#RSAC
Rugged DevOps: Going Even Faster With Software Supply Chains
Joshua Corman, CTO, Sonatype (@joshcorman)
Gene Kim, Researcher and Author, IT Revolution Press (@RealGeneKim)
Speaker notes (Gene Kim): total time 45 minutes. Part 1, 15 min: where we've been (levelset the tribe). Josh: 7m, Gene: 13m.
Session ID: CLD-106
Session Classification: Intermediate
Josh Corman, Gene Kim
VERY ROUGH 1ST Draft
Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed…
10/23/2013
[Quoted slide image] ~ Marc Andreessen, 2011
Trade Offs: Costs & Benefits
Beyond Heartbleed: OpenSSL in 2014
(31 in NIST's NVD thru December)
§  CVE-2014-3470  6/5/2014   CVSS Severity: 4.3 MEDIUM  <- Siemens *
§  CVE-2014-0224  6/5/2014   CVSS Severity: 6.8 MEDIUM  <- Siemens *
§  CVE-2014-0221  6/5/2014   CVSS Severity: 4.3 MEDIUM
§  CVE-2014-0195  6/5/2014   CVSS Severity: 6.8 MEDIUM
§  CVE-2014-0198  5/6/2014   CVSS Severity: 4.3 MEDIUM  <- Siemens *
§  CVE-2013-7373  4/29/2014  CVSS Severity: 7.5 HIGH
§  CVE-2014-2734  4/24/2014  CVSS Severity: 5.8 MEDIUM  ** DISPUTED **
§  CVE-2014-0139  4/15/2014  CVSS Severity: 5.8 MEDIUM
§  CVE-2010-5298  4/14/2014  CVSS Severity: 4.0 MEDIUM
§  CVE-2014-0160  4/7/2014   CVSS Severity: 5.0 MEDIUM  <- Heartbleed
§  CVE-2014-0076  3/25/2014  CVSS Severity: 4.3 MEDIUM
§  CVE-2014-0016  3/24/2014  CVSS Severity: 4.3 MEDIUM
§  CVE-2014-0017  3/14/2014  CVSS Severity: 1.9 LOW
§  CVE-2014-2234  3/5/2014   CVSS Severity: 6.4 MEDIUM
§  CVE-2013-7295  1/17/2014  CVSS Severity: 4.0 MEDIUM
§  CVE-2013-4353  1/8/2014   CVSS Severity: 4.3 MEDIUM
§  CVE-2013-6450  1/1/2014   CVSS Severity: 5.8 MEDIUM
§  …
As of today, internet scans by MassScan reveal that 300,000 of the original 600,000 remain unpatched or unpatchable.
Heartbleed + (Unpatchable) Internet of Things == ___ ?
In Our Bodies. In Our Homes. In Our Infrastructure. In Our Cars.
Sarcasm: I'm shocked!
I Am The Cavalry
The Cavalry isn't coming… It falls to us.

Problem Statement: Our society is adopting connected technology faster than we are able to secure it.
Mission Statement: To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust.

Collecting existing research, researchers, and resources
Connecting researchers with each other, industry, media, policy, and legal
Collaborating across a broad range of backgrounds, interests, and skillsets
Catalyzing positive action sooner than it would have happened on its own

Why: Trust, public safety, human life
How: Education, outreach, research
Who: Infosec research community; a global, grassroots initiative
What: Long-term vision for cyber safety

Focus areas: Medical, Automotive, Connected Home, Public Infrastructure
The Rugged Manifesto
I am rugged... and more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
I recognize these things - and I choose to be rugged.
I am rugged because I refuse to be a source of vulnerability or weakness.
I am rugged because I assure my code will support its mission.
I am rugged because my code can face these challenges and persist in spite of them.
I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
Our Goals
§ Play Mad Chemists
§ The Best & Brightest of DevOps
§ The Best & Brightest of Security
§ Cause High Value / High Connection
§ Merge our Tribes for Mutual Awesomeness
§ Catalyze New Patterns and Solutions
Where We've Been
The Downward Spiral…
IT Ops And Dev At War
There Is A Better Way…
Google, Amazon, Netflix, Spotify, Etsy, Twitter, Facebook…
10 deploys per day: Dev & ops cooperation at Flickr
John Allspaw & Paul Hammond, Velocity 2009
Source: John Allspaw (@allspaw) and Paul Hammond (@ph)

The dev and ops caricatures from that talk: Little bit weird. Sits closer to the boss. Thinks too hard. Pulls levers & turns knobs. Easily excited. Yells a lot in emergencies.
Ops who think like devs. Devs who think like ops. Dev and Ops.
Source: Theo Schlossnagle (@postwait)
DevOps is incomplete, is interpreted wrong, and is too isolated.
.*Ops
^(?<dept>.+)Ops$
Justin Collins, Neil Matatall & Alex Smolen from Twitter
High Performers Are More Agile
§  30x more frequent deployments
§  8,000x faster lead times than their peers
Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic

High Performers Are More Reliable
§  2x the change success rate
§  12x faster mean time to recover (MTTR)
Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic

High Performers Win In The Marketplace
§  2x more likely to exceed profitability, market share & productivity goals
§  50% higher market capitalization growth over 3 years*
Source: Puppet Labs 2014 State Of DevOps

Deploy Smaller Changes, More Frequently
Source: http://www.facebook.com/note.php?note_id=14218138919
“As a lifelong Ops practitioner, I know
we need DevOps to make our work
humane.
In the past, I’ve worked every holiday, on
my birthday, my spouse’s birthday, and
even on the day my son was born.”
Nathan Shimek
Engineering Manager, New Context
@nathan_shimek
The Three Ways
The First Way: Outcomes
§  Creating single repository for code and environments
§  All Ops artifacts in version control
§  Determinism in the release process
§  Consistent Dev, Test and Production environments, all properly
built before deployment begins
§  Developers checking in code daily, being productive
§  Automated regression testing
§  Features being deployed daily without catastrophic failures
§  Decreased lead time
§  Faster cycle time and release cadence
The Second Way: Outcomes
§  Peer review of code and environment changes
§  Disciplined automated testing enabling many simultaneous
small, agile teams to work productively
§  Proactive monitoring of the production environment
§  Defects and security issues getting fixed faster than ever
§  High trust culture
§  All groups communicating and coordinating better
§  Everybody is getting more work done
The Third Way: Outcomes
Why It's "Go Time"
Speaker notes (Gene Kim): 15 min: why we're here, and why it's "go time". Josh: 0m, Gene: 7m.
§ we've seen what true integration of infosec into the daily work of Dev and Ops looks like, and it is good
§ key learnings from the DevOps Enterprise Summit (Oct 2014)
§ Ed Bellis example; Capital One: DevOpsSec
§ examples of practices: preventive, detective/corrective
New engineer to John Allspaw:
“Is it okay for me to make this change?”
John Allspaw:
“I don’t know. Is it?”
One Of The Highest Predictors Of Performance
Source: Typology Of Organizational Culture (Westrum, 2004)
DevOps Enterprise: Lessons Learned
§ On Oct 21-23, we held the DevOps Enterprise
Summit, a conference for horses, by horses
§ Speakers included leaders from:
§ Macy’s, Disney, GE Capital, Blackboard, Telstra, US
Department of Homeland Security, CSG, Raytheon,
Ticketmaster, Union Bank of California
Observations
§ They were using the same technical practices
and getting the same sort of metrics as the
unicorns
§ Target: 10+ deploys per day, < 10 incidents per month
§ Capital One: 100s of deploys per day, lead time of
minutes
§ Macy’s: 1,500 manual tests every 10 days, now 100Ks
automated tests run daily
§ Nationwide Insurance: Retirement Plans app (COBOL
on mainframe)
Observations
§ The transformation stories are among the most
courageous I’ve ever heard –
§ Often the transformation leader was putting themselves
in personal jeopardy
§ Why? Absolute clarity and conviction that it was the
right thing for the organization
Source: Lean Enterprise (upcoming): Jez Humble, Joanne Molesky, and Barry O'Reilly
Capital One: DevOpsSec
Source: Tapabrata Pal, Capital One
Heather Mickman, Target, Inc.
§ Abolished the TEP-LARB process
§ As a result, she won the Lifetime Achievement
Award from her grateful team
What About Infosec?
§ Ed Bellis
§ Former CISO of Orbitz
§ VP Information Security at
Bank of America
§ Currently CEO of Risk I/O
Risk I/O DevOps By the Numbers
Small & Frequent Commits
• Average between 75 & 125 commits to master/week
• Simplicity is your friend

Security Automation at Risk I/O
• Chef All the Things!
• Test All the Things! (including security)
• Static + Dynamic Throughout
• Continuous Integration via CircleCI
• Open-Sourced Cookbooks
• Car-safety analogy: ModSecurity (airbag), Nessus (air bag ctrl), Nmap (brakes), SSH, iptables (shoulder belt), encrypted volumes, Duo 2FA, OpenVPN
• ChatOps = Slack + graphite + logstash + sensu + pagerduty

DevOps as a Compliance Enabler
• Automation as Evidence & Doc
• Cookbooks
• Leveraging the ELK Stack (Elasticsearch, Logstash, Kibana)
• Github + Code Climate + Risk I/O
• Compliance Automation Extra Credit: https://telekomlabs.github.io/
@Eellis
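What "Test All the Things (including security)" and "Automation as Evidence & Doc" look like in one small script, as an added example (Python) that is not Risk I/O's code or a Chef cookbook: it parses an sshd_config, checks it against a short hardening policy, and emits an evidence record that ties the verdict to a hash of the exact configuration that was tested. The policy, its control IDs, the host name and the sample config are constructed for illustration; the fallback defaults are the current upstream OpenSSH defaults (assumed; older releases differ).

```python
"""Added example: a hardening check whose output doubles as audit evidence.
Not Risk I/O's code. Policy, control IDs, host name and sample config are
constructed for illustration."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: a stock-looking sshd_config with two weak settings.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 6
"""

# Hypothetical policy: option -> (expected value, control id).
POLICY = {
    "PermitRootLogin": ("no", "SSH-01"),
    "PasswordAuthentication": ("no", "SSH-02"),
    "PubkeyAuthentication": ("yes", "SSH-03"),
    "X11Forwarding": ("no", "SSH-04"),
}
# Assumed upstream OpenSSH defaults, used when a directive is absent, so a
# missing line can still fail a control (PasswordAuthentication defaults to yes).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
}


def parse_sshd_config(text):
    """Return {keyword(lowercase): value} using sshd's own rules: the first
    occurrence of a keyword wins, keywords are case-insensitive, '=' may
    separate keyword and value, '#' starts a comment. Parsing stops at the
    first Match block because directives after it are conditional."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def check_policy(conf, policy=POLICY, defaults=DEFAULTS):
    """One finding per control, recording expected vs. actual."""
    findings = []
    for option, (expected, control) in policy.items():
        actual = conf.get(option.lower(), defaults.get(option))
        ok = actual is not None and actual.lower() == expected
        findings.append({"control": control, "option": option,
                         "expected": expected, "actual": actual,
                         "status": "pass" if ok else "fail"})
    return findings


def evidence_record(text, host="web-01.example.internal"):
    """Bundle findings with a hash of the tested input and a timestamp, so an
    auditor can tie the verdict to a specific configuration state."""
    findings = check_policy(parse_sshd_config(text))
    return {
        "host": host,  # hypothetical host name
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "config_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "findings": findings,
        "passed": all(f["status"] == "pass" for f in findings),
    }


if __name__ == "__main__":
    print(json.dumps(evidence_record(SAMPLE_SSHD_CONFIG), indent=2))
```

Run as part of a build or convergence job, the JSON record is what you ship to the log pipeline (the ELK stack in the slide) rather than a screenshot: the hash lets anyone re-derive which file state produced which verdict.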
The DevOps Audit Defense Toolkit
http://bit.ly/DevOpsAudit
James DeLuccia IV, Jeff Gallimore, Gene Kim, Byron Miller
Breaking The Bottlenecks In The Flow
§ Environment creation
§ Code deployment
§ Test setup and run (mention @rohansingh)
§ Overly tight architecture
§ Development
§ Product management
"deploys / day"
"deploys / day / dev"
Where We Want To Go
Speaker notes: 15 min: where we want to go. Gene: 0m, Josh: 10m.
§  outline concrete, tangible things that can be done together to fulfill it
§  Accelerating the transition from here to there
§  Deming -> SW Supply Chain Rigor: Better/Fewer suppliers; Better supply; Traceability/Visibility throughout for prompt/agile recall
§  "Congressional Bill" - now or never (Jim Routh)
§  Expanding the DevOps Enterprise community
§  we can have mutual benefit through DevOps and software supply chains
§  legislation
[Chart: Productivity (y axis) vs. Time (x axis), annotated "Innovate!"]
4/20/15
Commercial Responses to OpenSSL
[Chart] Product Vulnerability Disclosures Following the Heartbleed Announcement (circle size indicates CVSS severity score)
X axis: Time (days) following initial Heartbleed disclosure and patch availability (0 to 120)
Y axis: Number of products included in the vendor vulnerability disclosure (0 to 120)
Z axis (circle size): Exposure as measured by the CVE CVSS score
Annotations: Initial 'Heartbleed' OpenSSL disclosure (CVSS 5, underscored); new OpenSSL disclosures (both CVSS 10) marked "here"; vendors labelled include F5, IBM, Cisco, and McAfee
https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
For the 41%: 390 days
CVSS 10s: 224 days
True Costs & Least Cost Avoiders
[Diagram: ACME and its downstream customers across Enterprise, Bank, Retail, Manufacturing, BioPharma, Education, and High Tech, repeated in three tiers]
ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK.
ON TIME. Faster builds. Fewer interruptions. More innovation.
ON BUDGET. More efficient. More profitable. More competitive.
ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection.

Built up in three layers across successive slides: Agile / CI, then DevOps / CD, then SW Supply Chain.

SW Supply Chains
Comparing the Prius and the Volt

                       Toyota Advantage   Toyota Prius   Chevy Volt
Unit Cost              61%                $24,200        $39,900
Units Sold             13x                23,294         1,788
In-House Production    50%                27%            54%
Plant Suppliers        16% (10x per)      125            800
Firm-Wide Suppliers    4%                 224            5,500
H.R. 5793 “Cyber Supply Chain Management and Transparency Act of 2014”
§  Elegant Procurement Trio
1) Ingredients:
§  Anything sold to $PROCURING_ENTITY must provide a Bill of
Materials of 3rd Party and Open Source Components (along with
their Versions)
2) Hygiene & Avoidable Risk:
§  …and cannot use known vulnerable components for which a
less vulnerable component is available (without a written and
compelling justification accepted by $PROCURING_ENTITY)
3) Remediation:
§  …and must be patchable/updateable – as new vulnerabilities will
inevitably be revealed
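What the procurement trio looks like when checked mechanically, as an added example (Python) that is neither the bill's text nor the presenters' code: a supplier's bill of materials is matched against a vulnerability feed, each hit records whether a less vulnerable version exists (which decides whether a written justification is needed), and the product's patchability is carried alongside. The BOM, the feed entries and the product name are constructed; the one real entry mirrors CVE-2014-0160 (Heartbleed), which affects OpenSSL 1.0.1 through 1.0.1f and is fixed in 1.0.1g. The version parser only understands dotted numbers with an optional OpenSSL-style letter suffix, which is an assumption about the BOM's contents.

```python
"""Added example: H.R. 5793's ingredients / hygiene / remediation trio applied
to a bill of materials. Not from the bill or the presentation. BOM, feed and
product name are constructed; the OpenSSL entry mirrors CVE-2014-0160."""
import re

# 1) Ingredients: third-party and open-source components with versions.
# Constructed sample; "patchable" records whether the product can take updates in the field.
BOM = {
    "product": "acme-gateway",
    "patchable": True,
    "components": [
        {"name": "openssl", "version": "1.0.1f"},
        {"name": "zlib", "version": "1.2.8"},
        {"name": "acme-widgetlib", "version": "2.3.1"},  # fictitious component
    ],
}

# Constructed feed. fixed_in None means no less-vulnerable version exists yet.
# The HYPOTHETICAL entry exercises that branch and does not describe a real flaw.
VULN_FEED = [
    {"name": "openssl", "affected_from": "1.0.1", "fixed_in": "1.0.1g", "id": "CVE-2014-0160"},
    {"name": "acme-widgetlib", "affected_from": "2.0", "fixed_in": None, "id": "HYPOTHETICAL-0001"},
]


def version_key(v):
    """Sort key for dotted numeric versions with an optional letter suffix
    (e.g. 1.0.1f). Numbers are zero-padded to four places so 1.0 and 1.0.1
    compare as numbers, and the suffix compares last ('' < 'a' < 'g')."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    return nums + (m.group(2),)


def is_affected(version, vuln):
    """Half-open range: affected_from <= version < fixed_in (or no upper bound)."""
    k = version_key(version)
    if k < version_key(vuln["affected_from"]):
        return False
    return vuln["fixed_in"] is None or k < version_key(vuln["fixed_in"])


def evaluate_bom(bom, feed=VULN_FEED):
    """Apply the trio. 2) Hygiene: a known-vulnerable component with a fix
    available blocks acceptance unless a written justification is supplied;
    one with no fix available is reported but cannot be 'avoidable risk'.
    3) Remediation: the product must be patchable either way."""
    findings = []
    for comp in bom["components"]:
        for vuln in feed:
            if vuln["name"] == comp["name"] and is_affected(comp["version"], vuln):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": vuln["id"],
                    "fix_available": vuln["fixed_in"],
                })
    blocking = [f for f in findings if f["fix_available"] is not None]
    return {
        "ingredients_listed": all("version" in c for c in bom["components"]),
        "findings": findings,
        "acceptable_without_justification": not blocking,
        "patchable": bool(bom.get("patchable")),
    }


if __name__ == "__main__":
    for key, value in evaluate_bom(BOM).items():
        print(f"{key}: {value}")
```

The interesting case is the second finding: the component is affected but no fixed version exists, so the bill's "less vulnerable component is available" clause does not bite, and what the buyer actually needs is the third leg, a product that can be updated once one does.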
Go Forth… and be Rugged
@RuggedSoftware
Want To Learn More?
To receive the following:
§  A copy of this presentation
§  The 140 page excerpt of The Phoenix Project
§  Videos and slides from DevOps Enterprise 2014
§  Information on DevOps Enterprise 2015
§  Link to the DevOps Audit Defense Toolkit
§  Announcement of The Phoenix Project audiobook
§  See early drafts of our upcoming DevOps Cookbook
Just pick up your phone, and send an email:
To: realgenekim@SendYourSlides.com
Subject: devops
The Unicorn Project and The Five Ideals (Updated Dec 2019)
 
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology Orgs
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology OrgsWhy Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology Orgs
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology Orgs
 
From DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed ApidaysFrom DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed Apidays
 
SecureWorld Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6a
SecureWorld   Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6aSecureWorld   Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6a
SecureWorld Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6a
 
From 🤦 to 🐿️
From 🤦 to 🐿️From 🤦 to 🐿️
From 🤦 to 🐿️
 
Less is More: Behind the Data at Risk I/O
Less is More: Behind the Data at Risk I/OLess is More: Behind the Data at Risk I/O
Less is More: Behind the Data at Risk I/O
 
Cybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 SofiaCybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 Sofia
 
My Top Five DevOps Learnings
My Top Five DevOps LearningsMy Top Five DevOps Learnings
My Top Five DevOps Learnings
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
DevOps: From Adoption to Performance
DevOps: From Adoption to PerformanceDevOps: From Adoption to Performance
DevOps: From Adoption to Performance
 
DevOps Done Right The How and Why of Versioning Environment Artifacts
DevOps Done Right The How and Why of Versioning Environment ArtifactsDevOps Done Right The How and Why of Versioning Environment Artifacts
DevOps Done Right The How and Why of Versioning Environment Artifacts
 
Kim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev ops
Kim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev opsKim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev ops
Kim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev ops
 
ServiceNow ITIL at Ludicrous Speeds - Rugged DevOps
ServiceNow  ITIL at Ludicrous Speeds - Rugged DevOpsServiceNow  ITIL at Ludicrous Speeds - Rugged DevOps
ServiceNow ITIL at Ludicrous Speeds - Rugged DevOps
 
DevOps Patterns Distilled: Implementing The Needed Practices In Practical Steps
DevOps Patterns Distilled: Implementing The Needed Practices In Practical StepsDevOps Patterns Distilled: Implementing The Needed Practices In Practical Steps
DevOps Patterns Distilled: Implementing The Needed Practices In Practical Steps
 
Top Lessons Learned From The DevOps Handbook
Top Lessons Learned From The DevOps HandbookTop Lessons Learned From The DevOps Handbook
Top Lessons Learned From The DevOps Handbook
 
Kim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6a
Kim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6aKim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6a
Kim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6a
 

More from Sonatype

DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019Sonatype
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxSonatype
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018Sonatype
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOpsSonatype
 
2017 DevSecOps Survey
2017 DevSecOps Survey2017 DevSecOps Survey
2017 DevSecOps SurveySonatype
 
Starting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseStarting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseSonatype
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesSonatype
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandThe Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandSonatype
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealSonatype
 
Serverless and the Way Forward
Serverless and the Way ForwardServerless and the Way Forward
Serverless and the Way ForwardSonatype
 
A Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizA Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizSonatype
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanSonatype
 
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsCharacterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsSonatype
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsStatic Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsSonatype
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSSonatype
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using AnsibleSonatype
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureSonatype
 
Getting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsGetting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsSonatype
 
Modern Infrastructure Automation
Modern Infrastructure AutomationModern Infrastructure Automation
Modern Infrastructure AutomationSonatype
 

More from Sonatype (20)

DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all Equifax
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps
 
2017 DevSecOps Survey
2017 DevSecOps Survey2017 DevSecOps Survey
2017 DevSecOps Survey
 
Starting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseStarting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the Enterprise
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & Microservices
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandThe Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen Beal
 
Serverless and the Way Forward
Serverless and the Way ForwardServerless and the Way Forward
Serverless and the Way Forward
 
A Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizA Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward Ruiz
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris Swan
 
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsCharacterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsStatic Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin Collins
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
 
Getting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsGetting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with Jenkins
 
Modern Infrastructure Automation
Modern Infrastructure AutomationModern Infrastructure Automation
Modern Infrastructure Automation
 

Recently uploaded

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Recently uploaded (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 

DevOps Connect: Josh Corman and Gene Kim discuss DevOpsSec

  • 1. #RSAC SESSION ID: Gene Kim, Joshua Corman. Rugged DevOps: Going Even Faster With Software Supply Chains. Joshua Corman, CTO, Sonatype, @joshcorman. Gene Kim, Researcher and Author, IT Revolution Press, @RealGeneKim
  • 2. @joshcorman @RealGeneKim Session ID: Gene Kim. Total time: 45 minutes. 15 min: where we’ve been (levelset the tribe). Josh: 7m, Gene: 13m
  • 3. @joshcorman @RealGeneKim Session ID: CLD-106. Session Classification: Intermediate. Josh Corman, Gene Kim. VERY ROUGH 1ST Draft. Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed…
  • 4. @joshcorman @RealGeneKim 10/23/2013 @joshcorman ~ Marc Andreessen 2011
  • 6. @joshcorman @RealGeneKim 10/23/2013 @joshcorman Trade Offs: Costs & Benefits
  • 7. @joshcorman @RealGeneKim Beyond Heartbleed: OpenSSL in 2014 (31 in NIST’s NVD thru December)
    § CVE-2014-3470 6/5/2014 CVSS Severity: 4.3 MEDIUM ← SIEMENS *
    § CVE-2014-0224 6/5/2014 CVSS Severity: 6.8 MEDIUM ← SIEMENS *
    § CVE-2014-0221 6/5/2014 CVSS Severity: 4.3 MEDIUM
    § CVE-2014-0195 6/5/2014 CVSS Severity: 6.8 MEDIUM
    § CVE-2014-0198 5/6/2014 CVSS Severity: 4.3 MEDIUM ← SIEMENS *
    § CVE-2013-7373 4/29/2014 CVSS Severity: 7.5 HIGH
    § CVE-2014-2734 4/24/2014 CVSS Severity: 5.8 MEDIUM ** DISPUTED **
    § CVE-2014-0139 4/15/2014 CVSS Severity: 5.8 MEDIUM
    § CVE-2010-5298 4/14/2014 CVSS Severity: 4.0 MEDIUM
    § CVE-2014-0160 4/7/2014 CVSS Severity: 5.0 MEDIUM ← Heartbleed
    § CVE-2014-0076 3/25/2014 CVSS Severity: 4.3 MEDIUM
    § CVE-2014-0016 3/24/2014 CVSS Severity: 4.3 MEDIUM
    § CVE-2014-0017 3/14/2014 CVSS Severity: 1.9 LOW
    § CVE-2014-2234 3/5/2014 CVSS Severity: 6.4 MEDIUM
    § CVE-2013-7295 1/17/2014 CVSS Severity: 4.0 MEDIUM
    § CVE-2013-4353 1/8/2014 CVSS Severity: 4.3 MEDIUM
    § CVE-2013-6450 1/1/2014 CVSS Severity: 5.8 MEDIUM
    § …
    As of today, internet scans by MassScan reveal 300,000 of the original 600,000 remain unpatched or unpatchable.
  • 8. @joshcorman @RealGeneKim Heartbleed + (UnPatchable) Internet of Things == ___ ? In Our Bodies. In Our Homes. In Our Infrastructure. In Our Cars.
  • 11. @joshcorman @RealGeneKim I Am The Cavalry. The Cavalry isn’t coming… It falls to us. Problem Statement: Our society is adopting connected technology faster than we are able to secure it. Mission Statement: To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust. Collecting existing research, researchers, and resources. Connecting researchers with each other, industry, media, policy, and legal. Collaborating across a broad range of backgrounds, interests, and skillsets. Catalyzing positive action sooner than it would have happened on its own. Why: Trust, public safety, human life. How: Education, outreach, research. Who: Infosec research community; a global, grass roots initiative. What: Long-term vision for cyber safety. Focus areas: Medical, Automotive, Connected Home, Public Infrastructure.
  • 12. @joshcorman @RealGeneKim The Rugged Manifesto. I am rugged... and more importantly, my code is rugged. I recognize that software has become a foundation of our modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security. I recognize these things - and I choose to be rugged. I am rugged because I refuse to be a source of vulnerability or weakness. I am rugged because I assure my code will support its mission. I am rugged because my code can face these challenges and persist in spite of them. I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
  • 14. @joshcorman @RealGeneKim Our Goals § Play Mad Chemists § The Best & Brightest of DevOps § The Best & Brightest of Security § Cause High Value / High Connection § Merge our Tribes for Mutual Awesomeness § Catalyze New Patterns and Solutions
  • 19. @RealGeneKim IT Ops And Dev At War
  • 21. @RealGeneKim There Is A Better Way…
  • 22. @RealGeneKim Google, Amazon, Netflix, Spotify, Etsy, Twitter, Facebook…
  • 23. @RealGeneKim 10 deploys per day: Dev & ops cooperation at Flickr. John Allspaw & Paul Hammond, Velocity 2009. Source: John Allspaw (@allspaw) and Paul Hammond (@ph)
  • 25. Little bit weird; Sits closer to the boss; Thinks too hard; Pulls levers & turns knobs; Easily excited; Yells a lot in emergencies. Source: John Allspaw (@allspaw) and Paul Hammond (@ph)
  • 27. @RealGeneKim Ops who think like devs. Devs who think like ops. Source: John Allspaw (@allspaw) and Paul Hammond (@ph)
  • 28. @RealGeneKim Dev and Ops. Source: John Allspaw (@allspaw) and Paul Hammond (@ph)
  • 29. @RealGeneKim DevOps is incomplete, is interpreted wrong, and is too isolated. Source: Theo Schlossnagle (@postwait)
  • 32. @RealGeneKim Justin Collins, Neil Matatall & Alex Smolen from Twitter
  • 33. @RealGeneKim High Performers Are More Agile: 30x more frequent deployments, 8,000x faster lead times than their peers. Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic
  • 34. @RealGeneKim High Performers Are More Reliable: 2x the change success rate, 12x faster mean time to recover (MTTR). Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic
  • 35. @RealGeneKim High Performers Win In The Marketplace: 2x more likely to exceed profitability, market share & productivity goals; 50% higher market capitalization growth over 3 years*. Source: Puppet Labs 2014 State Of DevOps
  • 36. @RealGeneKim Deploy Smaller Changes, More Frequently. Source: http://www.facebook.com/note.php?note_id=14218138919
  • 37. @RealGeneKim “As a lifelong Ops practitioner, I know we need DevOps to make our work humane. In the past, I’ve worked every holiday, on my birthday, my spouse’s birthday, and even on the day my son was born.” Nathan Shimek, Engineering Manager, New Context, @nathan_shimek
  • 39. @RealGeneKim The First Way: Outcomes §  Creating single repository for code and environments §  All Ops artifacts in version control §  Determinism in the release process §  Consistent Dev, Test and Production environments, all properly built before deployment begins §  Developers checking in code daily, being productive §  Automated regression testing §  Features being deployed daily without catastrophic failures §  Decreased lead time §  Faster cycle time and release cadence
  • 40. @RealGeneKim The Second Way: Outcomes §  Peer review of code and environment changes §  Disciplined automated testing enabling many simultaneous small, agile teams to work productively §  Proactive monitoring of the production environment §  Defects and security issues getting fixed faster than ever §  High trust culture §  All groups communicating and coordinating better §  Everybody is getting more work done
  • 43. @joshcorman @RealGeneKim Session ID: Gene Kim 15 min: why we’re here, and why it’s “go time” Josh: 0m Gene: 7m
  • 44. @joshcorman @RealGeneKim § We’ve seen what true integration of infosec into the daily work of Dev and Ops looks like; and it is good § Key learnings of the DevOps Enterprise 2015 § Ed Bellis example: Capital One: DevOpsSec § Examples of practices: preventive, detective/corrective
  • 46. @joshcorman @RealGeneKim New engineer to John Allspaw: “Is it okay for me to make this change?” John Allspaw: “I don’t know. Is it?”
  • 47. @joshcorman @RealGeneKim One Of The Highest Predictors Of Performance. Source: Typology Of Organizational Culture (Westrum, 2004)
  • 49. @joshcorman @RealGeneKim DevOps Enterprise: Lessons Learned § On Oct 21-23, we held the DevOps Enterprise Summit, a conference for horses, by horses § Speakers included leaders from: § Macy’s, Disney, GE Capital, Blackboard, Telstra, US Department of Homeland Security, CSG, Raytheon, Ticketmaster, Union Bank of California
  • 50. @joshcorman @RealGeneKim Observations § They were using the same technical practices and getting the same sort of metrics as the unicorns § Target: 10+ deploys per day, < 10 incidents per month § Capital One: 100s of deploys per day, lead time of minutes § Macy’s: 1,500 manual tests every 10 days, now 100Ks automated tests run daily § Nationwide Insurance: Retirement Plans app (COBOL on mainframe)
  • 51. @joshcorman @RealGeneKim Observations § The transformation stories are among the most courageous I’ve ever heard – § Often the transformation leader was putting themselves in personal jeopardy § Why? Absolute clarity and conviction that it was the right thing for the organization
  • 52. @joshcorman @RealGeneKim Source: Lean Enterprise (upcoming): Jez Humble, Joanne Molesky, and Barry O’Reilly
  • 53. @RealGeneKim Capital One: DevOpsSec. Source: Tapabrata Pal, Capital One
  • 54. @joshcorman @RealGeneKim Heather Mickman, Target, Inc. § Abolished the TEP-LARB process § As a result, she won the Lifetime Achievement Award from her grateful team
  • 55. @joshcorman @RealGeneKim What About Infosec? § Ed Bellis § Former CISO of Orbitz § VP Information Security at Bank of America § Currently CEO of Risk I/O
  • 56. @joshcorman @RealGeneKim Risk I/O DevOps By the Numbers Small & Frequent Commits • Average between 75 & 125 commits to Master/week • Simplicity is your friend
  • 57. @joshcorman @RealGeneKim Risk I/O DevOps By the Numbers Small & Frequent Commits • Average between 75 & 125 commits to Master/week • Simplicity is your friend Security Automation at Risk I/O Chef All the Things! Test All the Things! (including security) Static + Dynamic Throughout Continuous Integration via CircleCI Open-Sourced Cookbooks ModSecurity (airbag) Nessus (air bag ctrl) Nmap (brakes) SSH iptables (shoulder belt) encrypted volumes Duo 2FA openVPN ChatOps = Slack + graphite + logstash + sensu + pagerduty
  • 58. @joshcorman @RealGeneKim Risk I/O DevOps By the Numbers Small & Frequent Commits • Average between 75 & 125 commits to Master/week • Simplicity is your friend Security Automation at Risk I/O Chef All the Things! Test All the Things! (including security) Static + Dynamic Throughout Continuous Integration via CircleCI Open-Sourced Cookbooks ModSecurity (airbag) Nessus (air bag ctrl) Nmap (brakes) SSH iptables (shoulder belt) encrypted volumes Duo 2FA openVPN ChatOps = Slack + graphite + logstash + sensu + pagerduty DevOps as a Compliance Enabler Automation as Evidence & Doc Cookbooks Leveraging the ELK Stack Elasticsearch Logstash Kibana Github + Code Climate + Risk I/O Compliance Automation Extra Credit: https://telekomlabs.github.io/ @Eellis
  • 59. @RealGeneKim The DevOps Audit Defense Toolkit http://bit.ly/DevOpsAudit James DeLuccia IV, Jeff Gallimore, Gene Kim, Byron Miller
  • 60. @RealGeneKim Breaking The Bottlenecks In The Flow § Environment creation § Code deployment § Test setup and run (mention @rohansingh) § Overly tight architecture § Development § Product management
  • 64. @joshcorman @RealGeneKim Session ID: Gene Kim 15 min: where we want to go Gene: 0m Josh: 10m
  • 65. @joshcorman @RealGeneKim §  outline concrete tangible things that can be done together to fulfill it §  Accelerating to transition from here to there §  Deming -> SW Supply Chain Rigor §  Better/Fewer suppliers. §  Better Supply §  Traceability/Visibility throughout for Prompt/Agile recall §  “Congressional Bill” - now or never (Jim Routh) §  Expanding the DevOps Enterprise community §  we can have mutual benefit through DevOps and software supply chains §  legislation
  • 67. @joshcorman @RealGeneKim 4/20/15 [Figure: Product Vulnerability Disclosures Following the HeartBleed Announcement (circle size indicates CVSS severity score), titled "Commercial Responses to OpenSSL". Annotated points: the initial HeartBleed OpenSSL disclosure (CVSS 5), F5's new OpenSSL disclosures (both CVSS 10), IBM, Cisco, IBM, McAfee. X axis: time (days, 0 to 120) following the initial HeartBleed disclosure and patch availability. Y axis: number of products included in the vendor vulnerability disclosure (0 to 120). Z axis (circle size): exposure as measured by the CVE CVSS score.]
  • 68. @joshcorman @RealGeneKim https://www.usenix.org/system/files/login/articles/15_geer_0.pdf For the 41%: 390 days. CVSS 10s: 224 days.
  • 69. @joshcorman @RealGeneKim True Costs & Least Cost Avoiders [Figure: ACME shown against the same list of downstream sectors, repeated three times: Enterprise, Bank, Retail, Manufacturing, BioPharma, Education, High Tech]
  • 71. @joshcorman @RealGeneKim ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK.
  • 74. @joshcorman @RealGeneKim ON TIME. Faster builds. Fewer interruptions. More innovation. ON BUDGET. More efficient. More profitable. More competitive. ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection.
  • 76. @joshcorman @RealGeneKim ON TIME. Faster builds. Fewer interruptions. More innovation. ON BUDGET. More efficient. More profitable. More competitive. ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection. Agile / CI
  • 78. @joshcorman @RealGeneKim ON TIME. Faster builds. Fewer interruptions. More innovation. ON BUDGET. More efficient. More profitable. More competitive. ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection. DevOps / CD, Agile / CI
  • 80. @joshcorman @RealGeneKim ON TIME. Faster builds. Fewer interruptions. More innovation. ON BUDGET. More efficient. More profitable. More competitive. ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection. SW Supply Chain, DevOps / CD, Agile / CI
  • 82. @joshcorman @RealGeneKim Comparing the Prius and the Volt

                           Toyota Advantage   Toyota Prius   Chevy Volt
      Unit Cost            61%                $24,200        $39,900
      Units Sold           13x                23,294         1,788
      In-House Production  50%                27%            54%
      Plant Suppliers      16% (10x per)      125            800
      Firm-Wide Suppliers  4%                 224            5,500
  • 84. @joshcorman @RealGeneKim H.R. 5793 “Cyber Supply Chain Management and Transparency Act of 2014” §  Elegant Procurement Trio 1) Ingredients: §  Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions) 2) Hygiene & Avoidable Risk: §  …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY) 3) Remediation: §  …and must be patchable/updateable – as new vulnerabilities will inevitably be revealed
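The three procurement clauses on the slide above (a bill of materials with versions, no known-vulnerable component when a less vulnerable one is available, and a path to remediation) are mechanical enough to check in a build. The script below is an added illustration, not code from the talk, from Sonatype, or from the bill: it evaluates a constructed bill of materials against a constructed advisory catalogue and reports which components would need a written justification to ship. The component names, versions and ADV-EX-* advisory ids are all made up for the example; real tooling would read a CycloneDX or SPDX BOM and query a vulnerability database, but the decision logic of the "Hygiene & Avoidable Risk" clause is the same.

```python
"""Bill-of-materials hygiene check (added example; every name below is constructed).

A BOM is a list of (component, version) pairs, as the 'Ingredients' clause
requires. An advisory record names the affected version range [affected_from,
affected_before) and, when one exists, the first fixed version.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

STATUS_CLEAN = "clean"
STATUS_FIX_AVAILABLE = "vulnerable, fix available"   # a less vulnerable version exists
STATUS_PARTIAL_FIX = "vulnerable, partial fix"       # some advisories fixed, some not
STATUS_NO_FIX = "vulnerable, no fix"                 # nothing less vulnerable to move to


def parse_version(text: str) -> Version:
    """'1.0.1g' -> (1, 0, 1, 7). Dotted integers compare as tuples; a trailing
    letter (OpenSSL-style patch letter) becomes one extra numeric part so that
    1.0.1 < 1.0.1a < 1.0.1g. Simplified: no pre-release tags are handled."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        letters = "".join(ch for ch in piece if ch.isalpha())
        parts.append(int(digits) if digits else 0)
        if letters:
            parts.append(ord(letters[0].lower()) - ord("a") + 1)
    return tuple(parts)


# Constructed sample bill of materials (component, version).
BOM: List[Tuple[str, str]] = [
    ("crypto-lib", "1.0.1f"),
    ("widget-parser", "2.3.0"),
    ("json-util", "4.1.2"),
    ("legacy-codec", "0.9.0"),
]

# Constructed advisory catalogue; ids are placeholders, not real CVEs.
ADVISORIES: Dict[str, List[dict]] = {
    "crypto-lib": [
        {"id": "ADV-EX-001", "affected_from": "1.0.1", "affected_before": "1.0.1g", "fixed_in": "1.0.1g"},
    ],
    "widget-parser": [
        {"id": "ADV-EX-002", "affected_from": "2.0.0", "affected_before": "2.4.0", "fixed_in": "2.4.0"},
        {"id": "ADV-EX-003", "affected_from": "2.3.0", "affected_before": "2.3.1", "fixed_in": "2.3.1"},
    ],
    "legacy-codec": [
        {"id": "ADV-EX-004", "affected_from": "0.0.0", "affected_before": "99.0.0", "fixed_in": None},
    ],
}


def affecting_advisories(component: str, version: str, catalogue: Dict[str, List[dict]]) -> List[dict]:
    """Return the advisories whose affected range contains this exact version."""
    v = parse_version(version)
    return [
        adv for adv in catalogue.get(component, [])
        if parse_version(adv["affected_from"]) <= v < parse_version(adv["affected_before"])
    ]


def evaluate_bom(bom: List[Tuple[str, str]], catalogue: Dict[str, List[dict]]) -> Dict[str, dict]:
    """Apply the Hygiene clause to every BOM entry. 'upgrade_to' is the lowest
    version that clears every fixable advisory (the max of their fixed_in values)."""
    report: Dict[str, dict] = {}
    for component, version in bom:
        hits = affecting_advisories(component, version, catalogue)
        fixable = [a for a in hits if a["fixed_in"]]
        upgrade_to: Optional[str] = None
        if not hits:
            status = STATUS_CLEAN
        elif len(fixable) == len(hits):
            status = STATUS_FIX_AVAILABLE
        elif fixable:
            status = STATUS_PARTIAL_FIX
        else:
            status = STATUS_NO_FIX
        if fixable:
            upgrade_to = max(fixable, key=lambda a: parse_version(a["fixed_in"]))["fixed_in"]
        report[component] = {
            "version": version,
            "status": status,
            "advisories": [a["id"] for a in hits],
            "upgrade_to": upgrade_to,
        }
    return report


def needs_justification(report: Dict[str, dict]) -> List[str]:
    """Components that a procuring entity could reject without a written justification:
    a less vulnerable version is available and was not used."""
    return [c for c, r in report.items() if r["status"] in (STATUS_FIX_AVAILABLE, STATUS_PARTIAL_FIX)]


if __name__ == "__main__":
    result = evaluate_bom(BOM, ADVISORIES)
    for name, row in result.items():
        print(f"{name:15} {row['version']:8} {row['status']:28} -> {row['upgrade_to']}")
    print("justification required for:", needs_justification(result))
```

Running it flags crypto-lib and widget-parser (a fixed version exists for every advisory that hits them) while legacy-codec is reported as vulnerable with no fix, which under the clause as worded is not by itself grounds for rejection; that last case is exactly why the third clause, patchability, matters.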
  • 85. Go Forth… …and be Rugged @joshcorman @RealGeneKim @RuggedSoftware
  • 86. @joshcorman @RealGeneKim Want to Learn More? To receive the following: §  A copy of this presentation §  The 140 page excerpt of The Phoenix Project §  Videos and slides from DevOps Enterprise 2014 §  Information on DevOps Enterprise 2015 §  Link to the DevOps Audit Defense Toolkit §  Announcement of The Phoenix Project audiobook §  See early drafts of our upcoming DevOps Cookbook Just pick up your phone, and send an email: To: realgenekim@SendYourSlides.com Subject: devops