This document discusses the concepts of DevSecOps at a high level. It begins with a brief history of development methodologies, from Waterfall to Agile, and how Ops became a bottleneck. This led to trends in Agile Operations and collaboration between Dev and Ops, known as DevOps. DevSecOps expands this to incorporate security. It discusses the importance of culture, processes, and technologies for effective communication, automation, and collaboration across Dev, Ops, and Security. The goal is to enable organizations to deliver inherently secure software at DevOps speed through a high-trust environment and automated security pipelines integrated into the software development lifecycle.
10. Agile Ops Anyone?
Two major related trends:
1. Agile Operations/Infrastructure
2. Collaboration between dev and ops
Ultimately led to the first DevOpsDays in 2009…
11. So, what is DevOps?
• Set of principles and practices for efficient communication and collaboration. (Culture)
• Automated deployment pipeline. (Processes)
• Supporting tool chain. (Technologies)
“[…] it seems as though the problems are just between dev and ops, but test is in there, and you have security objectives. These are top-level concerns of Management […] and have become part of the DevOps picture.
In other words, when you hear "DevOps" today, you should probably be thinking DevOpsQATestInfoSec.”
- Gene Kim
15. Security challenges in DevOps
• It is clear why companies are moving to DevOps
…but how can security keep up with this?
Source: https://xebialabs.com/assets/files/whitepapers/ITRev_DevOps_Guide_5_2015.pdf
18. Culture
• Communication and transparency
• High-trust environment (“blameless postmortem”)
• Continuous improvement
• Everyone is responsible for security
• Automate as much as possible
• Everything as code
19. Culture:
Open Space Ideas
• How did your org switch to Dev(Sec)Ops?
• Continuous Improvement (Kaizen)
• What are you automating at the moment?
25. Processes:
Open Space Ideas
• How are you managing security requirements?
• How are you building security into the SDLC?
• AppSec Pipelines in the wild
• ChatSecOps
28. Technologies:
Open Space Ideas
• Scaling security requirements
• TDD and security in testing
• Which *AST technologies have you been using?
• Experience with IDE Plugins
• Environment management (Dev/Prod parity)
• Configuration management (configuration drift)
• Patch Management and deployment strategies (e.g. Phoenix)
Architecting Enterprise wide security programs
Integrating security activities into the SDLC
Achieving security at DevOps speed
How many of you were at DevOpsDays Singapore last year?
We security guys typically only mingle in dedicated security meetups and conferences and talk about the latest way of how to break stuff, but as most of my work is spent in development teams I really enjoy the conversations with people that build software, and I don’t just mean devs. So when I heard that DevOpsDays was being hosted in Singapore I was very excited; their line-up of speakers was fantastic, and we even had John Willis giving a keynote. As with every DevOpsDays conference, the whole afternoon was dedicated to open space topics, and I was really keen to know how others are integrating security into agile and DevOps. The topic was eventually selected and I counted 40+ people that joined the session. And even though we had some people share their experiences, what really struck me was the fact that so many people were genuinely interested in how to integrate security, but there weren’t many concrete answers given. So that’s why, in the spirit of DevOps, I wanted to contribute to the community and created devsecops to achieve exactly that: find solutions that help create secure applications at the speed of DevOps.
WIP: Work that you have started, but that isn’t completed yet.
Infrastructure wasn’t able to deal with rapid changes coming out of production
Understanding of the value of throughout SDLC
And since then it has spread around the globe.
Starts with agile, but goes well beyond
Amplify Feedback loops
And everyone’s job is to enable the business!
In fact, many believe that it’s not a matter of if your company is adopting devops, but when.
This is quite interesting because DevXOps is still evolving, especially in the area of DevSecOps.
The exciting thing is that DevSecOps is still very young, and great new ideas about how to improve things are being discovered daily.
Every single conversation we have can push the envelope.
“DevOps works because dev and ops teams understand each other better and can make more informed decisions. Rather than solving problems in silos, they’re solving for the stream of activity and the goal. If you show DevOps teams how security can make them better, then as a reciprocation they tend to ask, ‘Well, are there any choices we make that would make your life easier?’”
Companies like the Etsy online marketplace have also demonstrated that providing an environment in which it's safe to talk about failure makes it much more likely that problems are discovered early and information gets shared more quickly and more widely.
Josh is talking about how the culture of transparency and sharing information between teams has allowed the development and operations teams to better understand where the other team is coming from, allowing everyone to be on the same page. Especially in an environment where speed is of utmost importance, knowing exactly what is going on at any given time is going to be essential for the health of the organization as a whole.
Transparency is an essential part of the DevSecOps world, and security processes and monitoring have to be visible to all stakeholders if security is going to thrive in a DevOps world.
See more at: https://www.checkmarx.com/2015/11/13/devsecops-4-best-practices-the-pros-teach-us-about-security-and-devops/?utm_content=buffer04d69&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer#sthash.mRgdPnKn.dpuf
You don’t start with
Everyone is responsible for security, make it easy to “win”
In order to deliver inherently secure applications at DevOps speed, we need to have team members who embrace security.
Failing unit tests
Fix things quickly.
Metrics
An AppSec Pipeline takes the principles of DevOps and Lean and applies them to an application security program.
We could probably spend the next 6 sessions talking about this alone
You don’t start with
A quick word on *AST: it only covers about 50% of the potential findings. It’s important to understand what these tools can identify and what they can’t.
(RUNTIME APPLICATION SELF-PROTECTION)
You don’t start with
So in order for DevSecOps to live up to its full potential and enable organisations to deliver inherently secure software at DevOps speed, Culture, Processes and Technologies have to come together as one towards the same goal.
Thank you