
DevSecOps: The End of the Beginning - Austin


Andrew Clay Shafer musing about the evolution of devsecops. Where are we now? Where could things go? Building a global community of practice learning and sharing.

Published in: Technology


  1. devsecops - Andrew Clay Shafer @littleidea - the end of the beginning
  2. @littleidea Andrew Clay Shafer
  3. @littleidea Andrew Clay Shafer
  4. @littleidea Andrew Clay Shafer
  5. @littleidea
  6. I hate the word ‘DevSecOps’. I also hated the word ‘DevOps’. Before that I hated the word ‘Cloud’. But here we are. Get off my lawn.
  7. I INVENTED DEVOPS
  8. This is embarrassing.
  9. I didn’t invent devops. I stole it.
  10. Velocity 2009
  11. 2009 Gent, Belgium - Patrick Debois
  12. Spectrum of Criticality: Cat Pictures - Finance - Life & Death
  13. devops - CALMS: • culture • automation • (lean) • metrics • sharing (Damon Edwards and John Willis, plus Jez Humble)
  14. What does that mean? What am I supposed to do now?
  15. Tried to make these actionable
  16. Culture - Automation - Lean - Metrics - Sharing
  17. Westrum Topology: Culture
  18. Automation (and Architecture)
      Manual               | Scripted          | Platform
      toil                 | effort            | directed
      catastrophic failure | disaster recovery | self healing
      incidents            | MTTR              | continuous partial failure
  19. Metrics
      unmonitored     | measured    | insightful
      no info         | data        | SLI
      ssh             | aggregation | dashboards
      never gets done | secondary   | observability built in
  20. Sharing
      hidden               | available         | ambient
      can’t find           | searchable        | cultivated
      strong silos         | publish info      | share personally
      everything is secret | secret to company | global community
  21. Lean Subsumes ALL the Things (ignore what a terrible metaphor manufacturing is for software)
  22. Continuous Improvement
  23. complacent - motivated - inspired
  24. CALMS sounds better than CAMS ¯\_(ツ)_/¯
  25. Culture - Automation - Lean - Metrics - Sharing
  26. Culture - Automation - Lean - Metrics - Sharing - Security
  27. Security
      lol        | try            | do
      security?  | after the fact | first principles
      theatrics  | tools          | built in
      hide       | blame          | own
  28. devops • developers and operations can and should work together • system administration evolving to look more like software development • evolving together as a global community sharing solutions (Legacy me - in 2010)
  29. devsecops • developers AND operations AND security can and should work together • security is evolving to incorporate more software development • evolving together as a global community sharing solutions (me - in 2019)
  30. super computers everywhere connecting all human knowledge with high speed networks …to adversaries
  31. every aspect of human performance and experience that can be optimized will be… including owning you
  32. @littleidea’s definition of devops™: optimizing human performance and experience operating software… and humans with software…
  33. @littleidea’s definition of devsecops™: optimizing human performance and experience securing software… and humans with software…
  34. WE IMPLEMENTED DEVOPS
  35. we have devsecops
  36. implementing devops is not a thing
  37. implementing devsecops is not a thing either
  38. devops is never done
  39. security is never done either
  40. everyone wants the devops. Well actually…
  41. what they really want • scalability • availability • reliability • operability • usability • observability • all for free • without changing anything
  42. without changing anything
  43. without changing anything
  44. without changing anything
  45. everyone wants the devsecops. Well actually…
  46. without changing anything
  47. don’t want to forget ‘how we do things here’
  48. resistance to change?
  49. security: the unfunded mandate. incentives drive behaviors, so weird…
  50. people attach their identity to their tasks; changing what they do is an attack on their identity
  51. we have to make them heroes in the new version of the story
  52. developers are under a lot of pressure to do things… right now
  53. we have to make doing the ‘right thing’ the ‘easy thing’
  54. your platform has to audit and enforce your policy* (*risk profile)
  55. continuous compliance
  56. when devsecops is successful people will abuse the term and it will splinter into subcommunities
  57. because infosec is not one thing either
  58. what are the infosec analogs for ‘observability’, ‘reliability’, ‘resilience’ & ‘chaos’?
  59. “It ought to be remembered that there is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things. Because the innovator has for enemies all those who have done well under the old conditions, and lukewarm defenders in those who may do well under the new.” Niccolò Machiavelli, The Prince
  60. good luck; have fun
  61. I’m not here to answer questions. I’m here to have conversations. Thank You
