SlideShare a Scribd company logo

Security Implications for a DevOps Transformation

Download as PPTX, PDF
Deborah Schalm
Deborah Schalm

DevOps aims to break down silos between development and operations teams through collaboration, automation, and continuous delivery. While this provides benefits, it can also introduce security risks if security is not properly included. The presentation discusses five key aspects of a DevOps transformation and their security implications. It argues that DevOps and security are not mutually exclusive if security is incorporated through collaboration, automated testing of security requirements, and accelerating remediation of vulnerabilities.

1 of 60
Security Implications of a DevOps transformation
Greg Sarjeant - Puppet - Manager of Professional Services - 20 Years in IT - Puppet user since 2012
Agenda ● Overview ● Technical baseline ● Implications for security Practical DevOps
Overview What do we mean by DevOps? Practical DevOps
Most DevOps conversation is loosely defined ● What DevOps isn’t ● Value proposition ● High-level characteristics — Fewer silos — Common tools — Tech closer to customers Practical DevOps
This makes it hard to quantify What are the impacts on security?
Practical DevOps Let’s Simplify Application Dev Server Ops
Disclaimer: None of the examples in this presentation are endorsements
Technical Foundation How did we get here? Practical DevOps
DevOps needs a “Hello, World”
Proposal Five Key Components ● Version Control ● Package Management ● Automated Testing ● Continuous Integration ● Infrastructure as Code Practical DevOps
Let’s start a company Keep it simple ● Get a host ● Install web server ● Write the app Practical DevOps
Initial development workflow ● Log on to production server ● Write the webpage Practical DevOps
Wait, there’s more than one language? Practical DevOps
Time for reinforcements Harry Hello Can say “Hello” in 57 languages Wendy World Can say “World” in 62 languages Practical DevOps
Complication 1: Collaboration ● Who owns the file? ● Is someone else editing it? ● How do I request a change? ● What changed last? Practical DevOps
Improvement 1: Version Control Authoritative source for application code ● File history ● Change tracking ● Conflict resolution ● Version rollback Practical DevOps
Version Control: Security Implications ● Attack vector ● Access controls — View code — Commit code ● Sensitive data Practical DevOps
Revised workflow ● Commit files to git repository ● Log in to prod ● Check files out Practical DevOps
Complication 2: Distribution ● No validation ● No dependencies ● Version management ● Dev tools on Prod servers Practical DevOps
Improvement 2: Package Management Atomic collections of related files ● Metadata ● Standard inspection tools ● Programmatic deployment tools ● Pre- and post- install tasks ● Uninstall/rollback functionality Practical DevOps
Package Management: Security Implications ● Installation is generally trusted ● Validate package integrity — MD5 sums Practical DevOps
Revised workflow ● Commit files to git repository ● Build package ● Log in to prod ● Install package Practical DevOps
Time to make the magic happen Let’s ship this thing…
Nice work, Harry. Practical DevOps
Let’s build a test server! Practical DevOps How about “Harry”? What do we call it? Test Prod
Complication 3: Validation Manual testing has weaknesses ● Slow: a person has to perform the steps ● Unreliable: people miss steps ● Late: can’t happen until after deployment Practical DevOps Test Prod
Improvement 3: Automated tests ● Fast ● Consistent ● Run early and often — Locally — On check-in — On deployment Practical DevOps
Automated tests: Security Implications ● Generally positive! ● Validate code, behavior ● Validate package contents Practical DevOps
Revised workflow ● Commit to git repository ● Invoke tests ● Build package ● Invoke tests ● Deploy to test ● Invoke tests ● Deploy to prod ● Invoke tests Practical DevOps Test Prod Tests Pass
Now we’re cooking with gas
Complication 4: Orchestration We’re just telling the computers what to do ● Manage code ● Run tests ● Build packages ● Deploy packages Practical DevOps
Improvement 4: Continuous Integration Continuous Integration Servers ● Define jobs ● Run tests ● Build packages ● Deploy apps ● Run jobs on target servers ● Chain jobs together ● Stop execution if a job fails Practical DevOps
Continuous Integration: Security Implications ● Single point of entry to infrastructure ● Elevated access to managed servers ● Arbitrary job execution Practical DevOps
All the pieces are in place Practical DevOps Test Prod I’ll take it from here
The test server just failed Somebody call the sysadmin!
Here I come to save the day Practical DevOps
Complication 5: Systems administration Practical DevOps
Progressively smaller anchors ● Run books ● Pile of shell scripts ● Golden images ● VM templates Practical DevOps
Improvement 5: Infrastructure as code ● Rewrite configuration instructions ● Interpreted by computers ● Managed identically to app code Practical DevOps
Infrastructure as code: Security implications ● Agents run as root on all servers ● Code is generally trusted ● Wide-ranging abilities — Package installation — Service reconfiguration — Arbitrary script execution ● Runs unattended Practical DevOps
Sysadmins join the pipeline Practical DevOps Test Prod
DevOps The directed use of automation to build a common workflow for developers and operations DevOps The directed use of automation to build a common workflow for developers and operations
But what about all those security questions?
Implications: Security Are DevOps and security mutually exclusive? Practical DevOps
There is a perception that DevOps is incompatible with strong security.
We feed this perception ● Emphasize trust over verification ● Purist mentality — If it interferes with efficiency, it’s not DevOps ● Security is an afterthought – deal with it in Production Practical DevOps Is security the new ops?
Security organizations have real concerns
Security concerns ● Financial protection ● Intellectual property ● Customer data Practical DevOps Compromises are costly and on the rise
Requirements of security organizations ● Rigor — Minimize opportunities to introduce vulnerabilities ● Visibility — Understand what has changed, so that effects can be evaluated ● Responsiveness — When a vulnerability is identified, remediate it as quickly as possible Practical DevOps
DevOps strengths: security weaknesses?
DevOps Strength: Collaboration ● Dev and Ops teams working together is a huge benefit ● Security often gets left out ● Stop throwing over the wall to ops, keep throwing over the wall to security Practical DevOps
DevOps Strength: Automation ● Fewer eyes and minds on the code ● Less consideration of concerns outside of direct application functionality — We’re only validating what we test Practical DevOps
DevOps Strength: Speed ● More changes introduced to production more frequently ● Less time to measure the impact of a change ● Often making updates before previous changes have been validated Practical DevOps
These aren’t fundamental flaws We’ve just been insufficiently inclusive
Collaboration: Include Security ● Design for security ● Assess security implications of changes in tickets ● Incorporate security patches into the delivery pipeline Practical DevOps
Automation: Automate tests and validation ● Trigger vulnerability scans on deploy to test — This can be expensive — Tie to deployment schedule, but leave time for remediation ● Build tests for security — System configuration — Package versions — Input validation ● Incorporate monitoring, logging — Install and configure servers and agents — Detect, repor, and alertt on anomalous behavior Practical DevOps
Speed: Accelerate remediation ● Use delivery pipeline to push OS patches to production ● Update, test, and deploy custom applications more quickly ● Use monitoring and logging to identify vulnerabilities and anomalous behavior more quickly Practical DevOps
Use the pipeline to our advantage Practical DevOps Test Prod
Security Implications for a DevOps Transformation

