SlideShare a Scribd company logo

Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed

Download as PPTX, PDF
Gene Kim
Gene Kim

This document provides an overview of a presentation given by Joshua Corman and Gene Kim on the topics of security, DevOps, and Rugged DevOps. Some key points: - Joshua Corman is the director of security intelligence at Akamai Technologies and Gene Kim is a researcher and author known for his work on IT performance and DevOps. - They discuss how traditional security models are no longer effective due to increasing development speeds and how Rugged DevOps combines principles of DevOps and security. - Rugged DevOps focuses on operational discipline, situational awareness, and countermeasures to provide security in a way that does not hinder development workflows and speeds. - The presentation

TechnologyBusiness
1 of 94
Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed… Joshua Corman & Gene Kim Session ID: CLD-106 Session Classification: Intermediate
About Joshua Corman  Director of Security Intelligence for Akamai Technologies  Former Research Director, Enterprise Security [The 451 Group]  Former Principal Security Strategist [IBM ISS]  Industry:  Expert Faculty: The Institute for Applied Network Security (IANS)  2009 NetworkWorld Top 10 Tech People to Know  Co-Founder of “Rugged Software” www.ruggedsoftware.org  BLOG: www.cognitivedissidents.com  Things I’ve been researching:  Compliance vs Security  Disruptive Security for Disruptive Innovations  Chaotic Actors  Espionage  Security Metrics 2
About Gene Kim  Researcher, Author  Industry:  Invented and founded Tripwire, CTO (1997-2010)  Co-author: “Visible Ops Handbook”(2006), “Visible Ops Security” (2008)  Co-author: “When IT Fails: The Novel,” “The DevOps Cookbook” (Coming May 2012)  Things I’ve been researching:  Benchmarked 1300+ IT organizations to test effectiveness of IT controls vs. IT performance  DevOps, Rugged DevOps  Scoping PCI Cardholder Data Environment (#FAIL) 3
Agenda  Problem statement  What is DevOps?  What is Rugged?  What is Rugged DevOps?  Things you can do right away 4
Potentially Unfamiliar Words You Will See  Kanban  Andon cord  Sprints  Rugged  DevOps  Bottleneck  Systems thinking  Controls reliance 5
Problem Statement 6
Ludicrous Speed? 7
Ludicrous Speed 8
Ludicrous Speed! 9
Ludicrous Fail?! 10
What Is DevOps? 11
Source: John Allspaw
Source: John Allspaw
Source: John Allspaw
Source: John Allspaw
Source: Theo Schlossnagle
Source: Theo Schlossnagle
Source: Theo Schlossnagle
Source: John Jenkins, Amazon.com
High Performing IT Organizations  High performers maintain a posture of compliance  Fewest number of repeat audit findings  One-third amount of audit preparation effort  High performers find and fix security breaches faster  5 times more likely to detect breaches by automated control  5 times less likely to have breaches result in a loss event  When high performers implement changes…  14 times more changes  One-half the change failure rate  One-quarter the first fix failure rate  10x faster MTTR for Sev 1 outages  When high performers manage IT resources…  One-third the amount of unplanned work  8 times more projects and IT services  6 times more applications Source: IT Process Institute, 2008 Source: IT Process Institute, 2008
2007: Three Controls Predict 60% Of Performance  To what extent does an organization define, monitor and enforce the following?  Standardized configuration strategy  Process discipline  Controlled access to production systems Source: IT Process Institute, 2008
What Is Rugged? 23
Rugged Software Development Joshua Corman, David Rice, Jeff Williams 2010
RUGGED SOFTWARE
…so software not only needs to be…
FAST
AGILE
Are You Rugged?
HARSH
UNFRIENDLY
THE MANIFESTO
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
www.ruggedsoftware.org CrossTalk http://www.crosstalkonline.org/issues/marchapril-2011.html
What Is Rugged DevOps? 39
Source: James Wickett
Source: James Wickett
Survival Guide/Pyramid www.ruggedsoftware.org Defensible Infrastructure
Survival Guide/Pyramid Operational Discipline Defensible Infrastructure
Survival Guide/Pyramid Situational Awareness Operational Discipline Defensible Infrastructure
Survival Guide/Pyramid Countermeasures Situational Awareness Operational Discipline Defensible Infrastructure
Zombie Proof Housing http://all-that-is-interesting.com/post/4956385434/the-first-zombie-proof-house Countermeasure s Situational Awareness Operational Discipline Defensible Infrastructure
Zombie Proof Housing http://all-that-is-interesting.com/post/4956385434/the-first-zombie-proof-house Countermeasure s Situational Awareness Operational Discipline Defensible Infrastructure
Zombie Proof Housing http://all-that-is-interesting.com/post/4956385434/the-first-zombie-proof-house Countermeasure s Situational Awareness Operational Discipline Defensible Infrastructure
