DevOps: What's Buried in the Fine Print | Jeffery Smith
You've implemented DevOps, but are you experiencing some growing pains? This talk walks through some of the gotchas encountered with rolling out DevOps in your org.
At a time when some say users pose the biggest threat, new tools are emerging that give users more freedom than ever.
451 Analyst, Adrian Sanabria speaks on this bold new approach to application control in our latest webinar.
KEY TOPICS
1. Learn from the past: valuing User Experience, IT workload & business/IT relations.
2. Take off the training wheels: it’s possible to trust users to make the right choices, but still have options if they don’t.
3. Drop unreasonable goals: more restrictions ≠ more security.
What we learned from three years sciencing the crap out of devops | Nicole Forsgren
Three years, 20,000 DevOps professionals, and some science... What did we find? Well, the headline is that IT *does* matter if you do it right. With a mix of technology, processes, and a great culture, IT contributes to organizations' profitability, productivity, and market share. We also found that using continuous delivery and lean management practices not only makes IT better -- giving you throughput and stability without tradeoffs -- but it also makes your work feel better -- making your organizational culture better and decreasing burnout. Jez and Nicole will share these findings as well as tips and tricks to help make your own DevOps transformation awesome.
How DevOps is Transforming IT, and What it Can Do for Academia | Nicole Forsgren
Today's business climate is challenging companies to innovate and respond to the market, and forcing them to do so with much greater pressure than ever before. DevOps provides organizations with the ability to respond to this challenge, helping them to innovate and create at velocity and bring value to their business through software, because there really aren't any major companies that aren't software companies.
But the *real* message here is that DevOps is more than just technology. We have been beating our drum for years that DevOps is revolutionary because it goes so far beyond just the technology (tools) -- it is also the practices and the culture. All three of these are required for DevOps to truly effect transformational change. Technology professionals also realized they had to reach out to peers in other silos and collaborate with them in all three areas in order to truly succeed -- and that if the changes were done courageously, with empathy, embracing the new diversity of thought and methodology, things would be amazing. And they ARE.
Academia is facing similar challenges to innovate in the face of new challenges. As a fellow academic (or very recent academic! I still feel like a member of the tribe), I felt these pressures. Perhaps we can look to DevOps methodologies for inspiration and ideas to innovate at velocity. It will take more than just tools, it will take novel practices and collaboration with peers we haven't traditionally worked with.
Endpoint threats have entered a new era, and the security industry has been rushing to catch up. The result is a highly fragmented and confusing market that has doubled in size to over 70 vendors in the last four years. We're in the midst of the second great endpoint security consolidation and will discuss precisely what that means. We'll discuss six progressive stages endpoint security will work through as this market continues to mature over the next five years or so.
Cloud, DevOps and the New Security Practitioner | Adrian Sanabria
First presented at Cloud Security World in Boston on June 15th, 2016.
Once upon a time, walls were erected between the Linux/UNIX crowd, Windows admins and the mainframers. Each architecture had its place and its experts, and they rarely mixed. This time around, we didn’t just get a new domain, we got a new way of doing IT and running businesses. Cloud has created new opportunities and DevOps has capitalized on them. The result of this combination is so unrecognizable that it isn’t uncommon to see IT organizations split down the middle by the new and old approaches. As DevOps continues to gain in popularity, the same split is occurring in the security workforce. Will the traditional security practitioner be in danger of becoming obsolete?
Even though large breaches have hit headline news in years past, some companies are still on the fence about investing in cybersecurity. As a security practitioner (or jack of all trades) how can you be expected to cover your assets with zero budget? Thankfully, there are plenty of open-source tools out there that will allow you to secure your organization. Come join me as I discuss how you can track your network assets, perform vulnerability assessments, prevent attacks with intrusion prevention systems, and even deploy HIDS. We will also jump into finding sensitive data and PII in your network, as well as incident response tools and automation. All it costs is your time (and maybe a VM or two). You really can drastically improve the security posture of your network with little to no budget, and you’ll have fun doing it! OK, maybe it won’t be fun, but at least you’ll learn something, right?
Outpost24 webinar - The economics of penetration testing in the new threat la... | Outpost24
Penetration testing has long been a tried and tested method to simulate an attack against companies’ IT systems to find exploitable vulnerabilities before anyone does. But is the price tag worth it?
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon | Tom Stiehm
DevSecOps adds on to DevOps by making Application Security part of the daily workflow of the team in order to improve the quality and security of a product. Shifting AppSec practices left is the key enabler to making AppSec a first-class citizen in the development effort rather than an afterthought with limited ability to be successful.
