#RSAC
SESSION ID: ASD-T07R
Continuous Security: 5 Ways DevOps Improves Security
Joshua Corman, CTO, Sonatype, @joshcorman
David Mortman, Chief Security Architect & Distinguished Engineer, Dell Software, @mortman
#RSAC @mortman @joshcorman
10/23/2013 @joshcorman
“It’s not enough to do your best; you must know what to do, and then do your best” – Deming
@joshcorman @mortman #RSAC #DevOps
  
Diagram: ON TIME / ON BUDGET / ACCEPTABLE QUALITY/RISK
Dev’s core motivations are to be OnTime, OnBudget, w/ Acceptable Quality/Risk
  
“Don’t Go Chasin’ Waterfalls”: Dev started w/ Waterfall, but modern demands require us to go faster
  
ON TIME. Faster builds. Fewer interruptions. More innovation.
ON BUDGET. More efficient. More profitable. More competitive.
ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection.
Waterfall’s Design -> Dev -> Test -> Deploy may go 1.5-3yrs b/w releases.
  
Agile goats; not goat rodeo. “We need to be agile, but not fragile.” – @RuggedSoftware
  
Diagram: ON TIME / ON BUDGET / ACCEPTABLE QUALITY/RISK (same benefits as above), layer: Agile / CI
Agile & Lean tightened the Design -> Build -> Test cycle, releasing 6-12+ smaller batches/yr
  	
  
DevOps
It may feel like DevOps is Pandora’s Box, but it’s open… and hope remains. ;)
  
Diagram: ON TIME / ON BUDGET / ACCEPTABLE QUALITY/RISK (same benefits as above), layers: DevOps / CD, Agile / CI
Agile made dev faster but wasn’t enough. DevOps extends the patterns to Ops for mutual gains
  
SW Supply Chains
Deming drove Toyota Supply Chains. We can EXTEND DevOps w/ his quality/safety patterns
  
Diagram: ON TIME / ON BUDGET / ACCEPTABLE QUALITY/RISK (same benefits as above), layers: SW Supply Chain, DevOps / CD, Agile / CI
SW Supply Chains enable faster, more efficient dev by reducing elective complexity/risk++
  
SW Supply Chains
Our SW Supply Chain is only as strong as its weakest link. Can you say #OpenSSL?
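The weakest-link point above, as an added example that is not part of the original deck and is not Sonatype's or the speakers' code: the smallest useful supply-chain control is an inventory of what you actually ship, checked against known-bad version ranges. The manifest format ("name==version"), the component names and the advisory ranges are all constructed for the example; an unpinned component is rejected because a version you do not know cannot be audited.

```python
# Added example for this deck (not Sonatype's or the speakers' code): a minimal
# software-supply-chain audit that checks a pinned component manifest against a
# list of known-bad version ranges. The manifest format ("name==version"), the
# component names and the advisory ranges below are all constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed advisory feed: component -> [(first_bad, first_fixed, note)].
# A range covers first_bad (inclusive) up to first_fixed (exclusive).
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "examplecrypto": [("1.0.1", "1.0.8", "constructed: memory disclosure in handshake")],
    "examplecollections": [("3.0", "3.2.2", "constructed: unsafe deserialization")],
}

# Constructed manifest, as a pinned dependency file might look.
SAMPLE_MANIFEST = """
# build inputs for the example service
examplecrypto==1.0.7
examplecollections==3.2.1
fastjsonlib==2.4.0   # no advisories in the feed
"""


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    fixed_in: str
    note: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only (an assumption of this example)."""
    return tuple(int(part) for part in v.strip().split("."))


def in_vulnerable_range(version: str, first_bad: str, first_fixed: str) -> bool:
    """True when first_bad <= version < first_fixed under tuple comparison."""
    pv = parse_version(version)
    return parse_version(first_bad) <= pv < parse_version(first_fixed)


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; an unpinned line is rejected because an
    unpinned component is the weakest link of the inventory: you cannot audit
    a version you do not know."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def audit(deps: Dict[str, str], advisories=ADVISORIES) -> List[Finding]:
    """Return one Finding per (component, advisory range) the manifest falls into."""
    findings: List[Finding] = []
    for name, version in sorted(deps.items()):
        for first_bad, first_fixed, note in advisories.get(name, []):
            if in_vulnerable_range(version, first_bad, first_fixed):
                findings.append(Finding(name, version, first_fixed, note))
    return findings


def audit_sample() -> List[Finding]:
    """Run the audit over the constructed manifest."""
    return audit(parse_manifest(SAMPLE_MANIFEST))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.component}=={f.version}: upgrade to >= {f.fixed_in} ({f.note})")
```

Run in a build step, a non-empty result is a failed build; that is the "fewer suppliers, better leveraged" lesson of the Toyota slides applied to code you did not write.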
  
Comparing the Prius and the Volt

                       Toyota Advantage   Toyota Prius   Chevy Volt
Unit Cost              61%                $24,200        $39,900
Units Sold             13x                23,294         1,788
In-House Production    50%                27%            54%
Plant Suppliers        16% (10x per)      125            800
Firm-Wide Suppliers    4%                 224            5,500

Toyota Prius (v Volt) used 1/6th the suppliers, better leveraged, for 60% price & 12x sales
  
DevOps Defined
Is #DevOps a Culture? A Process? A Toolchain? YES; but the greatest of these is Culture/Empathy
  	
  
Myths abound RE: Security & #DevOps. We FUD-Haters should deal w/ facts
  	
  
RE: #DevOps & Security: You’re entitled to your own opinions, but not to your own facts.
  	
  
MythBusted: “ITIL & ChangeMngt can’t be done w/ #DevOps” <- It can even make it easier/better
  
True #DevOps + Security isn’t all rainbows & unicorns. Unicorn p00p has to be worked thru
  	
  
SW Status Quo: Most attacked; least spend
Chart (axes: spending vs. attack risk):
  Network Security   ~$20B
  Host Security      ~$10B
  Data Security      ~$5B
  People Security    ~$4B
  Software Security  ~$0.5B
Within Software Security: Assembled 3rd Party & Open Source Components (~90% of most applications): Almost No Spending. Written Code Scanning: the <= 10% written.
Source: Normalized CObIT spending across IDC, Gartner, The 451 Group; since groupings vary
Worse, w/in Software, existing dollars go to the <= 10% written
StatusQuo: SW is MOST attacked & gets LEAST SecSpend; most on the 10% of code we write
  
Insanity
Einstein's Insanity: We could do the same thing over & over expecting different results
  
WRT Security & #DevOps we lose things AND we gain things. We’ll look at 5 things we gain
  
This was added b/c the Red Hat in the “Lost & Found” made @mortman giggle & he forced it upon @joshcorman
  
1) Instrumentation
1) Instrumentation! #DevOps instruments EVERYTHING & Security can use it in MANY ways
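One of the "MANY ways", as an added example that is not part of the original deck and not the speakers' code: the structured request telemetry an instrumented app already emits for Ops doubles as a security signal. The JSON event lines, their field names (ts, src, path, status) and the deploy marker are constructed assumptions; the detection is a per-source sliding-window count of failed logins.

```python
# Added example for this deck (not the speakers' code): one way security can reuse
# the structured request telemetry that an instrumented application already emits.
# The JSON event lines, the field names (ts, src, path, status) and the deploy
# marker are constructed assumptions, not a real product's format.
import json
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List

# Constructed telemetry: a handful of request events plus one deploy marker.
SAMPLE_EVENTS = "\n".join([
    '{"ts": "2015-04-21T10:00:00+00:00", "src": "10.0.0.5", "path": "/login", "status": 401}',
    '{"ts": "2015-04-21T10:00:05+00:00", "src": "10.0.0.5", "path": "/login", "status": 401}',
    '{"ts": "2015-04-21T10:00:07+00:00", "src": "10.0.0.9", "path": "/login", "status": 401}',
    '{"ts": "2015-04-21T10:00:10+00:00", "src": "10.0.0.5", "path": "/login", "status": 401}',
    '{"ts": "2015-04-21T10:00:12+00:00", "event": "deploy", "version": "example-v42"}',
    '{"ts": "2015-04-21T10:00:15+00:00", "src": "10.0.0.5", "path": "/login", "status": 401}',
    '{"ts": "2015-04-21T10:00:20+00:00", "src": "10.0.0.5", "path": "/login", "status": 401}',
    '{"ts": "2015-04-21T10:00:25+00:00", "src": "10.0.0.5", "path": "/login", "status": 401}',
    '{"ts": "2015-04-21T10:00:30+00:00", "src": "10.0.0.9", "path": "/login", "status": 200}',
    '{"ts": "2015-04-21T10:00:40+00:00", "src": "10.0.0.9", "path": "/login", "status": 401}',
    '{"ts": "2015-04-21T10:05:00+00:00", "src": "10.0.0.5", "path": "/login", "status": 401}',
])


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines and sort by timestamp; events without request fields
    (e.g. the deploy marker) are kept so other consumers can correlate them."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def auth_failure_bursts(events: List[dict], window_seconds: int = 60,
                        threshold: int = 5) -> Dict[str, int]:
    """Sliding-window count of 401s on /login per source; returns the peak
    count for every source that reached `threshold` within one window."""
    windows: Dict[str, Deque[datetime]] = defaultdict(deque)
    peaks: Dict[str, int] = defaultdict(int)
    for event in events:
        if event.get("path") != "/login" or event.get("status") != 401:
            continue
        src = event["src"]
        q = windows[src]
        q.append(event["ts"])
        # Drop timestamps that fell out of the window ending at this event.
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peaks[src] = max(peaks[src], len(q))
    return {src: n for src, n in peaks.items() if n >= threshold}


def detect_sample(threshold: int = 5) -> Dict[str, int]:
    """Run the detection over the constructed telemetry."""
    return auth_failure_bursts(parse_events(SAMPLE_EVENTS), threshold=threshold)


if __name__ == "__main__":
    for src, n in detect_sample().items():
        print(f"{src}: {n} failed logins inside 60s")
```

Nothing here needed a separate security agent; the same event stream that feeds the dashboards feeds the alert, and the deploy marker left in the stream is what lets a responder tell a code regression from hostile traffic.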
  
2) Be Mean To Your Code!
2) Be Mean To Your Code! To avoid failure, fail all the time #ChaosMonkey #Gauntlt #BrakeMan
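"Fail all the time" applied to a security decision, as an added example that is not part of the original deck and is not Chaos Monkey, Gauntlt or Brakeman code: a chaos-style test injects policy-backend outages into an authorization check and asserts the check fails closed. The policy table, the fault schedule and the circuit breaker are constructed for the example; the `fail_open` switch is the defect this kind of test exists to expose.

```python
# Added example for this deck (not Chaos Monkey, Gauntlt or Brakeman code): a
# chaos-style test that injects policy-backend outages into an authorization
# check and asserts the check fails closed. The policy table, the fault schedule
# and the circuit breaker are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed policy: (user, action) -> allowed; anything absent is denied.
POLICY: Dict[Tuple[str, str], bool] = {("alice", "read"): True, ("alice", "write"): True,
                                       ("carol", "read"): True}


class InjectedFault(RuntimeError):
    """Raised by the fault injector in place of a real backend error."""


@dataclass
class FlakyPolicyBackend:
    """Policy lookup that fails on a fixed schedule of its own call numbers, so the
    chaos run is deterministic (a random schedule would serve the same purpose)."""
    fault_on: Set[int] = field(default_factory=lambda: {3, 4, 5, 7, 15})
    calls: int = 0

    def is_allowed(self, user: str, action: str) -> bool:
        n, self.calls = self.calls, self.calls + 1
        if n in self.fault_on:
            raise InjectedFault("policy backend unavailable")
        return POLICY.get((user, action), False)


@dataclass
class CircuitBreaker:
    """Opens after max_failures consecutive failures; after cooldown skipped calls
    it lets one trial call through (half-open)."""
    max_failures: int = 3
    cooldown: int = 5
    failures: int = 0
    skipped: int = 0

    def should_try(self) -> bool:
        if self.failures < self.max_failures:
            return True
        self.skipped += 1
        if self.skipped > self.cooldown:
            self.skipped = 0
            return True
        return False

    def record(self, ok: bool) -> None:
        if ok:
            self.failures, self.skipped = 0, 0
        else:
            self.failures += 1


def authorize(user: str, action: str, backend: FlakyPolicyBackend,
              breaker: CircuitBreaker, fail_open: bool = False) -> Tuple[bool, str]:
    """Return (decision, reason). fail_open=True is the defect this test exists to
    expose: an outage then grants access the policy never approved."""
    if not breaker.should_try():
        return fail_open, "breaker-open"
    try:
        allowed = backend.is_allowed(user, action)
    except InjectedFault:
        breaker.record(ok=False)
        return fail_open, "backend-fault"
    breaker.record(ok=True)
    return allowed, "policy"


def run_chaos(calls: int = 30, fail_open: bool = False) -> Dict[str, int]:
    """Drive `calls` authorization checks through the faulty backend and count
    what happened; 'allowed-without-policy' must stay 0 for a fail-closed check."""
    backend, breaker = FlakyPolicyBackend(), CircuitBreaker()
    stats = {"policy": 0, "backend-fault": 0, "breaker-open": 0,
             "allowed-without-policy": 0, "exceptions": 0}
    for i in range(calls):
        user, action = ("alice", "read") if i % 2 == 0 else ("carol", "write")
        try:
            decision, reason = authorize(user, action, backend, breaker, fail_open)
        except Exception:  # the check itself must never crash the caller
            stats["exceptions"] += 1
            continue
        stats[reason] += 1
        if decision and reason != "policy":
            stats["allowed-without-policy"] += 1
    return stats


if __name__ == "__main__":
    print("fail closed:", run_chaos())
    print("fail open:  ", run_chaos(fail_open=True))
```

With the schedule above the breaker opens after the third consecutive fault, short-circuits five calls, then lets a trial call through and recovers; the fail-closed run grants nothing outside the policy, the fail-open run grants ten decisions the policy never approved. That second number is the finding a chaos run is meant to produce before production does.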
  
3) Complexity Is Enemy of “All The Things”! All #DevOps parties benefit from reducing complexity
  
Decomposition lowers complexity, adds security and reliability
  
Simple > Complex. Simple != Easy though. There is no easy button, but there is an easiER one.
  
4) Implicit and Explicit Change Management. Change is good and leads to stability and fights stagnation.
  
All of Chuck Norris’s Change Controls are Full Cycle and they’re always approved!
  
5) Empathy is the killer app! Silos prohibit sharing and empathy….
  
Madame CISO, Tear Down This Wall!
  
Diagram: Defensible Infrastructure / Operational Excellence / Situational Awareness / Counter-measures
Defensible Infrastructure: the software & hardware we build, buy, and deploy. 10% written; 90% of software is assembled from 3rd party & Open Source. MOST IMPACT: BUY/BUILD DEFENSIBLE SOFTWARE
DefensibleIT & OpsExcellence have MOST Security impact, but elude CISO influence BUT...
  
Diagram: Defensible Infrastructure / Operational Excellence / Situational Awareness / Counter-measures, with DevOps marked against three of the four layers
[cont] #DevOps smashes silos & finally enables the MUCH LARGER Security gains in both
  	
  
Apply!
- Stop resisting… “Survival isn’t mandatory” – Deming
- Josh’s RSAC EU Keynote http://youtu.be/m4Y_K7MXQxQ
- Read “The Phoenix Project” by Gene Kim
  http://itrevolution.com/books/phoenix-project-devops-book/
- Watch videos from RSAC “DevOps Connect” Rugged DevOps Day
  http://www.sonatype.org/nexus/2015/04/13/devops-connect-secops-editon-at-rsac-2015-speakers-and-schedule/
- Grab tooling: Gauntlt, BrakeMan, Chaos Monkey, and the Simian Army
- Start small, start anywhere, start TODAY!
Get on the train before the train gets on you! Don’t delay, start today!
  
Conclusion/Wrap-Up
Follow Us & Rugged #DevOps at: @mortman @joshcorman @RuggedSoftware @RuggedDevOps @iamthecavalry
  	
  

 
DevOps: The New Face Of Application Development - Global Azure Bootcamp
DevOps: The New Face Of Application Development - Global Azure BootcampDevOps: The New Face Of Application Development - Global Azure Bootcamp
DevOps: The New Face Of Application Development - Global Azure Bootcamp
 
Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....
 
Security for AWS : Journey to Least Privilege (update)
Security for AWS : Journey to Least Privilege (update)Security for AWS : Journey to Least Privilege (update)
Security for AWS : Journey to Least Privilege (update)
 

More from Sonatype

DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019
Sonatype
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
Sonatype
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all Equifax
Sonatype
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
Sonatype
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps
Sonatype
 
2017 DevSecOps Survey
2017 DevSecOps Survey2017 DevSecOps Survey
2017 DevSecOps Survey
Sonatype
 
Starting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseStarting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the Enterprise
Sonatype
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & Microservices
Sonatype
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandThe Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
Sonatype
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen Beal
Sonatype
 
Serverless and the Way Forward
Serverless and the Way ForwardServerless and the Way Forward
Serverless and the Way Forward
Sonatype
 
A Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizA Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward Ruiz
Sonatype
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris Swan
Sonatype
 
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsCharacterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Sonatype
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsStatic Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Sonatype
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
Sonatype
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
Sonatype
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
Sonatype
 
Getting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsGetting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with Jenkins
Sonatype
 
Modern Infrastructure Automation
Modern Infrastructure AutomationModern Infrastructure Automation
Modern Infrastructure Automation
Sonatype
 

More from Sonatype (20)

DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all Equifax
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps
 
2017 DevSecOps Survey
2017 DevSecOps Survey2017 DevSecOps Survey
2017 DevSecOps Survey
 
Starting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseStarting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the Enterprise
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & Microservices
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandThe Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen Beal
 
Serverless and the Way Forward
Serverless and the Way ForwardServerless and the Way Forward
Serverless and the Way Forward
 
A Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizA Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward Ruiz
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris Swan
 
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsCharacterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsStatic Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin Collins
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
 
Getting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsGetting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with Jenkins
 
Modern Infrastructure Automation
Modern Infrastructure AutomationModern Infrastructure Automation
Modern Infrastructure Automation
 

Recently uploaded

Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 

Recently uploaded (20)

Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 

Continuous Security: 5 Ways DevOps Improves Security

  • 1. #RSAC Session ID: ASD-T07R. Continuous Security: 5 Ways DevOps Improves Security. Joshua Corman, CTO, Sonatype (@joshcorman); David Mortman, Chief Security Architect & Distinguished Engineer, Dell Software (@mortman).
  • 2. 10/23/2013 @joshcorman. "It's not enough to do your best; you must know what to do, and then do your best." (Deming) @joshcorman @mortman #RSAC #DevOps
  • 3. ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK. Dev's core motivations are to be on time, on budget, with acceptable quality/risk.
  • 5. "Don't Go Chasin' Waterfalls." Dev started with Waterfall, but modern demands require us to go faster.
  • 6. ON TIME: faster builds, fewer interruptions, more innovation. ON BUDGET: more efficient, more profitable, more competitive. ACCEPTABLE QUALITY/RISK: easier compliance, higher quality, built-in audit protection. Waterfall's Design -> Dev -> Test -> Deploy may go 1.5-3 years between releases.
  • 7. Agile goats; not goat rodeo. "We need to be agile, but not fragile." @RuggedSoftware
  • 8. Agile / CI (on time, on budget, acceptable quality/risk). Agile & Lean tightened the Design -> Build -> Test cycle, releasing 6-12+ smaller batches per year.
  • 9. DevOps. It may feel like DevOps is Pandora's Box, but it's open... and hope remains. ;)
  • 10. DevOps / CD on top of Agile / CI (on time, on budget, acceptable quality/risk). Agile made dev faster but wasn't enough. DevOps extends the patterns to Ops for mutual gains.
  • 11. SW Supply Chains. Deming drove Toyota's supply chains. We can EXTEND DevOps with his quality/safety patterns.
  • 12. SW Supply Chain on top of DevOps / CD and Agile / CI (on time, on budget, acceptable quality/risk). SW supply chains enable faster, more efficient dev by reducing elective complexity/risk.
  • 13. SW Supply Chains. Our SW supply chain is only as strong as its weakest link. Can you say #OpenSSL?
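The weakest-link point above, as an added example that is not part of the deck: a walk over an application's component inventory that flags any assembled part, however deep in the dependency graph, that a known advisory covers. The inventory, the advisory list and its ADV-EXAMPLE identifiers are constructed for illustration (they are placeholders, not real CVEs); the version-ordering rule is an assumption that fits dotted numeric versions with an optional OpenSSL-style letter suffix.

```python
"""Added example (not from the RSAC deck): find the weakest link among the
third-party components an application is assembled from.

Everything below is constructed for illustration; advisory IDs are
placeholders, not real identifiers.
"""
import re
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """Turn '1.0.1g' into (1, 0, 1, 0, 'g') so versions compare as tuples.
    Up to four numeric parts are zero-padded so '1.0' == '1.0.0.0'; a
    trailing letter (OpenSSL style) compares after the same version with
    no letter. This ordering rule is an assumption of the example."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,3})([a-z]?)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    return nums + (m.group(2),)


@dataclass
class Advisory:
    advisory_id: str
    component: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    summary: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


@dataclass
class Component:
    name: str
    version: str
    origin: str                     # "written" (our code) or "third-party"
    depends_on: list = field(default_factory=list)


def find_weak_links(root: Component, inventory: dict, advisories: list) -> list:
    """Walk the dependency graph from the application root and return
    (path, advisory_id) for every component an advisory affects. Transitive
    dependencies are walked too: the weakest link is usually something no
    developer chose on purpose."""
    findings, seen = [], set()
    stack = [(root, [f"{root.name}@{root.version}"])]
    while stack:
        comp, path = stack.pop()
        if comp.name in seen:
            continue
        seen.add(comp.name)
        for adv in advisories:
            if adv.component == comp.name and adv.affects(comp.version):
                findings.append((" -> ".join(path), adv.advisory_id))
        for dep_name in comp.depends_on:
            dep = inventory[dep_name]
            stack.append((dep, path + [f"{dep.name}@{dep.version}"]))
    return sorted(findings)


def assembled_share(inventory: dict) -> float:
    """Fraction of the inventory that is third-party rather than written here."""
    comps = list(inventory.values())
    return sum(c.origin == "third-party" for c in comps) / len(comps)


# Constructed inventory: one written application assembling third-party parts.
INVENTORY = {c.name: c for c in [
    Component("shop-web", "2.4.0", "written", ["web-framework", "payments-sdk"]),
    Component("web-framework", "3.1.2", "third-party", ["http-client"]),
    Component("payments-sdk", "0.9.5", "third-party", ["http-client", "tls-lib"]),
    Component("http-client", "4.2.0", "third-party", ["tls-lib"]),
    Component("tls-lib", "1.0.1f", "third-party"),
]}

# Constructed advisories; the IDs are placeholders, not real identifiers.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "tls-lib", "1.0.1", "1.0.1g", "memory disclosure"),
    Advisory("ADV-EXAMPLE-002", "http-client", "4.0.0", "4.1.0", "header injection"),
]

if __name__ == "__main__":
    print(f"assembled share of inventory: {assembled_share(INVENTORY):.0%}")
    for path, adv_id in find_weak_links(INVENTORY["shop-web"], INVENTORY, ADVISORIES):
        print(f"{adv_id}: {path}")
```

The application never references tls-lib directly; it is two hops down through the payments SDK, which is exactly the kind of link a scanner aimed only at the 10% of written code never sees.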
  • 14. Comparing the Prius and the Volt:
                              Toyota advantage   Toyota Prius   Chevy Volt
        Unit cost             61%                $24,200        $39,900
        Units sold            13x                23,294         1,788
        In-house production   50%                27%            54%
        Plant suppliers       16% (10x per)      125            800
        Firm-wide suppliers   4%                 224            5,500
        Toyota Prius (vs Volt) used 1/6th the suppliers, better leveraged, for 60% of the price & 12x the sales.
  • 15. DevOps Defined. Is #DevOps a culture? A process? A toolchain? YES; but the greatest of these is culture/empathy.
  • 16. Myths abound re: Security & #DevOps. We FUD-haters should deal with facts.
  • 17. Re: #DevOps & Security: you're entitled to your own opinions, but not to your own facts.
  • 18. MythBusted: "ITIL & change management can't be done with #DevOps" <- It can even make it easier/better.
  • 19. True #DevOps + Security isn't all rainbows & unicorns. Unicorn p00p has to be worked through.
  • 20. SW Status Quo: most attacked; least spend. Security spending vs attack risk (source: normalized COBIT spending across IDC, Gartner, The 451 Group; groupings vary): Network Security ~$20B; Host Security ~$10B; Data Security ~$5B; People Security ~$4B; Software Security ~$0.5B. Worse, within software, the existing dollars go to scanning the <= 10% of code that is written in-house, while the assembled 3rd-party & open-source components (~90% of most applications) get almost no spending. Status quo: SW is the MOST attacked & gets the LEAST security spend; most of that goes to the 10% of code we write.
  • 21. Insanity. Einstein's insanity: we could do the same thing over & over expecting different results.
  • 22. WRT Security & #DevOps we lose things AND we gain things. We'll look at 5 things we gain.
  • 23. This was added because the Red Hat in the "Lost & Found" made @mortman giggle & he forced it upon @joshcorman.
  • 24. 1) Instrumentation! #DevOps instruments EVERYTHING & Security can use it in MANY ways.
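An added example (not from the deck) of what "Security can use it" looks like in practice: the structured request and deploy events a DevOps team already emits for Ops are read back as a security signal, and each finding is tagged with the release that was live at the time. The event lines, their field names and the two detection rules are constructed for illustration; a real service's telemetry schema would differ.

```python
"""Added example (not from the RSAC deck): reuse a service's own Ops
telemetry as a security signal.

The newline-delimited JSON below is constructed; the field names are an
assumption about what an instrumented service would log.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed telemetry: deploy markers and per-request events.
EVENTS_JSONL = """\
{"ts": "2015-04-21T10:00:00Z", "kind": "deploy", "version": "2.4.0"}
{"ts": "2015-04-21T10:01:00Z", "kind": "request", "src": "203.0.113.7", "path": "/login", "status": 401}
{"ts": "2015-04-21T10:01:05Z", "kind": "request", "src": "203.0.113.7", "path": "/login", "status": 401}
{"ts": "2015-04-21T10:01:09Z", "kind": "request", "src": "198.51.100.2", "path": "/login", "status": 200}
{"ts": "2015-04-21T10:01:12Z", "kind": "request", "src": "203.0.113.7", "path": "/login", "status": 401}
{"ts": "2015-04-21T10:01:20Z", "kind": "request", "src": "203.0.113.7", "path": "/login", "status": 401}
{"ts": "2015-04-21T10:01:25Z", "kind": "request", "src": "203.0.113.7", "path": "/login", "status": 401}
{"ts": "2015-04-21T10:05:00Z", "kind": "deploy", "version": "2.4.1"}
{"ts": "2015-04-21T10:06:00Z", "kind": "request", "src": "198.51.100.2", "path": "/api/orders", "status": 500}
{"ts": "2015-04-21T10:06:02Z", "kind": "request", "src": "198.51.100.9", "path": "/api/orders", "status": 500}
{"ts": "2015-04-21T10:06:04Z", "kind": "request", "src": "198.51.100.3", "path": "/api/orders", "status": 500}
{"ts": "2015-04-21T10:06:06Z", "kind": "request", "src": "198.51.100.4", "path": "/api/orders", "status": 200}
{"ts": "2015-04-21T10:30:00Z", "kind": "request", "src": "203.0.113.7", "path": "/login", "status": 401}
"""


def parse_events(jsonl: str) -> list:
    """Parse newline-delimited JSON into dicts with an aware datetime 'ts'."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def auth_failure_bursts(events: list, window_s: int = 60, threshold: int = 5) -> list:
    """Alert once per source when `threshold` failed logins land inside a
    sliding `window_s` window. Each alert carries the deployed version that
    was live, so on-call sees the security signal next to the change data."""
    live_version = None
    recent = defaultdict(deque)          # src -> timestamps of recent 401s
    alerts = []
    for ev in events:
        if ev["kind"] == "deploy":
            live_version = ev["version"]
            continue
        if not (ev["path"] == "/login" and ev["status"] == 401):
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) == threshold:          # '==' so one burst alerts exactly once
            alerts.append({"src": ev["src"], "at": ev["ts"].isoformat(),
                           "failures": threshold, "version": live_version})
    return alerts


def error_rate_after_deploy(events: list, sample: int = 4, max_rate: float = 0.5) -> list:
    """For each deploy, take the first `sample` requests that follow it and
    flag the deploy when the share of 5xx responses exceeds `max_rate`."""
    windows = []                          # (version, [statuses]) per deploy
    for ev in events:
        if ev["kind"] == "deploy":
            windows.append((ev["version"], []))
        elif windows and len(windows[-1][1]) < sample:
            windows[-1][1].append(ev["status"])
    flagged = []
    for version, statuses in windows:
        if statuses:
            rate = sum(1 for s in statuses if s >= 500) / len(statuses)
            if rate > max_rate:
                flagged.append({"version": version, "error_rate": rate})
    return flagged


if __name__ == "__main__":
    evs = parse_events(EVENTS_JSONL)
    for a in auth_failure_bursts(evs):
        print("auth burst:", a)
    for f in error_rate_after_deploy(evs):
        print("bad deploy:", f)
```

Neither rule needs a security-specific agent on the host; both read what the pipeline already emits, and the deploy marker is what lets a responder ask "what changed?" without leaving the alert.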
  • 25. 2) Be Mean To Your Code! To avoid failure, fail all the time. #ChaosMonkey #Gauntlt #BrakeMan
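"Be mean to your code" as an added example, not the deck's own material and not Gauntlt or Brakeman: a small attack corpus run against a redirect-target check on every build, with the naive check it catches beside the hardened one. The function names, the allowed host shop.example.com and the attack strings are constructed for illustration.

```python
"""Added example (not from the RSAC deck): an attack corpus that runs in CI
against our own code and fails the build when the code lets an attack through.

Target, host name and attack strings are constructed for illustration.
"""
import sys
from urllib.parse import urlsplit


def is_safe_redirect_naive(url: str, allowed_host: str) -> bool:
    """The 'before' version: the common leading-slash / prefix check."""
    return url.startswith("/") or url.startswith(f"https://{allowed_host}")


def is_safe_redirect(url: str, allowed_host: str) -> bool:
    """Hardened version: allow only a same-site absolute path or an https URL
    whose parsed hostname is exactly the allowed host."""
    # Browsers treat '\' as '/', and whitespace/control characters let
    # scheme-relative forms slip past simple prefix checks; reject both.
    if "\\" in url or any(ord(ch) < 0x21 for ch in url):
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # A path, but not '//host' or '///host', which browsers read as hosts.
        return url.startswith("/") and not url.startswith("//")
    # Compare the parsed hostname, so 'user@evil' and 'host.evil' don't pass.
    return parts.scheme == "https" and parts.hostname == allowed_host.lower()


# Constructed attack corpus: (candidate redirect target, decision we expect).
ATTACKS = [
    ("/account", True),
    ("https://shop.example.com/account", True),
    ("//evil.example/phish", False),
    ("///evil.example/phish", False),
    ("/\\evil.example", False),
    ("https://shop.example.com.evil.example/", False),
    ("https://shop.example.com@evil.example/", False),
    ("http://shop.example.com/", False),
    ("javascript:alert(1)", False),
    ("https:/evil.example", False),
]


def run_attacks(target, attacks=ATTACKS, allowed_host="shop.example.com") -> list:
    """Return every attack case the target gets wrong (empty list means pass).
    A raised exception counts as a failure, never as a pass."""
    failures = []
    for url, expected in attacks:
        try:
            got = target(url, allowed_host)
        except Exception as exc:
            got = f"raised {type(exc).__name__}"
        if got is not expected:
            failures.append((url, expected, got))
    return failures


if __name__ == "__main__":
    for name, fn in (("naive", is_safe_redirect_naive), ("hardened", is_safe_redirect)):
        bad = run_attacks(fn)
        print(f"{name}: {len(bad)} attack(s) got through")
        for url, expected, got in bad:
            print(f"  {url!r}: expected {expected}, got {got}")
    # Gate the pipeline on the function that actually ships.
    sys.exit(1 if run_attacks(is_safe_redirect) else 0)
```

The corpus is the part that grows: every redirect bug found in production or a pentest becomes one more line in ATTACKS, and the build fails the day someone "simplifies" the check back to a prefix test.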
  • 26. 3) Complexity is the enemy of "All The Things"! All #DevOps parties benefit from reducing complexity.
  • 27. Decomposition lowers complexity, adds security and reliability.
  • 28. Simple > Complex. Simple != Easy, though. There is no easy button, but there is an easiER one.
  • 29. 4) Implicit and explicit change management. Change is good and leads to stability and fights stagnation.
  • 30. All of Chuck Norris's change controls are full cycle and they're always approved!
  • 31. 5) Empathy is the killer app! Silos prohibit sharing and empathy...
  • 32. Madame CISO, tear down this wall!
  • 33. Layers: Defensible Infrastructure (the software & hardware we build, buy, and deploy; 90% of software is assembled from 3rd-party & open source, 10% is written) -> Operational Excellence -> Situational Awareness -> Countermeasures. MOST IMPACT: BUY/BUILD DEFENSIBLE SOFTWARE. Defensible IT & Ops Excellence have the MOST security impact, but elude CISO influence. BUT...
  • 34. [cont.] The same layers (Defensible Infrastructure, Operational Excellence, Situational Awareness, Countermeasures) with DevOps marked against them. #DevOps smashes silos & finally enables the MUCH LARGER security gains in both.
  • 35. Apply! Stop resisting... "Survival isn't mandatory" (Deming). Josh's RSAC EU keynote: http://youtu.be/m4Y_K7MXQxQ. Read "The Phoenix Project" by Gene Kim: http://itrevolution.com/books/phoenix-project-devops-book/. Watch videos from the RSAC "DevOps Connect" Rugged DevOps Day: http://www.sonatype.org/nexus/2015/04/13/devops-connect-secops-editon-at-rsac-2015-speakers-and-schedule/. Grab tooling: Gauntlt, Brakeman, Chaos Monkey, and the Simian Army. Start small, start anywhere, start TODAY! Get on the train before the train gets on you! Don't delay, start today!
  • 36. Conclusion/Wrap-Up. Follow us & Rugged #DevOps at: @mortman @joshcorman @RuggedSoftware @RuggedDevOps @iamthecavalry