Leveraging Your Company's DevOps Transformation (AppSec USA 2014)

Damon Edwards presentation at AppSec USA 2014 (Denver, CO on 9/19/14)

  1. Where the Security Rubber Meets the DevOps Road: Understanding Your Company’s DevOps Transformation (so you can leverage it for your own goals)
  2. @damonedwards
  3. devopscafe.org
  4. Operations Tools • DevOps Consulting • Automation Design
  5. Security Expert
  6. Giving the customer... • What they want • When they want it • At the lowest cost possible
  7. Dev | Ops
  8. Wall of Confusion between Dev and Ops: DevOps Problems!
  9-10. Ah-ha! Shorten time to market. Remove the Wall of Confusion between Dev and Ops. Feedback.
  11-15. Signals the org is getting better: • Lead Times (and more predictable) • MTTD (Mean Time To Detect) • MTTR (Mean Time to Repair) • Quality at the Source (less scrap, caught faster)
  16-17. Why DevOps? Why Now? (If we ignore DevOps, won’t it just blow over?)
  18. We need the capability to learn faster than our competitors
  19. The Rise of a New IT Operations Support Model: By 2015, DevOps will evolve from a niche strategy employed by large cloud providers into a mainstream strategy employed by 20% of Global 2000 organizations. Why DevOps will emerge: • DevOps is not usually driven from the top down and, thus, may be more easily accepted by IT operations teams. • ITIL and other best practices frameworks are acknowledged to have not delivered on their goals, enabling IT organizations to look for new models. • The growing interest in tools such as Chef, Puppet, etc., will help stimulate demand for OSS-based management. Why DevOps will not emerge: • Cultural changes are the hardest to implement, and DevOps requires a significant rethinking of IT operations conventional wisdom. • There is a large body of work with respect to ITIL and other best practices frameworks that is already accepted within the industry. • Open source (OSS) management tools, which are more aligned with this approach, have not seen significant enterprise market share traction.
  20-21. 2014 State of DevOps Survey: 9,200+ respondents from 110 countries, across all industries
  22. DevOps gives us the capability to learn faster than our competitors
  23-24. DevOps is here to stay. (Opportunity? Risk?)
  25. Opportunity for InfoSec: Reset the relationship. DevOps
  26-32. Silos are the #1 enemy of throughput and quality: Dev Team, Release Team, Ops Team and Business Team, with a handoff between each. Application Knowledge sits with Dev, Operational Knowledge with Ops, Business Intent with the Business. Ownership but limited Accountability on one side; Accountability but no Ownership on the other.
  33-36. Redraw the organization to eliminate silos: Dev Team, Release Team, Ops Team and Business Team become Cross Functional Delivery Teams, aligned by value streams or customer-identifiable services. A Freedom & Responsibility culture is key to enabling this. Different talk, Google: “Cloud Operations at Netflix” and “Actionable Metrics Netflix” by Roy Rapoport.
  37. How? DevOps
  38-39. Turn information flow into artifact flow. (Figure: current state value stream map spanning Product Management, Engineering and Cloud Services, with per-step L/T lead time, P/T process time, H/C head count and S/R scrap rate; waste legend: D defects, EP extra processes, M motion, PD partially done, TS task switching, W waiting.)
  40-45. Drive all changes through a SDLC. (Figure: delivery pipeline in which Tests, Code, Config, Env Spec and Run-book Automation in SOURCE flow through the Source Repo, CI Server and Package Repo to an Operations Console that runs Shell and PowerShell against the Pre-Production Environments and the Production Environment; Development feeds Packages to Operations as a versioned release.) Dev and Ops collaborate on the SOURCE side and execute operations procedures on the SERVICE side. Same People!!
  46. How? DevOps
  47-49. What about cross-cutting concerns? The Cross Functional Delivery Team (PO • Dev • Test • SRE) owns the pipeline (Tests, Code, Config, Env Spec, Run-book Automation, Source Repo, CI Server, Package Repo, Operations Console, Shell/PowerShell, Pre-Production Environments, Packages) and pulls QA, Security, Environments and Monitoring/Metrics as services: QA as a Service, Security as a Service, Env. as a Service, Metrics as a Service.
  50. Be a service provider (Cross-Cutting Concern X pulled as X as a Service): ✓ Standardized offerings ✓ Pulled by users (not pushed) ✓ On-demand and self-service ✓ Implementation knowledge not necessary for normal use ✓ Provider spends their time building the service and coaching users
  51-61. How to start being a service provider (Cross-Cutting Concern X pulled as X as a Service): 1 Define your offerings 2 Tame the tool sprawl 3 Set up self-service interfaces 4 Set up secure access. Plug: Give Rundeck a try --> rundeck.org
  62. What about things that can’t be automated? DevOps
  63-64. Good rule of thumb: Tickets are for exceptions, not the daily work. (Figure: requests routed through a Ticket System, crossed out.) Manual request queues lead to... • Bottlenecks • Increased lead times • Reinforced organizational silos • Misinterpretation or omissions
  65. How do we mitigate the negative impact of manual request queues? DevOps
  66-70. Use a work management system like Kanban. (Figure: board with columns Up Next, Doing (Plan it, Do it, Review it) and Post Mortem; swim lanes for Service A through Service E, your standardized offerings, plus Emergency - Type 1 and Emergency - Type 2; tasks drawn from a backlog prioritized by stakeholders.) Only works if you set and enforce: • Service catalog and backlog rules • WIP and SLA per service type • WIP per person. Enforce WIP to protect capacity and hit commitments!
  71. ...But Security! ...But Compliance! DevOps
  72-84. Security and Compliance Opportunity. (Same pipeline figure: Tests, Code, Config, Env Spec and Run-book Automation in SOURCE, Source Repo, CI Server, Package Repo, Operations Console, Shell/PowerShell, Pre-Production Environments, Production Environment, Packages, Development and Operations.) Where security plugs in: Design and Code Reviews • Code and Binary Scanning • “Bake” security tests into your “immune system” • Component vulnerability and governance • Access policy and operational security checks. Questions the pipeline lets you answer: What’s the change? How did you validate the change? Where did the change go? Who has access to what environment? Who did what when and where? What was executed on the box to make the change? Two zones: Change things here / Run and control things here.
  85-90. Are you helping your company to... • Reduce cycle time AND improve quality? • Eliminate handoffs or reduce the friction of those handoffs that can't be eliminated? • Improve tool-to-tool artifact flow and eliminate manual information flow? • Eliminate manually-fulfilled request queues and other sources of waiting? • Improve awareness and understanding of the current state and desired state of the end-to-end system?
  91. @damonedwards damon@simplifyops.com