Architecting enterprise-wide security programs. Integrating security activities into the SDLC. Achieving security at DevOps speed.
How many have been at the devopsdays Singapore last year?
We security guys typically only mingle in dedicated security meetups and conferences and talk about the latest way to break stuff, but as most of my work is spent in development teams I really enjoy the conversations with people that build software, and I don’t just mean devs. So when I heard that devopsdays were being hosted in Singapore I was very excited; their line-up of speakers was fantastic, we even had John Willis giving a keynote. As with every DevOpsDays conference the whole afternoon was dedicated to open space topics, and I was really keen to know how others are integrating security into agile and DevOps. The topic was eventually selected and I counted 40+ people that joined the session. And even though we had some people share their experiences, what really struck me was the fact that so many people were genuinely interested in how to integrate security, but there weren’t many concrete answers given. So that’s why, in the spirit of DevOps, I wanted to contribute to the community and created devsecops to achieve exactly that: find solutions that help create secure applications at the speed of DevOps.
WIP: Work that you have started, but that isn’t completed yet.
Infrastructure wasn’t able to deal with rapid changes coming out of production
Understanding of the value throughout the SDLC. And since then it has spread around the globe.
Starts with agile, but goes well beyond. Amplify feedback loops.
And everyone’s job is to enable the business!
In fact, many believe that it’s not a matter of if your company is adopting DevOps, but when. This is quite interesting because devXops is still evolving, especially in the area of DevSecOps. The exciting thing is that DevSecOps is still very young and great new ideas of how to improve things are being discovered daily. Every single conversation we have can push the envelope.
“DevOps works because dev and ops teams understand each other better and can make more informed decisions. Rather than solving problems in silos, they’re solving for the stream of activity and the goal. If you show DevOps teams how security can make them better, then as a reciprocation they tend to ask, ‘Well, are there any choices we make that would make your life easier?’”
Companies like the Etsy online marketplace have also demonstrated that providing an environment in which it's safe to talk about failure makes it much more likely that problems are discovered early and information gets shared more quickly and more widely. Josh is talking about how the culture of transparency and sharing information between teams has allowed the development and operations teams to better understand where the other team is coming from, allowing everyone to be on the same page. Especially in an environment where speed is of utmost importance, knowing exactly what is going on at any given time is going to be essential for the health of the organization as a whole.
Transparency is an essential part of the DevSecOps world, and security processes and monitoring have to be visible to all stakeholders if security is going to thrive in a DevOps world. See more at: https://www.checkmarx.com/2015/11/13/devsecops-4-best-practices-the-pros-teach-us-about-security-and-devops/
You don’t start with
Everyone is responsible for security, make it easy to “win”
In order to deliver inherently secure applications at DevOps speed, we need to have team members that embrace security. Failing unit tests.
Fix things quickly. Metrics. An AppSec pipeline takes the principles of DevOps and Lean and applies them to an application security program.
We could probably spend the next 6 sessions talking about this alone
A quick word on *AST: it only covers about 50% of the potential findings. It’s important to understand what these tools can identify and what they can’t. (Runtime Application Self-Protection)
So in order for DevSecOps to live up to its full potential and enable organisations to deliver inherently secure software at DevOps speed, Culture, Processes and Technologies have to come together as one towards the same goal. Thank you.
DevSecOps - The big picture
The big picture
Culture, Processes and Technologies on a high level
Company: Vantage Point
Agile Ops Anyone?
2 major related trends:
1. Agile Operations/Infrastructure
2. Collaboration between dev and ops
Ultimately led to the first DevOpsDays in 2009…
So, what is DevOps?
• Set of principles and practices for efficient communication and collaboration. (Culture)
• Automated deployment pipeline. (Processes)
• Supporting tool chain. (Technologies)
“[…] it seems as though the problems are just between dev and ops, but test is in there, and you have security objectives. These are top-level concerns of management […] and have become part of the DevOps picture.
In other words, when you hear "DevOps" today, you should probably be thinking
- Gene Kim
DevSecOps enables organisations to deliver inherently secure software at
Security challenges in DevOps
• It is clear why companies are moving to DevOps… but how can security keep up with this?
• Communication and transparency
• High-trust environment “blameless postmortem”
• Continuous improvement
• Everyone is responsible for security
• Automate as much as possible
• Everything as code
Open Space Ideas
• How did your org switch to Dev(Sec)Ops?
• Continuous Improvement (Kaizen)
• What are you automating at the moment?
Open Space Ideas
• Scaling security requirements
• TDD and security in testing
• Which *AST technologies have you been using?
• Experience with IDE Plugins
• Environment management (Dev/Prod parity)
• Configuration management (configuration drift)
• Patch Management and deployment strategies
• DevSecOps enables organisations to deliver inherently secure software at DevOps speed.