Recommended

Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Deborah Schalm
 
How to plug the data gap in DevOps
How to plug the data gap in DevOpsHow to plug the data gap in DevOps
How to plug the data gap in DevOps
Deborah Schalm
 
Diving Deeper into DevOps Deployments
Diving Deeper into DevOps DeploymentsDiving Deeper into DevOps Deployments
Diving Deeper into DevOps Deployments
Jules Pierre-Louis
 
Scaling Enterprise DevOps with CloudBees
Scaling Enterprise DevOps with CloudBeesScaling Enterprise DevOps with CloudBees
Scaling Enterprise DevOps with CloudBees
Deborah Schalm
 
Detecting Insider Threats with Multi-layered Security Webcast
Detecting Insider Threats with Multi-layered Security Webcast Detecting Insider Threats with Multi-layered Security Webcast
Detecting Insider Threats with Multi-layered Security Webcast
Compuware
 
Building an Automated Database Deployment Pipeline
Building an Automated Database Deployment PipelineBuilding an Automated Database Deployment Pipeline
Building an Automated Database Deployment Pipeline
Grant Fritchey
 
DevOps Explained
DevOps ExplainedDevOps Explained
DevOps Explained
Richard Seroter
 
The Art of Container Monitoring
The Art of Container MonitoringThe Art of Container Monitoring
The Art of Container Monitoring
Derek Chen
 

Recommended

Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Deborah Schalm
 
How to plug the data gap in DevOps
How to plug the data gap in DevOpsHow to plug the data gap in DevOps
How to plug the data gap in DevOps
Deborah Schalm
 
Diving Deeper into DevOps Deployments
Diving Deeper into DevOps DeploymentsDiving Deeper into DevOps Deployments
Diving Deeper into DevOps Deployments
Jules Pierre-Louis
 
Scaling Enterprise DevOps with CloudBees
Scaling Enterprise DevOps with CloudBeesScaling Enterprise DevOps with CloudBees
Scaling Enterprise DevOps with CloudBees
Deborah Schalm
 
Detecting Insider Threats with Multi-layered Security Webcast
Detecting Insider Threats with Multi-layered Security Webcast Detecting Insider Threats with Multi-layered Security Webcast
Detecting Insider Threats with Multi-layered Security Webcast
Compuware
 
Building an Automated Database Deployment Pipeline
Building an Automated Database Deployment PipelineBuilding an Automated Database Deployment Pipeline
Building an Automated Database Deployment Pipeline
Grant Fritchey
 
DevOps Explained
DevOps ExplainedDevOps Explained
DevOps Explained
Richard Seroter
 
The Art of Container Monitoring
The Art of Container MonitoringThe Art of Container Monitoring
The Art of Container Monitoring
Derek Chen
 
Enterprise DevOps and the Modern Mainframe Webcast Presentation
Enterprise DevOps and the Modern Mainframe Webcast PresentationEnterprise DevOps and the Modern Mainframe Webcast Presentation
Enterprise DevOps and the Modern Mainframe Webcast Presentation
Compuware
 
Introduction to devops
Introduction to devopsIntroduction to devops
Introduction to devops
UtpalenduChakrobortt1
 
2017 DevSecOps Survey
2017 DevSecOps Survey2017 DevSecOps Survey
2017 DevSecOps Survey
Sonatype
 
How to Build a DevOps Toolchain
How to Build a DevOps ToolchainHow to Build a DevOps Toolchain
How to Build a DevOps Toolchain
IBM UrbanCode Products
 
What Is DevOps?
What Is DevOps?What Is DevOps?
What Is DevOps?
Soumya De
 
The Human Side of DevSecOps
The Human Side of DevSecOpsThe Human Side of DevSecOps
The Human Side of DevSecOps
Jules Pierre-Louis
 
Enterprise DevOps and the Cloud
Enterprise DevOps and the CloudEnterprise DevOps and the Cloud
Enterprise DevOps and the Cloud
CloudCheckr
 
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your doorLFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
Eric Smalling
 
Devops
DevopsDevops
Devops
JyothirmaiG4
 
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...
DevOpsDays Tel Aviv
 
Introduction to CICD
Introduction to CICDIntroduction to CICD
Introduction to CICD
Knoldus Inc.
 
Connect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionConnect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API Protection
DevOps.com
 
Scaling Enterprise DevOps with CloudBees
Scaling Enterprise DevOps with CloudBeesScaling Enterprise DevOps with CloudBees
Scaling Enterprise DevOps with CloudBees
DevOps.com
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOps
Francesco Garavaglia
 
DevOps and the Case for ROI to Executives
DevOps and the Case for ROI to ExecutivesDevOps and the Case for ROI to Executives
DevOps and the Case for ROI to ExecutivesIBM UrbanCode Products
 
DOES14 - Joshua Corman - Sonatype
DOES14 - Joshua Corman - SonatypeDOES14 - Joshua Corman - Sonatype
DOES14 - Joshua Corman - Sonatype
Gene Kim
 
#speakgell - Continuous Integration in iconnect360
#speakgell - Continuous Integration in iconnect360#speakgell - Continuous Integration in iconnect360
#speakgell - Continuous Integration in iconnect360
Derek Chan
 
