@petecheslock
Pick Any 3: Good, Fast, or Safe
DevOps from Scratch
Who Am I?
Pete Cheslock
@petecheslock
Technical Operations at Threat Stack
GOOD
FAST
SAFE
Companies are Choosing Speed Over Security
52% of Companies Admit to Sacrificing Security for Speed
64% of Sales professionals say they have had a deal slowed down by insufficient security
Let Threat Stack Help You Build a Cloud SecOps Program
What Even is The DevOps?
DevOps is
Anything Your Heart Desires
http://html5zombo.com/
Let’s Talk About the
Bad Old Days
The Bad
Old Days
Software
Devs would rarely even have access to production systems…
…which means Ops would have to take the code and install it based on Dev’s instructions.
The Bad
Old Days
Infrastructure
Lead time for new servers would be measured in weeks (best) or months (worst).
Code could be ready before servers were available.
Long feedback loops in running code on actual hardware, wasted time and money.
Traditional Thinking
Dev’s job is to add new features
Ops’s job is to keep the site stable and fast
Development: “I want change!”
Wall of Confusion
Operations: “I want stability!”
Devs, Ops, Security
Wall of Confusion
DevOps
Operations’ job is NOT to keep the site stable and fast.
Operations’ (and Dev’s) job is to enable the business.
Lowering the risk of change through Tools & Culture
This is a Story in Three Acts
ACT ONE: Optimize for ease of software deployment.
ACT TWO: Metrics are a first class citizen.
ACT THREE: Ownership and Accountability.
Software Deployment
Simplify the act of getting new software to Customers.
Iterate and improve upon that process.
Leverage tools like Canary Deployments and Dark Shipping.
Ship the code when it’s “Ready”.
Software Deployment
COMPILE YOUR SOURCE
BUILD A PACKAGE
SIGN THE PACKAGE
TEST THE PACKAGE
DEPLOY THE PACKAGE
THIS IS KIND OF IMPORTANT
What even IS ready?
Ready means…
Reviewed by other engineers
Passed a series of unit, integration, and functional tests
Reviewed to ensure that it meets other business or security requirements
What About Metrics?
“If you want metrics for your apps - send your data here”
Ops’ responsibility is to build the systems and make them easy to use.
Dev’s responsibility is to instrument their application to understand performance.
collectd -> write_graphite -> statsd_plugin
app1 app2 app3
Graphite
Metrics
Devs AND Ops work together to ensure we are using the right instance types for the workloads.
How do we know this is working?
Ownership & Accountability
Operations owns the infrastructure
We own the overall health of the infrastructure.
Ensure we are making the right choices for Scalability, Availability, and Cost.
We build the tools that enable teams to deploy, manage, and update their applications.
Ownership & Accountability
Development owns their applications
They are on-call and get paged when their application runs into problems.
They manage the life of the service from idea to deployment and scaling.
Everyone cares about the health of Threat Stack
How we do DevOps
Ops needs to trust Dev to involve them in feature discussions.
Devs need to trust Ops to discuss infrastructure changes.
Everyone needs to trust that everyone is doing their best for the business
What About DevOpsSec?
SecDevOps?
OpsDevSec?
DevSecOps?
OpsDevSec?
How to Integrate SecOps?
Similar to integrating Dev and Ops teams.
Adding Security into the mix - leverage your shared tools and processes.
Threat Stack uses Threat Stack to protect Threat Stack.
“Abrasive individuals will single-handed do more to undermine the security brand and culture at your company than anything else.”
- Rich Smith (Etsy)
https://speakerdeck.com/iodboi/crafting-an-effective-security-organisation-kiwicon-8
The best security culture is collaborative not prescriptive.
Thank You
threatstack.com

DevOpsDays - Pick any Three - Devops from scratch