3. Featured Presenters
Our knowledgeable speakers today are:
Lawrence Hecht, Principal, Lawrence Hecht Consulting
Carl Calum, Technical Marketing Manager, Puppet
Tim Zonca, Sr. Dir of Product Marketing, Puppet
4. What We’ll Talk About
• What’s DevOps?
– Definition
– Diagrams
– Other DevOps Concepts
– DevOps More Than a Process to Some
• The Security Problem/Opportunity
– Common Meme
– Different Perspectives
– Security Pros More Concerned With Who Owns “Security”
– And They’re Right To Be Concerned
– It Takes More Than a Week for ~50% of Organizations to Fix a Vulnerability
– 50% Think Security and Compliance Measures Are Important for DevOps But Aren’t Done With Implementing It Yet
– Security Pros Think They Slow Down DevOps, BUT There Has Been Progress
• DevOps Security Opportunity
– KPIs for DevOps
– Save Time and Money by “Shifting Left”
– Shifting Left
– DevOps + Security = SecDevOps
– What It Looks Like When Dev and Sec Collaborate
• Recommendations
– Seven Habits of Rugged
– Suggestions
– Tools
6. Definition
• DevOps (a clipped compound of development and operations) is a culture, movement or practice that emphasizes the collaboration and communication of both software developers and other information-technology (IT) professionals while automating the process of software delivery and infrastructure changes. (https://en.wikipedia.org/wiki/DevOps)
• Motivation: speed, quality
13. Security Pros More Concerned With Who Owns “Security”
Credit/Source: https://blog.newrelic.com/2016/06/27/forrester-security-development-survey/
14. And They’re Right To Be Concerned
• Developers are much more likely than Security to be responsible for identifying known open source vulnerabilities and tracking remediation.
• Only 29% identify, track and remediate open source vulnerabilities in a way that could be considered DevOps-like:
– 10%: identified, tracked and remediated by a third-party vendor
– 19%: identified automatically, with remediation tracked automatically using internal resources
Credit/Source: Black Duck Future of Open Source Survey
15. It Takes More Than a Week for ~50% of Organizations to Fix a Vulnerability
Credit/Source: 2015 State of Application Security: Closing the Gap
16. 50% Think Security and Compliance Measures Are Important for DevOps But Aren’t Done With Implementing It Yet
Credit/Source: CA Survey: http://rewrite.ca.com/us/articles/devops/do-you-have-all-the-pieces-of-the-devops-jigsaw.html
17. Security Pros Think They Slow Down DevOps, BUT There Has Been Progress
Credit/Source: https://www.cloudpassage.com/company/press-releases/cloudpassage-unveils-results-2016-survey-information-security-community-linkedin
19. Measure KPIs for DevOps to Achieve Savings From Reduced Downtime and Rework
Metric                      | High Performance                     | Low Performance
Deployment frequency        | On demand (multiple deploys per day) | Between once per month and once every 6 months
Lead time for changes       | Less than one hour                   | Between one month and 6 months
Mean time to recover (MTTR) | Less than one hour                   | Less than one day*
Change failure rate         | 0-15%                                | 16-30%
• High performers spend 50% less time remediating security issues than low performers.
• Besides Security, Product Development should also 1) shift left and 2) become more continuous
Credit/Source: Puppet’s 2016 State of DevOps Report
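As an added illustration of how the four KPIs in the table can be measured (this code is not from the webinar or the State of DevOps Report), the Python below computes deployment frequency, lead time, MTTR and change failure rate from a constructed deployment log and checks each against the high-performer band from the table; the record layout, the sample data and the exact thresholds are assumptions.

```python
from datetime import datetime as dt
from statistics import mean, median

# Constructed sample deployment log (not real data). Each record holds:
# commit time, deploy time, whether the deploy caused an incident, and the
# time service was restored (None when there was no incident).
DEPLOYS = [
    ("2016-06-01T09:00", "2016-06-01T09:30", False, None),
    ("2016-06-01T10:00", "2016-06-01T10:20", True, "2016-06-01T10:50"),
    ("2016-06-01T13:00", "2016-06-01T13:45", False, None),
    ("2016-06-02T08:00", "2016-06-02T08:40", False, None),
    ("2016-06-02T11:00", "2016-06-02T11:10", True, "2016-06-02T11:40"),
    ("2016-06-02T15:00", "2016-06-02T15:25", False, None),
    ("2016-06-03T09:00", "2016-06-03T09:15", False, None),
    ("2016-06-03T14:00", "2016-06-03T14:30", False, None),
]
PERIOD_DAYS = 3  # the window the constructed log covers

def _hours(start, end):
    return (dt.fromisoformat(end) - dt.fromisoformat(start)).total_seconds() / 3600

def deploys_per_day(deploys, period_days):
    return len(deploys) / period_days

def median_lead_time_hours(deploys):
    # lead time for changes: commit to running in production
    return median(_hours(c, d) for c, d, _, _ in deploys)

def mttr_hours(deploys):
    # mean time to recover, measured only over deploys that caused an incident
    restores = [_hours(d, r) for _, d, failed, r in deploys if failed]
    return mean(restores) if restores else 0.0

def change_failure_rate(deploys):
    return sum(1 for _, _, failed, _ in deploys if failed) / len(deploys)

def classify(deploys, period_days):
    """Mark each KPI 'high' if it falls in the table's high-performer band
    (assumed thresholds: >1 deploy/day, lead time <1 h, MTTR <1 h, CFR <=15%)."""
    return {
        "deployment_frequency": "high" if deploys_per_day(deploys, period_days) > 1 else "not high",
        "lead_time": "high" if median_lead_time_hours(deploys) < 1 else "not high",
        "mttr": "high" if mttr_hours(deploys) < 1 else "not high",
        "change_failure_rate": "high" if change_failure_rate(deploys) <= 0.15 else "not high",
    }

if __name__ == "__main__":
    print(classify(DEPLOYS, PERIOD_DAYS))
```

With the constructed log, frequency, lead time and MTTR land in the high band while the change failure rate (2 of 8 deploys) does not, which is the kind of gap the "shift left" slides that follow aim to close.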
20. Save Time and Money by “Shifting Left”
Credit/Source: http://blog.sonatype.com/2015/12/getting-rugged-devops-right/
22. DevOps + Security = SecDevOps
• Also known as Rugged DevOps
• New Relic’s Stevan Arychuk: “SecDevOps seeks to embed security inside the development process as deeply as DevOps has done with operations.”
• Later we will provide examples of adding security to:
– DevOps processes
– Deployment processes
Credit/Source: New Relic, Fredric Pau and Stevan Arychuk
23. What It Looks Like When Dev and Sec Collaborate
Credit/Source: https://blog.newrelic.com/2016/06/27/forrester-security-development-survey/
25. Seven Habits of Rugged
• Increase Trust And Transparency Between Dev, Sec, And Ops
• Understand The Probability And Impact Of Specific Risks
• Discard Detailed Security Road Maps In Favor Of Incremental Improvements
• Use The Continuous Delivery Pipeline To Incrementally Improve Security Practices
• Standardize Third-Party Software And Then Keep Current
• Govern With Automated Audit Trails
• Test Preparedness With Security Games
Credit/Source: Amy DeMartine and Kurt Bittner of Forrester
26. Suggestions
• Encourage the development team to care about its code in production.
• Introduce a test-driven development environment.
• Automate deployments.
• Include security as acceptance criteria when developers write user stories for development. (Andrew Storm)
• Configure the dev, test and deployment environments identically.
28. Questions?
29. Thank you for attending