Failure is inevitable but it isn't permanent | Tom Stiehm
Agile Transformation is harder than it needs to be because we often find ways to consciously or subconsciously sabotage our efforts. If we can recognize this behavior, it is possible to intervene and make a change for the positive.
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows... | Adrian Sanabria
There are over 100 endpoint security products that claim to stop malware and other attacks against Windows. Nearly every major security incident or breach that has made media headlines had two things in common: Windows running one of these 100 products. This workshop won't spend any time bashing vendors, however. In fact, many of these products can be valuable assets when part of a more comprehensive endpoint protection strategy.
Part one of this workshop will address the anatomy of malware and why it succeeds so often.
The second part will dive down into practical defensive strategies, including passive prevention, detection, response, and remediation.
- Passive prevention is effectively free and ideal
- Prevention will always fail a percentage of the time, so detection is essential
- Response, if practiced and efficient, has a chance of stopping attacks before they reach their goal
- Remediation, because someone has to clean up this mess...
Every successful security strategy includes planning to handle failure quickly and effectively.
The remainder of the workshop will be hands-on.
Part three will review the native defensive capabilities in Windows and the pros/cons associated with using them.
For the finale, brave and trusting attendees will be invited to run neutered malware on the virtual Windows systems provided for this workshop to test out our newfound defensive skills. If not, there's no shame in watching your neighbor infect themselves with ransomware as you take notes.
DevSecOps Personas – what Developers, Security, and Operations think when it comes to people/tech/processes/culture when it comes to rolling out DevSecOps programs.
Each of these teams has different drivers, ambitions, blockers, and challenges when it comes to a successful DevSecOps program. As Dale Carnegie said, ‘The only way to get anyone to do anything, is to make them want to do it’ - all the tech and process in the world isn’t going to make it successful if the people and culture (and heart) are not in it. So let’s share what we’ve seen from 100s of company interactions, understand better where everyone is coming from, and how to approach a DevSecOps program that can move the needle like Marty McFly playing Doc Brown’s guitar. We’d love this to be interactive, so bring your stories and questions.
Gary's Bio
Gary Robinson has been working in software and cyber security for 20+ years, as a coder, pen tester, consultant, Security Architect at Citi, Global Board member at OWASP, and heading up Uleska to focus on DevSecOps for the last 5 years. Gary’s focused on the people, process, technology, and culture aspect of DevSecOps – as someone who’s worked in all three spaces during his time – and what drivers, blockers, etc each experience with ‘DevSecOps’, ‘shift-left’, ‘secure by design’, and the rest.
--------
Find out more about us www.uleska.com/
Follow us on LinkedIn https://www.linkedin.com/company/uleska/
Follow us on Twitter https://twitter.com/uleska_sec/
2016 - Safely Removing the Last Roadblock to Continuous Delivery | devopsdaysaustin
Presentation by Shannon Lietz
Software needs to be awesome, resilient, available and “secure”, but Security has long been a big roadblock to fast deployments and software improvement. What if it wasn’t?
Continuous delivery requires operational functions to shift left and for an iterative approach to be taken. Security has not been easy to shift left and taking an iterative approach requires everyone to take responsibility. With a continuous security approach and everyone in the Software Supply Chain taking on the tasks of including security, it's possible to achieve Rugged Software. This talk aims to provide a journey towards this approach and provide the path.
Outpost24 webinar: Turning DevOps and security into DevSecOps | Outpost24
DevOps is a revolution starting to deliver. The “shift left” security approach is trying to catch up, but challenges remain. We will go over concrete security approaches and real data that overcome these challenges.
It takes more than adding “hard to find” security talent to your DevOps team to reach DevSecOps benefits. Our discussion focuses on the practical side and lessons-learned from helping organizations gear up for this paradigm shift.
A high level introduction to DevOps. Explains what it is, how popular DevOps has become, why DevOps is popular, how DevOps differs from traditional approaches and some next steps to implementation.
A talk about DevOps that I gave at a SysARmy meetup while visiting MuleSoft's Buenos Aires DevOps team. I've been thinking a lot recently about what DevOps is, what it means to be a DevOps Engineer (or in my case a DevOps Engineering Manager). Putting this together was really helpful to clarify some ideas I've been kicking around.
DevOps continues to be a buzzword in the software development and operations world, but is it really a paradigm shift? It depends on what lens you view it through.
Roman Garber, an active software security engineering and software team lead thinks so. Ed Adams, Security Innovation CEO, a 20-year software quality veteran and former mechanical engineer, curmudgeonly disagrees.