Transforming Organizations with CI/CD
Transforming Organizations with CI/CDTransforming Organizations with CI/CD
Transforming Organizations with CI/CD
Cprime
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
Siddharth Joshi
 
DevOps Roadmap.pptx
DevOps Roadmap.pptxDevOps Roadmap.pptx
DevOps Roadmap.pptx
HARSH MANVAR
 
Dev ops
Dev opsDev ops
Dev ops
farzanehvar
 
DevTestOps
DevTestOpsDevTestOps
DevTestOps
Paul Mateos
 

More Related Content

What's hot

Enterprise DevOps and the Modern Mainframe Webcast Presentation
Enterprise DevOps and the Modern Mainframe Webcast PresentationEnterprise DevOps and the Modern Mainframe Webcast Presentation
Enterprise DevOps and the Modern Mainframe Webcast Presentation
Compuware
 
Introduction to devops
Introduction to devopsIntroduction to devops
Introduction to devops
UtpalenduChakrobortt1
 
2017 DevSecOps Survey
2017 DevSecOps Survey2017 DevSecOps Survey
2017 DevSecOps Survey
Sonatype
 
How to Build a DevOps Toolchain
How to Build a DevOps ToolchainHow to Build a DevOps Toolchain
How to Build a DevOps Toolchain
IBM UrbanCode Products
 
What Is DevOps?
What Is DevOps?What Is DevOps?
What Is DevOps?
Soumya De
 
The Human Side of DevSecOps
The Human Side of DevSecOpsThe Human Side of DevSecOps
The Human Side of DevSecOps
Jules Pierre-Louis
 
Enterprise DevOps and the Cloud
Enterprise DevOps and the CloudEnterprise DevOps and the Cloud
Enterprise DevOps and the Cloud
CloudCheckr
 
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your doorLFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
Eric Smalling
 
Devops
DevopsDevops
Devops
JyothirmaiG4
 
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...
DevOpsDays Tel Aviv
 
Introduction to CICD
Introduction to CICDIntroduction to CICD
Introduction to CICD
Knoldus Inc.
 
Connect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionConnect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API Protection
DevOps.com
 
Scaling Enterprise DevOps with CloudBees
Scaling Enterprise DevOps with CloudBeesScaling Enterprise DevOps with CloudBees
Scaling Enterprise DevOps with CloudBees
DevOps.com
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOps
Francesco Garavaglia
 
DevOps and the Case for ROI to Executives
DevOps and the Case for ROI to ExecutivesDevOps and the Case for ROI to Executives
DevOps and the Case for ROI to ExecutivesIBM UrbanCode Products
 
DOES14 - Joshua Corman - Sonatype
DOES14 - Joshua Corman - SonatypeDOES14 - Joshua Corman - Sonatype
DOES14 - Joshua Corman - Sonatype
Gene Kim
 
#speakgell - Continuous Integration in iconnect360
#speakgell - Continuous Integration in iconnect360#speakgell - Continuous Integration in iconnect360
#speakgell - Continuous Integration in iconnect360
Derek Chan
 
Transforming Organizations with CI/CD
Transforming Organizations with CI/CDTransforming Organizations with CI/CD
Transforming Organizations with CI/CD
Cprime
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
Siddharth Joshi
 

What's hot (19)

Enterprise DevOps and the Modern Mainframe Webcast Presentation
Enterprise DevOps and the Modern Mainframe Webcast PresentationEnterprise DevOps and the Modern Mainframe Webcast Presentation
Enterprise DevOps and the Modern Mainframe Webcast Presentation
 
Introduction to devops
Introduction to devopsIntroduction to devops
Introduction to devops
 
2017 DevSecOps Survey
2017 DevSecOps Survey2017 DevSecOps Survey
2017 DevSecOps Survey
 
How to Build a DevOps Toolchain
How to Build a DevOps ToolchainHow to Build a DevOps Toolchain
How to Build a DevOps Toolchain
 
What Is DevOps?
What Is DevOps?What Is DevOps?
What Is DevOps?
 
The Human Side of DevSecOps
The Human Side of DevSecOpsThe Human Side of DevSecOps
The Human Side of DevSecOps
 
Enterprise DevOps and the Cloud
Enterprise DevOps and the CloudEnterprise DevOps and the Cloud
Enterprise DevOps and the Cloud
 
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your doorLFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
 
Devops
DevopsDevops
Devops
 
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...
 
Introduction to CICD
Introduction to CICDIntroduction to CICD
Introduction to CICD
 
Connect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionConnect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API Protection
 
Scaling Enterprise DevOps with CloudBees
Scaling Enterprise DevOps with CloudBeesScaling Enterprise DevOps with CloudBees
Scaling Enterprise DevOps with CloudBees
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOps
 
DevOps and the Case for ROI to Executives
DevOps and the Case for ROI to ExecutivesDevOps and the Case for ROI to Executives
DevOps and the Case for ROI to Executives
 
DOES14 - Joshua Corman - Sonatype
DOES14 - Joshua Corman - SonatypeDOES14 - Joshua Corman - Sonatype
DOES14 - Joshua Corman - Sonatype
 
#speakgell - Continuous Integration in iconnect360
#speakgell - Continuous Integration in iconnect360#speakgell - Continuous Integration in iconnect360
#speakgell - Continuous Integration in iconnect360
 
Transforming Organizations with CI/CD
Transforming Organizations with CI/CDTransforming Organizations with CI/CD
Transforming Organizations with CI/CD
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
 

Similar to Security Implications for a DevOps Transformation

DevOps Roadmap.pptx
DevOps Roadmap.pptxDevOps Roadmap.pptx
DevOps Roadmap.pptx
HARSH MANVAR
 
Dev ops
Dev opsDev ops
Dev ops
farzanehvar
 
DevTestOps
DevTestOpsDevTestOps
DevTestOps
Paul Mateos
 
DevOps overview 2019-04-13 Nelkinda April Meetup
DevOps overview 2019-04-13 Nelkinda April MeetupDevOps overview 2019-04-13 Nelkinda April Meetup
DevOps overview 2019-04-13 Nelkinda April Meetup
Shweta Sadawarte
 