Zombie Proof Housing http://all-that-is-interesting.com/post/4956385434/the-first-zombie-proof-house Countermeasure s Situational Awareness Operational Discipline Defensible Infrastructure
Zombie Proof Housing http://all-that-is-interesting.com/post/4956385434/the-first-zombie-proof-house Countermeasure s Situational Awareness Operational Discipline Defensible Infrastructure
Zombie Proof Housing http://all-that-is-interesting.com/post/4956385434/the-first-zombie-proof-house Countermeasure s Situational Awareness Operational Discipline Defensible Infrastructure
Zombie Proof Housing http://all-that-is-interesting.com/post/4956385434/the-first-zombie-proof-house Countermeasure s Situational Awareness Operational Discipline Defensible Infrastructure
Source: James Wickett
DevOps: It’s A Real Movement  I would never do another startup that didn’t employ DevOps like principles  It’s not just startups – it’s happening in the enterprise and in public sector, too  I believe working in DevOps environments will be a necessary skillset 5 years from now
How Do You Do Rugged DevOps? 57
The Prescriptive DevOps Cookbook  “DevOps Cookbook” Authors  Patrick DeBois, Mike Orzen, John Willis  Goals  Codify how to start and finish DevOps transformations  How does Development, IT Operations and Infosec become dependable partners  Describe in detail how to replicate the transformations describe in “When IT Fails: The Novel”
Arc 1: Decrease Cycle Time Of Releases  Create determinism in the release process  Move packaging responsibility to development  Release early and often  Decrease cycle time  Reduce deployment times from 6 hours to 45 minutes  Refactor deployment process that had 1300+ steps spanning 4 weeks  Never again “fix forward,” instead “roll back,” escalating any deviation from plan to Dev  Ensure environments are properly built before deployment begins  Control code and environments down the preproduction runways  Hold Dev, QA, Int, and Staging owners accountable for integrity
Arc 2: Increase Production Resilience  To preserve and increase throughput, elevate preventive projects and maintenance tasks  Document all work, changes and outcomes so that it is repeatable  Protect the flow of planned work (e.g., tickets bouncing around for weeks, causing features to slip into next sprint)  Ops builds Agile standardized deployment stories  Maintains adequate situational awareness so that incidents could be quickly detected and corrected  Standardize unplanned work and escalations  Continually seek to eradicate unplanned work and increase throughput
Arc 3: Remove Complexity, Attack Surface And Waste  Elective complexity adds to technical debt  Infosec (and everyone) wins when we take work out of the system  Understand where controls reliance is placed and what matters to the business 61
Meeting The DevOps Leadership Team  Typically led by Dev, QA, IT Operations and Product Management  Our ultimate goal is to add value at every step in the flow of work  See the end-to-end value flow  Shorten and amplify feedback loops  Help break silos (e.g., server, networking, database)
Definition: Agile Sprints  The basic unit of development in Agile Scrums, typically between one week and one month  At the end of each sprint, team should have potentially deliverable product Aha Moment: shipping product implies not just code – it’s the environment, too! 63
Help Dev And Ops Build Code And Environments  Dev and Ops work together in Sprint 0 and 1 to create code and environments  Create environment that Dev deploys into  Create downstream environments: QA, Staging, Production  Create testable migration procedures from Dev all the way to production  Integrate Infosec and QA into daily sprint activities
Definition: Andon Cord 65
Integrate Ops Into Dev  Embed Ops person into Dev structure  Describes non-functional requirements, use cases and stories from Ops  Responsible for improving “quality at the source” (e.g., reducing technical debt, fix known problems, etc.)  Has special responsibility for pulling the Andon cord
Integrate Dev Into Ops  MobBrowser case study: “Waking up developers at 3am is a great feedback loop: defects get fixed very quickly”  Goal is to get Dev closer to the customer  Infosec can help determine when it’s too close (and when SOD is a requirement)
Keep Shrinking Batch Sizes  Waterfall projects often have cycle time of one year  Sprints have cycle time of 1 or 2 weeks  When IT Operations work is sufficiently fast and cheap, we may decide to decouple deployments from sprint boundaries (e.g., Kanbans)
Definition: Kanban Board  Signaling tool to reduce WIP and increase flow 69
IT Operations Increases Process Rigor  Standardize deployment  Standardize unplanned work: make it repeatable  Modify first response: ensure constrained resources have all data at hand to diagnose  Elevate preventive activities to reduce incidents
