DevOps and DevSecOps, Incident Management
DevOps = Development + Operations; DevSecOps = DevOps + Security
Shrini Kulkarni, skulkarni@fastspring.com
Desert Code Camp 2019
Before DevOps
Team Ops
Team Dev
Image Courtesy: Kieran Jacobsen, Readify, Microsoft
Before DevOps
Team Dev (Engg):
• Requirements -> design
• SCM & code revisioning
• Coding, feature dev
• Testing, QA
• Delivering release candidate
• Bug fixes and/or triage
Team (Sys)Ops:
• Release management and deployments
• IT admin and InfoSec
• Infrastructure, DBA and maintenance
• Reliability engineering
• Business operations
• Outperforming teams are 54% more likely to collaborate extensively with their counterparts.
• Collaboration blockers: 26.7% no executive support, 56.7% cultural inhibitors, 43.3% fragmented processes.
• DevOps was being initiated by more development teams than IT Ops teams, by about a 40% to 33% margin (chart groups: Developers, Business, IT Ops).
• 3/4 of teams have adopted Agile methodologies.
• The average hourly cost of infrastructure failure is $100,000 per hour.
• It takes on average 200 minutes to diagnose and repair a production issue.
• A bug caught in production ends up costing 100x more than if the same bug was found earlier in the development cycle.
• 1 in 6 IT decision makers are still unfamiliar with the term DevOps.
• 40% of implementations end up getting reworked because they don't meet the users' original requirements.
• 41% of development budgets for software, IT staff and external professional services will be consumed by poor requirements.
• IT drives business success! High IT performance correlates with strong business performance and helps boost productivity, market share and profit.
• Dual goals: responding to ongoing needs for efficiency and growth, while always keeping all systems safe and secure.
• 80% failure rate for companies that try to adapt their existing tools for DevOps practices.
• 70% of CIOs would increase risk to reduce IT costs and accelerate business agility.
DevOps Cycle
• By 2022 DevOps will be the norm for the majority of the software developed. (HP Enterprise, 2017)
• Puppetlabs, 2013:
  - Ship code 30x faster
  - 55% more responsive to business needs
  - 50% fewer failures
  - 38% improved code quality
• "DevOps means caring about your job enough to not pass the buck, wanting to learn all the parts as a whole, and not just your little world." — John Vincent
• According to Statista, many business organizations are adopting DevOps: adoption rose to 17% in 2018 from about 10% in 2017.
Image source: Kieran Jacobsen, Readify & Microsoft
What is DevOps?
Slide source: Thiago Almeida | @nzthiago | talmeida.net
[Slide graphic: a set of partial definitions, each beginning "DevOps is ..." ("DevOps is development and operations", "DevOps is treating your ...", "DevOps is using ... for Ops?", "DevOps is feature ...", "DevOps is ... deployments"); the remaining words of each caption were not extracted.]
What is DevOps?
• Not merely development and operations collaborating
• A culture and mindset for collaboration between developers and operations
• Developing with ops/tools/usage in mind
• Deploying with automation and emergency fixes in mind
• Test-driven development with user experience frustrations in mind
• Bug triaging with fix cost estimation and plan in mind
• Provisioning/procurement with automatic scaling in mind
• Release planning with an A/B production switch in mind
• Faster deployments, even faster response times, improved quality and health of systems
• Correct people, processes and tools/products leveraged
• Reduced costs overall, reinforced trust across the organization
What DevOps Isn't
"DevOps means caring about your job enough to not pass the buck, wanting to learn all the parts as a whole, and not just your little world." — John Vincent
• Caring for your system does not require you to be an expert in everything; you continue doing what you are good at while paying more attention to other areas of the system
• Owner vs. renter analogy – owners don't walk away from a problem
• Specialization and domain expertise are still more valuable than generalist work; DevOps merely asks for cross-awareness (cross-pollinated skills)
• Documentation, training and communication tools overcome these challenges
Tools of the Trade
Image source: https://eduinpro.com/blog/top-devops-tools-in-the-digital-market/ & medium.com
Tools of the Trade
• Dashboards, traceability, incremental delivery of value
• Agile methods like Scrum and Kanban used effectively
• Continuous Integration and release pipelines
• Automation where needed, IaC (Infrastructure as Code)
• Application monitoring and alerting, incident management
• Business and support in co-ordination with developers
• Shared responsibility for ops, same as for security
• Treat templates, scripts, orchestration code or provisioning like code artifacts (yaml/json/xml)
• Any tools or config scripts also go in the codebase/SCM
• Follow change management practices for infrastructure as well (version, manifest, CM approvals)
• Record changes in a visible log (Slack channel/Jira work log)
• Security concerns called out in planning and properly tracked during implementation
Infrastructure as Code
DevSecOps
• What about security? IT InfoSec used to take care of it.
• Security is a shared responsibility as well
• Never treat security as an afterthought (reactionary)
• DevSecOps (DevOps with security in mind)
• Clear communication pathways
• Streamlined communication
• Security as Code
• Training
• Integrate security into the DevOps cycle
Communication
Diagram: Development, Operations and Security, with the information each pair exchanges (labels as extracted):
• Ops tools, metrics, alerts
• Security review, data classification, security fixes
• Major defects, highlighted pain points, driving improvements/incident action items
• Pen test code, compliance, security action items, policy
• Security monitoring tools, firewall review, access log scan, vulnerability, outdated hardware/software
• Application scan, pen test infra, access control rules
NO:
✗ Excel checklists
✗ Word document reports or policy documents
✗ Email attachments
✗ Private communication – ad hoc cc list
✗ Private chat/tribal knowledge, verbal approval
YES:
✓ Backlogs/boards (like Jira/scrum tools/MS Project)
✓ Support ticketing (like Remedy/Zendesk)
✓ Markup and Git (readme.md, Confluence)
✓ Traceable tool, CM (Confluence, Google Docs with versioning, author, Slack history, work logs)
Security as Code
• Application source code incorporates security libraries/platforms
• Infrastructure follows security guidelines (CloudFormation, templates)
• Server configuration – Chef, Puppet, DSC, Wazuh
• Traceable code checked into the repository (leverage git + CI/CD)
• Check in not just source, but also policy as code artifacts
• Monitoring/operations configuration should also be checked in as code, in the form of a script/template
• Testing & scanning tools/policy can also be checked in/automated
• Document the process to deploy/run the above for easy reuse
• Firewall rules, access control changes, permission requests
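A policy-as-code check of the kind the bullets above describe, written for this page as an added example (not the speaker's or any project's code): it parses a CloudFormation template and fails the CI stage when a security group exposes an admin port to the world or an S3 bucket is public or unencrypted. The sample template, the admin port list and the rule set are constructed assumptions.

```python
"""Policy-as-code check for a CloudFormation template (added example, constructed input)."""
import json
import sys

# Constructed sample template: one public, unencrypted S3 bucket, one security
# group that opens SSH to the world, and one compliant security group.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"},
        },
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
                ],
            },
        },
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
                ],
            },
        },
    }
})

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}  # assumed policy: these ports must never be world-reachable


def _port_range(rule):
    """Port range covered by an ingress rule; protocol -1 or missing ports means all."""
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if rule.get("IpProtocol") == "-1" or lo is None or hi is None:
        return (0, 65535)
    return (int(lo), int(hi))


def check_security_group(name, props):
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in PUBLIC_CIDRS:
            continue
        lo, hi = _port_range(rule)
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            findings.append(f"{name}: ingress from {cidr} reaches admin port(s) {exposed}")
    return findings


def check_s3_bucket(name, props):
    findings = []
    if props.get("AccessControl") in {"PublicRead", "PublicReadWrite"}:
        findings.append(f"{name}: bucket ACL {props['AccessControl']} is public")
    if "BucketEncryption" not in props:
        findings.append(f"{name}: no BucketEncryption configured")
    return findings


# Resource type -> rule function; extend this table to cover more of the policy.
CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_s3_bucket,
}


def evaluate_template(template_json):
    """Return one finding string per policy violation in the template."""
    template = json.loads(template_json)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings


if __name__ == "__main__":
    # A non-zero exit fails the CI stage, so a non-compliant template is never deployed.
    problems = evaluate_template(SAMPLE_TEMPLATE)
    print("\n".join(problems) or "no policy violations")
    sys.exit(1 if problems else 0)
```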
Training
• We can't be experts in Dev, Sec and Ops all at once
• We need cross-pollination of skills
• Developers who understand application vulnerabilities
• IT/Ops who can understand code
• Security experts who can review infrastructure
• Starts at day 0 (can't be postponed)
• Leverage the existing tools used in DevOps for security
• Common training with DevOps tools
• Don't assume non-technical staff (or one particular group of the org) are the only source of security issues
Monitoring and Alerting
• What to measure in your code? (And why)
  - Latency, volume, errors and exceptions
  - Understand the repercussions of failure
  - Fault tolerance and logging the necessary details
• What constitutes an alert?
  - Business impairment/impact
  - System impairment/load
  - Severity
• Log triage, root cause analysis, forensics
• Red herrings and known outlying cases
• Statistics – average, worst case, best case, 99th percentile
Incident Management
• Incident priority and severity, business impact
• Pager alerts, response protocol
• Monitoring, dashboards, analysis tools
• Post mortems
• Ops tools
• Communication
Image: PagerDuty.com
Incident Management
• During incident
  - Standard Operational Procedure (SOP)
  - Notetaker and liaison
  - Paging hierarchy
  - Log each action with timestamp, record its effect
• After incident
  - Post mortem / Correction of Errors – trackable document
  - Deeper dive, provide graphs/logs
  - Immediate actions to prevent repeat occurrence (Kanban)
  - Longer-term actions (scrum)
• Continuous improvement
  - Tune alarms, update SOP (ops proc)
  - Review dashboards
  - Automate manual steps, ops tools
Monitoring and Alerting
• Sample dashboard (GitLab)
• AWS CloudWatch & PagerDuty walkthrough
• SumoLogic walkthrough (log analysis)
• Sentry and real-time exception watches
• Reviewing and tracking alarms and dashboards
  - Red/orange lines for warnings and alerts
  - Standard ops procedure consults the dashboard & vice versa
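Added example, not from the slides: the metrics named in the earlier Monitoring and Alerting slide (latency, volume, errors; average, best case, worst case, 99th percentile) computed over constructed request log lines, classified against the warning/alert thresholds that the orange and red dashboard lines above represent. The log format, field names and threshold values are assumptions of this example.

```python
"""Latency/error metrics from request logs with warning and alert lines (added example)."""
import math
import re
from collections import Counter

# Constructed sample log lines, not from any real system.
SAMPLE_LOG = """\
2019-10-12T10:00:01Z GET /checkout status=200 latency_ms=120
2019-10-12T10:00:02Z GET /checkout status=200 latency_ms=95
2019-10-12T10:00:02Z POST /pay status=500 latency_ms=2300
2019-10-12T10:00:03Z GET /checkout status=200 latency_ms=110
2019-10-12T10:00:04Z GET /cart status=200 latency_ms=80
2019-10-12T10:00:05Z POST /pay status=200 latency_ms=1900
2019-10-12T10:00:06Z GET /checkout status=200 latency_ms=130
2019-10-12T10:00:07Z GET /cart status=404 latency_ms=40
2019-10-12T10:00:08Z GET /checkout status=200 latency_ms=105
2019-10-12T10:00:09Z POST /pay status=200 latency_ms=450
"""

LINE_RE = re.compile(r"status=(?P<status>\d{3}) latency_ms=(?P<latency>\d+)")


def percentile(values, pct):
    """Nearest-rank percentile, the convention most dashboards use for p99."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(log_text):
    """Volume, latency statistics and 5xx error rate for one window of log lines."""
    latencies, statuses = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line: a real pipeline would count these too
        latencies.append(int(m["latency"]))
        statuses[m["status"][0]] += 1  # bucket by class: "2", "4", "5"
    if not latencies:
        raise ValueError("no parseable request lines in window")
    volume = len(latencies)
    return {
        "volume": volume,
        "avg_ms": sum(latencies) / volume,
        "best_ms": min(latencies),
        "worst_ms": max(latencies),
        "p99_ms": percentile(latencies, 99),
        # 5xx only: 4xx is usually the client's problem and would be a red herring here
        "error_rate": statuses["5"] / volume,
    }


# (warning, alert) pairs: the orange and red lines on the dashboard. Assumed values.
THRESHOLDS = {
    "p99_ms": (500, 1000),
    "error_rate": (0.05, 0.20),
}


def classify(metrics, thresholds=THRESHOLDS):
    """Map each watched metric to "ok", "warning" or "alert"."""
    result = {}
    for name, (warn, alert) in thresholds.items():
        value = metrics[name]
        result[name] = "alert" if value >= alert else "warning" if value >= warn else "ok"
    return result


if __name__ == "__main__":
    m = summarize(SAMPLE_LOG)
    for k, v in m.items():
        print(f"{k:>10}: {v}")
    print(classify(m))
```

The p99 here is driven by a single slow request in a ten-line window; in practice the window and sample size decide whether such an outlier is an alert or one of the known outlying cases the slide mentions.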
Final Thoughts
• Dealing with operations overload/security events overload
  - Eisenhower Decision Matrix for backlog prioritization
• Web Application Firewalls (AWS WAF)
• Forensics after outages/events
  - Speed up log analysis – share triage information
• Vulnerability management – urgent upgrades
  - Don't postpone critical vulnerability patches
• A/B labs for runtime switches (management)
  - Deploy a new feature to production hidden by an on/off switch
  - Allow "dial up" of the feature to a certain percentage of customers
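The on/off switch with percentage dial-up from the last bullets, as an added example rather than code from the talk: customers are bucketed by a stable hash of flag name and customer id, so dialling up from 10% to 25% only adds customers and never flickers the feature on and off for the same person between requests. The class, the allow-list and the bucket size are assumptions of this example.

```python
"""Feature flag with a kill switch and percentage dial-up (added example)."""
import hashlib


class FeatureFlag:
    """A runtime switch whose rollout percentage can be changed without a deploy.

    Assignment is deterministic per (flag, customer): a customer in the 10%
    cohort stays enabled when the flag is dialled up to 25%, and a flag that is
    switched off hides the feature for everyone, allow-listed testers included.
    """

    BUCKETS = 10_000  # resolution of 0.01%

    def __init__(self, name, enabled=False, percentage=0.0, allow_list=()):
        self.name = name
        self.enabled = enabled              # the master on/off switch
        self.percentage = percentage        # 0.0 .. 100.0
        self.allow_list = set(allow_list)   # e.g. internal test accounts (assumed)

    def bucket(self, customer_id):
        """Stable bucket in [0, BUCKETS) derived from flag name and customer id."""
        digest = hashlib.sha256(f"{self.name}:{customer_id}".encode()).digest()
        return int.from_bytes(digest[:4], "big") % self.BUCKETS

    def is_enabled_for(self, customer_id):
        if not self.enabled:
            return False  # kill switch wins over everything else
        if customer_id in self.allow_list:
            return True
        return self.bucket(customer_id) < self.percentage / 100 * self.BUCKETS

    def dial_up(self, percentage):
        """Change the rollout percentage; recorded like any other change in practice."""
        if not 0.0 <= percentage <= 100.0:
            raise ValueError("percentage must be between 0 and 100")
        self.percentage = percentage


def cohort(flag, customer_ids):
    """Set of customers that currently see the feature."""
    return {c for c in customer_ids if flag.is_enabled_for(c)}


if __name__ == "__main__":
    customers = [f"cust-{i}" for i in range(2000)]
    flag = FeatureFlag("new-checkout", enabled=True, percentage=10.0, allow_list={"qa-1"})
    first = cohort(flag, customers)
    flag.dial_up(25.0)
    second = cohort(flag, customers)
    print(len(first), "customers at 10%,", len(second), "at 25%,",
          "superset:", first <= second)
```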
Reference Links
• https://devops.com/35-tools-every-devops-expert-must-know/
• https://dev.to/pavanbelagatti/here-are-8-devops-trends-to-watch-for-in-2019-mcf
• https://www.slideshare.net/AmazonWebServices/introduction-to-devsecops
• https://www.redhat.com/en/topics/devops/what-is-devsecops
• https://aws.amazon.com/cloudformation/aws-cloudformation-templates/
• https://dashboards.gitlab.com/d/RZmbBr7mk/gitlab-triage?orgId=1&refresh=30s
• https://pagerduty.com | https://sumologic.com | https://sentry.com
Thank You! & Questions?

More Related Content

What's hot

What's hot (20)

How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOps
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOps
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
 
Leveraging Azure DevOps across the Enterprise
Leveraging Azure DevOps across the EnterpriseLeveraging Azure DevOps across the Enterprise
Leveraging Azure DevOps across the Enterprise
 
Feature Flags.pdf
Feature Flags.pdfFeature Flags.pdf
Feature Flags.pdf
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
Overview of AWS by Andy Jassy - SVP, AWS
Overview of AWS by Andy Jassy - SVP, AWSOverview of AWS by Andy Jassy - SVP, AWS
Overview of AWS by Andy Jassy - SVP, AWS
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOps
 
DevOps Best Practices
DevOps Best PracticesDevOps Best Practices
DevOps Best Practices
 
DevOps 101 - an Introduction to DevOps
DevOps 101  - an Introduction to DevOpsDevOps 101  - an Introduction to DevOps
DevOps 101 - an Introduction to DevOps
 
Devops Devops Devops
Devops Devops DevopsDevops Devops Devops
Devops Devops Devops
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
 
What Is DevOps?
What Is DevOps?What Is DevOps?
What Is DevOps?
 
DevOps on AWS
DevOps on AWSDevOps on AWS
DevOps on AWS
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
SonarQube - Como avaliar seus fornecedores e garantir a qualidade de suas ent...
SonarQube - Como avaliar seus fornecedores e garantir a qualidade de suas ent...SonarQube - Como avaliar seus fornecedores e garantir a qualidade de suas ent...
SonarQube - Como avaliar seus fornecedores e garantir a qualidade de suas ent...
 

Similar to DevOps and DevSecOps, Incident Management

Making software development processes to work for you
Making software development processes to work for youMaking software development processes to work for you
Making software development processes to work for youAmbientia
 
Productionising Machine Learning Models
Productionising Machine Learning ModelsProductionising Machine Learning Models
Productionising Machine Learning ModelsTash Bickley
 
DevOps and Digital Transformation
DevOps and Digital TransformationDevOps and Digital Transformation
DevOps and Digital TransformationOmid Shariati
 
Elite mindz introduction
Elite mindz introductionElite mindz introduction
Elite mindz introductionSimerjeet Singh
 
EliteMindz: Who are we? Where do we serve ? What are our products & services?
EliteMindz: Who are we? Where do we serve ? What are our products & services?EliteMindz: Who are we? Where do we serve ? What are our products & services?
EliteMindz: Who are we? Where do we serve ? What are our products & services?Simerjeet Singh
 
Technology and Digital Platform | 2019 partner summit
Technology and Digital Platform | 2019 partner summitTechnology and Digital Platform | 2019 partner summit
Technology and Digital Platform | 2019 partner summitAndrew Kumar
 
DOES15 - Mirco Hering - Adopting DevOps Practices for Systems of Record – An ...
DOES15 - Mirco Hering - Adopting DevOps Practices for Systems of Record – An ...DOES15 - Mirco Hering - Adopting DevOps Practices for Systems of Record – An ...
DOES15 - Mirco Hering - Adopting DevOps Practices for Systems of Record – An ...Gene Kim
 
Mirco hering devops for systems of record final
Mirco hering devops for systems of record finalMirco hering devops for systems of record final
Mirco hering devops for systems of record finalMirco Hering
 
Measure and increase developer productivity with help of Severless by Kazulki...
Measure and increase developer productivity with help of Severless by Kazulki...Measure and increase developer productivity with help of Severless by Kazulki...
Measure and increase developer productivity with help of Severless by Kazulki...Vadym Kazulkin
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015Shannon Lietz
 
JDA: Building an Open Source Center of Excellence
JDA: Building an Open Source Center of ExcellenceJDA: Building an Open Source Center of Excellence
JDA: Building an Open Source Center of ExcellenceBlack Duck by Synopsys
 
Bridging the Gap: from Data Science to Production
Bridging the Gap: from Data Science to ProductionBridging the Gap: from Data Science to Production
Bridging the Gap: from Data Science to ProductionFlorian Wilhelm
 
Software Measurement: Lecture 3. Metrics in Organization
Software Measurement: Lecture 3. Metrics in OrganizationSoftware Measurement: Lecture 3. Metrics in Organization
Software Measurement: Lecture 3. Metrics in OrganizationProgrameter
 
Mage Titans USA 2016 - Mathew Beane - Edit Fully Stacked: Less OOPS, More OPS...
Mage Titans USA 2016 - Mathew Beane - Edit Fully Stacked: Less OOPS, More OPS...Mage Titans USA 2016 - Mathew Beane - Edit Fully Stacked: Less OOPS, More OPS...
Mage Titans USA 2016 - Mathew Beane - Edit Fully Stacked: Less OOPS, More OPS...Stacey Whitney
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical ApproachJeremy Brown
 
Software Modernization for the Digital Economy
Software Modernization for the Digital EconomySoftware Modernization for the Digital Economy
Software Modernization for the Digital EconomyZinnov
 
DevOps CTO Masterclass | Webinar Oct. 2020
DevOps CTO Masterclass | Webinar Oct. 2020DevOps CTO Masterclass | Webinar Oct. 2020
DevOps CTO Masterclass | Webinar Oct. 2020Cyber-Duck
 
Measure and Increase Developer Productivity with Help of Serverless at Server...
Measure and Increase Developer Productivity with Help of Serverless at Server...Measure and Increase Developer Productivity with Help of Serverless at Server...
Measure and Increase Developer Productivity with Help of Serverless at Server...Vadym Kazulkin
 
Transforming CI/CD at ABN AMRO to Accelerate Software Delivery and Improve Se...
Transforming CI/CD at ABN AMRO to Accelerate Software Delivery and Improve Se...Transforming CI/CD at ABN AMRO to Accelerate Software Delivery and Improve Se...
Transforming CI/CD at ABN AMRO to Accelerate Software Delivery and Improve Se...DevOps.com
 

Similar to DevOps and DevSecOps, Incident Management (20)

Making software development processes to work for you
Making software development processes to work for youMaking software development processes to work for you
Making software development processes to work for you
 
Productionising Machine Learning Models
Productionising Machine Learning ModelsProductionising Machine Learning Models
Productionising Machine Learning Models
 
DevOps and Digital Transformation
DevOps and Digital TransformationDevOps and Digital Transformation
DevOps and Digital Transformation
 
Elite mindz introduction
Elite mindz introductionElite mindz introduction
Elite mindz introduction
 
EliteMindz: Who are we? Where do we serve ? What are our products & services?
EliteMindz: Who are we? Where do we serve ? What are our products & services?EliteMindz: Who are we? Where do we serve ? What are our products & services?
EliteMindz: Who are we? Where do we serve ? What are our products & services?
 
Technology and Digital Platform | 2019 partner summit
Technology and Digital Platform | 2019 partner summitTechnology and Digital Platform | 2019 partner summit
Technology and Digital Platform | 2019 partner summit
 
DOES15 - Mirco Hering - Adopting DevOps Practices for Systems of Record – An ...
DOES15 - Mirco Hering - Adopting DevOps Practices for Systems of Record – An ...DOES15 - Mirco Hering - Adopting DevOps Practices for Systems of Record – An ...
DOES15 - Mirco Hering - Adopting DevOps Practices for Systems of Record – An ...
 
Mirco hering devops for systems of record final
Mirco hering devops for systems of record finalMirco hering devops for systems of record final
Mirco hering devops for systems of record final
 
Measure and increase developer productivity with help of Severless by Kazulki...
Measure and increase developer productivity with help of Severless by Kazulki...Measure and increase developer productivity with help of Severless by Kazulki...
Measure and increase developer productivity with help of Severless by Kazulki...
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
 
DevSecCon Keynote
DevSecCon KeynoteDevSecCon Keynote
DevSecCon Keynote
 
JDA: Building an Open Source Center of Excellence
JDA: Building an Open Source Center of ExcellenceJDA: Building an Open Source Center of Excellence
JDA: Building an Open Source Center of Excellence
 
Bridging the Gap: from Data Science to Production
Bridging the Gap: from Data Science to ProductionBridging the Gap: from Data Science to Production
Bridging the Gap: from Data Science to Production
 
Software Measurement: Lecture 3. Metrics in Organization
Software Measurement: Lecture 3. Metrics in OrganizationSoftware Measurement: Lecture 3. Metrics in Organization
Software Measurement: Lecture 3. Metrics in Organization
 
Mage Titans USA 2016 - Mathew Beane - Edit Fully Stacked: Less OOPS, More OPS...
Mage Titans USA 2016 - Mathew Beane - Edit Fully Stacked: Less OOPS, More OPS...Mage Titans USA 2016 - Mathew Beane - Edit Fully Stacked: Less OOPS, More OPS...
Mage Titans USA 2016 - Mathew Beane - Edit Fully Stacked: Less OOPS, More OPS...
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical Approach
 
Software Modernization for the Digital Economy
Software Modernization for the Digital EconomySoftware Modernization for the Digital Economy
Software Modernization for the Digital Economy
 
DevOps CTO Masterclass | Webinar Oct. 2020
DevOps CTO Masterclass | Webinar Oct. 2020DevOps CTO Masterclass | Webinar Oct. 2020
DevOps CTO Masterclass | Webinar Oct. 2020
 
Measure and Increase Developer Productivity with Help of Serverless at Server...
Measure and Increase Developer Productivity with Help of Serverless at Server...Measure and Increase Developer Productivity with Help of Serverless at Server...
Measure and Increase Developer Productivity with Help of Serverless at Server...
 
Transforming CI/CD at ABN AMRO to Accelerate Software Delivery and Improve Se...
Transforming CI/CD at ABN AMRO to Accelerate Software Delivery and Improve Se...Transforming CI/CD at ABN AMRO to Accelerate Software Delivery and Improve Se...
Transforming CI/CD at ABN AMRO to Accelerate Software Delivery and Improve Se...
 

Recently uploaded

Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxupamatechverse
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...srsj9000
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxpranjaldaimarysona
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Christo Ananth
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Dr.Costas Sachpazis
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSCAESB
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 

Recently uploaded (20)

Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptx
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentation
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 

DevOps and DevSecOps, Incident Management

  • 1. DevOps = Development + Operations; DevSecOps = DevOps + Security; Shrini Kulkarni skulkarni@fastspring.comDesert Code Camp 2019
  • 2. - Desert Code Camp 2019 Before DevOps Team Ops Team Dev Image Courtesy: Kieran Jacobsen, Readify, Microsoft
  • 3. Desert Code Camp 2019 Before DevOps Team Dev(Engg) • Release management and deployments • IT admin and InfoSec • Infrastructure, DBA and maintenance • Reliability Engineering • Business Operations • Requirements -> design • SCM & Code revisioning • Coding, feature dev • Testing, QA • Delivering release candidate • Bug fixes and/or triageTeam (Sys)Ops
  • 4. Outperforming teams are collaborate extensively with their counterparts 54% more likely to Developers 26.7% No executive support 56.7% Cultural inhibitors 43.3% Fragmentedprocesses Collaboration blockers DevOps was being initiated by more development teams than IT Ops teams by about a 40% to 33% margin Agile methodologieshave adopted 3/4 of teams BusinessIT Ops The average hourly cost of infrastructure failure is $100,000 per hour It takes on average 200 minutes to diagnose and repair a production issue A bug caught in production ends up costing than if the same bug was found earlier in the development cycle 100x more IT decision makers are still unfamiliar with the term DevOps 61 in 40% … of implementations end up getting reworked because they don’t meet the users’ original requirements … of development budgets for software, IT staff and external professional services will be consumed by poor requirements 41% IT drives business success! High IT performance correlates with strong business performance, helps boost productivity, market share and profit. Responding to ongoing needs for efficiency and growth Always keeping all systems safe and secure dual goals … for companies that try toadapt theirexisting toolsfor DevOps practices 80% failure rate … CIOs 70 % to reduce IT costs Would increase risk and accelerate business agility of
  • 5. DevOps Cycle. By 2022 DevOps will be the norm for the majority of software developed (HP Enterprise, 2017). Ship code 30x faster, 55% more responsive to business needs, 50% fewer failures, 38% improved code quality (Puppetlabs, 2013). "DevOps means caring about your job enough to not pass the buck, wanting to learn all the parts as a whole, and not just your little world." — John Vincent. According to Statista, many business organizations are adopting DevOps: adoption rose to about 17% in 2018 from about 10% in 2017. Image source: Kieran Jacobsen, Readify & Microsoft
  • 6. What is DevOps? (Slide source: Thiago Almeida | @nzthiago | talmeida.net) DevOps is development and operations … DevOps is treating your … DevOps is using … for Ops? DevOps is feature … DevOps is deployments …
  • 7. What is DevOps? • Not merely development and operations collaborating • A culture and mindset for collaboration between developers and operations • Developing with ops/tools/usage in mind • Deploying with automation and emergency fixes in mind • Test driven development with user experience frustrations in mind • Bug triaging with fix cost estimation and plan in mind • Provisioning/procurement with automatic scaling in mind • Release planning with an A/B production switch in mind • Faster deployments, even faster response times, improved quality and health of systems • Correct people, processes and tools/products leveraged • Reduced costs overall, reinforced trust across the organization
  • 8. What DevOps Isn't. "DevOps means caring about your job enough to not pass the buck, wanting to learn all the parts as a whole, and not just your little world." — John Vincent • Caring for your system does not require you to be an expert in everything; you still continue doing what you are good at, while paying more attention to other areas of the system • Owner vs. renter analogy – owners don't walk away from a problem • Specialization and domain expertise are still more valuable than generalist work; DevOps is merely asking for cross awareness (cross-pollinated skills) • Documentation, training and communication tools overcome these challenges
  • 9. Tools of the Trade (Image source: https://eduinpro.com/blog/top-devops-tools-in-the-digital-market/ & medium.com)
  • 10. Tools of the Trade • Dashboards, traceability, incremental delivery of value • Agile methods like Scrum and Kanban used effectively • Continuous Integration and release pipelines • Automation where needed, IaC (Infrastructure as Code) • Application monitoring and alerting, incident management • Business and support in co-ordination with developers • Shared responsibility for ops, same as for security
  • 11. Infrastructure as Code • Treat templates, scripts, orchestration code or provisioning like code artifacts (YAML/JSON/XML) • Any tools or config scripts also go in the codebase/SCM • Follow change management practices for infrastructure as well (version, manifest, CM approvals) • Record changes in a visible log (Slack channel/Jira work log) • Security concerns called out in planning and properly tracked during implementation
  • 12. DevSecOps • What about security? IT InfoSec used to take care of it. • Security is a shared responsibility as well • Never treat security as an afterthought (reactionary) • DevSecOps (DevOps with security in mind) • Clear communication pathways • Streamlined communication • Security as Code • Training • Integrate security into the DevOps cycle
  • 13. Communication: a three-way loop between Development, Operations and Security. Topics that flow between the three (from the diagram): Ops tools, metrics, alerts; Security review, data classification, security fixes; Major defects, highlight pain points, drive improvements/incident action items; Pen test code, compliance, security action items, policy; Security monitoring tools, firewall review, access log scan, vulnerability, outdated hardware/software; Application scan, pen test infra, access control rules. NO: ✗ Excel checklists ✗ Word document reports or policy documents ✗ Email attachments ✗ Private communication – ad hoc cc list ✗ Private chat/tribal knowledge, verbal approval. YES: ✓ Backlogs/boards (like Jira/scrum tools/MS Project) ✓ Support ticketing (like Remedy/Zendesk) ✓ Markup and Git (readme.md, Confluence) ✓ Traceable tool, CM (Confluence, Google Docs with versioning, author, Slack history, work logs)
  • 14. Security as Code • Application source code incorporates security libraries/platforms • Infrastructure follows security guidelines (CloudFormation, templates) • Server configuration – Chef, Puppet, DSC, Wazuh • Traceable, checked-in code in the repository (leverage git + CI/CD) • Check in not just source, but also policy as code artifacts • Monitoring/operations configuration should also be checked in as code, in the form of a script/template • Testing & scanning tools/policy can also be checked in/automated • Document the process to deploy/run the above for easy reuse • Firewall rules, access control changes, permission requests
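Slides 11 and 14 both ask for the infrastructure template and the security policy to be checked in together and run as code. The script below is an added example of what that looks like in a CI step; it is not from the talk or from any of the tools it mentions. Both templates are constructed for the demo, and the two policies it enforces (no sensitive port open to the whole internet, every bucket encrypted) are assumptions for illustration, not any organisation's real baseline.

```python
"""Policy-as-code check run over an infrastructure template before deployment.

Added example, not code from the talk: it shows the slides' idea of
checking in security policy next to the template and running it in CI.
The two templates below are constructed for the demo; the policies (no
sensitive port open to the whole internet, every bucket encrypted) are
assumptions, not any organisation's real baseline.
"""
import ipaddress

# Ports that should never accept ingress from the whole internet (assumption).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379}


def open_to_world(cidr: str) -> bool:
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # Ref/GetAtt or malformed value: not provably world-open


def port_range(rule: dict) -> tuple:
    """Normalise FromPort/ToPort; CloudFormation uses -1 (or omits them) for all ports."""
    lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
    if int(lo) == -1 or int(hi) == -1:
        return 0, 65535
    return int(lo), int(hi)


def check_template(template: dict) -> list:
    """Return (logical_id, policy_id, detail) for every policy violation."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6") or ""
                lo, hi = port_range(rule)
                if open_to_world(cidr) and any(lo <= p <= hi for p in SENSITIVE_PORTS):
                    findings.append((logical_id, "SG-WORLD-OPEN",
                                     f"ports {lo}-{hi} open to {cidr}"))
        elif res.get("Type") == "AWS::S3::Bucket":
            if "BucketEncryption" not in props:
                findings.append((logical_id, "S3-NO-ENCRYPTION",
                                 "no BucketEncryption block"))
    return findings


# Constructed 'weak' template: SSH open to the world, unencrypted bucket.
WEAK_TEMPLATE = {
    "Resources": {
        "AppSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "app servers",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}

# Same resources after the fix: SSH only from the private range, SSE enabled.
HARDENED_TEMPLATE = {
    "Resources": {
        "AppSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "app servers",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "10.0.0.0/8"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "LogBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
                    ]
                }
            },
        },
    }
}


def gate(template: dict) -> bool:
    """CI gate: True when the template may be deployed (no findings)."""
    return not check_template(template)


if __name__ == "__main__":
    for name, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(name, "deployable" if gate(tpl) else check_template(tpl))
```

Because the check runs on the template text rather than on deployed resources, it fits the "Record changes in a visible log" point too: a failed gate is a pipeline result tied to the commit that introduced the change, and the fix is a reviewed diff to the same file. HTTPS open to the world is deliberately not flagged, which is the kind of decision the policy file should document so the exception is traceable.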
  • 15. Training • We can't be experts in Dev, Sec and Ops at once • We need cross pollination of skills • Developers that understand application vulnerabilities • IT/Ops that can understand code • Security experts that can review infrastructure • Starts at day 0 (can't be postponed) • Leverage the existing tools used in DevOps for security • Common training on DevOps tools • Don't assume that non-technical staff (or one particular group in the org) are the only source of security issues
  • 16. Monitoring and Alerting • What to measure in your code? (And why) • Latency, volume, errors and exceptions • Understand the repercussions of failure • Fault tolerance and logging the necessary details • What constitutes an alert? • Business impairment/impact • System impairment/load • Severity • Log triage, root cause analysis, forensics • Red herrings and known outlying cases • Statistics – average, worst case, best case, 99th percentile
  • 17. Incident Management (Image: PagerDuty.com) • Incident priority and severity, business impact • Pager alerts, response protocol • Monitoring, dashboards, analysis tools • Post mortems • Ops tools • Communication
  • 18. Incident Management • During incident • Standard Operational Procedure (SOP) • Notetaker and liaison • Paging hierarchy • Log each action with a timestamp, record its effect • After incident • Post mortem / Correction of Errors – trackable document • Deeper dive, provide graphs/logs • Immediate actions to prevent repeat occurrence (Kanban) • Longer term actions (Scrum) • Continuous improvement • Tune alarms, update SOP (ops proc) • Review dashboards • Automate manual steps, ops tools
  • 19. Monitoring and Alerting • Sample dashboard (GitLab) • AWS CloudWatch & PagerDuty walkthrough • SumoLogic walkthrough (log analysis) • Sentry and real-time exception watches • Reviewing and tracking alarms and dashboards • Red/orange lines for warnings and alerts • Standard ops procedure consults the dashboard & vice versa
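Slide 16 lists what to measure (latency, volume, errors; average, best, worst, 99th percentile) and what turns a measurement into an alert, and slide 19 puts the same idea on a dashboard as orange warning lines and red alert lines. The script below is an added example that carries both through on a handful of log lines; it is not code from the talk or from CloudWatch, Sumo Logic or GitLab. The log format, the sample lines and the two thresholds are constructed for the demo, and the health-check exclusion stands in for the slide's "known outlying cases".

```python
"""Turn raw access-log lines into the metrics the slides call out
(volume, latency average / best / worst / p99, error rate) and map them
onto warning (orange) and alert (red) lines.

Added example, not code from the talk. The log format, the sample lines
and the thresholds are constructed for the demo; in practice the numbers
come from the monitoring stack (CloudWatch, Sumo Logic, a GitLab-style
dashboard) rather than a string in the script.
"""
import math
import re
from statistics import mean

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<ms>\d+)ms$"
)

# Known outlying case excluded from the stats (assumption): load-balancer
# health checks are tiny and frequent and would drag the average down.
IGNORED_PATHS = {"/healthz"}

# Orange and red lines for the dashboard (constructed thresholds).
THRESHOLDS = {
    "p99_ms": {"warning": 800, "critical": 2000},
    "error_rate": {"warning": 0.02, "critical": 0.10},
}

# Constructed log excerpt: one malformed line and two health checks are noise.
SAMPLE_LOG = """\
2019-10-12T10:00:01Z GET /checkout 200 120ms
2019-10-12T10:00:02Z GET /cart 200 95ms
2019-10-12T10:00:02Z POST /checkout 500 2300ms
2019-10-12T10:00:03Z GET /healthz 200 3ms
2019-10-12T10:00:03Z GET /product/42 200 140ms
2019-10-12T10:00:04Z GET /cart 200 110ms
2019-10-12T10:00:04Z POST /login 401 200ms
2019-10-12T10:00:05Z GET /checkout 200 130ms
this line is garbage and must not crash the parser
2019-10-12T10:00:06Z GET /healthz 200 2ms
2019-10-12T10:00:06Z GET /product/7 200 150ms
2019-10-12T10:00:07Z POST /checkout 503 1900ms
2019-10-12T10:00:07Z GET /cart 200 100ms
2019-10-12T10:00:08Z GET /search 200 450ms
"""


def parse_logs(text: str) -> list:
    """One dict per well-formed request line; noise and ignored paths are dropped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m["path"] not in IGNORED_PATHS:
            rows.append({"path": m["path"], "status": int(m["status"]), "ms": int(m["ms"])})
    return rows


def percentile(values: list, pct: float) -> int:
    """Nearest-rank percentile; pct=100 is the worst case, pct=0 the best."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(rows: list) -> dict:
    """Volume, latency statistics and error rate (5xx) for the window."""
    if not rows:
        return {"volume": 0, "avg_ms": 0, "best_ms": 0, "worst_ms": 0,
                "p99_ms": 0, "error_rate": 0.0}
    lat = [r["ms"] for r in rows]
    errors = sum(1 for r in rows if r["status"] >= 500)
    return {
        "volume": len(rows),
        "avg_ms": round(mean(lat), 1),
        "best_ms": min(lat),
        "worst_ms": max(lat),
        "p99_ms": percentile(lat, 99),
        "error_rate": errors / len(rows),
    }


def severity(summary: dict) -> str:
    """'ok', 'warning' (orange line crossed) or 'critical' (red line crossed)."""
    level = "ok"
    for metric, lines in THRESHOLDS.items():
        value = summary[metric]
        if value >= lines["critical"]:
            return "critical"
        if value >= lines["warning"]:
            level = "warning"
    return level


if __name__ == "__main__":
    s = summarize(parse_logs(SAMPLE_LOG))
    print(s, "->", severity(s))
```

Two of the eleven real requests are slow 5xx responses; the average latency hides them, the 99th percentile and the error rate do not, which is why the slide lists both and why the severity function looks at the tail rather than the mean. Keeping the thresholds in one table next to the code is what lets the "tune alarms, update SOP" step of slide 18 become a reviewed change instead of a dashboard click nobody can trace.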
  • 20. Final Thoughts • Dealing with operations overload/security event overload • Eisenhower Decision Matrix for backlog prioritization • Web Application Firewalls (AWS WAF) • Forensics after outages/events • Speed up log analysis – share triage information • Vulnerability management – urgent upgrades • Don't postpone critical vulnerability patches • A/B labs for runtime switches (management) • Deploy a new feature to production hidden behind an on/off switch • Allow "dial up" of the feature to a certain percentage of customers
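The last two points of slide 20 describe shipping a feature dark and then dialling it up to a share of customers. The script below is an added example of the switch itself, not code from the talk or from any feature-flag product. The flag table is constructed for the demo (a real service would load it from a config store), and the hashing scheme, which pins each customer to a fixed bucket so the same person always gets the same answer and a raised percentage never takes the feature away from anyone, is one common approach rather than the only one.

```python
"""Deterministic percentage rollout behind an on/off switch.

Added example, not code from the talk. It shows the 'deploy hidden behind
a switch, then dial it up to a share of customers' idea from the slide.
The flag table is constructed for the demo (a real service would load it
from a config store); customers are hashed into fixed buckets so a given
customer always gets the same answer and raising the percentage never
takes the feature away from someone who already has it.
"""
import copy
import hashlib

BUCKETS = 10_000  # 0.01 % resolution

# Constructed flag table: master switch, rollout percentage, explicit allow list.
FLAGS = {
    "new_checkout": {"enabled": True, "percent": 10.0, "allow": {"qa-team"}},
    "beta_search": {"enabled": False, "percent": 100.0, "allow": set()},
}


def fresh_table() -> dict:
    """Independent copy of the flag table, so experiments never mutate the default."""
    return copy.deepcopy(FLAGS)


def bucket(flag: str, customer_id: str) -> int:
    """Stable bucket in [0, BUCKETS). The flag name is mixed into the hash so
    different flags shuffle customers independently instead of always
    picking the same 10 % of people for every experiment."""
    digest = hashlib.sha256(f"{flag}:{customer_id}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % BUCKETS


def is_enabled(flag: str, customer_id: str, flags: dict = FLAGS) -> bool:
    """Decide whether this customer sees the feature right now."""
    cfg = flags.get(flag)
    if cfg is None or not cfg["enabled"]:
        return False  # unknown flag or master switch off: feature stays hidden
    if customer_id in cfg["allow"]:
        return True  # internal testers see it regardless of the percentage
    return bucket(flag, customer_id) < cfg["percent"] / 100 * BUCKETS


def dial_up(flag: str, percent: float, flags: dict = FLAGS) -> dict:
    """Set the rollout share; the range check keeps a typo from turning 10 into 1000."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be between 0 and 100")
    flags[flag]["percent"] = float(percent)
    return flags[flag]


def rollout_share(flag: str, customer_ids, flags: dict = FLAGS) -> float:
    """Fraction of the given customers currently seeing the feature."""
    ids = list(customer_ids)
    return sum(is_enabled(flag, c, flags) for c in ids) / len(ids)


def demo() -> dict:
    """Walk a copy of the table from 10 % to 30 % and report what happened."""
    table = fresh_table()
    customers = [f"cust-{i}" for i in range(5000)]  # constructed ids
    before = {c for c in customers if is_enabled("new_checkout", c, table)}
    share_10 = rollout_share("new_checkout", customers, table)
    dial_up("new_checkout", 30, table)
    after = {c for c in customers if is_enabled("new_checkout", c, table)}
    return {"share_at_10": share_10,
            "share_at_30": rollout_share("new_checkout", customers, table),
            "nobody_lost_feature": before <= after}


if __name__ == "__main__":
    print(demo())
```

The master switch and the percentage are separate on purpose: an incident response can flip `enabled` off in one change without losing the rollout state, and that change is a diff to a checked-in table, which is the same traceability slide 11 asks for on infrastructure.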
  • 21. Reference Links • https://devops.com/35-tools-every-devops-expert-must-know/ • https://dev.to/pavanbelagatti/here-are-8-devops-trends-to-watch-for-in-2019-mcf • https://www.slideshare.net/AmazonWebServices/introduction-to-devsecops • https://www.redhat.com/en/topics/devops/what-is-devsecops • https://aws.amazon.com/cloudformation/aws-cloudformation-templates/ • https://dashboards.gitlab.com/d/RZmbBr7mk/gitlab-triage?orgId=1&refresh=30s • https://pagerduty.com | https://sumologic.com | https://sentry.com Thank You! & Questions?