
DevSecOps: The Evolution of DevOps


Have you ever asked yourself the following questions:
What does DevSecOps mean?
How is it different from DevOps?
What can we learn from the DevOps movement?

Presentation by James Betteley, who shares his experience of shaping DevOps and what he foresees will happen with DevSecOps.

Published in: Technology


  1. DevSecOps: The Evolution of DevOps. Or how I learned to start worrying and love security. @jamesbetteley
  2. Who is this guy? @jamesbetteley
  3. What I'm going to talk about:
     ● What I mean by DevSecOps, and how we messed up DevOps
     ● What'll inevitably happen next
     ● How we can influence the future of DevSecOps
     ● Who's going to need DevSecOps
     ● How we're doing it right now
     ● The challenges we face
  4. How we messed up DevOps
  5. DevSecOps means... "Developers, testers, security architects, infrastructure, DBAs and many others collaborating to design, build, validate, deploy, operate and maintain software in a rapid, reliable, repeatable and secure fashion"
  6. DevSecOps doesn't mean (just)...
     ● Compliance as code
     ● Security testing in your CD pipeline
     (These are tooling; on their own they are not DevSecOps.)
  7. Where is DevSecOps right now...
  8. What'll happen next...
     ● DevSecOps tooling
     ● DevSecOps engineers
     ● DevSecOps as a service
     ● DevSecOps frameworks
     ● DevSecOps Handbook
  9. The future of DevSecOps: "Our number one objective should be to educate the software delivery community on the importance of Security, and to help them adopt best practices for ensuring Security is baked into our applications and processes"
  10. DevSecOps isn't necessary, it's inevitable!
  11. How we're doing DevSecOps: Contino's approach to applying DevSecOps in large, regulated enterprises.
  12. We look at...
      ➔ People changes
        ◆ Upskilling
        ◆ Communities of practice
        ◆ Leadership & coaching
        ◆ Cross-functional delivery teams with security SMEs embedded
      ➔ Process changes
        ◆ Security & operability as first-class citizens
        ◆ Security & operability stories on the backlog
        ◆ Security testing owned by the dev domain
      ➔ Technology changes
        ◆ Security testing in the CD pipeline
        ◆ IAST
        ◆ SAST & DAST
        ◆ Dependency scanning
  13. Building DevSecOps teams
  14. Who needs DevSecOps
  15. Challenges...
      ● Large, regulated organisations NEED DevSecOps
      ● This doesn't mean they're READY for DevSecOps
      ● Org structures make DevSecOps very hard to achieve
      ● Existing cultures and empires are hard to break down
      ● It's as hard as selling Agile and DevOps
  16. On selling DevSecOps...
      ● Cost reduction: security issues are detected and fixed during development, when they are cheapest to fix.
      ● Speed of delivery increases as security bottlenecks (late manual reviews, sign-off gates) are minimised or eliminated.
      ● Speed of recovery is enhanced, because rebuilding from code is faster than repairing by hand.
      ● Enhanced monitoring and auditing leads to improved threat hunting.
      ● Immutable infrastructure reduces attack vectors: servers are rebuilt from code rather than patched in place, which removes configuration drift and increases automation and code coverage.
      ● Supports the 'secure by design' principle through automated security review of code.
      ● Creates targeted customer value through secure iterative innovation at speed and scale.
      ● Security is federated and becomes the responsibility of everyone, not just a specialised team or an individual.
      ● DevSecOps fosters a culture of openness and transparency from the earliest stages of development.
      ● Increased sales, as it is much easier to sell a demonstrably secure product.
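Slide 12's technology changes (security testing in the CD pipeline, SAST/DAST/IAST, dependency scanning) only change anything if the pipeline acts on the results, and slide 6's warning is that bolting scanners on is not the same as DevSecOps. The following is an added example for this page, not code from the presentation or from Contino: a small pipeline gate that turns scanner findings into a pass/fail decision with time-boxed, location-specific risk acceptances instead of blanket suppressions. It assumes the scanner output has already been normalised into `Finding` records (real tools emit SARIF or tool-specific JSON), and every rule and advisory identifier in the sample data is a constructed placeholder.

```python
"""Pipeline security gate: decide whether a build may proceed.

Added example for this page, not code from the presentation or from Contino.
Assumptions: scanner output has already been normalised into `Finding`
records (real tools emit SARIF, pip-audit/npm-audit JSON, etc.), and accepted
risks live in a reviewed file in the repository. All identifiers below are
constructed placeholders, not real advisories.
"""
import sys
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
TODAY = date(2025, 6, 1)  # pinned so the worked example is reproducible


@dataclass(frozen=True)
class Finding:
    source: str    # scanner stage: "sast", "dast", "iast" or "deps"
    rule_id: str   # scanner rule id or advisory id (placeholders here)
    location: str  # "path:line" for code, "package==version" for deps
    severity: str  # one of SEVERITY_RANK; anything else fails closed


@dataclass(frozen=True)
class AcceptedRisk:
    rule_id: str
    location: str  # must match the finding exactly: no blanket suppressions
    expires: date  # every exception is time-boxed and reviewed on renewal
    reason: str


@dataclass
class GateResult:
    blocking: list = field(default_factory=list)  # unaccepted findings
    accepted: list = field(default_factory=list)  # (finding, risk) pairs
    expired: list = field(default_factory=list)   # (finding, risk) pairs

    @property
    def passed(self) -> bool:
        # An expired exception blocks again: the risk was accepted for a
        # fixed period, not forever.
        return not self.blocking and not self.expired


def evaluate(findings, accepted_risks, today=TODAY, threshold="high"):
    """Every finding at or above `threshold` must be fixed or covered by an
    unexpired AcceptedRisk whose rule and location both match."""
    index = {(r.rule_id, r.location): r for r in accepted_risks}
    unknown = max(SEVERITY_RANK.values())  # unrecognised severity -> treat as critical
    result = GateResult()
    for f in findings:
        if SEVERITY_RANK.get(f.severity.lower(), unknown) < SEVERITY_RANK[threshold]:
            continue  # below the gate threshold: reported, but does not block
        risk = index.get((f.rule_id, f.location))
        if risk is None:
            result.blocking.append(f)
        elif risk.expires < today:
            result.expired.append((f, risk))
        else:
            result.accepted.append((f, risk))
    return result


def format_report(result) -> str:
    """Human-readable summary for the pipeline log."""
    lines = [f"GATE {'PASSED' if result.passed else 'FAILED'}"]
    for f in result.blocking:
        lines.append(f"  BLOCK   {f.source:4} {f.severity:8} {f.rule_id} @ {f.location}")
    for f, r in result.expired:
        lines.append(f"  EXPIRED {f.source:4} {f.severity:8} {f.rule_id} @ {f.location} (accepted until {r.expires})")
    for f, r in result.accepted:
        lines.append(f"  ACCEPT  {f.source:4} {f.severity:8} {f.rule_id} @ {f.location} ({r.reason})")
    return "\n".join(lines)


# Constructed sample input standing in for one pipeline run.
SAMPLE_FINDINGS = [
    Finding("sast", "sql-string-concat", "app/db.py:42", "high"),
    Finding("sast", "hardcoded-secret", "app/settings.py:7", "critical"),
    Finding("sast", "debug-enabled", "app/settings.py:3", "low"),
    Finding("deps", "EXAMPLE-ADVISORY-1", "examplelib==1.2.3", "high"),
    Finding("deps", "EXAMPLE-ADVISORY-2", "otherlib==0.9.0", "medium"),
]
SAMPLE_ACCEPTED = [
    AcceptedRisk("hardcoded-secret", "app/settings.py:7", date(2030, 1, 1),
                 "test-only credential, rotated on every deploy"),
    AcceptedRisk("EXAMPLE-ADVISORY-1", "examplelib==1.2.3", date(2020, 1, 1),
                 "upstream fix pending"),
]


def run_gate(findings=SAMPLE_FINDINGS, accepted=SAMPLE_ACCEPTED, today=TODAY):
    return evaluate(findings, accepted, today)


if __name__ == "__main__":
    outcome = run_gate()
    print(format_report(outcome))
    sys.exit(0 if outcome.passed else 1)  # non-zero exit fails the pipeline stage
```

Run against the sample data the gate fails for two reasons a practitioner wants surfaced separately: an unaccepted high finding, and an exception that has quietly expired. Medium and low findings are still reported but do not block, which keeps the gate credible with the delivery team rather than something they learn to route around; an unrecognised severity string fails closed so a scanner format change cannot silently turn the gate off.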