Help Development…  Help them see downstream effects  Unplanned work comes at the expense of planned work  Technical debt retards feature throughput  Environment matters as much as the code  Allocate time for fault modeling, asking “what could go wrong?” and implementing countermeasures
Help QA…  Ensure test plans cover not only code functionality, but also:  Suitability of the environment the code runs in  The end-to-end deployment process  Help find variance…  Functionality, performance, configuration  Duration, wait time and handoff errors, rework, …
Help IT Operations…  “The best way to avoid failure is to fail constantly”  Harden the production environment  Have scheduled drills to “crash the data center”  Create your “chaos monkeys” to introduce faults into the system (e.g., randomly kill processes, take out servers, etc.)  Rehearse and improve responding to unplanned work  NetFlix: Hardened AWS service  StackOverflow  Amazon firedrills (Jesse Allspaw)  The Monkey (Mac)
You Don’t Choose Chaos Monkey… Chaos Monkey Chooses You
Help Product Management… Lesson: Allocate 20% of Dev cycles to paying down technical debt
What Does Rugged DevOps Feel Like? 76
Case Studies And Early Indicators  Almost every major Internet online services company  VERACODE Rapid SaaS Fix Blog Post  http://www.veracode.com/blog/2012/01/vulnerability- response-done-right/  Pervasive Monitoring  Analytics at LinkedIn viewed by CEO daily: LinkedIn Engineering: “The Birth Of inGraphs: Eric The Intern”
Applying RuggedDevOps 80
Things To Put Into Practice Tomorrow  Identify your Dev/Ops/QA/PM counterparts  Discuss your mutual interdependence and shared objectives  Harden and instrument the production builds  Integrate automated security testing into the build and deploy mechanisms  Create your Evil/Hostile/Fuzzy Chaos Monkey  Cover your untested branches  Enforce the 20% allocation of Dev cycles to non- functional requirement
Resources  From the IT Process Institute www.itpi.org  Both Visible Ops Handbooks  ITPI IT Controls Performance Study  Rugged Software by Corman, et al: http://ruggedsoftware.org  “Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation” by Humble, Farley  Follow us…  @JoshCorman, @RealGeneKim  mailto:genek@realgenekim.me  http://realgenekim.me/blog
Interested In “The DevOps Cookbook?” Give Gene your business card, and get exclusive access to the first 100 pages of "When IT Fails: The Novel" and "The DevOps Cookbook" for free We’ll send it to you as soon as it’s ready!
Thank You 84
Appendix 85
Common Traits of High Performers Culture of… Change management  Integration of IT operations/security via problem/change management  Processes that serve both organizational needs and business objectives  Highest rate of effective change Causality  Highest service levels (MTTR, MTBF)  Highest first fix rate (unneeded rework) Compliance and continual reduction of operational variance  Production configurations  Highest level of pre-production staffing  Effective pre-production controls  Effective pairing of preventive and detective controls Source: IT Process Institute
Visible Ops: Playbook of High Performers  The IT Process Institute has been studying high-performing organizations since 1999  What is common to all the high performers?  What is different between them and average and low performers?  How did they become great?  Answers have been codified in the Visible Ops Methodology  The “Visible Ops Handbook” is available from the ITPI www.ITPI.org
What These Breakthroughs Look Like
A Reframed IT Operations Problem Statement  Increase flow from Dev to Production  Increase throughput  Decrease WIP  Our goal is to create a system of operations that allows  Planned work to quickly move to production  Ensure service is quickly restored when things go wrong  Information security built in every stage of Development, Project Management, and IT Operations  How does this relate to Visible Ops?  We focused much on “unplanned work”  What’s happening to all the planned work?  At any given time, what should IT Ops be working on?  Now we are focusing on the flow of planned work
How To Reduce The Transformation Activation Energy
Framing The Moral Crusade
By The Visible Ops Team: Gene Kim, Kevin Behr, George Spafford
The Theory of Constraints Approach To Visible Ops  Dr. Goldratt wrote The Goal in 1984, describing Alex’s challenge to fix his plant’s cost and due date issues within 90 days  Some tenets that went against common wisdom:  Every flow of work has a constraint/bottleneck  Any improvement not made at the bottleneck is merely an illusion  Fallacy of cost accounting as operational management tool
Interested? If you’re interested in When IT Fails: The Novel or The DevOps Cookbook, signup for the list at http://whenitfails.org Or: # mail genek@realgenekim.me Subject: [ slides | research | list ]

