Download to read offline
![2
Yes, we have a DevOps team. I have no idea
what theyâre up to, but my team [Security] is
responsible for securing their apps.
â
â
âTufin Customer
2018](https://image.slidesharecdn.com/devopsvssecurity-190308011259/75/Are-your-DevOps-and-Security-teams-friends-or-foes-2-2048.jpg)
More Related Content
Similar to Are your DevOps and Security teams friends or foes?
![[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-themodernstackbuildingwebaiapplicationswithserverless-251124030844-388cf04f-thumbnail.jpg?width=640&height=640&fit=bounds)
![Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]](https://cdn.slidesharecdn.com/ss_thumbnails/agenticcommunityseries-day3-cfd-251120170304-ddef8112-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-phpinaiagethelaravelway-251125012602-ef9d330e-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...](https://cdn.slidesharecdn.com/ss_thumbnails/md-craftingimmersiveuiwithe2eandagslshaderveronicaputrianggraini-251124030840-0c677f44-thumbnail.jpg?width=640&height=640&fit=bounds)
Are your DevOps and Security teams friends or foes?
- 1. Are your DevOpsand Security teams friends or foes? Colby Dyess, Director Cloud Marketing, Tufin Reuven Harrison Co-founder & CTO, Tufin
- 2. 2 Yes, we havea DevOps team. I have no idea what theyâre up to, but my team [Security] is responsible for securing their apps. â â âTufin Customer 2018
- 3.
- 4. 4 âą Collaboration betweenDevelopers and IT Operations âą To speed up things âą Through automation âą And shared responsibility DevOps Origin
- 5. 5 DevOps Today GOALS Improved deploymentfrequency Faster time to market Less failure rate to new releases Short lead time between fixes Improve mean time to recovery RESPONSIBILITIES CI/CD pipelines Dev environments Run-time environments DevOps is about Speed and Repeatability
- 6. 6 CI Development Source Control Build Testing Commit Initiate CI Process TestReport Continuous Integration(CI) is a development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early.
- 7. 7 CD Continuous deployment isa strategy for software releases wherein any code commit that passes the automated testing phase is automatically released into the production environment, making changes that are visible to the software's users. Unit Test Platform Test Deliver to Staging Application Acceptance Tests Deploy to Production Post Deploy Tests Auto Continuous Delivery Auto Auto Manual Auto Unit Test Platform Test Deliver to Staging Application Acceptance Tests Deploy to Production Post Deploy Tests Auto Continuous Deployment Auto Auto AutoAuto
- 8. 8 From IT toNo IT 1980âs 1999 2006 2013 2015 2015
- 9. 9 âą Deployments shouldbe based on a descriptive language âą Code AND infrastructure should be defined in a code repository like github Infrastructure as Code
- 10.
- 11. 11 Advantages: âą Deployments arerepeatable and automated âą Easier troubleshooting because the state is known (no one manipulates it after deployment) âą Automatic audit trail for all changes âą Easy upgrades and rollbacks Infrastructure as Code & Immutable Infrastructure
- 12.
- 13. Impact on ITSecurity
- 14. 14 Agility Digital Transformation, poweredby cloud-native platforms, is increasing business agility and accelerating innovation. Security in this new world requires a totally different approach where traditional tools and practices are unsuitable. Security Agility vs. Security
- 15. 15 The New Stack App Switchesand Routers Firewalls Compute Load Balancers Cloud Service Service Service Service Service Service Service Service Service App NewOld
- 16. 16 App New Roles andResponsibilities Switches and Routers Firewalls Compute Load Balancers Cloud Service Service Service Service Service Service Service Service Service App Dev IT / Security Dev DevOps NewOld
- 17. 17 âą In orderto segment, we need to categorize our resources âą Traditional security zones are based on IP addresses, Subnets and VLANs âą As we move to higher-level abstractions, these become less suitable Bye Bye IP WHO?
