CloudPassage, profile picture
Uploaded byCloudPassage
PPTX, PDF3,853 views

SecDevOps: The New Black of IT

The document discusses the integration of security within DevOps, termed 'SecDevOps,' emphasizing collaboration and automation to enhance security measures across the development cycle. It outlines practices such as continuous compliance monitoring, automated testing, and stakeholder involvement to reduce silos and improve overall security posture. Practical examples illustrate how organizations can leverage DevOps momentum to incorporate security more effectively into their processes.

Embed presentation

Downloaded 117 times
SecDevOps: The New Black of IT Andrew Storms CloudPassage Director of DevOps Alan Shimmel DevOps.com CEO & Co-founder
1994 1995 2009
Cloud or Not – Still the Same • Infrastructure • Data & Storage • Identity & Access Controls • Privacy • Governance • Audit & Compliance 3
Infrastructure as code Instrumentation What about DevOps? Orchestration Continuous everything
about security DevOps? What with
DevOps & Security Division 6 This is NOT how we do DevOps at CloudPassage. Collaboration Division DevOps Security Plan Code Test Release Deploy Operate
SecDevOps • Less division – More collaboration • Less silos – More sharing • Less pipeline – More chains & links • Less manual – More automation 7 Security Plan Release Code Test Operate Deploy
Plan • Release Sherpa – Ops, Dev, QA – See a release thru from start to finish • Change risk management – What infrastructure changes? – Unexpected or large code changes? – Security risk assessment – Threat vector analysis Security Plan Release Code Test Operate Deploy
Code • Standards enforcement – Rubocop, Food Critic, Knife-Spork • Review Process – Peer & code review – Continuous application & infrastructure testing • Git feature branching – Change control & isolation Security Plan Release Code Test Operate Deploy
Test • Automated code testing – Over 10k tests run automatically at check in – Over 10k QA assertions – Over 130 smoke test suites • All the modules & third party integrations • Deploy verifications • External automated testing • External code review Security Plan Release Code Test Operate Deploy
Release & Deploy • Stakeholders approval • Standardized tools – Capistrano, Chef • Deploy testing – 2-man rule • System segregation – Only Ops has production access Security Plan Release Code Test Operate Deploy
• Continuous compliance monitoring – All systems (prod & non-prod) – Hourly & daily – Halo • Infrastructure security orchestration – Thousands of control/change points enforced hourly (Chef) – Validated by Halo • Continuous risk assessment – Third-party vulnerability testing of all systems Operate Security Plan Release Code Test Operate Deploy
JIRAgitChefCapistranoHalo Initiate Approve Implement Audit Records Deploy (Infrastructure) Audit Records Deploy (App Code) Audit Records Audit Records Update Baselines Continuous Monitoring Audit Records End to end audit trail, built into the agile process… “AGILE ASSURANCE”
Practical SecDevOps Examples • Security automation potential – Cloud APIs have exploded • Latch on to DevOps momentum – Take advantage of change – Make Dev and Ops security stakeholders • Use IFTTT thinking – Channels, Triggers, Actions, Ingredients  Recipes 14
Practical SecDevOps Automation 15
Practical SecDevOps Automation 16 git-push
Practical SecDevOps Automation 17
Practical SecDevOps Automation 18
SecDevOps in Summary 19 Old is new Still solving the same problems, but in new ways SecDevOps Automation DevOps is here SecDevOps is required Security automation is here And is required in the cloud
More Resources 20 Explore: www.DevOps.com Learn: blog.cloudpassage.com Start: www.cloudpassage.com/halo
Thank you! 21 Q&A

More Related Content

PDF
Embracing the Rise of SecDevOps
byTom Cappetta
 
PPTX
we45 SecDevOps Presentation - ISACA Chennai
byAbhay Bhargav
 
PDF
we45 - SecDevOps Concept Presentation
byAbhay Bhargav
 
KEY
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
PDF
Integrating DevOps and Security
byStijn Muylle
 
PDF
Continuous Security Testing - DevSecCon
byStephen de Vries
 
PPTX
Automating security tests for Continuous Integration
byStephen de Vries
 
PDF
A Secure DevOps Journey
bySonatype
 
Embracing the Rise of SecDevOps
byTom Cappetta
 
we45 SecDevOps Presentation - ISACA Chennai
byAbhay Bhargav
 
we45 - SecDevOps Concept Presentation
byAbhay Bhargav
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
Integrating DevOps and Security
byStijn Muylle
 
Continuous Security Testing - DevSecCon
byStephen de Vries
 
Automating security tests for Continuous Integration
byStephen de Vries
 
A Secure DevOps Journey
bySonatype
 

What's hot

PPTX
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
byAbhay Bhargav
 
PDF
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
byChristian Schneider
 
PPTX
Integrating Security into DevOps
byCloudPassage
 
PDF
DevSecCon London 2017: Shift happens ... by Colin Domoney
byDevSecCon
 
PDF
we45 DEFCON Workshop - Building AppSec Automation with Python
byAbhay Bhargav
 