Understanding DevOps in simpler way with Continuous Delivery
Understanding DevOps in simpler way with Continuous DeliveryUnderstanding DevOps in simpler way with Continuous Delivery
Understanding DevOps in simpler way with Continuous Delivery
Swapnil Jain
 
Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014
Stephen de Vries
 
DevOps Overview in my own words
DevOps Overview in my own wordsDevOps Overview in my own words
DevOps Overview in my own words
SUBHENDU KARMAKAR
 
Enterprise PHP
Enterprise PHPEnterprise PHP
Enterprise PHP
Mohammad Emran Hasan
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
Mohammed A. Imran
 
Bringing CD to the DoD
Bringing CD to the DoDBringing CD to the DoD
Bringing CD to the DoD
Gene Gotimer
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
Dev ops != Dev+Ops
Dev ops != Dev+OpsDev ops != Dev+Ops
Dev ops != Dev+Ops
Shalu Ahuja
 
Software architecture in a DevOps world
Software architecture in a DevOps worldSoftware architecture in a DevOps world
Software architecture in a DevOps world
Bert Jan Schrijver
 
First Steps to DevOps
First Steps to DevOpsFirst Steps to DevOps
First Steps to DevOps
Inductive Automation
 
The Continuous delivery value - Funaro
The Continuous delivery value - FunaroThe Continuous delivery value - Funaro
The Continuous delivery value - Funaro
Codemotion
 
The Continuous delivery Value @ codemotion 2014
The Continuous delivery Value @ codemotion 2014The Continuous delivery Value @ codemotion 2014
The Continuous delivery Value @ codemotion 2014
David Funaro
 
Load Testing using Continuous Integration tools
Load Testing using Continuous Integration toolsLoad Testing using Continuous Integration tools
Load Testing using Continuous Integration tools
Rick Pitts
 
DevOps is a Journey - Choose Your Own Adventure
DevOps is a Journey - Choose Your Own AdventureDevOps is a Journey - Choose Your Own Adventure
DevOps is a Journey - Choose Your Own Adventure
Fabian Iannarella
 
Agile, DevOps & Test
Agile, DevOps & TestAgile, DevOps & Test
Agile, DevOps & Test
Qualitest
 
Continuous everything
Continuous everythingContinuous everything
Continuous everything
TEST Huddle
 

Similar to Security Implications for a DevOps Transformation (20)

DevOps Roadmap.pptx
DevOps Roadmap.pptxDevOps Roadmap.pptx
DevOps Roadmap.pptx
 
Dev ops
Dev opsDev ops
Dev ops
 
DevTestOps
DevTestOpsDevTestOps
DevTestOps
 
DevOps overview 2019-04-13 Nelkinda April Meetup
DevOps overview 2019-04-13 Nelkinda April MeetupDevOps overview 2019-04-13 Nelkinda April Meetup
DevOps overview 2019-04-13 Nelkinda April Meetup
 
Understanding DevOps in simpler way with Continuous Delivery
Understanding DevOps in simpler way with Continuous DeliveryUnderstanding DevOps in simpler way with Continuous Delivery
Understanding DevOps in simpler way with Continuous Delivery
 
Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014
 
DevOps Overview in my own words
DevOps Overview in my own wordsDevOps Overview in my own words
DevOps Overview in my own words
 
Enterprise PHP
Enterprise PHPEnterprise PHP
Enterprise PHP
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
 
Bringing CD to the DoD
Bringing CD to the DoDBringing CD to the DoD
Bringing CD to the DoD
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
Dev ops != Dev+Ops
Dev ops != Dev+OpsDev ops != Dev+Ops
Dev ops != Dev+Ops
 
Software architecture in a DevOps world
Software architecture in a DevOps worldSoftware architecture in a DevOps world
Software architecture in a DevOps world
 
First Steps to DevOps
First Steps to DevOpsFirst Steps to DevOps
First Steps to DevOps
 
The Continuous delivery value - Funaro
The Continuous delivery value - FunaroThe Continuous delivery value - Funaro
The Continuous delivery value - Funaro
 
The Continuous delivery Value @ codemotion 2014
The Continuous delivery Value @ codemotion 2014The Continuous delivery Value @ codemotion 2014
The Continuous delivery Value @ codemotion 2014
 
Load Testing using Continuous Integration tools
Load Testing using Continuous Integration toolsLoad Testing using Continuous Integration tools
Load Testing using Continuous Integration tools
 
DevOps is a Journey - Choose Your Own Adventure
DevOps is a Journey - Choose Your Own AdventureDevOps is a Journey - Choose Your Own Adventure
DevOps is a Journey - Choose Your Own Adventure
 
Agile, DevOps & Test
Agile, DevOps & TestAgile, DevOps & Test
Agile, DevOps & Test
 
Continuous everything
Continuous everythingContinuous everything
Continuous everything
 

More from Deborah Schalm

Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...
Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...
Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...
Deborah Schalm
 
Discovering Dark Debt in your Culture
Discovering Dark Debt in your CultureDiscovering Dark Debt in your Culture
Discovering Dark Debt in your Culture
Deborah Schalm
 
A Discussion of Automated Infrastructure Security with a Practical Example
A Discussion of Automated Infrastructure Security with a Practical ExampleA Discussion of Automated Infrastructure Security with a Practical Example
A Discussion of Automated Infrastructure Security with a Practical Example
Deborah Schalm
 
Protect Your Organization Against Known Security Defects
Protect Your Organization Against Known Security DefectsProtect Your Organization Against Known Security Defects
Protect Your Organization Against Known Security Defects
Deborah Schalm
 
Putting the Ops in DevOps
Putting the Ops in DevOpsPutting the Ops in DevOps
Putting the Ops in DevOps
Deborah Schalm
 
Machine Learning to Turbo-Charge the Ops Portion of DevOps
Machine Learning to Turbo-Charge the Ops Portion of DevOpsMachine Learning to Turbo-Charge the Ops Portion of DevOps
Machine Learning to Turbo-Charge the Ops Portion of DevOps
Deborah Schalm
 
Post-Equifax: How to Trust But Verify Your Software Supply Chain
Post-Equifax: How to Trust But Verify Your Software Supply ChainPost-Equifax: How to Trust But Verify Your Software Supply Chain
Post-Equifax: How to Trust But Verify Your Software Supply Chain
Deborah Schalm
 
