
How to work in devsecops

This is a no-punches-pulled, honest conversation about authentic dev-sec-ops, not the vendor-favourite buzzwords that have become proper nouns and marketing hooks.

We investigated an (updated) definition of done; how we are sometimes unknowingly still creating silos; some anti-patterns in devops; how you might structure your transformations and your teams; how to engage your staff; which roles to include and whether any are excluded; how the "shifting left" movement should include operations and security too; and more.

Published in: Technology

How to work in devsecops

  1. Dev Sec Ops. And QA, and Product, and UX, and other team members. Theresa Neate, 30 May 2018
  2. ©2018 theresaneate.com https://twitter.com/TheresaNeate
     Introductions: Theresa Neate
     ● Lead QA & Developer Advocate at REA Group
     ● Writer at DevOps Agenda (TechTarget)
     ● Advisory Board member at DevOps Agenda
     ● DevOps Girls Co-organiser
     (images: https://twitter.com/MillyRowboat)
  3. History of devops
     ● ~1940s to ~1997: Origins of Lean (Goldratt, Ohno, Deming)
     ● 2001: Agile Manifesto
     ● 2008: Agile conference, Toronto; Debois & Shafer, “Agile Infrastructure”
     ● 2009: Velocity Conference; Allspaw and Hammond, “10+ Deploys Per Day...”
     ● 2009: devopsdays, Patrick Debois
  4. devops is not this (image slide)
  5. nor this (image slide)
  6. nor this (image slide)
  7. nor this (image slide)
  8. nor this (image slide)
  9. Faulty interpretation of dev(sec)ops: that it excludes roles or disciplines not explicitly mentioned.
  10. Just because devops doesn’t say SEC does not mean Security is not included!
  11. dev(sec)ops is about working together. ALL of us.
  12. How do we do that? Because devsecops is devops which explicitly mentions Security ... and devops is agile infrastructure ... and agile infrastructure is about agility ...
  13. The answers lie in its origins of lean & agility.
  14. The answers lie in lean & agile (cont’d). http://agilemanifesto.org/principles.html
     ● “Deliver working software frequently”
     ● “Build projects around motivated individuals. ...”
     ● “The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.”
     ● “Working software is the primary measure of progress.”
     ● “Continuous attention to technical excellence and good design enhances agility.”
     ● “Simplicity--...is essential.”
  15. How some have defined dev-sec-ops. http://www.devsecops.org/
  16. Theresa’s translation
     1. Proactivity
     2. Efficiency & Lean
     3. Feedback
     4. Systems thinking
     5. Continuous learning
     6. CAMS - Culture, Automation, Measurement, Sharing
  17. “Done” without security (or ops) is not DONE.
  18. A possible day in the life of dev-sec-ops
     1. Work is broken into small pieces.
     2. Definition of done is defined, including security and ops and monitoring and testing requirements for THAT story/task.
        a. Automated tests are written against these requirements.
     3. These “non functional” requirements are coded in (as much as possible) alongside the functionality (security as code, infrastructure as code).
  19. A day in the life of dev-sec-ops (cont’d)
     4. Local tests pass (bring on the early feedback!).
     5. If tests pass, code is committed to CI and integrated to trunk.
     6. Wider automated (integration, etc.) tests are run where applicable, including security tests as part of the build pipeline.
     7. If required, manual tests are done, e.g. security scan, exploratory testing, etc.
     8. Rinse, repeat. It’s just how the team flows: no afterthoughts, quality is baked in.
  20. The danger of proper noun “models”. https://pragdave.me/blog/2014/03/04/time-to-kill-agile.html
  21. The danger of proper noun “models” (cont’d)
  22. Closing
  23. Thank You! Questions? (See next page for reading suggestions)
  24. Reading
     ● The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win, by Gene Kim, Kevin Behr, George Spafford. IT Revolution Press, 2013.
     ● http://www.devsecops.org/
     ● http://itrevolution.com/devops-culture-part-1/
     ● https://itrevolution.com/the-three-ways-principles-underpinning-devops/
     ● https://devopsagenda.techtarget.com/opinion/Its-past-time-to-revisit-Agiles-definition-of-done
     ● https://xp123.com/articles/coaching-drills-and-exercises/
     ● https://www.agilealliance.org/the-agile-root-of-devops/
     ● https://twitter.com/royrapoport/status/996013869230272512
     ● https://pragdave.me/blog/2014/03/04/time-to-kill-agile.html