Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The Journey to DevSecOps

437 views

Published on

Changing how security gets delivered to help with making innovation safe at speed and scale.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

The Journey to DevSecOps

  1. 1. Shannon Lietz The Journey to DevSecOps^ @devsecops
  2. 2. Always an Early Adopter Google Trends • DevOps.com was bought in 2004 • Google searches for “DevOps” started to rise in 2010 • Major influences: – Saving your Infrastructure from DevOps / Chicago Tribune – DevOps: A Culture Shift, Not a Technology / Information Week – DevOps: A Sharder’s Tale from Etsy – DevOps.com articles • RuggedSoftware.org was bought in 2010 https://www.google.com/trends/
  3. 3. Chasing Innovation…
  4. 4. Which means, spending most of your career doing this… Bang Head Here
  5. 5. This is the End of Security as We Know It… Say what?!??! 6+ years later, it’s hard to believe we’re still shocked by this quote! This talk will provide you with a path forward… And a survival kit... -Josh Corman
  6. 6. An Ugly Little Secret • DevOps teams make security decisions… several times, everyday! • Hackers find security issues and exploit them... several times, everday! • Security teams hardly ever make security decisions... and really only when risks need to be officially authorized! https://www.flickr.com/photos/denise_rowlands
  7. 7. In a Deming World… • Most decisions are made within the software supply chain by engineering teams • Security decisions are usually made as a result of attempting to balance design constraints • Gating processes are not Deming-like; but it is hard to avoid business catastrophes by applying measure ahead strategies for security • Most security defects are identified during a major event triggering the equivalent of a security “recall” design build deploy operate How do I secure my app? What component is secure enough? How do I secure secrets for the app? Is my app getting attacked? How? Typical gates for security checks & balances Mistakes and drift often happen after design and build phases Most costly mistakes Happen during design Missing and much-needed feedback loop
  8. 8. Hackers have lots of opportunities… People • Susceptible to phishing and email scams • Can be social engineered Process • Humans make mistakes, because they are human (6 Sigma) • Process gaps provide room for fraud Technology • Software complexity increases with reusable components • Technology providers have to do their part, or everyone fails!
  9. 9. Get Grounded in Reality • Secure business is the new black! KTLO! • Everyone must be responsible for security! • Perfection is over-rated… Mistakes are inevitable. • Reacting can be costly… build security in. • Compliance is important but it’s not security! • A blaming culture is dangerous, avoid it! • Continuously test, detect, measure and incrementally improve.
  10. 10. Keep The Lights On! • Keeping the Lights on includes Security… • 66% of companies adopting DevOps • DevOps teams need guardrails and guidelines to move fast • Security decisions that haven’t been made before likely require escalation https://www.flickr.com/photos/darwinbell http://www.rightscale.com/blog/cloud-industry-insights/cloud- computing-trends-2015-state-cloud-survey
  11. 11. Enlist Everyone! • Common ratio for Dev, Ops and Sec => 100, 10, 1 • Numbers matter against attackers! • Skills help, but anyone can identify an anomaly. • Everyone needs to help with security; everyone has a role to play. And this is hard to find...
  12. 12. Mistakes happen… • DevOps utilize customer-driven development processes with incremental changes…Mistakes just happen. • But because of frequent changes, teams have more opportunities to correct defects, on average 30x more • Teams need help deciphering how to self-correct https://www.flickr.com/photos/doobybrain
  13. 13. Protection is ideal; Detection is a must! • The faster a defect is discovered, the faster it can be dealt with. • DevOps has 50% faster MTTR • Transforming security events into incidents and problems helps with resolution rates https://www.flickr.com/photos/daoro
  14. 14. Compliance Programs won’t stop a breach • Point in time assessments don’t go far enough • 0 companies (in 10 years) have been found compliant after a breach • Compliance needs to be paired with rugged security http://www.slideshare.net/VerizonEnterpriseSolutions/webinar-new- insights-to-simplify-pci-compliance-and-manage-risk
  15. 15. High Performing is where it’s at! • High performing teams that focus on a blameless culture improve on average 50% better • Blaming cultures create less engagement, 30% less efficient • MTTR is 5x faster in blameless teams that focus on opportunities first #1
  16. 16. Continuous Improvement • Continuous improvement has been a goal for an endless amount of years • Teams that focus on testing, early detection, and measuring progress have 30% fewer defects in production • Tests are often added to continuous delivery to achieve better results throughout the continuous delivery pipeline https://www.flickr.com/photos/deniscollette
  17. 17. Great! What does this look like in practice for a security professional? Leaning in over Always Saying “No” Data & Security Science over Fear, Uncertainty and Doubt Open Contribution & Collaboration over Security-Only Requirements Consumable Security Services with APIs over Mandated Security Controls & Paperwork Business Driven Security Scores over Rubber Stamp Security Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident Shared Threat Intelligence over Keeping Info to Ourselves Compliance Operations over Clipboards & Checklists
  18. 18. Use Security Skills to Build Tools
  19. 19. Migrate to Security as Code
  20. 20. Get Involved and Join the Community • devsecops.org • @devsecops on Twitter • DevSecOps on LinkedIn • DevSecOps on Github • RuggedSoftware.org • Compliance at Velocity • Join Us !!! • Spread the word!!!
  21. 21. #RuggedDevOps If you see something cool…
  22. 22. Thank You to Our Sponsors
  23. 23. Get today’s Rugged DevOps presentations in your inbox mmiller@sonatype.com

×