4 Steps to Integrate
DevOps Workflows With
Cloud Security Practices
By Pete Cheslock
Senior Director, Ops and Support at Threat Stack
Introductions
Pete Cheslock
Senior Director, Ops and Support
As the head of Threat Stack’s operations and support teams, Pete is focused on delivering the highest level of service, reliability, and customer satisfaction to Threat Stack’s growing user base. An industry veteran with over 15 years’ experience in DevOps, Pete understands the challenges and issues faced by security, development and operations professionals every day, and how Threat Stack can help.

You can find Pete on Twitter @PeteCheslock.
One of the biggest themes I’ve observed throughout my career is:
Companies value speed over security.
…yet this approach has traditionally been a blocker in delivering software.
Recently, however, with more and more breaches and vulnerabilities reported (e.g. Shellshock and Heartbleed), it’s now more important than ever that security gets integrated INTO the operations process.
Here are the 4 Ways to Balance DevOps Workflows With Pragmatic Security:
1. Recognize that tools enabling DevOps also introduce new threats and attack surfaces!
Many apps have entered the modern-day Ops toolbelt:
• Vagrant
• Packer
• Docker
• Chef
• Puppet
• Salt
• Ansible
• etc., etc.
The problem that many of these tools solve is the ability for engineers to:
• Manage more systems
• With more control
• And consistency
…than ever before!
With Ops Engineers now representing their infrastructure as code, they can deploy changes with much higher velocity and much less risk than ever before.
And since their infrastructure is now represented in source control, they can use software engineering methodologies to test their code, and can do so much earlier in the Dev process.
With Docker and OSv, and the maturity around orchestrating containers and processes with tools like Kubernetes, Mesos and others… Ops Engineers can maintain a platform that enables Software Engineers to ship changes quickly and effectively.
The wall that existed between Engineering and Operations is now broken down!
Both sides are embracing change and pushing updates frequently.
However, we’re now faced with a new wall.
It exists between Security and the rest of the technical organization.
Fortunately, there are collaborative ways to overcome this wall…
2. Mitigate risk
while still moving fast
This is the classic “DevOps” conversation all over again…
Developers want frequent change and/or are being pushed to change by the Product team…
…yet Operations teams want stability, and changes to their systems could introduce instability.
Now, both Dev and Ops teams are enabling each other to ship effectively, using many of these new tools to assist them.
Unfortunately, Security teams have been left behind…
The ideal state is:
Security teams using and creating new tools that enable them to insert security and risk control into the same pipelines that Engineering and Operations are using to deploy their changes.
(FYI: This is a BIG problem I’m excited Threat Stack is solving for Dev, Ops and Security teams)
For example…
If Ops teams use Chef to continually update their systems at scale, Security teams should be writing cookbooks that set up and enforce security policies.
Or…
If Engineering is using Jenkins to continuously integrate their code, Security teams should add additional tooling into the build pipeline to monitor for risk and threats.
3. Let developers and others
have safe access to production
A practice I’ve seen work well is to put the engineers on call for the specific applications they own.
For example…
The Web team has a pager rotation and gets alerts when there are issues with the web servers.
The Search team gets alerts when search clusters are OOMing.
But this can present a frightening reality to Security teams, who now have to deal with both frequent changes to the code AND an endless group of people who have access to systems.
Trust but Verify
I’ve taken this approach when it comes to access control and have implemented tools including:
• auditd
• OSSEC
• centralized logging
This helps ensure compliance, BUT:
• These tools are cumbersome to set up and configure.
• You don’t want them to get in the way of progress OR performance.
This is why carefully increasing ownership works well among teams.
4. Build a system that will allow you
to regularly push to production with
security checks in place
The same CI tools (e.g. Jenkins) that Engineering has been using to continuously integrate their feature branches are the same tools Operations can use to manage and deploy code (whether or not this is the ideal solution).
Security teams should work to integrate security tooling directly into the automation pipelines to allow for the quick feedback loops that Engineering and Operations have become used to.
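Steps 2 and 4 both call for security checks that run inside the same pipeline Engineering and Operations already use. As an added example (not the deck’s or Threat Stack’s code; the policy values and the sample sshd_config are constructed), this Ruby gate checks the sshd_config a cookbook template would render against a hardening policy and fails the CI stage on any violation:

```ruby
# Added example (not Threat Stack code): a pipeline gate that checks the
# sshd_config a config-management template would render against a security
# policy. Policy values and the sample config are constructed for the demo.

# Policy: lowercase keyword => required value (compared case-insensitively).
SSHD_POLICY = {
  "permitrootlogin"        => "no",
  "passwordauthentication" => "no",
  "permitemptypasswords"   => "no",
  "x11forwarding"          => "no",
  "protocol"               => "2",
}.freeze

# Parse the global section of an sshd_config into { keyword => value }.
# sshd uses the FIRST occurrence of a keyword, so a later duplicate does not
# override an earlier one; the parser keeps the first value to match that.
# Everything after the first "Match" line is conditional, so it is not
# treated as a global setting: a value inside a Match block cannot satisfy
# the global policy, and the global defaults must be right on their own.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")   # blank lines and comments
    key, value = line.split(/[\s=]+/, 2)            # "Key value" or "Key=value"
    next if key.nil? || value.nil?
    key = key.downcase
    break if key == "match"                         # stop at the first Match block
    settings[key] ||= value.strip                   # first value wins, as in sshd
  end
  settings
end

# Compare parsed settings with the policy. Returns a list of violation
# strings; an empty list means the config passes the gate. A keyword that is
# not set at all is a violation too: the compiled-in default then applies,
# and for PasswordAuthentication that default is "yes".
def policy_violations(settings, policy = SSHD_POLICY)
  policy.each_with_object([]) do |(key, want), out|
    got = settings[key]
    if got.nil?
      out << "#{key}: not set (compiled-in default applies), expected #{want}"
    elsif got.downcase != want
      out << "#{key}: is #{got}, expected #{want}"
    end
  end
end

def check_sshd_config(text)
  policy_violations(parse_sshd_config(text))
end

# Constructed sample, as a cookbook template might render it. It has two
# problems the gate should catch: root login is allowed, and
# PermitEmptyPasswords is only set inside a Match block, not globally.
SAMPLE_SSHD_CONFIG = <<~CONF
  # rendered by config management (constructed sample)
  Port 22
  Protocol 2
  PermitRootLogin yes
  PasswordAuthentication no
  PasswordAuthentication yes
  X11Forwarding no
  Match User deploy
    PermitEmptyPasswords no
CONF

# Run on a rendered file from the build (ruby check_sshd.rb path/to/sshd_config)
# or on the embedded sample when no path is given. In a CI stage the
# non-zero exit is what fails the build and blocks the deploy.
if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_SSHD_CONFIG
  violations = check_sshd_config(text)
  violations.each { |v| puts "FAIL #{v}" }
  puts "sshd_config policy check: #{violations.empty? ? 'PASS' : 'FAIL'}"
  exit 1 if ARGV[0] && !violations.empty?
end
```

The same shape (parse the rendered artifact, compare against a policy table, fail the stage) applies to any file a cookbook or playbook renders, which is how security teams get the quick feedback loop the deck describes.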
Building in
automation
+
Taking advantage of virtualized
cloud infrastructure
+
A workflow that empowers developers
to push code continuously
=
Companies can move fast when deploying and
managing apps with less overhead.
To wrap up…
As DevOps has evolved into a mainstream philosophy, we’ve heard more DevOps conversations on security-related topics than ever before.
This process is the next logical step.
That means it’s more important than ever that there is a unified understanding of the ways to balance new DevOps workflows with evolving cloud security practices.
To see how we’re enabling teams to integrate these workflows:
Sign up: http://threatstack.com/signup
Stay in touch: @ThreatStack

More Related Content

What's hot

Pick Any Three: Good, Fast, or Safe - Devops from Scratch
Pick Any Three: Good, Fast, or Safe - Devops from ScratchPick Any Three: Good, Fast, or Safe - Devops from Scratch
Pick Any Three: Good, Fast, or Safe - Devops from Scratch
Pete Cheslock
 
SRE in Startup
SRE in StartupSRE in Startup
SRE in Startup
Ladislav Prskavec
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
SeniorStoryteller
 
Chaos engineering intro
Chaos engineering introChaos engineering intro
Chaos engineering intro
Shantanu Deshpande
 
Top 5 Priorities for Cloud Security
Top 5 Priorities for Cloud SecurityTop 5 Priorities for Cloud Security
Top 5 Priorities for Cloud Security
Teri Radichel
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security Solutions
SeniorStoryteller
 
Chaos engineering for cloud native security
Chaos engineering for cloud native securityChaos engineering for cloud native security
Chaos engineering for cloud native security
Kennedy
 
Simplicity in Hybrid IT Environments – A Security Oxymoron?
Simplicity in Hybrid IT Environments – A Security Oxymoron?Simplicity in Hybrid IT Environments – A Security Oxymoron?
Simplicity in Hybrid IT Environments – A Security Oxymoron?
Tripwire
 
Introduction to Chaos Engineering
Introduction to Chaos EngineeringIntroduction to Chaos Engineering
Introduction to Chaos Engineering
Raymond Adrian (Rad) Butalid
 
Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment  v0.5 (Sep 2017)Scaling security in a cloud environment  v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)
Dinis Cruz
 
The New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilitiesThe New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilities
Major Hayden
 
An Introduction to Chaos Engineering
An Introduction to Chaos EngineeringAn Introduction to Chaos Engineering
An Introduction to Chaos Engineering
Gremlin
 
Journey to Azure Sentinel
Journey to Azure SentinelJourney to Azure Sentinel
Journey to Azure Sentinel
Cheah Eng Soon
 
Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017
Adrian Sanabria
 
DevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogDevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together Log
Stefan Streichsbier
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security Practitioner
Adrian Sanabria
 
451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?
Adrian Sanabria
 
Craft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionCraft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security Precognition
Aaron Rinehart
 
Chaos Engineering - The Art of Breaking Things in Production
Chaos Engineering - The Art of Breaking Things in ProductionChaos Engineering - The Art of Breaking Things in Production
Chaos Engineering - The Art of Breaking Things in Production
Keet Sugathadasa
 

What's hot (20)

Pick Any Three: Good, Fast, or Safe - Devops from Scratch
Pick Any Three: Good, Fast, or Safe - Devops from ScratchPick Any Three: Good, Fast, or Safe - Devops from Scratch
Pick Any Three: Good, Fast, or Safe - Devops from Scratch
 
SRE in Startup
SRE in StartupSRE in Startup
SRE in Startup
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
Chaos engineering intro
Chaos engineering introChaos engineering intro
Chaos engineering intro
 
Top 5 Priorities for Cloud Security
Top 5 Priorities for Cloud SecurityTop 5 Priorities for Cloud Security
Top 5 Priorities for Cloud Security
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security Solutions
 
Chaos engineering for cloud native security
Chaos engineering for cloud native securityChaos engineering for cloud native security
Chaos engineering for cloud native security
 
Simplicity in Hybrid IT Environments – A Security Oxymoron?
Simplicity in Hybrid IT Environments – A Security Oxymoron?Simplicity in Hybrid IT Environments – A Security Oxymoron?
Simplicity in Hybrid IT Environments – A Security Oxymoron?
 
Mechsoft software rescue
Mechsoft software rescueMechsoft software rescue
Mechsoft software rescue
 
Introduction to Chaos Engineering
Introduction to Chaos EngineeringIntroduction to Chaos Engineering
Introduction to Chaos Engineering
 
Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment  v0.5 (Sep 2017)Scaling security in a cloud environment  v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)
 
The New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilitiesThe New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilities
 
An Introduction to Chaos Engineering
An Introduction to Chaos EngineeringAn Introduction to Chaos Engineering
An Introduction to Chaos Engineering
 
Journey to Azure Sentinel
Journey to Azure SentinelJourney to Azure Sentinel
Journey to Azure Sentinel
 
Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017
 
DevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogDevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together Log
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security Practitioner
 
451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?
 
Craft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionCraft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security Precognition
 
Chaos Engineering - The Art of Breaking Things in Production
Chaos Engineering - The Art of Breaking Things in ProductionChaos Engineering - The Art of Breaking Things in Production
Chaos Engineering - The Art of Breaking Things in Production
 

Similar to 4 Steps to Effectively Integrate DevOps Workflows With Cloud Security Practices

DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}
Ajeet Singh
 
How to implement DevOps for Enterprise
How to implement DevOps for EnterpriseHow to implement DevOps for Enterprise
How to implement DevOps for Enterprise
Simform
 
Ensuring Secure and Efficient Operations with DevOps Security
Ensuring Secure and Efficient Operations with DevOps SecurityEnsuring Secure and Efficient Operations with DevOps Security
Ensuring Secure and Efficient Operations with DevOps Security
Dev Software
 
All About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfAll About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdf
Enov8
 
Dev ops ppt
Dev ops pptDev ops ppt
Dev ops ppt
sterlingit
 
DevOps and Devsecops.pdf
DevOps and Devsecops.pdfDevOps and Devsecops.pdf
DevOps and Devsecops.pdf
Techugo
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.
Techugo
 
DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.
Techugo
 
5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper
wardell henley
 
DevSecOps – The Importance of DevOps Security in 2023.docx
DevSecOps – The Importance of DevOps Security in 2023.docxDevSecOps – The Importance of DevOps Security in 2023.docx
DevSecOps – The Importance of DevOps Security in 2023.docx
Xavor Corporation - Redefining Health Technology
 
DevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdfDevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdf
Techugo
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
DevOps culture, concepte , philosophie and practices
DevOps culture, concepte , philosophie and practicesDevOps culture, concepte , philosophie and practices
DevOps culture, concepte , philosophie and practices
ayoubbahaddouayoub
 
Enterprise Devsecops
Enterprise DevsecopsEnterprise Devsecops
Enterprise Devsecops
Enov8
 
The Importance of DevOps Security in 2023.docx
The Importance of DevOps Security in 2023.docxThe Importance of DevOps Security in 2023.docx
The Importance of DevOps Security in 2023.docx
Xavor Corporation - Redefining Health Technology
 
8 Ways to Boost Your DevOps Efforts
8 Ways to Boost Your DevOps Efforts8 Ways to Boost Your DevOps Efforts
8 Ways to Boost Your DevOps Efforts
Lucy Zeniffer
 
The State of DevOps Tools: A Primer
The State of DevOps Tools: A PrimerThe State of DevOps Tools: A Primer
The State of DevOps Tools: A Primer
DevOps.com
 
DevOps and Tools
DevOps and ToolsDevOps and Tools
DevOps and Tools
Mohammed Fazuluddin
 
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a  Well-Architected Framework.pptxDevSecOps in the Cloud from the Lens of a  Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
Turja Narayan Chaudhuri
 
DevOps, from inception to conclusion
DevOps, from inception to conclusionDevOps, from inception to conclusion
DevOps, from inception to conclusionAbhishek Gaurav
 

Similar to 4 Steps to Effectively Integrate DevOps Workflows With Cloud Security Practices (20)

DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}
 
How to implement DevOps for Enterprise
How to implement DevOps for EnterpriseHow to implement DevOps for Enterprise
How to implement DevOps for Enterprise
 
Ensuring Secure and Efficient Operations with DevOps Security
Ensuring Secure and Efficient Operations with DevOps SecurityEnsuring Secure and Efficient Operations with DevOps Security
Ensuring Secure and Efficient Operations with DevOps Security
 
All About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfAll About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdf
 
Dev ops ppt
Dev ops pptDev ops ppt
Dev ops ppt
 
DevOps and Devsecops.pdf
DevOps and Devsecops.pdfDevOps and Devsecops.pdf
DevOps and Devsecops.pdf
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.
 
DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.
 
5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper
 
DevSecOps – The Importance of DevOps Security in 2023.docx
DevSecOps – The Importance of DevOps Security in 2023.docxDevSecOps – The Importance of DevOps Security in 2023.docx
DevSecOps – The Importance of DevOps Security in 2023.docx
 
DevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdfDevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdf
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
DevOps culture, concepte , philosophie and practices
DevOps culture, concepte , philosophie and practicesDevOps culture, concepte , philosophie and practices
DevOps culture, concepte , philosophie and practices
 
Enterprise Devsecops
Enterprise DevsecopsEnterprise Devsecops
Enterprise Devsecops
 
The Importance of DevOps Security in 2023.docx
The Importance of DevOps Security in 2023.docxThe Importance of DevOps Security in 2023.docx
The Importance of DevOps Security in 2023.docx
 
8 Ways to Boost Your DevOps Efforts
8 Ways to Boost Your DevOps Efforts8 Ways to Boost Your DevOps Efforts
8 Ways to Boost Your DevOps Efforts
 
The State of DevOps Tools: A Primer
The State of DevOps Tools: A PrimerThe State of DevOps Tools: A Primer
The State of DevOps Tools: A Primer
 
DevOps and Tools
DevOps and ToolsDevOps and Tools
DevOps and Tools
 
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a  Well-Architected Framework.pptxDevSecOps in the Cloud from the Lens of a  Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
 
DevOps, from inception to conclusion
DevOps, from inception to conclusionDevOps, from inception to conclusion
DevOps, from inception to conclusion
 

Recently uploaded

Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 

Recently uploaded (20)

Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...

4 Steps to Effectively Integrate DevOps Workflows With Cloud Security Practices

  • 1. 4 Steps to Integrate DevOps Workflows With Cloud Security Practices By Pete Cheslock Senior Director, Ops and Support at Threat Stack
  • 2. Introductions Pete Cheslock Senior Director, Ops and Support As the head of Threat Stack’s operations and support teams, Pete is focused on delivering the highest level of service, reliability, and customer satisfaction to Threat Stack’s growing user base. An industry veteran with over 15 years’ experience in DevOps, Pete understands the challenges and issues faced by security, development and operations professionals every day and how Threat Stack can help. You can find Pete on Twitter @PeteCheslock.
  • 3. One of the biggest themes I’ve observed throughout my career is: Companies value speed over security.
  • 4. …yet, treated this way, security has traditionally ended up as a blocker to delivering software.
  • 5. Recently, however, with more and more breaches and vulnerabilities being reported (e.g. Shellshock and Heartbleed), it is more important than ever that security gets integrated INTO the operations process.
  • 6. Here are the 4 Ways to Balance DevOps Workflows With Pragmatic Security:
  • 7. 1. Recognize that tools enabling DevOps also introduce new threats and attack surfaces!
  • 9. What many of these tools give engineers is the ability to manage more systems, with more control and more consistency, than ever before.
  • 10. With Ops Engineers now representing their infrastructure as code, they can deploy changes with much higher velocity and much less risk than ever before.
  • 11. And since their infrastructure is now in source control, they can apply software engineering practices to it, testing their code much earlier in the development process.
  • 12. With Docker and OSv, and the maturity around orchestrating containers and processes with tools like Kubernetes, Mesos and others… Ops Engineers can maintain a platform that enables Software Engineers to ship changes quickly and effectively.
  • 13. The wall that existed between Engineering and Operations is now broken down! Both sides are embracing change and pushing updates frequently.
  • 14. However, we’re now faced with a new wall. It exists between Security and the rest of the technical organization.
  • 15. Fortunately, there are collaborative ways to overcome this wall…
  • 16. 2. Mitigate risk while still moving fast
  • 17. This is the classic “DevOps” conversation all over again…
  • 18. Developers want frequent change, and/or are being pushed toward it by the Product team, yet Operations teams want stability, and every change to the system could introduce instability.
  • 19. Now, both Dev and Ops teams are enabling each other to ship effectively using many of these new tools to assist them. Unfortunately, Security teams have been left behind…
  • 20. The ideal state is: Security teams using and creating new tools that enable them to insert security and risk control in the same pipelines that Engineering and Operations are using to deploy their changes.
  • 21. (FYI: This is a BIG problem I’m excited Threat Stack is solving for Dev, Ops and Security teams)
  • 22. For example… If Ops teams use Chef to continually update their systems at scale, Security teams should be writing cookbooks that set up and enforce security policies, so the policy is re-applied on every Chef run rather than configured once by hand.
  • 23. Or… If Engineering is using Jenkins to continuously integrate their code, Security teams should add tooling to the build pipeline that checks each build for risk and threats, so findings surface where developers are already looking.
  • 24. 3. Let developers and others have safe access to production
  • 25. A practice I’ve seen work well is to put the engineers on call for the specific applications they own.
  • 26. For example… The Web team has a pager rotation and gets alerts when there are issues with the web servers. The Search team gets alerts when search clusters are running out of memory (OOMing).
  • 27. But this can present a frightening reality to Security teams, who now have to deal with both frequent changes to the code AND a growing group of people who have access to production systems.
  • 28. Trust but Verify I’ve taken this approach when it comes to access control and have implemented tools including: • auditd (kernel-level audit trail of syscalls and file access, attributed to the login user) • OSSEC (host-based intrusion detection and file integrity monitoring) • centralized logging (so the audit trail leaves the host before anyone can tamper with it)
  • 29. This helps ensure compliance, BUT: •These tools are cumbersome to set up and configure. •You don’t want them to get in the way of progress OR performance. This is why carefully and gradually increasing ownership, with the verification in place, works well among teams.
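The "trust but verify" slides above do not show what verification looks like once auditd is in place. The following is an added example (not from the deck and not Threat Stack's code) that triages constructed auditd records against a roster of who may touch what. It assumes two hypothetical audit rules are loaded on the host (`-w /etc/ -p wa -k etc_changes` and `-w /srv/app/ -p wa -k app_deploy`) and a hypothetical roster mapping login UIDs to engineers and teams. The practitioner point it demonstrates: attribute actions by `auid`, the login UID that is set at logon and survives `sudo`/`su`, rather than by `uid`, which is simply `0` once someone has escalated.

```python
"""Review privileged access from auditd records: "trust but verify".

Added example, not from the original deck and not Threat Stack's code.
Assumes hypothetical audit rules:
    -w /etc/      -p wa -k etc_changes
    -w /srv/app/  -p wa -k app_deploy
and a hypothetical roster of login UIDs -> (engineer, team).
"""
import re
from collections import namedtuple

AUID_UNSET = 4294967295  # auditd's "no login session" marker (-1 as an unsigned int)

# Constructed sample records in the shape of /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1416408000.101:4521): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd4c1 a1=241 a2=1b6 a3=0 items=1 ppid=2001 pid=2010 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=12 comm="vim" exe="/usr/bin/vim" key="etc_changes"
type=SYSCALL msg=audit(1416408060.220:4530): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd4c2 a1=241 a2=1b6 a3=0 items=1 ppid=3001 pid=3010 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=13 comm="cp" exe="/bin/cp" key="app_deploy"
type=CRED_ACQ msg=audit(1416408119.900:4543): pid=4009 uid=0 auid=1003 ses=14 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=SYSCALL msg=audit(1416408120.330:4544): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd4c3 a1=241 a2=1b6 a3=0 items=1 ppid=4001 pid=4010 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=14 comm="vim" exe="/usr/bin/vim" key="etc_changes"
type=SYSCALL msg=audit(1416408180.440:4560): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd4c4 a1=241 a2=1b6 a3=0 items=1 ppid=1 pid=5010 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/dash" key="etc_changes"
"""

# Constructed roster and policy (hypothetical): auid -> (name, team); key -> teams allowed.
ROSTER = {1001: ("alice", "web"), 1002: ("bob", "search"), 1003: ("carol", "ops")}
POLICY = {"app_deploy": {"web", "search", "ops"}, "etc_changes": {"ops"}}

Finding = namedtuple("Finding", "serial who key comm verdict reason")

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Split one audit record into a dict of key=value fields (quotes stripped)."""
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    m = _MSG.search(line)
    if m:
        fields["ts"] = float(m.group(1))
        fields["serial"] = int(m.group(2))
    return fields


def review_access(log_text, roster=ROSTER, policy=POLICY):
    """Attribute every rule hit to a person and judge it against the policy."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        # Only SYSCALL records carry the -k key of the rule that fired; PATH, CWD,
        # CRED_* and similar records are context for the same serial and are skipped.
        if rec.get("type") != "SYSCALL" or rec.get("key") in (None, "(null)"):
            continue
        serial, key, comm = rec["serial"], rec["key"], rec["comm"]
        auid = int(rec["auid"])
        if auid == AUID_UNSET:
            findings.append(Finding(serial, "<unattributed>", key, comm, "ALERT",
                                    "no login session (auid unset): cannot be tied to a person"))
            continue
        if auid not in roster:
            findings.append(Finding(serial, f"auid={auid}", key, comm, "ALERT",
                                    "login uid not in roster"))
            continue
        name, team = roster[auid]
        # uid=0 with a non-root auid means the person escalated (sudo/su) before acting.
        via_sudo = rec["uid"] == "0" and auid != 0
        if team not in policy.get(key, set()):
            findings.append(Finding(serial, name, key, comm, "ALERT",
                                    f"{team} team is not permitted to touch {key}"
                                    + (" (ran as root)" if via_sudo else "")))
        else:
            findings.append(Finding(serial, name, key, comm, "OK",
                                    f"{team} team allowed"
                                    + (" (ran as root via sudo/su)" if via_sudo else "")))
    return findings


if __name__ == "__main__":
    for f in review_access(SAMPLE_AUDIT_LOG):
        print(f"{f.verdict:5} #{f.serial} {f.who:14} {f.key:12} {f.comm:4} {f.reason}")
```

On the sample, alice's root edit under `/etc` is flagged because her team is not permitted that key, bob's deploy and carol's ops change pass, and the last record is flagged because `auid` is unset: a daemon, cron job or console session that no human can be held to. Shipping these records to centralized logging, as the slide suggests, is what keeps a compromised host from editing its own audit trail.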
  • 30. 4. Build a system that will allow you to regularly push to production with security checks in place
  • 31. The same CI tools (e.g. Jenkins) that Engineering has been using to continuously integrate their feature branches are the same tools Operations can use to manage and deploy code (whether or not this is the ideal solution).
  • 32. Security teams should work to integrate security tooling directly into the automation pipelines, to get the quick feedback loops that Engineering and Operations have become used to.
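Slide 23 (security tooling in the Jenkins build) and slide 32 (security checks inside the automation pipeline) both describe a gate without showing one. The following is an added example, not from the deck and not Threat Stack's code, of the step that turns scanner output into a pass/fail build result. It assumes a hypothetical normalized findings list (adapt it to whatever scanner you actually run) and a reviewed exception file, so that an accepted risk does not fail every build but expires on a date instead of living forever; the process exit code is what Jenkins uses to fail the job.

```python
"""A CI security gate: scanner findings in, pass/fail build step out.

Added example, not from the original deck and not Threat Stack's code.
The findings and exceptions below are constructed and their shape is
hypothetical; the policy logic is the part worth copying.
"""
import sys
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed findings, as a dependency or image scan run in CI might report them.
SAMPLE_FINDINGS = [
    {"id": "DEP-0001", "severity": "critical", "component": "libfoo 1.2.0",   "fix": "1.2.3"},
    {"id": "DEP-0002", "severity": "high",     "component": "bar-client 0.9", "fix": None},
    {"id": "DEP-0003", "severity": "medium",   "component": "baz 2.0",        "fix": "2.1"},
    {"id": "DEP-0004", "severity": "low",      "component": "qux 0.1",        "fix": "0.2"},
]

# Constructed, reviewed exceptions: every accepted risk names an owner, a ticket and an expiry.
SAMPLE_EXCEPTIONS = [
    {"id": "DEP-0002", "owner": "search-team", "ticket": "SEC-42", "expires": "2015-02-01"},
    {"id": "DEP-0001", "owner": "web-team",    "ticket": "SEC-17", "expires": "2014-11-01"},
]


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def evaluate_gate(findings, exceptions, fail_at="high", today=None):
    """Sort findings into blocking / waived / advisory under the gate policy.

    fail_at: lowest severity that blocks the build.
    today:   injectable so the expiry logic is testable; defaults to the real date.
    """
    today = _as_date(today) if today else date.today()
    threshold = SEVERITY_RANK[fail_at]

    active, expired = {}, []
    for exc in exceptions:
        # An expired exception stops suppressing the finding; it does not fail silently.
        if _as_date(exc["expires"]) >= today:
            active[exc["id"]] = exc
        else:
            expired.append(exc["id"])

    blocking, waived, advisory = [], [], []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < threshold:
            advisory.append(f)          # reported, never blocks
        elif f["id"] in active:
            waived.append(f)            # accepted risk with an owner and an expiry
        else:
            blocking.append(f)          # fails the build
    return {"passed": not blocking, "blocking": blocking, "waived": waived,
            "advisory": advisory, "expired_exceptions": expired}


def render_report(result):
    """Short, scannable feedback for the build log: the fast loop developers expect."""
    lines = ["SECURITY GATE: " + ("PASS" if result["passed"] else "FAIL")]
    for f in result["blocking"]:
        fix = f"upgrade to {f['fix']}" if f["fix"] else "no fix available; needs a reviewed exception"
        lines.append(f"  BLOCK {f['id']} {f['severity']:8} {f['component']}: {fix}")
    for f in result["waived"]:
        lines.append(f"  WAIVE {f['id']} {f['severity']:8} {f['component']} (accepted risk, see exception)")
    for exc_id in result["expired_exceptions"]:
        lines.append(f"  NOTE  exception for {exc_id} has expired and no longer applies")
    lines.append(f"  {len(result['advisory'])} lower-severity finding(s) reported, not blocking")
    return "\n".join(lines)


if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS)
    print(render_report(result))
    sys.exit(0 if result["passed"] else 1)  # a non-zero exit fails the Jenkins job
```

Run as a build step after the scanner, the gate fails the job on the critical finding whose exception has lapsed, waives the high one that still has a current owner and ticket, and reports the rest without blocking. The expiry is the piece that keeps the gate honest: a risk that was accepted once is re-examined, rather than silently grandfathered into every future deploy.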
  • 33. Building in automation + Taking advantage of virtualized cloud infrastructure + A workflow that empowers developers to push code continuously = Companies can move fast when deploying and managing apps with less overhead.
  • 35. As DevOps has evolved into a mainstream philosophy, we’ve heard more DevOps conversations on security-related topics than ever before. This process is the next logical step.
  • 36. That means it’s more important than ever that there is a unified understanding of the ways to balance new DevOps workflows with evolving cloud security practices.
  • 37. To see how we’re enabling teams to integrate these workflows: Sign up: http://threatstack.com/signup Stay in touch: @ThreatStack