30 Minutes to a Private Cloud
30 Minutes to a Private Cloud30 Minutes to a Private Cloud
30 Minutes to a Private Cloud
Deborah Schalm
 
Taking DevOps Monitoring to the Next Level - The 5 Step Guide to Monitoring N...
Taking DevOps Monitoring to the Next Level - The 5 Step Guide to Monitoring N...Taking DevOps Monitoring to the Next Level - The 5 Step Guide to Monitoring N...
Taking DevOps Monitoring to the Next Level - The 5 Step Guide to Monitoring N...
Deborah Schalm
 
Top 5 Considerations for Operating a Kubernetes Environment at Scale
Top 5 Considerations for Operating a Kubernetes Environment at ScaleTop 5 Considerations for Operating a Kubernetes Environment at Scale
Top 5 Considerations for Operating a Kubernetes Environment at Scale
Deborah Schalm
 
Is a Monolith Standing in the Way of Your Digital Transformation? Refactor fo...
Is a Monolith Standing in the Way of Your Digital Transformation? Refactor fo...Is a Monolith Standing in the Way of Your Digital Transformation? Refactor fo...
Is a Monolith Standing in the Way of Your Digital Transformation? Refactor fo...
Deborah Schalm
 
EMA: Ten Priorities for Hybrid Cloud, Containers and DevOps in 2017
EMA: Ten Priorities for Hybrid Cloud, Containers and DevOps in 2017EMA: Ten Priorities for Hybrid Cloud, Containers and DevOps in 2017
EMA: Ten Priorities for Hybrid Cloud, Containers and DevOps in 2017
Deborah Schalm
 
Application Discovery! The Gift That Keeps on Giving
Application Discovery! The Gift That Keeps on GivingApplication Discovery! The Gift That Keeps on Giving
Application Discovery! The Gift That Keeps on Giving
Deborah Schalm
 
Top 5 Challenges in Scaling DevOps in Brownfield Environments
Top 5 Challenges in Scaling DevOps in Brownfield EnvironmentsTop 5 Challenges in Scaling DevOps in Brownfield Environments
Top 5 Challenges in Scaling DevOps in Brownfield Environments
Deborah Schalm
 
The Coming Earthquake in WebSphere Application Server Configuration Management
The Coming Earthquake in WebSphere Application Server Configuration ManagementThe Coming Earthquake in WebSphere Application Server Configuration Management
The Coming Earthquake in WebSphere Application Server Configuration Management
Deborah Schalm
 
Planet of the APIs: Monitoring Transactions in the Wild
Planet of the APIs: Monitoring Transactions in the WildPlanet of the APIs: Monitoring Transactions in the Wild
Planet of the APIs: Monitoring Transactions in the Wild
Deborah Schalm
 
Get Loose! Microservices and Loosely Coupled Architectures
Get Loose! Microservices and Loosely Coupled ArchitecturesGet Loose! Microservices and Loosely Coupled Architectures
Get Loose! Microservices and Loosely Coupled Architectures
Deborah Schalm
 
Proactive Monitoring: Playing Offense for the Win
Proactive Monitoring: Playing Offense for the WinProactive Monitoring: Playing Offense for the Win
Proactive Monitoring: Playing Offense for the Win
Deborah Schalm
 
No Tool is an Island: Building DevOps into your business
No Tool is an Island: Building DevOps into your businessNo Tool is an Island: Building DevOps into your business
No Tool is an Island: Building DevOps into your business
Deborah Schalm
 
Scale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBeesScale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBees
Deborah Schalm
 

More from Deborah Schalm (20)

Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...
Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...
Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...
 
Discovering Dark Debt in your Culture
Discovering Dark Debt in your CultureDiscovering Dark Debt in your Culture
Discovering Dark Debt in your Culture
 
A Discussion of Automated Infrastructure Security with a Practical Example
A Discussion of Automated Infrastructure Security with a Practical ExampleA Discussion of Automated Infrastructure Security with a Practical Example
A Discussion of Automated Infrastructure Security with a Practical Example
 
Protect Your Organization Against Known Security Defects
Protect Your Organization Against Known Security DefectsProtect Your Organization Against Known Security Defects
Protect Your Organization Against Known Security Defects
 
Putting the Ops in DevOps
Putting the Ops in DevOpsPutting the Ops in DevOps
Putting the Ops in DevOps
 
Machine Learning to Turbo-Charge the Ops Portion of DevOps
Machine Learning to Turbo-Charge the Ops Portion of DevOpsMachine Learning to Turbo-Charge the Ops Portion of DevOps
Machine Learning to Turbo-Charge the Ops Portion of DevOps
 
Post-Equifax: How to Trust But Verify Your Software Supply Chain
Post-Equifax: How to Trust But Verify Your Software Supply ChainPost-Equifax: How to Trust But Verify Your Software Supply Chain
Post-Equifax: How to Trust But Verify Your Software Supply Chain
 
30 Minutes to a Private Cloud
30 Minutes to a Private Cloud30 Minutes to a Private Cloud
30 Minutes to a Private Cloud
 
Taking DevOps Monitoring to the Next Level - The 5 Step Guide to Monitoring N...
Taking DevOps Monitoring to the Next Level - The 5 Step Guide to Monitoring N...Taking DevOps Monitoring to the Next Level - The 5 Step Guide to Monitoring N...
Taking DevOps Monitoring to the Next Level - The 5 Step Guide to Monitoring N...
 
Top 5 Considerations for Operating a Kubernetes Environment at Scale
Top 5 Considerations for Operating a Kubernetes Environment at ScaleTop 5 Considerations for Operating a Kubernetes Environment at Scale
Top 5 Considerations for Operating a Kubernetes Environment at Scale
 
Is a Monolith Standing in the Way of Your Digital Transformation? Refactor fo...
Is a Monolith Standing in the Way of Your Digital Transformation? Refactor fo...Is a Monolith Standing in the Way of Your Digital Transformation? Refactor fo...
Is a Monolith Standing in the Way of Your Digital Transformation? Refactor fo...
 