- 18. 18 âą Security Groups âąRoles (IAM) âą Tags and Labels âą Domain names (FQDN) - *.aws.com âą Subnets are still used but to a lesser extent (usually for connectivity to external, legacy environments) Policy Categories that Work (Instead of IP Addresses)
- 19. 19 Challenges Donât have accessâ limited visibility Traditional tools donât work â limited control Existing tools & practices will break agility
- 20. Baking Security intoDevOps
- 21. 21 CI/CD to theRescue Development Source Control Build Testing Commit Initiate CI Process TestReport
- 22. 22 Monitoring, alerting, enforcement, threat detection& response Shift Left Appsec Static code analysis Vulnerability analysis Security testing Check Infrastructure as Code against policies Code Build & Test Deploy Operate Shift left
- 23. 23 Monitoring, alerting, enforcement, threat detection& response Shift Left Appsec Static code analysis Vulnerability analysis Security testing Check Infrastructure as Code against policies Code Build & Test Deploy Operate Shift left NEW: Auto-Policy Generation
- 24. 24 Learn the Policy Automatically Automaticallydiscover which services are deployed, how they are connected, and which external services they rely on. Visibility Learn Review Enforce Service A Service C Service B Github Azure
- 25. 25 The Policy isReset Before Tests
- 26. 26 Automatic Policy Learningin the CI/CD Pipeline
- 27. 27 The Policy isGenerated After Tests
- 28.
- 29. 29 âą DevOps isabout collaboration âą Security must be part of that âą There will be a learning curve âą Assign owners to make security work in the DevOps environments âą Task them with learning and bridging the gap Collaborate! You will get much better security!
- 30. 30 Tufin Cloud Security âąGain visibility into cloud-native environments âą Define and control security policies âą Security automation in the CI/CD pipeline
- 31.
Editor's Notes
- #6Â DevOps is an engineering methodology for streamlining app development If something needs to be done more than once â automate it!
- #7Â Git: Developers cooperate and communicate through this platform Jenkins: the main pivot
- #11Â No config changes after deployment
- #15Â Organizations are under constant pressure to innovate and remain competitive, while reducing costs. This has driven business leaders to push for digital transformation, often powered by cloud-native platforms and DevOps practices that boost business agility. Security teams, however, have been left behind â forced to rely on tools and practices that were not designed for cloud and agile environments. As a result, organizations have had to trade agility for security.
- #16Â How did we get here? Traditionally, applications were built on top of infrastructure â both physical and virtual â and security teams had standard practices for provisioning, managing and operating the infrastructure. Applications took months, sometimes years to build and might get updated only a handful of times each year. For the most part, security teams could keep pace with new app deployments and change requests. <CLICK> But over the past several years, developers have turned to public clouds for rapid provisioning and organizations have adopted DevOps practices that automate application build, test and deployment cycles. <CLICK> We still build applications, of course, but theyâre no longer monolithic or dependent upon infrastructure. <CLICK> Instead applications are composed of several small or micro services. This enables developers to add new services and change existing services faster than ever before. In fact, updates that used to happen every few months now happen multiple times a day! Traditional IT and security practices are not setup to handle the scale or pace of change that cloud enables.
- #17Â The adoption of cloud-native platforms and DevOps practices also impacts traditional roles and responsibilities. For example, developers focused on building applications while IT managed infrastructure provisioning and security. In the new world, developers build applications based on microservices â some of services are custom built, while others are provided by the cloud platform. Meanwhile, DevOps teams have taken responsibility for management of cloud infrastructure and services. However, when it comes to security most organizations are left vulnerable. DevOps are not security specialists and may not properly address security and compliance requirements. At the same time, IT security rarely has access, visibility or control of cloud-native environments.
- #19Â Donât define the low-level SGs and forth â define guardrails using tags Ideally â define a unified policy across everything
- #20Â We donât own the infrastructure Developers deploy the full stack including security configuration We canât use IP addresses for segmentation Everything should be automated
- #23Â Add automated security testing in the CI/CD pipeline Work in the pipeline with the developers to test, assess, audit and block! Build and test: Identify malicious and vulnerable dependencies Add security tests Deploy: Ensure compliance before production (for both code and configuration!) Operate: Swap out misbehaving components (e.g., a container)
- #24Â Add automated security testing in the CI/CD pipeline Work in the pipeline with the developers to test, assess, audit and block! Build and test: Identify malicious and vulnerable dependencies Add security tests Deploy: Ensure compliance before production (for both code and configuration!) Operate: Swap out misbehaving components (e.g., a container)