PDF
Proactive Security AppSec Case Study
byAndy Hoernecke
 
PDF
T23 HTML5 Security Testing at Spotify
byTechWell
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
PDF
Devops, Secops, Opsec, DevSec *ops *.* ?
byKris Buytaert
 
PDF
we45 - Infrastructure Penetration Testing with LeanBeast Case Study
byAbhay Bhargav
 
PDF
SecDevOps Risk Workflow - v0.6
byDinis Cruz
 
PPTX
DevOps & Security: Here & Now
byCheckmarx
 
PDF
Ast in CI/CD by Ofer Maor
byDevSecCon
 
PPTX
Continuous Security Testing with Devops - OWASP EU 2014
byStephen de Vries
 
PPTX
Continuous Security Testing in a Devops World #OWASPHelsinki
byStephen de Vries
 
PDF
Security in a Continuous Delivery World
byDinis Cruz
 
PPTX
DevSecOps
byCheah Eng Soon
 
PDF
SecDevOps
byPeter Lamar
 
PPTX
Integrating security into Continuous Delivery
byTom Stiehm
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
byAbhay Bhargav
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
byChristian Schneider
 
Integrating Security into DevOps
byCloudPassage
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
byDevSecCon
 
we45 DEFCON Workshop - Building AppSec Automation with Python
byAbhay Bhargav
 
Proactive Security AppSec Case Study
byAndy Hoernecke
 
T23 HTML5 Security Testing at Spotify
byTechWell
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
Devops, Secops, Opsec, DevSec *ops *.* ?
byKris Buytaert
 
we45 - Infrastructure Penetration Testing with LeanBeast Case Study
byAbhay Bhargav
 
SecDevOps Risk Workflow - v0.6
byDinis Cruz
 
DevOps & Security: Here & Now
byCheckmarx
 
Ast in CI/CD by Ofer Maor
byDevSecCon
 
Continuous Security Testing with Devops - OWASP EU 2014
byStephen de Vries
 
Continuous Security Testing in a Devops World #OWASPHelsinki
byStephen de Vries
 
Security in a Continuous Delivery World
byDinis Cruz
 
DevSecOps
byCheah Eng Soon
 
SecDevOps
byPeter Lamar
 
Integrating security into Continuous Delivery
byTom Stiehm
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 

Similar to SecDevOps: The New Black of IT

PPTX
Secure DevOPS Implementation Guidance
byTej Luthra
 
PPTX
DevOps to DevSecOps Journey..
bySiddharth Joshi
 
PPTX
Are your DevOps and Security teams friends or foes?
byReuven Harrison
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
PPTX
You Build It, You Secure It: Introduction to DevSecOps
bySumo Logic
 
PDF
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
PDF
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
PDF
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
PPTX
DevSecOps Best Practices-Safeguarding Your Digital Landscape
bystevecooper930744
 
PDF
Dev secops opsec, devsec, devops ?
byKris Buytaert
 
PPTX
What_is_DevOps_how_it's_very_useful_in_daily_Life.
byanilpmuvvala
 
PPTX
What is DevOps And How It Is Useful In Real life.
byanilpmuvvala
 
PPTX
How to get the best out of DevSecOps - an operations perspective
byColin Domoney
 
PDF
Scale security for a dollar or less
byMohammed A. Imran
 
PPTX
What_is_DevOps.pptx
bymridulsharma774687
 
PDF
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
byDevOps.com
 
PDF
How DevOps Development Companies Streamline Operations.pdf
byAgile Infoways LLC
 
PDF
DevOps Automation: Boosting Efficiency and Productivity
byFredReynolds2
 
PDF
You build it - Cyber Chicago Keynote
byJohn Willis
 
PDF
Divine and felonios cyber security devopsdays austin 2018
byJohn Willis
 
Secure DevOPS Implementation Guidance
byTej Luthra
 
DevOps to DevSecOps Journey..
bySiddharth Joshi
 
Are your DevOps and Security teams friends or foes?
byReuven Harrison
 
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
You Build It, You Secure It: Introduction to DevSecOps
bySumo Logic
 