In 2009 Patrick Debois coined the term "DevOps" when he organised the first "DevOpsDays" in Ghent, Belgium. Since then the term has become a term to explain the collaboration between all organisational stakeholders in IT projects (developers, operations, QA, marketing, security, legal, …) to deliver high quality, reliable solutions where issues are tackled early on in the value stream.
But reality shows that many businesses that implement "DevOps" are actually talking about a collaboration between development, QA and operations (DQO). Solutions are being provided but lack the security and/or legal regulations causing hard-to-fix problems in production environments.
In this talk I will explain how the original idea of Patrick to include all stakeholders got reduced to development, QA and operations and why it's so difficult to apply security or compliance improvements in this model. I will also talk about ways to make the DQO model welcoming for security experts and legal teams and why "DevSecOps" is now the term to be used to ensure security is no longer omitted from the value process.
Finally we'll have a vote on whether we keep the term "DevOps" as an all-inclusive representation for all stakeholders or if we need to start using "DevSecOps" to ensure the business understands it can no longer ignore the importance of security.
Top concerns that we hear from customers are “How can we release on-time?”, “How can we have a stable release?” We answer them in a simple one-liner, “Embrace DevOps”
Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C... | Dan Cundiff
DevOps should not be thought of as a frontier where cowboy developers are free to ignore security and do what they want to. When applied appropriately, pioneering DevOps in your organization can lead to improved security outcomes across development and operations work. I’ll share real world examples how facets of DevOps culture, tools, and techniques can be directly mapped to many aspects of security.
Dev secops indonesia-devsecops as a service-Amien Harisen | Nadira Bajrei
DevSecOps has been gaining popularity in recent years, thanks to the rapid expansion and adoption of DevOps. Traditional penetration testing is considered a blocker in a rapid CI/CD deployment. So integrating security in a seamless manner is considered an important upgrade to the DevOps environment.
However, the traditional DevSecOps requires a huge amount of time, money and effort to implement. Traditional and DevSecOps principle is a culture that depends on teamwork between the Dev, Sec, and Ops teams, which in real-life situations is pretty difficult to realize.
This talk is about how to minimize the whole effort to implement DevSecOps in the current DevOps environment.
Talk in TechParty 2019.
The word DevOps is itself a combination of two words: one is Development and the other is Operations. It is neither an application nor a tool; instead, it is just a culture to promote the development and operations processes collaboratively.
In other words, we can say that DevOps is the process of alignment of IT and development operations with better and improved communication.
This presentation by Morris Kleiner (University of Minnesota), was made during the discussion “Competition and Regulation in Professions and Occupations” held at the Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found out at oe.cd/crps.
This presentation was uploaded with the author’s consent.
This presentation, created by Syed Faiz ul Hassan, explores the profound influence of media on public perception and behavior. It delves into the evolution of media from oral traditions to modern digital and social media platforms. Key topics include the role of media in information propagation, socialization, crisis awareness, globalization, and education. The presentation also examines media influence through agenda setting, propaganda, and manipulative techniques used by advertisers and marketers. Furthermore, it highlights the impact of surveillance enabled by media technologies on personal behavior and preferences. Through this comprehensive overview, the presentation aims to shed light on how media shapes collective consciousness and public opinion.
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives... | Orkestra
UIIN Conference, Madrid, 27-29 May 2024
James Wilson, Orkestra and Deusto Business School
Emily Wise, Lund University
Madeline Smith, The Glasgow School of Art
Acorn Recovery: Restore IT infra within minutes | IP ServerOne
Introducing Acorn Recovery as a Service, a simple, fast, and secure managed disaster recovery (DRaaS) by IP ServerOne. A DR solution that helps restore your IT infra within minutes.
0x01 - Newton's Third Law: Static vs. Dynamic Abusers | OWASP Beja
If you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it to their own needs. In this talk we'll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your counter-measures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
Have you ever wondered how search works while visiting an e-commerce site, internal website, or searching through other types of online resources? Look no further than this informative session on the ways that taxonomies help end-users navigate the internet! Hear from taxonomists and other information professionals who have first-hand experience creating and working with taxonomies that aid in navigation, search, and discovery across a range of disciplines.
Eureka, I found it! - Special Libraries Association 2021 Presentation
DevOps and the Future of InfoSec
1. DevOps and the Future of InfoSec
Darin Morris
@techdevdarin
in/darinmorris
2. What we’re going to talk about
In General:
Thoughts I’ve had around DevOps and Security
In Particular:
1. What it really means to do DevOps
2. How “doing DevOps” affects how we secure Data and Computer-centric Information Systems
3. Motivation for this talk
Many reasons, but some of the more major reasons are:
• I want “information technology practitioners” to become more professional, more productive and happier at work.