EMA: Ten Priorities for Hybrid Cloud, Containers and DevOps in 2017
EMA: Ten Priorities for Hybrid Cloud, Containers and DevOps in 2017EMA: Ten Priorities for Hybrid Cloud, Containers and DevOps in 2017
EMA: Ten Priorities for Hybrid Cloud, Containers and DevOps in 2017
 
Application Discovery! The Gift That Keeps on Giving
Application Discovery! The Gift That Keeps on GivingApplication Discovery! The Gift That Keeps on Giving
Application Discovery! The Gift That Keeps on Giving
 
Top 5 Challenges in Scaling DevOps in Brownfield Environments
Top 5 Challenges in Scaling DevOps in Brownfield EnvironmentsTop 5 Challenges in Scaling DevOps in Brownfield Environments
Top 5 Challenges in Scaling DevOps in Brownfield Environments
 
The Coming Earthquake in WebSphere Application Server Configuration Management
The Coming Earthquake in WebSphere Application Server Configuration ManagementThe Coming Earthquake in WebSphere Application Server Configuration Management
The Coming Earthquake in WebSphere Application Server Configuration Management
 
Planet of the APIs: Monitoring Transactions in the Wild
Planet of the APIs: Monitoring Transactions in the WildPlanet of the APIs: Monitoring Transactions in the Wild
Planet of the APIs: Monitoring Transactions in the Wild
 
Get Loose! Microservices and Loosely Coupled Architectures
Get Loose! Microservices and Loosely Coupled ArchitecturesGet Loose! Microservices and Loosely Coupled Architectures
Get Loose! Microservices and Loosely Coupled Architectures
 
Proactive Monitoring: Playing Offense for the Win
Proactive Monitoring: Playing Offense for the WinProactive Monitoring: Playing Offense for the Win
Proactive Monitoring: Playing Offense for the Win
 
No Tool is an Island: Building DevOps into your business
No Tool is an Island: Building DevOps into your businessNo Tool is an Island: Building DevOps into your business
No Tool is an Island: Building DevOps into your business
 
Scale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBeesScale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBees
 

Recently uploaded

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
Tier1 app
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
Google
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
vrstrong314
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
AMB-Review
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
Philip Schwarz
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 

Recently uploaded (20)

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 

Security Implications for a DevOps Transformation

  • 1. Security Implications of a DevOps transformation
  • 2. Greg Sarjeant - Puppet - Manager of Professional Services - 20 Years in IT - Puppet user since 2012
  • 3. Agenda ● Overview ● Technical baseline ● Implications for security Practical DevOps
  • 4. Overview What do we mean by DevOps? Practical DevOps
  • 5. Most DevOps conversation is loosely defined ● What DevOps isn’t ● Value proposition ● High-level characteristics — Fewer silos — Common tools — Tech closer to customers Practical DevOps
  • 6. This makes it hard to quantify What are the impacts on security?
  • 8. Disclaimer: None of the examples in this presentation are endorsements
  • 9. Technical Foundation How did we get here? Practical DevOps
  • 11. Proposal Five Key Components ● Version Control ● Package Management ● Automated Testing ● Continuous Integration ● Infrastructure as Code Practical DevOps
  • 12. Let’s start a company Keep it simple ● Get a host ● Install web server ● Write the app Practical DevOps
  • 13. Initial development workflow ● Log on to production server ● Write the webpage Practical DevOps
  • 14. Wait, there’s more than one language? Practical DevOps
  • 15. Time for reinforcements Harry Hello Can say “Hello” in 57 languages Wendy World Can say “World” in 62 languages Practical DevOps
  • 16. Complication 1: Collaboration ● Who owns the file? ● Is someone else editing it? ● How do I request a change? ● What changed last? Practical DevOps
  • 17. Improvement 1: Version Control Authoritative source for application code ● File history ● Change tracking ● Conflict resolution ● Version rollback Practical DevOps
  • 18. Version Control: Security Implications ● Attack vector ● Access controls — View code — Commit code ● Sensitive data Practical DevOps
  • 19. Revised workflow ● Commit files to git repository ● Log in to prod ● Check files out Practical DevOps
  • 20. Complication 2: Distribution ● No validation ● No dependencies ● Version management ● Dev tools on Prod servers Practical DevOps
  • 21. Improvement 2: Package Management Atomic collections of related files ● Metadata ● Standard inspection tools ● Programmatic deployment tools ● Pre- and post- install tasks ● Uninstall/rollback functionality Practical DevOps
  • 22. Package Management: Security Implications ● Installation is generally trusted ● Validate package integrity — MD5 sums Practical DevOps
  • 23. Revised workflow ● Commit files to git repository ● Build package ● Log in to prod ● Install package Practical DevOps
