
DevSecOps - The big picture

This was the first presentation given at the DevSecOps meetup in Singapore.

Published in: Technology


  1. The big picture: Culture, Processes and Technologies on a high level
  2. Stefan Streichsbier. Company: Vantage Point. Twitter: @s_streichsbier. Why?
  3. A Brief History of DevOps
  4. In the beginning there was… Source: https://www.flickr.com/photos/37186408@N05/12162302775
  5. Waterfall
     • Long release cycles
     • A lot of “WIP”
     • Functional silos
     • Incredibly rigid
  6. …then there was Agile. Source: https://i.ytimg.com/vi/8Hedq2d1H44/maxresdefault.jpg
  7. Agile
     • Shorter release cycles
     • Smaller batch sizes
     • Cross-functional teams
     • “Incredibly” agile
  8. Suddenly Ops was the bottleneck
  9. Agile Ops Anyone? Two major related trends: 1. Agile Operations/Infrastructure 2. Collaboration between dev and ops. Ultimately led to the first DevOpsDays in 2009…
  10. So, what is DevOps?
     • Set of principles and practices for efficient communication and collaboration. (Culture)
     • Automated deployment pipeline. (Processes)
     • Supporting tool chain. (Technologies)
  11. ”[…] it seems as though the problems are just between dev and ops, but test is in there, and you have security objectives. These are top-level concerns of Management […] and have become part of the DevOps picture. In other words, when you hear "DevOps" today, you should probably be thinking DevOpsQATestInfoSec." - Gene Kim
  12. DevSecOps
  13. Target State: DevSecOps enables organisations to deliver inherently secure software at DevOps speed.
  14. Security challenges in DevOps
     • It is clear why companies are moving to DevOps… but how can security keep up with this? Source: https://xebialabs.com/assets/files/whitepapers/ITRev_DevOps_Guide_5_2015.pdf
  15. 3 key categories of DevSecOps: 1. Culture 2. Processes 3. Technologies
  16. Culture
  17. Culture
     • Communication and transparency
     • High-trust environment (“blameless postmortem”)
     • Continuous improvement
     • Everyone is responsible for security
     • Automate as much as possible
     • Everything as code
  18. Culture: Open Space Ideas
     • How did your org switch to Dev(Sec)Ops?
     • Continuous Improvement (Kaizen)
     • What are you automating at the moment?
  19. Processes
  20. Processes: 1. Secure SDLC 2. Security Pipelines
  21. Processes: Secure SDLC: 1. Training 2. Requirements 3. Architecture & Design 4. Coding 5. Testing 6. Deployment 7. Post Deployment
  22. Processes: Sec Pipelines
     • Optimise the critical resource
     • Reduce friction
     • Increase visibility
     • Each step repeatable
     • Drive up consistency
  23. Security Pipelines
  24. Processes: Open Space Ideas
     • How are you managing security requirements?
     • How are you building security into the SDLC?
     • AppSec Pipelines in the wild
     • ChatSecOps
  25. Technologies: DevOps is not supposed to be about “tools”
  26. DevSecOps Technologies: 1. Requirements 2. Code: IDE Plugins, SAST 3. Test: Gauntlt, *AST 4. Configure: Sec as Code 5. Maintenance: Patch Management 6. Monitor: Auditing, Attack visibility, RASP. Warning about *AST.
  27. Technologies: Open Space Ideas
     • Scaling security requirements
     • TDD and security in testing
     • Which *AST technologies have you been using?
     • Experience with IDE Plugins
     • Environment management (Dev/Prod parity)
     • Configuration management (configuration drift)
     • Patch Management and deployment strategies (e.g. Phoenix)
  28. Summary
     • DevSecOps enables organisations to deliver inherently secure software at DevOps speed.
  29. Questions?
  30. Inspirations
     • http://itrevolution.com/heres-how-the-amazing-twitter-infosec-team-helps-devops/
     • http://techbeacon.com/devsecops-9-ways-devops-automation-bolster-security-compliance
     • https://www.checkmarx.com/2015/11/13/devsecops-4-best-practices-the-pros-teach-us-about-security-and-devops/
     • http://www.slideshare.net/zanelackey/effective-approaches-to-web-application-security
     • http://searchdatacenter.techtarget.com/feature/How-to-adopt-a-successful-DevOps-enterprise
     • https://opensource.com/business/14/7/devops-red-hat
     • http://www.infoq.com/news/2014/03/etsy-deploy-50-times-a-day
     • http://www.slideshare.net/mtesauro/taking-appsec-to-11-appsec-pipeline-devops-and-making-things-better
     • https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
