This document discusses how DevOps affects information security. It begins by motivating the talk and explaining that information systems need higher quality and faster delivery. Security is often an afterthought in development. The document then discusses what DevOps truly means, debunking several myths including that it replaces Agile or is incompatible with security and compliance. DevOps is explained as a way of thinking about work that emphasizes team collaboration across development and operations. This enables more efficient risk mitigation and implementation of security principles throughout the software development lifecycle.

1. DevOps and the Future of Information
Security
Darin Morris
@techdevdari
n
in/darinmorris
2018

2. In General:
What we’re going talk about
2. How “doing DevOps” affects how we
secure Data and Computer-centric
Information Systems
In Particular:
1. What it really means to do DevOps
Thoughts I’ve had around DevOps and Security

3. Motivation for this talk
• I want “information technology practitioners” to become more professional, more productive and
happier at work.
Many reasons, but some of the more major reasons are:
• Information systems need to be of higher quality and delivered faster – we need to really
understand the DevOps philosophy to do that well.
• Security is often an afterthought in the IT systems lifecycle – that needs to change.
• We need a common, meaningful language – not buzzwords!

5. DevOps and Security are
very broad domains!

6. So can we cover enough in
only 35 minutes?!

7. SOMEONE ONCE TOLD ME NOT TO BITE
OFF MORE THAN I COULD CHEW…
I said I’d rather
CHOKE ON GREATNESS
THAN NIBBLE ON
MEDIOCRITY.

8. Let’s get to know each
other a little better!

9. Sales or Relationship
Management
Does this sound like your role?
Marketing Finance Leadership (C-Suite)
Human Resources
Business Analyst / Big
Data Analyst General Administrator In-house Legal

10. Project Manager or
Coordinator Product Manager/Owner Software Architect Software Engineer
Test Engineer
Provision and Manage
IT Infrastructure (IT Ops)
Does this sound like your role?
Dedicated Security or
Compliance Something else?
?

11. OK! Less about you.
More about me!

12. Fun facts about me
Most used programming languages:
C#, JavaScript
“SiliconCape Native”
First PC: Pentium 1 with
Windows 95
First programming language: Java (JDK 1.3)

13. Professional background
• I’m a self-taught “Technologist” and I solve problems using
technology.
• I've been a founder, manager, team lead and software engineer,
in various sectors, and in teams of different shapes and sizes.
• Microsoft Certified Professional
• Certified ScrumMaster
• In the process of completing CSSLP, ITIL and ISTQB certifications.
• Member of a number of professional IT associations and
bodies i.e. OWASP, ISACA, IITPSA
• Fulltime full stack software engineer for the past 13 years,
primarily focussed on web and cloud-native software.

14. Let’s play a game!

15. True or False?
DevOps is only done by
technical staff.
Question #1

16. True or False?
DevOps is a Role.
Question #2

17. True or False?
DevOps is a way of thinking
about how we do work.
Question #3

18. What is DevOps really?

20. • DevOps Principles and Practices are compatible with Agile
• DevOps is a logical continuation of Agile
• Agile serves as an effective enabler of DevOps
Myth #1: DevOps replaces Agile

21. • Can be made compatible - many
areas just become automated.
Myth #2: DevOps is incompatible with ITIL

22. • Controls are
integrated into
every stage of
daily work of the
SDLC resulting in
better quality and
security and
compliance
outcomes.
Myth #3: DevOps is incompatible with InfoSec and Compliance
Image credit: Checkmarx Software Exposure platform (www.checkmarx.com)

23. • Rarely the case. Nature of IT Operations work just
changes.
• Collaborates far earlier in SDLC with development.
• Enables developer productivity through APIs and
self-service platforms that create environments, test
and deploy code, monitor and display production
telemetry, etc.
• IT Ops become more like Development
• i.e. engaged in product development for developers.
Myth #4: DevOps means eliminating IT Operations

24. • “DevOps isn’t about
automation, just as astronomy
isn’t about telescopes” -
Christopher Little
Myth #5: DevOps is just Infrastructure as Code

25. DevOps is about Team Work
that enables efficient creation of value
What DevOp really boils down to

26. So, how is Security
affected?

27. Security and DevOps - DevSecOps?
• Security is fundamentally about mitigating risk
(you’ll never be 100% secure).
• Mitigating risk is enabled by maintaining
integrity, availability and confidentially.
• Security principles haven’t changed, the way
we implement security has.

28. Security
Fail Securely
Minimize attack
surface
Least
Privilege
Integrity
Auditing
Keep Things Simple
(Economy of mechanism)
Separation of
duties/privilege
Confidentiality
Psychological
Acceptability
Availability
Single Point of
Failure
Defense in
Depth
Leverage Existing
Components
Open Design
Complete
Mediation
Security Principles and Concepts

29. That’s a wrap!
@techdevdarin
in/darinmorris
Connect with me: