Devops is a Security Requirement
@KrisBuytaert
May 2018, Amsterdam
Kris Buytaert
● I used to be a Dev,
● Then became an Op
● Even did Security (OSSTM)
● Chief Trolling Officer and Open Source Consultant @inuits.eu
● Everything is a freaking DNS Problem
● Building Clouds since before the bookstore
● Some books, some papers, some blogs
● Too many conferences. #devopsdays, #loadays, #cfgmgmtcamp
Who has upgraded his business critical applications over the past 12 months?
Why not?
What's this Devops thing really about?
World, 200X-2009
Patrick Debois, Gildas Le Nadan, Andrew Clay Shafer, Kris Buytaert, Jez Humble, Lindsay Holmwood, John Willis, Chris Read, Julian Simpson, and lots of others ...
Gent, October 2009
Mountain View, June 2010
Hamburg, October 2010
Boston, March 2011
Mountain View, June 2011
Bangalore, Melbourne, Goteborg, October 2011
C(L)AMS
● Culture
● (Lean)
● Automation
● Measurement
● Security
Damon Edwards and John Willis
Debunking the Critics
Security not included? Everyone is included: security, dba, devs, ops, designer, analysts.
We are solving a business problem, not a technology problem.
*ops
*.*
Frank Breedijk
@seccubus
● Http → https
● Imap → imaps
● Pop3 → pop3s
● Devop → devopS
"DevOps is a cultural and professional movement"
Adam Jacob
How did we get here?
The(se) (Old) Days
● "Put this Code Live, here's a tarball/container"
● What dependencies?
● No machines available?
● What database?
● Security?
● High Availability?
● Scalability?
● My computer can't install this?
Devs vs Ops
People hated Sysadmins
Because
● They slow stuff down
● They say no
● They say no again
● They refuse to break stuff
● They care about uptime
● They don't care about fancy new features
People hate Security
Because
● They slow stuff down
● They say no
● They say no again
● They refuse to leave holes open
● They care about security
● They don't care about fancy new features
Security Officers have an expiry date
10 days into operation
● What High Load? What Memory usage?
● Are these Logs? Or is this actually customer data?
● How many users are there, should they launch 100 queries each?? Oh, we're having 10K users
● Why is debugging enabled?
● Who wrote this?
● Does this user belong here?
11 days into operations
12 days into operations
13 days into operations
14 days into operations
Tomorrow :)
We can solve this!
● We are not here to block
● Some people think the Security / Operations work starts on deployment
● It starts much earlier
● Start talking asap
Culture,
automation,
Measurement,
sharing
Breaking the Silos
Getting Along (Ops, Devs)
● Who is in charge of security?
● What do your developers think about security?
● When do you think about security?
● The problem with security is it doesn't generate revenue
● Security needs to become part of your DNA.
With great power ...
Your code will go to production ...
You will be able to fix it ...
You will have access to the logs
Access to the metrics ...
https://www.slideshare.net/jedi4ever/from-devops-to-devops-what-a-diference-one-character-makes/75/
Devops is a Reorg
● New role for Change Management
● New role for Security Officers
● Added roles for Testers
● Shift Left
What's in it for you?
• Faster time to market
• Features go live in hours vs years
• In a more safe (Secure)
• Reliable fashion
• Fully automated
• More happy {customers, developers, managers, investors}
Culture,
Automation,
Measurement,
Sharing
"Our job as engineers (and ops, dev-ops, QA, support, everyone in the company actually) is to enable the business goals. We strongly feel that in order to do that you must have the ability to deploy code quickly and safely. Even if the business goals are to deploy strongly QA’d code once a month at 3am (it’s not for us, we push all the time), having a reliable and easy deployment should be non-negotiable."
Etsy Blog upon releasing Deployinator
http://codeascraft.etsy.com/2010/05/20/quantum-of-deployment/
This is not Continuous Deployment
@stahnma
@#devopsdays Ohio
Continuous Delivery is a Security Requirement
MTTR ~> 0
How do we get from
We don’t dare to patch
To
All systems green, let's go
It's too risky
• We deployed 6 months ago, it was painful, we needed 3 weeks aftercare
• There's 3576 changes in the new deploy, we have no clue what caused this problem
• We need 20 people in a room for 8-12 hours
• I have no clue why I wrote that line of code 3 months ago
• The person who wrote this left 2 weeks ago
• Ooops, we forgot to delete that feature they don't want anymore.

• We deploy automatically,
• I clearly remember what we fixed yesterday
• And that's the only thing that has changed in the last commit
• The person who wrote the code is still in the building
• We really need this feature now, we can remove it later
Every commit with successful tests will automatically be deployed to production
Every commit with successful tests will automatically be deployed to production
Version control
Who changed what, why and when
Every commit with successful tests will automatically be deployed to production
Automated testing strategy is key
Successful tests, no bypassing of the tests
Test all the things
• Unit tests
• Integration Tests
• System Tests
• Acceptance Tests
• Security Tests
• Performance Tests
• Regression Tests
• Functional Tests
Every commit with successful tests will automatically be deployed to production
Automate all the things!
No humans involved,
Less error prone
Less boring
Every commit with successful tests will automatically be deployed to production
Deployed code does not mean enabled feature.
Auditors / Compliance
• We do the same, just automated
• Separation of Duties
  ● Man vs Machine
• Authentication and Audit Trail
• Full automation, Git logs, Deploy logs, no more manual actions
• Have you tried talking to them?
What's in your Pipeline?
A pipeline
● Checkout code
● Syntax
● Style
● Code Coverage
● Tests
● Build
● More Tests
● Package
● Upload to Repo
A pipeline++
● Checkout code
● Syntax
● Style
● Code Coverage
● Tests
● Build
● More Tests
● Package
● Upload to Repo
● Deploy on Test
● ...
● Insert SECURITY TESTS!
Attack yourself on every build
● Gauntlt, write security tests
● Vulnerability scans (Arachni)
● OpenVAS
● OWASP DevSlop Tool Project
● The OWASP AppSec Rugged DevOps Pipeline Project
● Zed Attack Proxy (ZAP)
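As an added example (not from the slides, and not code from Gauntlt, Arachni, OpenVAS or ZAP), here is a minimal POSIX shell pipeline whose stages mirror the pipeline++ list above, with a security test stage that gates the deploy the way the "successful tests, no bypassing of the tests" rule demands: the stages run in a fixed order, there is deliberately no skip flag, and the production deploy stage is only reached when the gate passes. The stage names, the one-finding-per-line report format and the sample findings are constructed for this example; a real stage would run one of the scanners listed against the test deployment and parse that tool's own report.

```shell
#!/bin/sh
# Added example, not from the slides: a pipeline whose security test stage
# blocks the production deploy when the scan report contains findings at or
# above a chosen severity. Stage names and report format are assumptions.

set -u

# Constructed scanner output: "<severity> <id> <description>" per line.
# Real scanners (Arachni, ZAP, OpenVAS) emit JSON/XML; this is a stand-in.
SAMPLE_REPORT='low 1 missing X-Content-Type-Options header
medium 2 verbose server banner
high 3 reflected parameter not encoded'

# severity_rank WORD: map a severity to a number so thresholds compare.
severity_rank() {
  case "$1" in
    info) echo 0 ;;
    low) echo 1 ;;
    medium) echo 2 ;;
    high) echo 3 ;;
    critical) echo 4 ;;
    *) echo 4 ;;   # unknown severity: treat as worst case, never ignore it
  esac
}

# count_findings_at_or_above REPORT THRESHOLD: prints how many findings
# have severity >= THRESHOLD.
count_findings_at_or_above() {
  report="$1"
  threshold=$(severity_rank "$2")
  count=0
  # here-document instead of a pipe so the loop runs in this shell and
  # the counter survives the loop
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    sev=$(printf '%s' "$line" | cut -d' ' -f1)
    if [ "$(severity_rank "$sev")" -ge "$threshold" ]; then
      count=$((count + 1))
    fi
  done <<EOF
$report
EOF
  echo "$count"
}

# security_gate REPORT THRESHOLD: returns 0 (pass) or 1 (block the deploy).
security_gate() {
  n=$(count_findings_at_or_above "$1" "$2")
  if [ "$n" -gt 0 ]; then
    echo "security gate: $n finding(s) at severity >= $2, blocking deploy" >&2
    return 1
  fi
  echo "security gate: no findings at severity >= $2" >&2
  return 0
}

# run_pipeline REPORT THRESHOLD: runs the stages in order. The first failing
# stage stops the pipeline, so deploy_prod cannot be reached around the gate.
# Prints the name of the last stage that ran; returns 1 if it failed.
run_pipeline() {
  report="$1"; threshold="$2"
  last=""
  for stage in checkout syntax style coverage tests build package \
               upload deploy_test security_tests deploy_prod; do
    last="$stage"
    case "$stage" in
      security_tests)
        security_gate "$report" "$threshold" || { echo "$last"; return 1; } ;;
      *) : ;;   # the other stages are stand-ins here and always succeed
    esac
  done
  echo "$last"
  return 0
}
```

Run it as `run_pipeline "$SAMPLE_REPORT" high`: with the constructed report the gate trips on the single high finding and the pipeline stops at `security_tests`; with the threshold set to `critical` the same report passes and `deploy_prod` is reached. The threshold is the one policy decision a team has to own, and it belongs in version control next to the pipeline definition so the audit trail shows who relaxed it and when.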
Leverage Infrastructure as Code
● Configure 1000 nodes,
● Modify 2000 files,
● Together
● Think:
  ● Cfengine, Puppet, Chef, Salt
● Put configs under version control
● Please don't roll your own ...
Puppet in Action
Policies/Hardening with Dev-sec.io
Orchestration
● Fix security issues with 1 command
● mco package bind upgrade
● Write Ansible role to upgrade XYZ
Culture,
Automation,
Measurement: measure all the things
Sharing
Logstash in Action
Screenshot dating 2012 ON purpose .. this is NOT bleeding edge technology
S in devops/Clams?
● Version control => Auditing
● CI/CD
  • Add security IN the pipeline
  • Reduce MTTM
● Configuration Mgmt
  ● Auditing & Enforcing
  ● Policy Definition
● Monitoring: Find the anomalies
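As an added example (not the slides' own code, and not Puppet, Chef, Salt or dev-sec.io code), here is the "Auditing & Enforcing" half of configuration management in miniature, for the "put configs under version control" slide above: a POSIX shell script that audits live config files against the committed policy copies, emits a diff for the audit trail when a file has drifted, and can put the committed version back while keeping a backup of what it replaced. The directories, the sshd_config policy lines and the drifted live copy are constructed inside the script; a real configuration management run does the same comparison across every managed file on every node.

```shell
#!/bin/sh
# Added example, not from the slides: audit live config files against the
# version-controlled copies and enforce the committed version on request.
# Paths, policy content and the drifted live file are all constructed.

set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
REPO="$WORK/repo"   # stands in for the git checkout that holds the policy
LIVE="$WORK/etc"    # stands in for the node's /etc
mkdir -p "$REPO" "$LIVE"

# Constructed hardened sshd policy, as it would sit in version control
cat > "$REPO/sshd_config" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
EOF
# Constructed live copy that has drifted: root login re-enabled by hand
cat > "$LIVE/sshd_config" <<'EOF'
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
EOF
# A second managed file that is still in line with policy
printf 'net.ipv4.ip_forward = 0\n' > "$REPO/sysctl.conf"
cp "$REPO/sysctl.conf" "$LIVE/sysctl.conf"

# audit_config NAME: prints "ok", "drift", or "missing" (live file absent)
# and writes the unified diff to stderr so the audit trail shows the change.
audit_config() {
  name="$1"
  if [ ! -f "$LIVE/$name" ]; then
    echo missing
    return 1
  fi
  if cmp -s "$REPO/$name" "$LIVE/$name"; then
    echo ok
    return 0
  fi
  diff -u "$REPO/$name" "$LIVE/$name" >&2 || true
  echo drift
  return 1
}

# count_drifted: audits every file under policy, prints how many are not ok.
count_drifted() {
  n=0
  for path in "$REPO"/*; do
    name=$(basename "$path")
    if [ "$(audit_config "$name")" != ok ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# enforce_config NAME: keep a timestamped backup of the live file, copy the
# committed version into place, then re-audit so the result is verified.
enforce_config() {
  name="$1"
  if [ -f "$LIVE/$name" ]; then
    cp "$LIVE/$name" "$LIVE/$name.bak.$(date +%s)"
  fi
  cp "$REPO/$name" "$LIVE/$name"
  audit_config "$name"
}
```

`audit_config sshd_config` reports `drift` and prints the one changed line on stderr, `count_drifted` reports 1 of the 2 managed files out of policy, and after `enforce_config sshd_config` both return to `ok`. Running the audit alone on a schedule gives you the "auditing" column of the slide (find out what changed and where) without touching anything; enforcing is the separate, deliberate step.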
It's not about the tools
It's about change
It's about the people
{devops/security}
is not a product you can buy,
It's a lifestyle
Contact
Kris Buytaert Kris.Buytaert@inuits.eu
Further Reading
@krisbuytaert
http://www.krisbuytaert.be/blog/
http://www.inuits.eu/
Inuits
Essensesteenweg 31
2930 Brasschaat
Belgium
891.514.231
+32 475 961221
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Recently uploaded (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Devops is a Security Requirement

  • 1. Devops is a security Requirement @KrisBuytaert May 2018, Amsterdam
  • 2. Kris Buytaert ● I used to be a Dev, ● Then Became an Op ● Even did Security (OSSTM) ● Chief Trolling Officer and Open Source Consultant @inuits.eu ● Everything is a freaking DNS Problem ● Building Clouds since before the bookstore ● Some books, some papers, some blogs ● Too many conferences. #devopsdays, #loadays, #cfgmgmtcamp
  • 3. Who has upgraded his business critical applications over the past 12 months ?
  • 4. Why not ?
  • 5. What's this Devops thing really about ?
  • 6. World , 200X-2009 Patrick Debois, Gildas Le Nadan, Andrew Clay Shafer, Kris Buytaert, Jez Humble, Lindsay Holmwood, John Willis, Chris Read, Julian Simpson, and lots of others .. Gent , October 2009 Mountain View , June 2010 Hamburg , October 2010 Boston, March 2011 Mountain View, June 2011 Bangalore, Melbourne, Goteborg , October 2011
  • 7. C(L)AMS ● Culture ● (Lean) ● Automation ● Measurement ● Security Damon Edwards and John Willis
  • 8. Debunking the Critics Security not included ? Everyone is Included: security, dba, devs, ops, designer, analysts, We are solving a business problem, Not a technology problem
  • 10. Frank Breedijk @seccubus ● Http → https ● Imap → imaps ● Pop3 → pop3s ● Devop → devopS
  • 11. “DevOps is a cultural and professional movement” Adam Jacob
  • 12. How did we get here ?
  • 13. The(se)(Old) Days ● “Put this Code Live, here's a tarball/container” ● What dependencies ? ● No machines available ? ● What database ? ● Security ? ● High Availability ? ● Scalability ? ● My computer can't install this ?
  • 14. Devs vs Ops
  • 15. People hated Sysadmins Because ● They slow stuff down ● They say no ● They say no again ● They refuse to break stuff ● They care about uptime ● They don't care about fancy new features
  • 16.
  • 17. People hate Security Because ● They slow stuff down ● They say no ● They say no again ● They refuse to leave holes open ● They care about security ● They don't care about fancy new features Security Officers have an expiry date
  • 18.
  • 19. 10 days into operation ● What High Load ? What Memory usage ? ● Are these Logs ? Or is this actually customer data ? ● How many users are there , should they launch 100 queries each ?? Oh we're having 10K users ● Why is debugging enabled ? ● Who wrote this ? ● Does this user belong here ?
  • 20. 11 days into operations
  • 21. 12 days into operations
  • 22. 13 days into operations
  • 23. 14 days into operations
  • 25. We can solve this ! ● We are not here to block ● Some people think the Security / Operations work starts on deployment ● It starts much earlier ● Start talking asap
  • 27. Breaking the Silos Getting Along Ops Devs
  • 28. ● Who is in charge of security ? ● What do your developers think about security ? ● When do you think about security ? ● The problem with security is it doesn't generate revenue ● Security needs to become part of your DNA.
  • 29. With great power ... Your code will go to production.. You will be able to fix it .. You will have access to the logs Access to the metrics...
  • 30.
  • 32. Devops is a Reorg ● New role for Change Management ● New role for Security Officers ● Added roles for Testers ● Shift Left
  • 33.
  • 34. What's in it for you ? •Faster time to market •Features go live in hours vs years •In a more safe (Secure) •Reliable fashion •Fully automated •More happy {customers,developers,managers,investors}
  • 36. "Our job as engineers (and ops, dev-ops, QA, support, everyone in the company actually) is to enable the business goals. We strongly feel that in order to do that you must have the ability to deploy code quickly and safely. Even if the business goals are to deploy strongly QA’d code once a month at 3am (it’s not for us, we push all the time), having a reliable and easy deployment should be non-negotiable." Etsy Blog upon releasing Deployinator http://codeascraft.etsy.com/2010/05/20/quantum-of-deployment/
  • 37. This is not Continuous Deployment @stahnma @#devopsdays Ohio
  • 38. Continuous Delivery is a Security Requirement
  • 40. How do we get from We don’t dare to patch To All systems green , let's go
  • 41. It's too risky •We deployed 6 months ago, it was painful, we needed 3 weeks aftercare •There's 3576 changes in the new deploy, we have no clue what caused this problem •We need 20 people in a room for 8-12 hours •I have no clue why I wrote that line of code 3 months ago •The person who wrote this left 2 weeks ago •Ooops we forgot to delete that feature they don't want anymore. •We deploy automatically, •I clearly remember what we fixed yesterday •And that's the only thing that has changed in the last commit •The person who wrote the code is still in the building •We really need this feature now, we can remove it later
  • 42.
  • 43. Every commit with successful tests will automatically be deployed to production
  • 44. Every commit with successful tests will automatically be deployed to production Version control Who, changed what, why and when
  • 45. Every commit with successful tests will automatically be deployed to production Automated testing strategy, is key Successful tests, no bypassing of the tests
  • 46. Test all the things •Unit tests •Integration Tests •System Tests •Acceptance Tests •Security Tests •Performance Tests •Regression Tests •Functional Tests
  • 47. Every commit with successful tests will automatically be deployed to production Automate all the things ! No humans involved, Less error prone Less boring
  • 48. Every commit with successful tests will automatically be deployed to production Deployed code does not mean enabled feature.
  • 49. Auditors / Compliance •We do the same, just automated •Separation of Duties ● Man vs Machine •Authentication and Audit Trail •Full automation, Git logs, Deploy logs, no more manual actions •Have you tried talking to them ?
  • 50.
  • 51. What's in your Pipeline ?
  • 52. A pipeline ● Checkout code ● Syntax ● Style ● Code Coverage ● Tests ● Build ● More Tests ● Package ● Upload to Repo
  • 53. A pipeline++ ● Checkout code ● Syntax ● Style ● Code Coverage ● Tests ● Build ● More Tests ● Package ● Upload to Repo ● Deploy on Test ● … ● Insert SECURITY TESTS !
  • 54. Attack yourself on every build ● Gauntlt , write security tests ● Vulnerability scans (Arachni) ● OpenVAS ● OWASP DevSlop Tool Project ● The OWASP AppSec Rugged DevOps Pipeline Project ● Zed Attack Proxy (ZAP)
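One concrete form of the "pipeline++" from slides 52-54, as an added example that is not part of the deck: a GitLab CI pipeline (the deck names no CI tool, so that choice, the Python/flake8/pytest tooling, the `app` module name, `$TEST_URL`, `$REPO_URL` and `deploy.sh` are all assumptions) whose last stage runs a dependency audit and a ZAP baseline scan against the test deployment, and fails the pipeline on findings exactly like any other test.

```yaml
# Added example, not from the deck: a GitLab CI pipeline that follows the
# "pipeline++" stage list. Assumed (not from the deck): GitLab CI, a Python
# app checked with flake8/pytest, a test environment at $TEST_URL, and a
# project-supplied deploy.sh and $REPO_URL (hypothetical names).
image: python:3.12
stages:
  - syntax
  - style
  - test            # tests and code coverage
  - build
  - more-tests      # the packaged artifact
  - upload
  - deploy-test
  - security        # last, against the test deployment

syntax:
  stage: syntax
  script:
    - python -m compileall -q .

style:
  stage: style
  script:
    - pip install flake8
    - flake8 .

tests:
  stage: test
  script:
    - pip install -r requirements.txt pytest pytest-cov
    - pytest --cov=app --cov-fail-under=80   # coverage gate: below 80% fails

build:
  stage: build
  script:
    - pip install build
    - python -m build                  # writes dist/*.whl and dist/*.tar.gz
  artifacts:
    paths: [dist/]                     # handed to every later stage

more-tests:
  stage: more-tests
  script:
    - pip install dist/*.whl           # the built package must install cleanly
    - python -c "import app"

upload:
  stage: upload
  script:
    - pip install twine
    - twine upload --repository-url "$REPO_URL" dist/*   # creds from CI variables

deploy-test:
  stage: deploy-test
  script:
    - ./deploy.sh test "$CI_COMMIT_SHA"    # hypothetical deploy script
  environment:
    name: test
    url: $TEST_URL

# Security tests are ordinary jobs: a non-zero exit fails the pipeline, which
# is what "no bypassing of the tests" means in practice.
dependency-audit:
  stage: security
  script:
    - pip install pip-audit
    - pip-audit -r requirements.txt    # known-vulnerable dependencies fail the job

zap-baseline:
  stage: security
  image: ghcr.io/zaproxy/zaproxy:stable
  script:
    - mkdir -p /zap/wrk                # zap-baseline.py writes its report here
    - zap-baseline.py -t "$TEST_URL" -r zap-report.html
  after_script:
    - cp /zap/wrk/zap-report.html "$CI_PROJECT_DIR/" || true
  artifacts:
    when: always                       # keep the report even when the scan fails
    paths: [zap-report.html]
```

The ZAP job exits non-zero when the baseline scan reports warnings or failures, so the pipeline stops before anything is promoted beyond the test environment; the HTML report is kept as an artifact for the audit trail slide 49 asks for.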
  • 55. Leverage Infrastructure as Code ● Configure 1000 nodes, ● Modify 2000 files, ● Together ● Think : ● Cfengine,Puppet, Chef, Salt ● Put configs under version control ● Please don't roll your own ...
  • 58. Orchestration ● Fix security issues with 1 command ● mco package bind upgrade ● Write Ansible role to upgrade XYZ
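Slide 58's one-command fix written out as an added Ansible playbook; it is not from the deck, which names MCollective's `mco package bind upgrade` and "an Ansible role" without showing either. The `dns` inventory group, the Debian/Ubuntu package name `bind9` and the `named` service unit are assumptions.

```yaml
# Added example, not from the deck: an Ansible playbook doing what the slide's
# "mco package bind upgrade" does. Assumed (not from the deck): an inventory
# group "dns" of Debian/Ubuntu hosts where the package is bind9 and the
# service unit is named.
- name: Upgrade BIND on every DNS server, a quarter of them at a time
  hosts: dns
  become: true
  serial: "25%"            # roll through the group in batches
  max_fail_percentage: 0   # abort the rollout as soon as one batch fails

  tasks:
    - name: Refresh the package index and upgrade bind9
      ansible.builtin.apt:
        name: bind9
        state: latest
        update_cache: true
      notify: Restart named

    - name: Check the configuration before the restart handler fires
      ansible.builtin.command: named-checkconf
      changed_when: false

  # Handlers run after the tasks section, so the restart below happens
  # before the post_tasks checks, batch by batch.
  handlers:
    - name: Restart named
      ansible.builtin.service:
        name: named
        state: restarted

  post_tasks:
    - name: Verify the upgraded daemon is up and answering rndc
      ansible.builtin.command: rndc status
      changed_when: false

    - name: Record the installed version for the audit trail
      ansible.builtin.command: named -v
      register: named_version
      changed_when: false

    - name: Show the version this host now runs
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }}: {{ named_version.stdout }}"
```

Run it with `ansible-playbook -i inventory upgrade-bind.yml`, or add `--check` first to see which hosts would change without touching them.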
  • 59. Culture, Automation, Measurement : measure all the things Sharing
  • 60. Logstash in Action Screenshot dating 2012 ON purpose .. this is NOT bleeding edge technology
  • 61. S in devops/Clams ? ● Version control => Auditing ● CI/CD • Add security IN the pipeline • Reduce MTTM ● Configuration Mgmt ● Auditing & Enforcing ● Policy Definition ● Monitoring : Find the anomalies
  • 62. It's not about the tools It's about change It's about the people
  • 63. {devops/security } is not a product you can buy, It's a lifestyle
  • 64. Contact Kris Buytaert Kris.Buytaert@inuits.eu Further Reading @krisbuytaert http://www.krisbuytaert.be/blog/ http://www.inuits.eu/ Inuits Essensesteenweg 31 2930 Brasschaat Belgium 891.514.231 +32 475 961221