  • 24. Time to make the magic happen Let’s ship this thing…
  • 26. Let’s build a test server! Practical DevOps How about “Harry”? What do we call it? Test Prod
  • 27. Complication 3: Validation Manual testing has weaknesses ● Slow: a person has to perform the steps ● Unreliable: people miss steps ● Late: can’t happen until after deployment Practical DevOps Test Prod
  • 28. Improvement 3: Automated tests ● Fast ● Consistent ● Run early and often — Locally — On check-in — On deployment Practical DevOps
  • 29. Automated tests: Security Implications ● Generally positive! ● Validate code, behavior ● Validate package contents Practical DevOps
  • 30. Revised workflow ● Commit to git repository ● Invoke tests ● Build package ● Invoke tests ● Deploy to test ● Invoke tests ● Deploy to prod ● Invoke tests Practical DevOps Test Prod Tests Pass
  • 32. Complication 4: Orchestration We’re just telling the computers what to do ● Manage code ● Run tests ● Build packages ● Deploy packages Practical DevOps
  • 33. Improvement 4: Continuous Integration Continuous Integration Servers ● Define jobs ● Run tests ● Build packages ● Deploy apps ● Run jobs on target servers ● Chain jobs together ● Stop execution if a job fails Practical DevOps
  • 34. Continuous Integration: Security Implications ● Single point of entry to infrastructure ● Elevated access to managed servers ● Arbitrary job execution Practical DevOps
  • 35. All the pieces are in place Practical DevOps Test Prod I’ll take it from here
  • 36. The test server just failed Somebody call the sysadmin!
  • 37. Here I come to save the day Practical DevOps
  • 38. Complication 5: Systems administration Practical DevOps
  • 39. Progressively smaller anchors ● Run books ● Pile of shell scripts ● Golden images ● VM templates Practical DevOps
  • 40. Improvement 5: Infrastructure as code ● Rewrite configuration instructions ● Interpreted by computers ● Managed identically to app code Practical DevOps
  • 41. Infrastructure as code: Security implications ● Agents run as root on all servers ● Code is generally trusted ● Wide-ranging abilities — Package installation — Service reconfiguration — Arbitrary script execution ● Runs unattended Practical DevOps
  • 42. Sysadmins join the pipeline Practical DevOps Test Prod
  • 43. DevOps The directed use of automation to build a common workflow for developers and operations DevOps The directed use of automation to build a common workflow for developers and operations
  • 44. But what about all those security questions?
  • 45. Implications: Security Are DevOps and security mutually exclusive? Practical DevOps
  • 46. There is a perception that DevOps is incompatible with strong security.
  • 47. We feed this perception ● Emphasize trust over verification ● Purist mentality — If it interferes with efficiency, it’s not DevOps ● Security is an afterthought – deal with it in Production Practical DevOps Is security the new ops?
  • 49. Security concerns ● Financial protection ● Intellectual property ● Customer data Practical DevOps Compromises are costly and on the rise
  • 50. Requirements of security organizations ● Rigor — Minimize opportunities to introduce vulnerabilities ● Visibility — Understand what has changed, so that effects can be evaluated ● Responsiveness — When a vulnerability is identified, remediate it as quickly as possible Practical DevOps
  • 52. DevOps Strength: Collaboration ● Dev and Ops teams working together is a huge benefit ● Security often gets left out ● Stop throwing over the wall to ops, keep throwing over the wall to security Practical DevOps
  • 53. DevOps Strength: Automation ● Fewer eyes and minds on the code ● Less consideration of concerns outside of direct application functionality — We’re only validating what we test Practical DevOps
  • 54. DevOps Strength: Speed ● More changes introduced to production more frequently ● Less time to measure the impact of a change ● Often making updates before previous changes have been validated Practical DevOps
  • 55. These aren’t fundamental flaws We’ve just been insufficiently inclusive
  • 56. Collaboration: Include Security ● Design for security ● Assess security implications of changes in tickets ● Incorporate security patches into the delivery pipeline Practical DevOps
  • 57. Automation: Automate tests and validation ● Trigger vulnerability scans on deploy to test — This can be expensive — Tie to deployment schedule, but leave time for remediation ● Build tests for security — System configuration — Package versions — Input validation ● Incorporate monitoring, logging — Install and configure servers and agents — Detect, repor, and alertt on anomalous behavior Practical DevOps
  • 58. Speed: Accelerate remediation ● Use delivery pipeline to push OS patches to production ● Update, test, and deploy custom applications more quickly ● Use monitoring and logging to identify vulnerabilities and anomalous behavior more quickly Practical DevOps
  • 59. Use the pipeline to our advantage Practical DevOps Test Prod

