#RSAC
SESSION ID: ASD-T07R

Continuous Security: 5 Ways DevOps Improves Security

Joshua Corman, CTO, Sonatype, @joshcorman
David Mortman, Chief Security Architect & Distinguished Engineer, Dell Software, @mortman

10/23/2013

"It's not enough to do your best; you must know what to do, and then do your best." (Deming)
@joshcorman @mortman #RSAC #DevOps

ON TIME | ON BUDGET | ACCEPTABLE QUALITY/RISK

Dev's core motivations are to be on time, on budget, with acceptable quality/risk.

"Don't Go Chasin' Waterfalls": Dev started with Waterfall, but modern demands require us to go faster.

ON TIME: faster builds, fewer interruptions, more innovation.
ON BUDGET: more efficient, more profitable, more competitive.
ACCEPTABLE QUALITY/RISK: easier compliance, higher quality, built-in audit protection.

Waterfall's Design -> Dev -> Test -> Deploy may go 1.5-3 years between releases.

Agile goats; not goat rodeo. "We need to be agile, but not fragile." (@RuggedSoftware)

Agile / CI

Agile & Lean tightened the Design -> Build -> Test cycle, releasing 6-12+ smaller batches per year.

DevOps

It may feel like DevOps is Pandora's Box, but it's open... and hope remains. ;)

DevOps / CD
Agile / CI

Agile made dev faster but wasn't enough. DevOps extends the same patterns to Ops for mutual gains.

SW Supply Chains

Deming drove Toyota's supply chains. We can extend DevOps with his quality/safety patterns.

SW Supply Chain
DevOps / CD
Agile / CI

SW supply chains enable faster, more efficient dev by reducing elective complexity and risk (and more).

SW Supply Chains

Our SW supply chain is only as strong as its weakest link. Can you say #OpenSSL?

Comparing the Prius and the Volt

                       Toyota Prius   Chevy Volt   Toyota Advantage
Unit Cost              $24,200        $39,900      61%
Units Sold             23,294         1,788        13x
In-House Production    27%            54%          50%
Plant Suppliers        125            800          16% (10x per)
Firm-Wide Suppliers    224            5,500        4%

The Toyota Prius (vs. the Volt) used about 1/6th the suppliers, better leveraged, for about 60% of the price and 13x the sales.

DevOps Defined

Is #DevOps a culture? A process? A toolchain? YES; but the greatest of these is culture/empathy.

Myths abound re: Security & #DevOps. We FUD-haters should deal with facts.

Re: #DevOps & Security: you're entitled to your own opinions, but not to your own facts.

MythBusted: "ITIL & change management can't be done with #DevOps." <- It can; DevOps can even make it easier and better.

True #DevOps + Security isn't all rainbows & unicorns. Unicorn p00p has to be worked through.

SW Status Quo: Most attacked; least spend

(Chart axes: spending vs. attack risk. Source: normalized COBIT spending across IDC, Gartner, The 451 Group; groupings vary.)

  Network Security   ~$20B
  Host Security      ~$10B
  Data Security      ~$5B
  People Security    ~$4B
  Software Security  ~$0.5B

Within software security:
  Assembled 3rd-party & open-source components (~90% of most applications): almost no spending
  Written code scanning (the <= 10% of code we write): where the existing software-security dollars go

Status quo: software is the MOST attacked and gets the LEAST security spend, and most of that goes to the 10% of code we write ourselves.
  
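The weakest-link slide and the spending slide above point at the same practical control: check what you assemble against what is known to be broken, on every build, because that is where ~90% of the application and almost none of the spend is. The script below is an added example, not code from the deck or from Sonatype. The manifest, the advisory entries and their version ranges are constructed placeholders (the openssl range is not a statement about any real OpenSSL release); in practice the manifest is your lock file or bill of materials and the advisories come from a real vulnerability feed.

```python
"""Supply-chain gate: fail the build when an assembled component is a known weak link.

Added example, not from the Corman/Mortman deck. Manifest, advisories and version
ranges are constructed placeholders, not real vulnerability data.
"""
import re
from dataclasses import dataclass

# Constructed manifest in "name version" form (stand-in for a Gemfile.lock, pom.xml, ...).
MANIFEST = """\
openssl 1.0.1e
example-json 2.3.0
example-xml 1.1.4
"""


@dataclass(frozen=True)
class Advisory:
    component: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix yet
    note: str


# Constructed advisory feed (illustrative only; not real identifiers or ranges).
ADVISORIES = [
    Advisory("openssl", "1.0.1", "1.0.1g", "placeholder: memory disclosure in a TLS extension"),
    Advisory("example-xml", "1.0.0", "1.2.0", "placeholder: external entity expansion"),
]


def parse_version(v):
    """Turn '1.0.1e' into a comparable tuple: numeric parts as ints, letter suffix as a string.

    Tuples compare element by element, so 1.0.1 < 1.0.1e < 1.0.1g and 1.0 < 1.0.1.
    """
    parts = []
    for piece in v.split("."):
        m = re.fullmatch(r"(\d+)([a-z]*)", piece)
        if not m:
            raise ValueError(f"unparseable version component {piece!r} in {v!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def is_affected(version, adv):
    """True when version lies in [adv.introduced, adv.fixed), or past introduced with no fix."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed == "" or v < parse_version(adv.fixed)


def parse_manifest(text):
    """Read 'name version' lines; blank lines and '#' comments are ignored."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split()
        deps[name] = version
    return deps


def weakest_links(manifest_text, advisories=ADVISORIES):
    """Return (component, version, advisory) for every manifest entry an advisory covers."""
    deps = parse_manifest(manifest_text)
    hits = []
    for adv in advisories:
        if adv.component in deps and is_affected(deps[adv.component], adv):
            hits.append((adv.component, deps[adv.component], adv))
    return hits


def supply_chain_gate(manifest_text, advisories=ADVISORIES):
    """CI gate: return 0 when clean, 1 when any component is a known weak link."""
    hits = weakest_links(manifest_text, advisories)
    for name, version, adv in hits:
        fixed = adv.fixed or "unfixed"
        print(f"FAIL {name} {version}: affected [{adv.introduced}, {fixed}) - {adv.note}")
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(supply_chain_gate(MANIFEST))
```

Run it as a build step and let the non-zero exit status break the build; the cheap part is the check itself, the expensive part is keeping the advisory feed current, which is exactly the spending gap the chart above describes.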
Insanity

Einstein's insanity: we could keep doing the same thing over and over, expecting different results.

WRT Security & #DevOps, we lose things AND we gain things. We'll look at 5 things we gain.

This was added because the Red Hat in the "Lost & Found" made @mortman giggle and he forced it upon @joshcorman.

1) Instrumentation

1) Instrumentation! #DevOps instruments EVERYTHING, and Security can use it in MANY ways.

2) Be Mean To Your Code!

2) Be Mean To Your Code! To avoid failure, fail all the time. #ChaosMonkey #Gauntlt #BrakeMan
  
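What "be mean to your code" looks like when wired into a build: every attack in the list below is expected to fail, and any attack that succeeds fails the build. This is an added example, not code from the deck or from the Gauntlt project; where Gauntlt drives curl, nmap and similar tools from Gherkin attack files, this stand-in expresses each attack as a predicate over a captured HTTP response so it runs offline. The two responses and their URLs are constructed sample data, not real traffic.

```python
"""Gauntlt-style attacks run as a CI gate over captured HTTP responses.

Added example, not from the Corman/Mortman deck or from Gauntlt. RESPONSES are
constructed stand-ins for what a curl -i attack step would capture.
"""
import re

# Constructed raw HTTP responses keyed by the attacked URL (not real traffic).
RESPONSES = {
    "https://app.example/login": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.2.15 (Unix)\r\n"
        "Set-Cookie: session=abc123; Path=/\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body>Welcome</body></html>"
    ),
    "https://app.example/api/items?id=%27": (
        "HTTP/1.1 500 Internal Server Error\r\n"
        "Server: Apache\r\n"
        "Strict-Transport-Security: max-age=31536000\r\n"
        "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "java.sql.SQLException: Unclosed quotation mark\n"
        "\tat com.example.ItemDao.find(ItemDao.java:42)"
    ),
}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, [(header name lowercased, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def header_values(headers, name):
    """All values of one (lowercased) header name; a header may repeat, e.g. Set-Cookie."""
    return [v for n, v in headers if n == name]


# Each attack is (name, predicate over status/headers/body) that is True when the attack wins.
ATTACKS = [
    ("server version leaks",
     lambda s, h, b: any(re.search(r"/\d", v) for v in header_values(h, "server"))),
    ("missing HSTS",
     lambda s, h, b: not header_values(h, "strict-transport-security")),
    ("cookie without Secure flag",
     lambda s, h, b: any("secure" not in v.lower() for v in header_values(h, "set-cookie"))),
    ("cookie without HttpOnly flag",
     lambda s, h, b: any("httponly" not in v.lower() for v in header_values(h, "set-cookie"))),
    ("stack trace in body",
     lambda s, h, b: bool(re.search(r"(Exception|Traceback|\bat [\w.$]+\()", b))),
    ("5xx response (unhandled error)",
     lambda s, h, b: s >= 500),
]


def run_attacks(responses, attacks=ATTACKS):
    """Return {url: [names of attacks that succeeded]}; an empty list means the URL held up."""
    findings = {}
    for url, raw in responses.items():
        status, headers, body = parse_response(raw)
        findings[url] = [name for name, wins in attacks if wins(status, headers, body)]
    return findings


def attack_gate(responses, attacks=ATTACKS):
    """CI exit status: 0 when every attack failed, 1 when any attack succeeded."""
    failed = 0
    for url, hits in run_attacks(responses, attacks).items():
        for name in hits:
            print(f"FAIL {url}: {name}")
            failed = 1
    return failed


if __name__ == "__main__":
    raise SystemExit(attack_gate(RESPONSES))
```

The point of the structure is that the attack list grows with every incident and every pentest finding, and each entry stays as a permanent regression test: the build goes red the day someone reintroduces a version-leaking Server header or a cookie without HttpOnly, not at the next annual assessment.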
3) Complexity Is the Enemy of "All The Things"! All #DevOps parties benefit from reducing complexity.

Decomposition lowers complexity and adds security and reliability.

Simple > Complex. Simple != Easy, though. There is no easy button, but there is an easiER one.

4) Implicit and Explicit Change Management. Change is good: it leads to stability and fights stagnation.

All of Chuck Norris's change controls are full cycle, and they're always approved!

5) Empathy is the killer app! Silos prohibit sharing and empathy....

Madame CISO, Tear Down This Wall!

Defensible Infrastructure: the software & hardware we build, buy, and deploy. 90% of software is assembled from 3rd-party & open-source components; 10% is written.
Operational Excellence
Situational Awareness
Countermeasures

MOST IMPACT: BUY/BUILD DEFENSIBLE SOFTWARE

Defensible IT & operational excellence have the MOST security impact, but elude CISO influence. BUT...

Defensible Infrastructure  <- DevOps
Operational Excellence     <- DevOps
Situational Awareness      <- DevOps
Countermeasures

[cont] #DevOps smashes silos and finally enables the MUCH LARGER security gains in both defensible infrastructure and operational excellence.

Apply!

- Stop resisting... "Survival isn't mandatory" - Deming
- Josh's RSAC EU Keynote: http://youtu.be/m4Y_K7MXQxQ
- Read "The Phoenix Project" by Gene Kim: http://itrevolution.com/books/phoenix-project-devops-book/
- Watch the videos from the RSAC "DevOps Connect" Rugged DevOps Day: http://www.sonatype.org/nexus/2015/04/13/devops-connect-secops-editon-at-rsac-2015-speakers-and-schedule/
- Grab tooling: Gauntlt, Brakeman, Chaos Monkey, and the Simian Army
- Start small, start anywhere, start TODAY!

Get on the train before the train gets on you! Don't delay, start today!

Conclusion/Wrap-Up

Follow us & Rugged #DevOps at: @mortman @joshcorman @RuggedSoftware @RuggedDevOps @iamthecavalry
