmt ● Configure 1000 nodes, ● Modify 2000 files, ● Together ● Think : •Cfengine,Puppet, Chef ● Put configs under version control ● Please don't roll your own ...
  35. So eh .. Security ? ● Version control => Auditing ● CI => Add security IN the pipeline ● Configuration Mgmt •Policy Definition •Auditing & Enforcing ● Monitoring
  36. Puppet in Action
  37. Deployment isn't the End
  38. Orchestration ● Manage 1000 nodes, ● Trigger •Upgrades •Config Runs •Service Changes ●Think : •Mcollective •Noah •Rundeck
  39. High Availabilty
  40. Scalability
  41. Monitor
  42. But Monitoring Stinks ! ● #monitoringsucks trending ● https://github.com/monitoringsucks/ ● 2008 Study :Nagios + Friends ● 2011 Conclusion : Nagios/Icinga are the only automatable alternatives ● Monitoring and trending at Scale , new kids Graphite, flapjack, etc ● What about Logging ? : Logstash, Graylog2
  43. Logstash in Action
  44. Devop, definition ● There is no definition ● It certainly isn't a person ● No strict rules ● No strict tools ● It's not even new ● If you aren't doing it already ... ... you are doing it wrong
  45. Debunking the Critics Security not included ? Everyone is Included: security, dba, devs, ops, designer, analysts, We are solving a busines problem, Not a technology problem
  46. *ops *.*
  47. It's not about the tools It's about change It's about the people
  48. Surviving the test ! ● After 7+ years of preaching I`m not alone anymore ● Devops, a new Movement ! ● Join the movement ! •Devopsdays.org •Agile System Adminstration GoogleGroups
  49. Contact Kris Buytaert Kris.Buytaert@inuits.be Further Reading @krisbuytaert http://www.krisbuytaert.be/blog/ http://www.inuits.be/ Inuits 't Hemeltje Duboistraat 50 2060 Antwerpen Belgium 891.514.231 +32 475 961221

×