Editor's Notes

  1. Introduce yourself
  2. When you’re learning something new, you don’t dive in at the end – you start at the beginning. So let’s take that approach to familiarizing ourselves with DevOps. We’ll take the case of a new startup, and build to a DevOps toolchain as we encounter – and solve – the common problems in a software development process.
  3. This is by design
  4. We need a more concrete frame of reference in order to assess operational impacts of a DevOps transformation.
  5. Peopleoften talk about a DevOps Toolchain, and present it like this. There’s an awful lot going on here, and this can only overwhelm people who don’t have a clear conception of DevOps. Fundamentally, DevOps can be best understood as the latest step in a series of improvements to the way that IT organizations write software and deliver it to servers. By placing DevOps on a continuum in this way, we can give it context and define a company’s “DevOps transformation” in terms of the larger technological transformations that have led us to DevOps. Let’s strip away all this complexity now and get back to basics.
  6. Okay, so how did we get here?
  7. When you’re learning something new, you don’t dive in at the end – you start at the beginning. So let’s take that approach to familiarizing ourselves with DevOps. We’ll take the case of a new startup, and build to a DevOps toolchain as we encounter – and solve – the common problems in a software development process.
  8. When we’re just getting started, building our application is pretty easy.
  9. When we’re just getting started, building our application is pretty easy.
  10. It’s almost not worth calling it a workflow at this point. I’m just logging on to my single server and writing the webpage live. Easy-peasy.
  11. Inevitably, when we go live we discover complications. In this case, we can’t very well say “Hello, world!” to the world if we only say it in English. Looks like we need to do some more work. But I can’t keep up with this. I’m not a language expert and I don’t have the time to go around looking up translations while doing the business of running my incredibly popular website. Let’s hire some developers.
  12. So we hire some developers to handle the increasing demand for features.
  13. Now that we have two people, our initial approach is already starting to break down. We need a more effective way to collaborate so we aren’t endlessly stepping on each other’s toes or spending lots of time trying to figure out what’s changed and who did what. It’s a pain for people to keep track of all this
  14. This is where a good version control system excels. It facilitates collaboration by handling all of the bookkeeping (change tracking, versioning, conflict resolution), and freeing the developers to focus more on writing code.
  15. This is still mostly a manual process, and has some weaknesses. There’s no validation that I’m checking out the right thing, or putting it in the right place with the right permissions. I can’t manage dependencies. I need knowledge of the underlying VCS structure in order to manage versions. Some orgs have restrictions against having dev tools (such as VCS clients) on production systems. Ask: How can we solve this one?
  16. With a version control server in place, we can make our first revision to the workflow. Now, instead of making changes directly on the production server, we commit our changes to the version control server and then check out the new files on the production server.
  17. This is still mostly a manual process, and has some weaknesses. There’s no validation that I’m checking out the right thing, or putting it in the right place with the right permissions. I can’t manage dependencies. I need knowledge of the underlying VCS structure in order to manage versions. Some orgs have restrictions against having dev tools (such as VCS clients) on production systems. Ask: How can we solve this one?
  18. We can overcome most of these limitations by introducing package management. Instead of copying files directly to our destination server, we can bundle them into a single, atomic package that contains metatdata (version info, installation location, dependencies) and provides facilities for automated installation and uninstallation activities.
  19. This is still mostly a manual process, and has some weaknesses. There’s no validation that I’m checking out the right thing, or putting it in the right place with the right permissions. I can’t manage dependencies. I need knowledge of the underlying VCS structure in order to manage versions. Some orgs have restrictions against having dev tools (such as VCS clients) on production systems. Ask: How can we solve this one?
  20. Now we revise our workflow further. After checking the latest version of code, we build a package that contains all of the files. We then deploy that single package to the server, rather than copying a lot of files. This results in deployments that are faster, more reproducible, and more reliable than was previously possible.
  21. ThinWe now have effective collaboaration and easy deployments. We can get our multi-lingual greeting site out to the people. Let’s do it.
  22. Whoops. Automation without validation just gets bugs to production faster.
  23. The most straightforward way to validate our code’s quality is to set up a test server, and deploy to it first before we deploy to production. That allows us to validate the test application before it hits production.
  24. This helps, but our test process has the same weaknesses that all manual processes share. They are slow and unreliable. People aren’t as good at repetitive, systematic tasks like validation as machines are. This testing also happens late. By the time we run the first test, we’ve already committed the code to version control, built a package, and deployed it to one environment. That’s a lot of work when we have no idea whether the code is any good. It would be better to catch the problems earlier.
  25. If we can come up with a way to allow the computer to do our tests, then we gain all the benefits of automation. Because of this, people have written a variety of automated testing frameworks that do just that. Once we’ve automated our tests, it’s easier to apply them earlier (and more frequently) in the lifecycle.
  26. If we can come up with a way to allow the computer to do our tests, then we gain all the benefits of automation. Because of this, people have written a variety of automated testing frameworks that do just that. Once we’ve automated our tests, it’s easier to apply them earlier (and more frequently) in the lifecycle.
  27. So now we revise the workflow again. Rather that a single, monolithic, manual test late in the process, we inject a series of automated tests throughout. This gets the tests dome more quickly and helps to ensure the quality of the code at each step of the process. Remember, this is iterative.
  28. Now, computers are doing the bulk of our work for us. They track the versions of the code, run tests on the code, bundle it into packages, deploy it to our servers. Outside of writing the code, just about the only thing that people are doing is telling the computers what to do and when. Turns out we can offload that to computers, too.
  29. Continuous Integration servers, at their root, are job execution engines. They can monitor entities (like a VCS repo) and kick off jobs in response to events, or they can be made to kick jobs off by invoking an API. The jobs can be invoked on any servers to which the CI server has access (generally via SSH or an installed agent). This gives us a way to let the computers. Jobs can be chained to other jobs, creating what is commonly known as a “pipeline.” You can even define workflow and reporting logic, so a pipeline run can be stopped and the proper people notified automatically if a job fails. This allows us to take still more work out of the hands of people and transfer it to a machine.
  30. If we can come up with a way to allow the computer to do our tests, then we gain all the benefits of automation. Because of this, people have written a variety of automated testing frameworks that do just that. Once we’ve automated our tests, it’s easier to apply them earlier (and more frequently) in the lifecycle.
  31. Now we’ve automated all of the steps of the development process that lend themselves to automation. Our developers can focus solely on writing code, and as soon as they check something in, our automated workflow kicks in and does the rest. We’ve attained nirvana…
  32. …almost. Things always fail, and usually at the worst time. We’ve got a great app development and delivery process, but what happens when a piece of the infrastructure breaks?
  33. We call in the sysadmin, of course. And this is where agile dreams have been dashed for decades. For a surprisingly long time, there was no good way to write the instructions for (re)building a server in a way that a computer could interpret. Instead, sysadmins operated from memory or from giant runbooks (paper or electronic).
  34. We call in the sysadmin, of course. And this is where agile dreams have been dashed for decades. For a surprisingly long time, there was no good way to write the instructions for (re)building a server in a way that a computer could interpret. Instead, sysadmins operated from memory or from giant runbooks (paper or electronic).
  35. Over time, we created a series of progressively smaller anchors, but we almost always came back to the giant runbook. Sometimes a shell script would replace a paragraph or two, but we’d still have a line in our tome that said “and then run this script.” Golden images and VM snapshots removed some of the drift and repetition, but those starting points were still generally built by hand an then imaged. If anything in the underlying image needed to change, we made the change by had and rebuilt the image.
  36. What we really needed was the same thing the developers had all along: a way to rewrite the instructions that we followed for building a machine – that is, our runbook – in a way that allows a computer to interpret and act upon them. This breakthrough was infrastructure as code.
  37. Over time, we created a series of progressively smaller anchors, but we almost always came back to the giant runbook. Sometimes a shell script would replace a paragraph or two, but we’d still have a line in our tome that said “and then run this script.” Golden images and VM snapshots removed some of the drift and repetition, but those starting points were still generally built by hand an then imaged. If anything in the underlying image needed to change, we made the change by had and rebuilt the image.
  38. Once we have an implementation of infrastructure as code, we can apply all of the same tools that our developers have been using with such success to system configuration. This was the shift from agile development with an anchor to DevOps. It’s important to recognize that there is almost nothing new here – most of the technology and practice has existed for years in software development circles. The one thing that changed was the introduction of a way to express system configurations in a manner that allowed us to bring those software development practices to bear on system configuration management.
  39. Please don’t call it DevOpsSec But in a lot of ways, the DevOps community regards security orgs in a similar manner to ops in the past. We throw things over the wall for security to deal with later.
  40. Even if a compromise doesn’t cause direct harm in the form of IP theft or financial loss, the negative publicity associated with disclosure can cause significant harm.
  41. None of this is unreasonable. Though sometimes the processes to ensure them can be burdensome, the requirements themselves are sound.
  42. The very things that make DevOps so successful as a development methodolgy undermine the confidence of security organizations.
  43. Were you wondering when I’d get to the part where this is actually good for security?
  44. Each of the testing and CI points in the pipeline represents an opportunity to incorporate security. We can also extend this pipeline in order to incorporate automated logging and monitoring systems.