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
bystevecooper930744
 
Dev secops opsec, devsec, devops ?
byKris Buytaert
 
What_is_DevOps_how_it's_very_useful_in_daily_Life.
byanilpmuvvala
 
What is DevOps And How It Is Useful In Real life.
byanilpmuvvala
 
How to get the best out of DevSecOps - an operations perspective
byColin Domoney
 
Scale security for a dollar or less
byMohammed A. Imran
 
What_is_DevOps.pptx
bymridulsharma774687
 
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
byDevOps.com
 
How DevOps Development Companies Streamline Operations.pdf
byAgile Infoways LLC
 
DevOps Automation: Boosting Efficiency and Productivity
byFredReynolds2
 
You build it - Cyber Chicago Keynote
byJohn Willis
 
Divine and felonios cyber security devopsdays austin 2018
byJohn Willis
 

More from CloudPassage

PDF
Best Practices for Workload Security: Securing Servers in Modern Data Center ...
byCloudPassage
 
PPTX
CloudPassage Careers
byCloudPassage
 
PPTX
Transforming the CSO Role to Business Enabler
byCloudPassage
 
PPTX
Rethinking Security: The Cloud Infrastructure Effect
byCloudPassage
 
PPTX
Webinar compiled powerpoint
byCloudPassage
 
PPTX
Security and Compliance for Enterprise Cloud Infrastructure
byCloudPassage
 
PPTX
Technologies You Need to Safely Use the Cloud
byCloudPassage
 
PPT
Cloud Security: Make Your CISO Successful
byCloudPassage
 
PDF
Secure Cloud Development Resources with DevOps
byCloudPassage
 
PPTX
45 Minutes to PCI Compliance in the Cloud
byCloudPassage
 
PPTX
Comprehensive Cloud Security Requires an Automated Approach
byCloudPassage
 
PPTX
Security that works with, not against, your SaaS business
byCloudPassage
 
PDF
What You Need To Know About The New PCI Cloud Guidelines
byCloudPassage
 
PPTX
What You Haven't Heard (Yet) About Cloud Security
byCloudPassage
 
PPTX
Meeting PCI DSS Requirements with AWS and CloudPassage
byCloudPassage
 
PPTX
Delivering Secure OpenStack IaaS for SaaS Products
byCloudPassage
 
PPTX
CloudPassage Overview
byCloudPassage
 
PPTX
PCI and the Cloud
byCloudPassage
 
PDF
Halo Installfest Slides
byCloudPassage
 
PPTX
Automating Security for the Cloud - Make it Easy, Make it Safe
byCloudPassage
 
Best Practices for Workload Security: Securing Servers in Modern Data Center ...
byCloudPassage
 
CloudPassage Careers
byCloudPassage
 
Transforming the CSO Role to Business Enabler
byCloudPassage
 
Rethinking Security: The Cloud Infrastructure Effect
byCloudPassage
 
Webinar compiled powerpoint
byCloudPassage
 
Security and Compliance for Enterprise Cloud Infrastructure
byCloudPassage
 
Technologies You Need to Safely Use the Cloud
byCloudPassage
 
Cloud Security: Make Your CISO Successful
byCloudPassage
 
Secure Cloud Development Resources with DevOps
byCloudPassage
 
45 Minutes to PCI Compliance in the Cloud
byCloudPassage
 
Comprehensive Cloud Security Requires an Automated Approach
byCloudPassage
 
Security that works with, not against, your SaaS business
byCloudPassage
 
What You Need To Know About The New PCI Cloud Guidelines
byCloudPassage
 
What You Haven't Heard (Yet) About Cloud Security
byCloudPassage
 
Meeting PCI DSS Requirements with AWS and CloudPassage
byCloudPassage
 
Delivering Secure OpenStack IaaS for SaaS Products
byCloudPassage
 
CloudPassage Overview
byCloudPassage
 
PCI and the Cloud
byCloudPassage
 
Halo Installfest Slides
byCloudPassage
 
Automating Security for the Cloud - Make it Easy, Make it Safe
byCloudPassage
 

Recently uploaded

PDF
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
PDF
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
PPTX
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
PDF
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
PDF
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
PDF
A Simple Guide to Real Estate Tokenization on XRP Ledger.pdf
byemmajoh2025
 
PDF
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
PPTX
Code Like Bro -A guide for better Coding
byMadan Panthi
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PDF
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
PDF
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
PDF
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
PDF
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
PPTX
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PDF
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
A Simple Guide to Real Estate Tokenization on XRP Ledger.pdf
byemmajoh2025
 
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
Code Like Bro -A guide for better Coding
byMadan Panthi
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 

SecDevOps: The New Black of IT

Editor's Notes

  • #16 Apply IFTTT thinking If This Then That Channels, Triggers, Actions, Ingredients Recipes (need a graphic here. Something like a funnel or other where Channels, Triggers, Actions, Ingredients converge to make a recipe)
  • #17 Examples (The same graphic from previous slide, but small) If code gets checked in, then run static analysis
  • #18 Examples If firewall policy changes, then initiate remote scanner
  • #19 Examples If breach, then quarantine
  • #21 Feel free to change these points to you sales next steps.
  • #22 Feel free to change these points to you sales next steps.