This document discusses the evolution of security practices to enable secure innovation at speed and scale through a DevSecOps approach. It outlines how traditional security controls can be transformed into self-aware, self-reporting components that integrate seamlessly into the DevOps pipeline. Specific examples are provided for how perimeter testing, configuration management, encrypting sensitive data, access management, and multi-factor authentication can move from annual certifications to continuous monitoring and enforcement. The document advocates for collaboration, experimentation, and a focus on simplicity and automation to evolve security practices for DevOps.
DevSecCon KeyNote London 2015
1. LONDON 2015. Join the conversation #devseccon
Securing Innovation @ Speed & Scale via DevSecOps
DEVSECCON LONDON 2015
@devsecops
2. Who am I?
• 25+ yrs Technology & Security Experience
• Background in Security R&D
• Working with the Cloud before it was called the “Cloud”
• Manage teams using DevOps, Agile & Scrum
• Incident Response & Crisis Management
-- FOUNDER --
3. The Race for Competitive Advantage…
Indicators that demonstrate change:
• Tailoring business to the needs of customers to achieve large-scale business returns is driving Cloud & DevOps adoption
• Small businesses and entrepreneurs are enabled to compete in complex business models with boutique appeal against Enterprises
• High performing teams are being developed and incubated in Enterprises to mimic the DevOps teams found in Start-ups.
4. Startups on the Rise in 2015…
From 1996 to 2015:
• Increase in Startups in 2015 shows a rebound
• Entrepreneurs over 55 have nearly doubled
• Significant rise in Immigrant Entrepreneurs
• New Entrepreneurs are on the rise again
• More men than women are becoming first-time Entrepreneurs
Source: kauffman.org
5. DevOps Growth…
Google Trends
• DevOps.com was bought in 2004
• Google searches for “DevOps” started to rise in 2010
• Major influences:
  • Saving your Infrastructure from DevOps / Chicago Tribune
  • DevOps: A Culture Shift, Not a Technology / Information Week
  • DevOps: A Sharder’s Tale from Etsy
  • DevOps.com articles
• RuggedSoftware.org was bought in 2010
https://www.google.com/trends/
6. Cloud Security Boom…
• Cloud Platform security features are on the rise the last few years
• Security in the Cloud is becoming the norm
• Default configurations are still not quite there but will become the focus with growing thought leadership
• Cloud Providers must solve for providing security features that scale
• Security teams need to learn to use these features quickly
[Chart residue: year axis 2007 to 2015 with rising values 48, 61, 82, 159, 280, 514 and “?” for the latest year; source: AWS re:Invent 2015]
7. Big Data?
• Reflecting on this 2013 article
• Devices & IoT drive bigger data
• Instrumentation <- Security needs this
• Asset management & monitoring
• Service Support
http://www.enterprisecioforum.com/big-data-case-study-utilities/
8. DevOps increases speed & scale…
This collaborative effort can help DevOps-led projects make IT operational metrics 100 times better, and in so doing offers “an evolutionary fork in the road” which could lead to the “end of security as we know it,” added Joshua Corman – founder of Rugged DevOps and I am the Cavalry.
http://www.infosecurity-magazine.com/news/infosec15-devops-end-of-security
9. So what hinders “secure” innovation @
speed & scale?
1. Friction for friction’s sake
2. Manual processes & meeting culture
3. Point in time assessments
4. Decisions being made outside of value creation
5. Contextual misunderstandings
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)
10. And then there’s… Security &
Compliance!
• The discipline is very complex
• The majority of the security
industry is vendor-dependent
• Requires Meetings,
Appointments, and Point in
Time evaluations with low
context
• Requirements are dependent
on what is developed
• The art of “No” has
become its own science
11. Can Security evolve?
[Diagram: overlapping Ops, Sec and Dev circles, labelled AppSec]
• Security as Code
• Self-Service Testing
• Red Team/Blue Team
• Inline Enforcement
• Analytics & Insights
• Detect & Contain
• Incident Response
• Investigations
• Forensics
12. What’s the DevSecOps Mission?
…creating targeted customer value
through secure iterative innovation
at speed & scale …
Security is
Everyone’s
Job!
13. What should we value to evolve Security
for DevOps?
Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
In essence, don’t waste people’s time with
Fear -> Uncertainty -> Doubt
devsecops.org
14. Imagine adding Security into the DevOps
pipeline…
[Diagram: Security Self-Service. Skills across the pipeline: Biz, UX, Dev, Data Science, App Sec, Sec Eng, Comp Ops, Sec Ops, Ops, Training. Layers: Software & Infrastructure Platforms; Software Components & Resources; YOUR APP STACK GOES HERE; Operational Tools & Monitoring. Foundation: collaboration, partnership, value creation, self-service (DevOps, Agile, Scrum, Cloud).]
15. The Art of DevSecOps (Security View)
[Diagram: DevSecOps in four quadrants]
• Security Engineering: Experiment, Automate, Test
• Security Operations: Hunt, Detect, Contain
• Compliance Operations: Respond, Manage, Train
• Security Science: Learn, Measure, Forecast
16. Can we make it simple? Yes!
• Smaller Teams
• Smaller Services
• Smaller Failures
• REST APIs drive culture
• Customer focus
• Deep problem understanding throughout org
• Deliberate dedication to solving and simplifying tech challenges
• Products and Services have security built-in along the supply chain
• Security removes barriers and roadblocks as self-service for DevOps
• Managers map, magnify and multiply to create culture blast radius
17. How can we get started?
Small Project
Approach is tailored to small experiments and pipeline testing.
Pros:
• Requires DevOps Approach
• Fast failures
• Team learns to collaborate
• Higher Productivity, Less waste
Cons:
• Skill shortages
• Team needs vision to avoid micro-focus churn
Migration
Approach allows organization to map and adjust for what they already know.
Pros:
• Allows companies to keep operating while teams figure out what’s needed
Cons:
• Overload
• Can be slower to accomplish completion
• Failures can become complex
Big Project
Approach is “all-in” and used to transform an organization as a whole.
Pros:
• Firm commitment alleviates political back and forth
• Focus & All-in Speed
Cons:
• Bigger Failures
• Difficult for everyone to learn from mistakes and experiments
18. Small Project -> The Provocation
How can we transform a control into a self-aware, self-reporting, self-healing component that can
be consumed at speed & scale?
Our challenge is to begin the process of creating self-aware and self-reporting components. This
can be achieved using configuration management tools, open source and log management systems.
Let’s work with the IA controls from NIST 800-53 today and use the implementation of MFA as an
example. IA-2 (through its enhancements) calls for multi-factor authentication, which some
software-defined environments offer as a platform feature. Let’s look at how we can enable MFA
within our stack and the different use cases that are present and require security baseline components.
Questions to answer:
1. How can baseline components be shared and extended?
2. Once the component is ready to be used, implemented, then what?
3. What about the feedback loop?
4. What is the best way to create an automated report that is continuously built and maintained?
5. How can we report across a full-stack?
6. What tools can assist?
[Diagram: FW ? / Web ?]
Compliance at Velocity (https://medium.com/compliance-at-velocity)
19. Migrations -> One foot in… One foot
out...
[Diagram. Traditional IT & Security: FW/IDS in front of Web / App / DB tiers. DevOps + DevSecOps: FW/IDS in front of ELB / App / DBaaS.]
20. Big Project -> The Hail Mary
[Diagram. Traditional IT & Security vs. DevOps? + DevSecOps?: both sides show the same FW/IDS in front of Web / App / DB tiers, duplicated. Caption: What is this?]
21. Why is approach so important?
• API key exposure -> 8 hours
• Default configs -> 24 hours
• Security groups -> 24 hours
• Escalation of privileges -> 5 days
• Known vulnerability -> 8 hours
22. So let’s recap before we move on to
examples…
DevSecOps needs:
• Active Collaboration
• High Engagement
• Experimentation
• Open Contribution
• Fail Fast Culture
• Ability to adapt and learn
• DevOps Understanding
• Focusing on Simplicity
23. Perimeter Testing
THEN
Control: PCI DSS 1.1.1 – Approve/Test/Detect firewall changes
Labor: 40 hours/Annually
Tools: Excel, Text Pad, Open Source or Commercial Config Management
Measure: Certify annually
Impact: High
NOW
Control: Scan API, ingest AWS Config/CloudTrail, trigger firewall audits and revert unapproved changes to heal to spec
Labor: 40 hours/First Year, 8 hours per yr maintain
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Detection, Mean time to Resolve
Impact: Depends on Resource
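The “heal to spec” loop above, as an added example that is not code from the talk: a security group observed through the EC2 DescribeSecurityGroups response shape is diffed against a declared baseline, and the result is the exact revoke/authorize calls that restore it. The group ID, CIDRs, baseline and the CloudTrail record are constructed sample data; `plan_heal` and `groups_to_audit` are this example’s own names.

```python
"""Heal an AWS security group back to its declared spec.

Added example (not code from the talk): the observed group is shaped like an
EC2 DescribeSecurityGroups response, the baseline is a hand-written spec, and
the output is the list of revoke/authorize calls that restore the spec. All
IDs, CIDRs and the CloudTrail record below are constructed sample data.
"""
from typing import Dict, Iterable, List, Set, Tuple

# (protocol, from_port, to_port, cidr); ports are -1 when the protocol is "-1" (all traffic)
Rule = Tuple[str, int, int, str]

# Constructed baseline: the only ingress this group may carry.
BASELINE_SPEC: Dict[str, Set[Rule]] = {
    "sg-0a1b2c3d4e5f60718": {
        ("tcp", 443, 443, "0.0.0.0/0"),
        ("tcp", 22, 22, "10.0.0.0/8"),
    },
}

# Constructed observation: someone widened SSH and added an allow-all rule.
OBSERVED = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0a1b2c3d4e5f60718",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"},
                              {"CidrIp": "0.0.0.0/0"}]},
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            ],
        }
    ]
}

# CloudTrail event names that should trigger an audit of the touched group.
TRIGGER_EVENTS = {
    "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
    "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}


def flatten(permissions: Iterable[dict]) -> Set[Rule]:
    """Expand nested IpPermissions into a flat, comparable set of rules."""
    rules: Set[Rule] = set()
    for perm in permissions:
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
        for ip_range in perm.get("IpRanges", []):
            rules.add((proto, lo, hi, ip_range["CidrIp"]))
    return rules


def to_permission(rule: Rule) -> dict:
    """Turn a flat rule back into the IpPermissions shape the EC2 API takes."""
    proto, lo, hi, cidr = rule
    perm = {"IpProtocol": proto, "IpRanges": [{"CidrIp": cidr}]}
    if proto != "-1":
        perm["FromPort"], perm["ToPort"] = lo, hi
    return perm


def plan_heal(observed: dict, spec: Dict[str, Set[Rule]]) -> List[dict]:
    """Diff observed ingress against the spec and return the API calls needed.

    Extra rules become revoke calls, missing rules become authorize calls; a
    group with no baseline at all is reported rather than touched.
    """
    actions: List[dict] = []
    for group in observed["SecurityGroups"]:
        gid = group["GroupId"]
        if gid not in spec:
            actions.append({"GroupId": gid, "Action": "alert",
                            "Reason": "no baseline for this group"})
            continue
        actual = flatten(group["IpPermissions"])
        for rule in sorted(actual - spec[gid]):
            actions.append({"GroupId": gid,
                            "Action": "revoke_security_group_ingress",
                            "IpPermissions": [to_permission(rule)]})
        for rule in sorted(spec[gid] - actual):
            actions.append({"GroupId": gid,
                            "Action": "authorize_security_group_ingress",
                            "IpPermissions": [to_permission(rule)]})
    return actions


def groups_to_audit(event: dict) -> Set[str]:
    """From a CloudTrail record, return the group IDs a change event touched."""
    if event.get("eventName") not in TRIGGER_EVENTS:
        return set()
    ids: Set[str] = set()
    params = event.get("requestParameters") or {}
    if "groupId" in params:
        ids.add(params["groupId"])
    resp = event.get("responseElements") or {}
    if "groupId" in resp:  # CreateSecurityGroup returns the new id here
        ids.add(resp["groupId"])
    return ids


if __name__ == "__main__":
    # Constructed CloudTrail record for the unapproved change.
    sample_event = {"eventName": "AuthorizeSecurityGroupIngress",
                    "requestParameters": {"groupId": "sg-0a1b2c3d4e5f60718"}}
    for gid in groups_to_audit(sample_event):
        for action in plan_heal(OBSERVED, {gid: BASELINE_SPEC[gid]}):
            print(action)
```

Each returned action maps one-to-one onto a boto3 call (`ec2.revoke_security_group_ingress(GroupId=..., IpPermissions=...)` and its authorize twin), so the same planner can run in “alert only” mode first and be switched to enforcement once the baseline is trusted; the timestamp gap between the CloudTrail record and the revert is the mean-time-to-resolve measure the slide asks for.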
24. Configuration Management/Baselines
THEN
Control: PCI DSS 2.2 – Develop & assure configuration standards for all system components
Labor: 40 hours/Annually/Per Major Component
Tools: Excel, Text Pad, Open Source or Commercial Config Management
Measure: Certify annually
Impact: High
NOW
Control: Track known-good CloudFormation stacks & AMIs; alert on or neutralize non-compliant/non-approved deploys
Labor: 40 hours/First Year, 1 hour per yr maintain/Per Component
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Detection, Mean time to Resolve
Impact: High
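The “alert or neutralize” side of that slide, as an added example and not code from the talk: CloudTrail RunInstances and CreateStack records are checked against a known-good AMI set and an approved CloudFormation template location, and each violation becomes a finding that names the principal, the resources and the neutralizing call. The AMI IDs, the template bucket and the records are constructed; `audit`, `check_run_instances` and `check_create_stack` are this example’s own names.

```python
"""Alert on or neutralize deploys that do not come from a known-good baseline.

Added example, not code from the talk: CloudTrail RunInstances and
CreateStack records are checked against an approved AMI set and an approved
CloudFormation template location, and each violation becomes a finding that
names the principal, the resources and the neutralizing API call. The
approved lists and the records below are constructed sample data.
"""
from typing import Callable, Dict, List

# Constructed baseline: AMIs we built ourselves, templates from our own bucket.
APPROVED_AMIS: Dict[str, str] = {
    "ami-0c0baseline01": "web-2015-09",
    "ami-0c0baseline02": "app-2015-09",
}
APPROVED_TEMPLATE_PREFIX = "https://s3.amazonaws.com/example-cfn-baselines/"

# Constructed CloudTrail records, trimmed to the fields this check reads.
EVENTS = [
    {"eventName": "RunInstances", "eventTime": "2015-11-03T14:01:12Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0c0baseline01"}]}},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa111"}]}}},
    {"eventName": "RunInstances", "eventTime": "2015-11-03T14:07:40Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/mallory"},
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0deadbeef"}]}},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0bbb222"},
                                                      {"instanceId": "i-0bbb333"}]}}},
    {"eventName": "CreateStack", "eventTime": "2015-11-03T15:22:05Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/mallory"},
     "requestParameters": {"stackName": "shadow-it",
                           "templateURL": "https://s3.amazonaws.com/someone-else/stack.json"}},
    {"eventName": "CreateStack", "eventTime": "2015-11-03T15:30:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"stackName": "web",
                           "templateURL": APPROVED_TEMPLATE_PREFIX + "web.json"}},
]


def _finding(event: dict, reason: str, resources: List[str], action: str) -> dict:
    return {"control": "PCI DSS 2.2", "eventTime": event["eventTime"],
            "principal": event["userIdentity"]["arn"], "reason": reason,
            "resources": resources, "neutralize": action}


def check_run_instances(event: dict) -> List[dict]:
    """Flag launches whose AMI is not on the known-good list."""
    requested = event["requestParameters"]["instancesSet"]["items"]
    launched = [i["instanceId"] for i in
                (event.get("responseElements") or {}).get("instancesSet", {}).get("items", [])]
    findings = []
    for item in requested:
        ami = item["imageId"]
        if ami not in APPROVED_AMIS:
            findings.append(_finding(event, f"unapproved AMI {ami}", launched,
                                     "ec2.stop_instances(InstanceIds=%r)" % launched))
    return findings


def check_create_stack(event: dict) -> List[dict]:
    """Flag stacks whose template was not pulled from the baseline bucket.

    An inline TemplateBody has no URL at all and is treated as unapproved too.
    """
    params = event["requestParameters"]
    url = params.get("templateURL", "")
    if url.startswith(APPROVED_TEMPLATE_PREFIX):
        return []
    reason = "inline template body" if not url else f"template outside baseline: {url}"
    name = params["stackName"]
    return [_finding(event, reason, [name],
                     "cloudformation.delete_stack(StackName=%r)" % name)]


HANDLERS: Dict[str, Callable[[dict], List[dict]]] = {
    "RunInstances": check_run_instances,
    "CreateStack": check_create_stack,
}


def audit(events: List[dict]) -> List[dict]:
    """Run every record through the handler for its event name."""
    findings: List[dict] = []
    for event in events:
        handler = HANDLERS.get(event.get("eventName"))
        if handler:
            findings.extend(handler(event))
    return findings


if __name__ == "__main__":
    for f in audit(EVENTS):
        print(f)
```

The `neutralize` string is deliberately the literal call a responder (or a later automation stage) would make; keeping it as data rather than executing it inside the detector is what lets the same component run in alert-only mode while the known-good list is still being built out.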
25. Encrypting Sensitive Data
THEN
Control: HIPAA 164.312(a)(2)(iv): Implement a mechanism to encrypt and decrypt electronic protected health information
Labor: 1 FTE minimum per 3 DevOps Teams
Tools: Commercial, Open Source
Measure: Certify annually
Impact: High
NOW
Control: Enforce encryption of all assets by platform or data classification tags; continuous enforcement and automated detection
Labor: 8 hours
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Detection, Mean time to Resolve
Impact: High
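Tag-driven enforcement as an added example, not code from the talk: a DataClassification tag maps each asset to the minimum encryption it needs (none, platform-managed key, customer-managed KMS key) and the inventory is checked against that. The tag name, classification values, inventory records and remediation text are constructed; `key_manager` stands in for what `kms.describe_key` reports as `KeyManager` (“AWS” or “CUSTOMER”), resolved beforehand.

```python
"""Detect assets whose encryption is weaker than their data classification needs.

Added example, not the talk's code: a DataClassification tag maps each asset
to a minimum encryption level (none, platform-managed key, customer-managed
KMS key); untagged assets are treated as internal rather than public, so a
missing tag cannot switch the check off. The tag name, the classification
values and the inventory records are constructed; key_manager stands in for
what kms.describe_key reports as KeyManager ("AWS" or "CUSTOMER").
"""
from typing import Dict, List

TAG = "DataClassification"
DEFAULT_CLASS = "internal"          # what an untagged asset is assumed to be
LEVEL = {"none": 0, "platform": 1, "cmk": 2}
REQUIRED = {"public": "none", "internal": "platform", "pii": "cmk", "phi": "cmk"}
REMEDIATION = {
    "ebs": "snapshot, copy with Encrypted=True and the required KmsKeyId, swap the volume",
    "s3": "put_bucket_encryption with the required SSE algorithm/KMS key",
    "rds": "snapshot, copy_db_snapshot with KmsKeyId, restore the instance",
}

# Constructed inventory, normalised from the per-service describe calls.
INVENTORY = [
    {"type": "ebs", "id": "vol-0a1", "encrypted": True, "key_manager": "CUSTOMER",
     "tags": {TAG: "PHI"}},
    {"type": "ebs", "id": "vol-0b2", "encrypted": True, "key_manager": "AWS",
     "tags": {TAG: "PHI"}},
    {"type": "s3", "id": "marketing-site", "encrypted": False, "key_manager": None,
     "tags": {TAG: "Public"}},
    {"type": "s3", "id": "customer-exports", "encrypted": False, "key_manager": None,
     "tags": {}},
    {"type": "rds", "id": "orders-db", "encrypted": True, "key_manager": "AWS",
     "tags": {TAG: "PII"}},
]


def required_level(tags: Dict[str, str]) -> str:
    """Classification tag -> minimum encryption level; unknown values fail closed."""
    cls = tags.get(TAG, DEFAULT_CLASS).lower()
    return REQUIRED.get(cls, "cmk")


def actual_level(asset: dict) -> str:
    """What the asset actually has, from its encryption flag and key owner."""
    if not asset["encrypted"]:
        return "none"
    return "cmk" if asset.get("key_manager") == "CUSTOMER" else "platform"


def evaluate(inventory: List[dict]) -> List[dict]:
    """Return one finding per asset whose encryption is below its requirement."""
    findings = []
    for asset in inventory:
        need, have = required_level(asset["tags"]), actual_level(asset)
        if LEVEL[have] < LEVEL[need]:
            findings.append({
                "id": asset["id"], "type": asset["type"],
                "classification": asset["tags"].get(TAG, f"(untagged -> {DEFAULT_CLASS})"),
                "required": need, "actual": have,
                "remediation": REMEDIATION[asset["type"]],
            })
    return findings


if __name__ == "__main__":
    for finding in evaluate(INVENTORY):
        print(finding)
```

Two choices carry the security weight here: an untagged asset defaults to the internal tier rather than to public, and a classification value the mapping does not recognise is held to the strongest level, so a typo in a tag produces a finding instead of silently relaxing the control.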
26. Access Management
THEN
Control: NIST 800-53 AC-2(12) – Monitor and report atypical usage of information system accounts
Labor: 1 FTE minimum
Tools: Commercial, Open Source
Measure: Certify quarterly, annually
Impact: High
NOW
Control: CloudTrail/AWS Config user attribution of use/abuse; ability to reduce team size and allow for smaller containers
Labor: 40 hours Dev, 8 hours Maintain
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Detection, Mean time to Resolve
Impact: High
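User attribution of atypical usage from CloudTrail, as an added example that is not code from the talk: a per-principal baseline of source IPs and sensitive API actions is learned from a training window, then each live record is attributed (IAM user, the role behind an assumed-role session, or root) and scored against that baseline. The records, IPs and ARNs are constructed; `UsageBaseline`, `principal_of` and `triage` are this example’s own names.

```python
"""Attribute CloudTrail activity to a principal and flag atypical account use.

Added example, not the talk's code: a per-principal baseline of source IPs
and sensitive API actions is learned from a training window, then each new
record is attributed (IAM user, the role behind an assumed-role session, or
root) and scored against that baseline. All records are constructed; the
userIdentity layout follows CloudTrail's documented fields.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Actions worth an alert the first time a principal uses them.
SENSITIVE_ACTIONS = {
    "CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
    "CreateLoginProfile", "DeleteTrail", "StopLogging", "ScheduleKeyDeletion",
}


def principal_of(event: dict) -> str:
    """Map a record to a stable identity string for attribution."""
    ident = event["userIdentity"]
    kind = ident.get("type")
    if kind == "Root":
        return "root@" + ident.get("accountId", "unknown")
    if kind == "AssumedRole":
        # The session ARN changes per session; the issuing role is stable.
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident.get("arn", "unknown")


class UsageBaseline:
    """What each principal normally does, and from where."""

    def __init__(self) -> None:
        self.ips: Dict[str, Set[str]] = defaultdict(set)
        self.actions: Dict[str, Set[str]] = defaultdict(set)

    def learn(self, events: List[dict]) -> None:
        for ev in events:
            who = principal_of(ev)
            self.ips[who].add(ev.get("sourceIPAddress", ""))
            self.actions[who].add(ev["eventName"])

    def score(self, event: dict) -> List[str]:
        """Return the reasons a record is atypical (empty list means normal)."""
        who = principal_of(event)
        reasons: List[str] = []
        if event["userIdentity"].get("type") == "Root":
            reasons.append("root credentials used")
        if who not in self.ips:
            reasons.append(f"never-seen principal {who}")
            return reasons
        src = event.get("sourceIPAddress", "")
        if src not in self.ips[who]:
            reasons.append(f"new source IP {src} for {who}")
        action = event["eventName"]
        if action in SENSITIVE_ACTIONS and action not in self.actions[who]:
            reasons.append(f"first use of sensitive action {action} by {who}")
        return reasons


def _rec(kind: str, arn: str, ip: str, action: str, **extra) -> dict:
    """Build a constructed CloudTrail-shaped record."""
    ident = {"type": kind, "arn": arn, "accountId": "111122223333"}
    if kind == "AssumedRole":
        ident["sessionContext"] = {"sessionIssuer": {"arn": extra["role"]}}
    return {"eventName": action, "sourceIPAddress": ip, "userIdentity": ident}


ROLE = "arn:aws:iam::111122223333:role/deploy"
ALICE = "arn:aws:iam::111122223333:user/alice"

TRAINING = [
    _rec("IAMUser", ALICE, "203.0.113.10", "DescribeInstances"),
    _rec("IAMUser", ALICE, "203.0.113.10", "RunInstances"),
    _rec("AssumedRole", "arn:aws:sts::111122223333:assumed-role/deploy/ci-1",
         "198.51.100.7", "RunInstances", role=ROLE),
]

LIVE = [
    _rec("AssumedRole", "arn:aws:sts::111122223333:assumed-role/deploy/ci-2",
         "198.51.100.7", "RunInstances", role=ROLE),            # normal
    _rec("IAMUser", ALICE, "192.0.2.44", "CreateAccessKey"),    # new IP + new action
    _rec("Root", "arn:aws:iam::111122223333:root", "192.0.2.44", "ConsoleLogin"),
]


def triage(baseline: UsageBaseline, events: List[dict]) -> List[dict]:
    """Attribute and score each record; return only the atypical ones."""
    out = []
    for ev in events:
        reasons = baseline.score(ev)
        if reasons:
            out.append({"principal": principal_of(ev), "action": ev["eventName"],
                        "sourceIP": ev.get("sourceIPAddress"), "reasons": reasons})
    return out


if __name__ == "__main__":
    base = UsageBaseline()
    base.learn(TRAINING)
    for hit in triage(base, LIVE):
        print(hit)
```

Attributing assumed-role sessions to the issuing role rather than the session ARN is what keeps the baseline small enough to be useful: a CI role that launches instances from one IP every few minutes looks like one principal, not hundreds, which is the “smaller containers” the slide is after.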
27. Multi-Factor Authentication
THEN
Control: NIST 800-53 IA-2 – The information system uniquely identifies and authenticates organizational users
Labor: 1 FTE minimum
Tools: Commercial, Open Source
Measure: Certify annually
Impact: High
NOW
Control: MFA built into APIs and cloud platforms can be exposed for authorization decisions
Labor: 1 hour per week
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Resolve
Impact: High
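The self-aware, self-reporting component asked for on the Small Project slide, worked for this IA-2/MFA case as an added example (not code from the talk): two evidence sources are checked, the IAM credential report (console users and the root account without an MFA device) and CloudTrail ConsoleLogin records (successful logins made without MFA), and the result is a machine-readable control report that a pipeline or dashboard can consume. The credential-report CSV and login records are constructed sample data; the report schema is this example’s own, and the `DENY_WITHOUT_MFA` policy is the widely used deny-unless-MFA condition pattern included here only to show MFA being exposed as an authorization decision.

```python
"""A self-reporting component for NIST 800-53 IA-2 (MFA) on an AWS account.

Added example, not the talk's code: two evidence sources are checked, the IAM
credential report (console users and the root account without an MFA device)
and CloudTrail ConsoleLogin records (successful logins made without MFA), and
the result is a machine-readable control report. The report CSV and the
login records are constructed sample data; the report schema is this
example's own, not an AWS or NIST format.
"""
import csv
import io
import json
from datetime import datetime, timezone
from typing import List

# Constructed credential report; real ones carry more columns than these.
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false
alice,arn:aws:iam::111122223333:user/alice,true,true,true
bob,arn:aws:iam::111122223333:user/bob,true,false,true
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,false,false,true
"""

# Constructed CloudTrail ConsoleLogin records.
CONSOLE_LOGINS = [
    {"eventName": "ConsoleLogin", "eventTime": "2015-11-03T08:00:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2015-11-03T08:05:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2015-11-03T08:09:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},   # failed, not counted
    {"eventName": "ConsoleLogin", "eventTime": "2015-11-03T23:40:00Z",
     "userIdentity": {"type": "Root", "userName": "root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
]

# Guardrail that turns the MFA fact into an authorization decision: deny
# everything except the calls needed to enrol a device when no MFA is present.
DENY_WITHOUT_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptMFASetupWhenNoMFA",
        "Effect": "Deny",
        "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                      "iam:ListMFADevices", "iam:GetUser", "sts:GetSessionToken"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def users_without_mfa(report_csv: str) -> List[str]:
    """Console-capable identities (password users and root) lacking MFA."""
    missing = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        has_console = row["password_enabled"] == "true" or row["user"] == "<root_account>"
        if has_console and row["mfa_active"] != "true":
            missing.append(row["user"])
    return missing


def logins_without_mfa(events: List[dict]) -> List[dict]:
    """Successful console logins where the MFA prompt was not satisfied."""
    return [e for e in events
            if e.get("eventName") == "ConsoleLogin"
            and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def control_report(report_csv: str, events: List[dict]) -> dict:
    """Evaluate IA-2 and emit a report; PASS only with no findings anywhere."""
    no_mfa_users = users_without_mfa(report_csv)
    no_mfa_logins = [{"user": e["userIdentity"].get("userName"), "at": e["eventTime"]}
                     for e in logins_without_mfa(events)]
    findings = ([{"type": "mfa_not_enrolled", "user": u} for u in no_mfa_users]
                + [{"type": "login_without_mfa", **hit} for hit in no_mfa_logins])
    return {"control": "NIST 800-53 IA-2",
            "status": "FAIL" if findings else "PASS",
            "generated_at": datetime.now(timezone.utc).isoformat(),
            "findings": findings,
            "enforcement": DENY_WITHOUT_MFA["Statement"][0]["Sid"]}


if __name__ == "__main__":
    print(json.dumps(control_report(CREDENTIAL_REPORT, CONSOLE_LOGINS), indent=2))
```

Run on a schedule (or on every ConsoleLogin event), the report answers the slide’s feedback-loop question directly: the enrolment list is the thing to fix, the login list is the evidence the fix is not yet complete, and the `enforcement` field records which guardrail is doing the blocking in the meantime. Root shows up under `password_enabled = not_supported`, so the check keys on the account name rather than the flag.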
Global Call to Action 2015
28. Get Involved and Join the Community
• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity
• Join Us !!!
• Spread the word!!!