DevSecOps - The big picture
Culture, Processes and Technologies on a high level
Stefan Streichsbier
Company: Vantage Point
Twitter: @s_streichsbier
Why?
A Brief History of DevOps
In the beginning there was…
Source: https://www.flickr.com/photos/37186408@N05/12162302775
Waterfall
• Long release cycles
• A lot of “WIP”
• Functional silos
• Incredibly rigid
…then there was Agile
Source: https://i.ytimg.com/vi/8Hedq2d1H44/maxresdefault.jpg
Agile
• Shorter release cycles
• Smaller batch sizes
• Cross-functional teams
• “Incredibly” agile
Suddenly Ops was the bottleneck
Agile Ops Anyone?
2 major related trends:
1. Agile Operations/Infrastructure
2. Collaboration between dev and ops
Ultimately led to the first DevOpsDays in 2009…
So, what is DevOps?
• A set of principles and practices for efficient communication and collaboration. (Culture)
• An automated deployment pipeline. (Processes)
• A supporting tool chain. (Technologies)
“[…] it seems as though the problems are just between dev and ops, but test is in there, and you have security objectives. These are top-level concerns of Management […] and have become part of the DevOps picture. In other words, when you hear "DevOps" today, you should probably be thinking DevOpsQATestInfoSec.”
- Gene Kim
DevSecOps
Target State
DevSecOps enables organisations to deliver inherently secure software at DevOps speed.
Security challenges in DevOps
• It is clear why companies are moving to DevOps
…but how can security keep up with this?
Source: https://xebialabs.com/assets/files/whitepapers/ITRev_DevOps_Guide_5_2015.pdf
3 key categories of DevSecOps
1. Culture
2. Processes
3. Technologies
Culture
Culture
• Communication and transparency
• High-trust environment (“blameless postmortems”)
• Continuous improvement
• Everyone is responsible for security
• Automate as much as possible
• Everything as code
Culture:
Open Space Ideas
• How did your org switch to Dev(Sec)Ops?
• Continuous Improvement (Kaizen)
• What are you automating at the moment?
Processes
Processes
1. Secure SDLC
2. Security Pipelines
Processes:
Secure SDLC
1. Training
2. Requirements
3. Architecture & Design
4. Coding
5. Testing
6. Deployment
7. Post Deployment
Processes:
Sec Pipelines
• Optimise the critical resource (security staff time)
• Reduce friction
• Increase visibility
• Make each step repeatable
• Drive up consistency
Security Pipelines
Processes:
Open Space Ideas
• How are you managing security requirements?
• How are you building security into the SDLC?
• AppSec Pipelines in the wild
• ChatSecOps
Technologies
DevOps is not supposed to be about “tools”
DevSecOps Technologies
1. Requirements
2. Code: IDE Plugins, SAST
3. Test: Gauntlt, *AST
4. Configure: Sec as Code
5. Maintenance: Patch Management
6. Monitor: Auditing, Attack visibility, RASP
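As an added example (not code from the slides or from Vantage Point), the following Python models a minimal security pipeline stage that connects the "Sec Pipelines" bullets with the technology list above: it normalises the output of two scanners (a SAST run and a dependency scan) onto one severity scale, de-duplicates and orders findings deterministically so every run is repeatable, reports counts per severity for visibility, and applies a merge gate with an accepted-risk list so issues already signed off elsewhere do not block the build. The tool output shapes, rule names, advisory IDs and the gate policy are all constructed for this example.

```python
"""Minimal AppSec pipeline gate (added example; tool outputs are constructed)."""
import json
from dataclasses import dataclass

# One severity scale shared by every tool after normalisation (drives up consistency).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True, order=True)
class Finding:
    tool: str
    rule: str
    location: str
    severity: str

    @property
    def key(self) -> str:
        # Stable identifier used for de-duplication and for risk-acceptance entries.
        return f"{self.tool}:{self.rule}:{self.location}"


# Constructed sample tool outputs. JSON shapes, rule names and advisory IDs are
# hypothetical; they stand in for a SAST run and a dependency scan of the same build.
SAST_OUTPUT = json.dumps({"results": [
    {"check_id": "sqli-string-concat", "severity": "ERROR", "path": "app/db.py", "line": 42},
    {"check_id": "hardcoded-secret", "severity": "WARNING", "path": "app/config.py", "line": 7},
    {"check_id": "sqli-string-concat", "severity": "ERROR", "path": "app/db.py", "line": 42},
]})
DEPS_OUTPUT = json.dumps({"vulnerabilities": [
    {"id": "ADV-0001", "severity": "critical", "package": "leftpadlib@1.0.0"},
    {"id": "ADV-0002", "severity": "low", "package": "colors@0.1.0"},
]})

# The SAST tool uses its own labels; map them onto the shared scale.
SAST_SEVERITY = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}


def normalize_sast(raw: str) -> list:
    out = []
    for r in json.loads(raw)["results"]:
        location = f'{r["path"]}:{r["line"]}'
        out.append(Finding("sast", r["check_id"], location, SAST_SEVERITY[r["severity"]]))
    return out


def normalize_deps(raw: str) -> list:
    out = []
    for v in json.loads(raw)["vulnerabilities"]:
        sev = v["severity"].lower()
        if sev not in SEVERITY_RANK:
            # Fail loudly rather than silently dropping an unknown severity.
            raise ValueError(f"unknown severity {v['severity']!r} from deps scanner")
        out.append(Finding("deps", v["id"], v["package"], sev))
    return out


NORMALIZERS = {"sast": normalize_sast, "deps": normalize_deps}


def collect(raw_outputs: dict) -> list:
    """Merge tool outputs into one de-duplicated, deterministically ordered list."""
    seen = {}
    for tool, raw in raw_outputs.items():
        for f in NORMALIZERS[tool](raw):
            seen.setdefault(f.key, f)  # a duplicate hit or a re-run reports once
    return sorted(seen.values())


def gate(findings: list, fail_at: str = "high", accepted: frozenset = frozenset()) -> tuple:
    """Apply the merge policy. Returns (passed, summary).

    accepted: finding keys whose risk was signed off elsewhere (e.g. a ticket);
    they still appear in the counts but do not block the build.
    """
    threshold = SEVERITY_RANK[fail_at]
    counts = {s: 0 for s in SEVERITY_RANK}
    blocking = []
    for f in findings:
        counts[f.severity] += 1
        if SEVERITY_RANK[f.severity] >= threshold and f.key not in accepted:
            blocking.append(f.key)
    return (not blocking, {"counts": counts, "blocking": blocking})


def run_pipeline(fail_at: str = "high", accepted: frozenset = frozenset()) -> tuple:
    findings = collect({"sast": SAST_OUTPUT, "deps": DEPS_OUTPUT})
    return gate(findings, fail_at, accepted)


if __name__ == "__main__":
    passed, summary = run_pipeline()
    print(json.dumps(summary, indent=2))
    raise SystemExit(0 if passed else 1)
```

Run directly, it prints the summary and exits non-zero when the gate fails, which is how a CI job would consume it; in a real pipeline the constructed JSON strings are replaced by the scanners' report files, and the accepted-risk set lives in version control next to the policy so that exceptions are reviewed like any other change.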
Warning about *AST
Technologies:
Open Space Ideas
• Scaling security requirements
• TDD and security in testing
• Which *AST technologies have you been using?
• Experience with IDE Plugins
• Environment management (Dev/Prod parity)
• Configuration management (configuration drift)
• Patch Management and deployment strategies (e.g. Phoenix)
Summary
• DevSecOps enables organisations to deliver inherently secure software at DevOps speed.
Questions?
Inspirations
• http://itrevolution.com/heres-how-the-amazing-twitter-infosec-team-helps-devops/
• http://techbeacon.com/devsecops-9-ways-devops-automation-bolster-security-compliance
• https://www.checkmarx.com/2015/11/13/devsecops-4-best-practices-the-pros-teach-us-about-security-and-devops/
• http://www.slideshare.net/zanelackey/effective-approaches-to-web-application-security
• http://searchdatacenter.techtarget.com/feature/How-to-adopt-a-successful-DevOps-enterprise
• https://opensource.com/business/14/7/devops-red-hat
• http://www.infoq.com/news/2014/03/etsy-deploy-50-times-a-day
• http://www.slideshare.net/mtesauro/taking-appsec-to-11-appsec-pipeline-devops-and-making-things-better
• https://www.owasp.org/index.php/OWASP_AppSec_Pipeline