• Information systems need to be of higher quality and delivered faster – we need to really understand the DevOps philosophy to do that well.
• Security is often an afterthought in the IT systems lifecycle – that needs to change.
• We need a common language – not buzzwords.
7. Fun facts about me
“SiliconCape Native”
Most used programming languages: C#, JavaScript
First PC: Pentium 1 with Windows 95
First programming language: Java (JDK 1.3)
8. Professional background
• I’m a self-taught “Technologist” and I solve problems using technology.
• I've been a founder, manager, team lead and software engineer, in various sectors, and in teams of different shapes and sizes.
• Microsoft Certified Professional
• Certified ScrumMaster
• In the process of completing CSSLP, ITIL and ISTQB certifications.
• Member of a number of professional IT associations and bodies i.e. OWASP, ISACA, IITPSA
• Fulltime full stack software engineer for the past 13 years, primarily focussed on web and cloud-native software.
10. Does this sound like your role?
• Sales or Relationship Management
• Marketing
• Finance
• Leadership (C-Suite)
• Human Resources
• Business Analyst / Big Data Analyst
• General Administrator
• In-house Legal
11. Does this sound like your role?
• Project Manager or Coordinator
• Product Manager/Owner
• Software Architect
• Software Engineer
• Test Engineer
• Provision and Manage IT Infrastructure (IT Ops)
• Dedicated Security or Compliance
• Something else?
19. Myth #1: DevOps replaces Agile
• DevOps Principles and Practices are compatible with Agile
• DevOps is a logical continuation of Agile
• Agile serves as an effective enabler of DevOps
20. Myth #2: DevOps is incompatible with ITIL
• Can be made compatible - many areas just become automated.
21. Myth #3: DevOps is incompatible with InfoSec and Compliance
• Controls are integrated into every stage of daily work of the SDLC resulting in better quality and security and compliance outcomes.
Image credit: Checkmarx Software Exposure platform (www.checkmarx.com)
22. Myth #4: DevOps means eliminating IT Operations
• Rarely the case. Nature of IT Operations work just changes.
• Collaborates far earlier in SDLC with development.
• Enables developer productivity through APIs and self-service platforms that create environments, test and deploy code, monitor and display production telemetry, etc.
• IT Ops become more like Development i.e. engaged in product development for developers.
23. Myth #5: DevOps is just Infrastructure as Code
• “DevOps isn’t about automation, just as astronomy isn’t about telescopes” - Christopher Little
24. What DevOps really boils down to
DevOps is about Team Work that enables efficient creation of value
25. Not convinced? Read these books!
Gene Kim, Patrick Debois, John Willis, Jez Humble, Kevin Behr, George Spafford
27. Security and DevOps - DevSecOps?
1. Security is fundamentally about mitigating risk (i.e. you’ll never be 100% secure).
Image Credit: The Cyber Security Hub
28. Security and DevOps - DevSecOps?
2. Mitigating risk is enabled by maintaining integrity, availability and confidentiality.
Image Credit: University of Toronto, Security Matters
29. Security and DevOps - DevSecOps?
3. Security principles haven’t changed, the way we implement security has.
30. We must focus on Security Principles
Security:
• Fail Securely
• Minimize attack surface
• Least Privilege
• Auditing
• Keep Things Simple (Economy of mechanism)
• Confidentiality
• Psychological Acceptability
• Availability
• Single Point of Failure
• Defense in Depth
• Leverage Existing Components
• Open Design
• Complete Mediation
• Separation of duties/privilege
• Integrity
32. Key Take-aways!
1. DevOps is primarily about a culture of teamwork that enables efficient creation of value at all levels of an organization.
2. Security principles haven’t changed, security and compliance just happens more often and at more localized scale.
Aims:
1.1. Cover key principles.
1.2. Take audience on a journey to my AHA moment.
2. Delve into the impact of DevOps on security
Clarify Terms and Concepts (Information Technology, Technology, DevOps, QA, Security)
Provoke reflection on the way the audience currently does work and thought about what can be done better.
Drive home the importance of security in software
Is a pen and paper information technology?
Disclaimer 1:
I’ve been thinking about this stuff a lot lately, but I’m probably ignorant to something.
There is enough content to write about, never mind a short talk.
Disclaimer 2:
There is potentially a lot we could cover, but we have very little time.
I make joke. Har har.
Answer: False
Reason: DevOps isn't any single person's job. It's everyone's job.
DevOps is a lot like the Standard Model of particle physics.
Agile Toronto Conference 2008
Patrick Debois coined the term DevOps when he organized the first DevOpsDays conference in 2009.