Recommended

Achieving CI/CD with Kubernetes
Achieving CI/CD with KubernetesAchieving CI/CD with Kubernetes
Achieving CI/CD with Kubernetes
Ramit Surana
 
Speaker Recording Tips For Virtual DevOps Enterprise (And Why We're Pre-Recor...
Speaker Recording Tips For Virtual DevOps Enterprise (And Why We're Pre-Recor...Speaker Recording Tips For Virtual DevOps Enterprise (And Why We're Pre-Recor...
Speaker Recording Tips For Virtual DevOps Enterprise (And Why We're Pre-Recor...
Gene Kim
 
The Unicorn Project and The Five Ideals (Updated Dec 2019)
The Unicorn Project and The Five Ideals (Updated Dec 2019)The Unicorn Project and The Five Ideals (Updated Dec 2019)
The Unicorn Project and The Five Ideals (Updated Dec 2019)
Gene Kim
 
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report
Gene Kim
 
GitHub Universe: 2019: Exemplars, Laggards, and Hoarders A Data-driven Look a...
GitHub Universe: 2019: Exemplars, Laggards, and Hoarders A Data-driven Look a...GitHub Universe: 2019: Exemplars, Laggards, and Hoarders A Data-driven Look a...
GitHub Universe: 2019: Exemplars, Laggards, and Hoarders A Data-driven Look a...
Gene Kim
 
The Unicorn Project and The Five Ideals (older: see notes for newer version)
The Unicorn Project and The Five Ideals (older: see notes for newer version)The Unicorn Project and The Five Ideals (older: see notes for newer version)
The Unicorn Project and The Five Ideals (older: see notes for newer version)
Gene Kim
 
2019 Top Lessons Learned Since the Phoenix Project Was Released
2019 Top Lessons Learned Since the Phoenix Project Was Released2019 Top Lessons Learned Since the Phoenix Project Was Released
2019 Top Lessons Learned Since the Phoenix Project Was Released
Gene Kim
 
Leading A DevOps Transformation: Lessons Learned
Leading A DevOps Transformation: Lessons LearnedLeading A DevOps Transformation: Lessons Learned
Leading A DevOps Transformation: Lessons Learned
Gene Kim
 

Recommended

Achieving CI/CD with Kubernetes
Achieving CI/CD with KubernetesAchieving CI/CD with Kubernetes
Achieving CI/CD with Kubernetes
Ramit Surana
 
Speaker Recording Tips For Virtual DevOps Enterprise (And Why We're Pre-Recor...
Speaker Recording Tips For Virtual DevOps Enterprise (And Why We're Pre-Recor...Speaker Recording Tips For Virtual DevOps Enterprise (And Why We're Pre-Recor...
Speaker Recording Tips For Virtual DevOps Enterprise (And Why We're Pre-Recor...
Gene Kim
 
The Unicorn Project and The Five Ideals (Updated Dec 2019)
The Unicorn Project and The Five Ideals (Updated Dec 2019)The Unicorn Project and The Five Ideals (Updated Dec 2019)
The Unicorn Project and The Five Ideals (Updated Dec 2019)
Gene Kim
 
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report
Gene Kim
 
GitHub Universe: 2019: Exemplars, Laggards, and Hoarders A Data-driven Look a...
GitHub Universe: 2019: Exemplars, Laggards, and Hoarders A Data-driven Look a...GitHub Universe: 2019: Exemplars, Laggards, and Hoarders A Data-driven Look a...
GitHub Universe: 2019: Exemplars, Laggards, and Hoarders A Data-driven Look a...
Gene Kim
 
The Unicorn Project and The Five Ideals (older: see notes for newer version)
The Unicorn Project and The Five Ideals (older: see notes for newer version)The Unicorn Project and The Five Ideals (older: see notes for newer version)
The Unicorn Project and The Five Ideals (older: see notes for newer version)
Gene Kim
 
2019 Top Lessons Learned Since the Phoenix Project Was Released
2019 Top Lessons Learned Since the Phoenix Project Was Released2019 Top Lessons Learned Since the Phoenix Project Was Released
2019 Top Lessons Learned Since the Phoenix Project Was Released
Gene Kim
 
Leading A DevOps Transformation: Lessons Learned
Leading A DevOps Transformation: Lessons LearnedLeading A DevOps Transformation: Lessons Learned
Leading A DevOps Transformation: Lessons Learned
Gene Kim
 
Keeping The Auditor Away: DevOps Audit Compliance Case Studies
Keeping The Auditor Away: DevOps Audit Compliance Case StudiesKeeping The Auditor Away: DevOps Audit Compliance Case Studies
Keeping The Auditor Away: DevOps Audit Compliance Case Studies
Gene Kim
 
2014 State Of DevOps Findings! Velocity Conference
2014 State Of DevOps Findings! Velocity Conference2014 State Of DevOps Findings! Velocity Conference
2014 State Of DevOps Findings! Velocity Conference
Gene Kim
 
DevOps: Who Will Create $2.6 Trillion In Business Value Per Year?
DevOps: Who Will Create $2.6 Trillion In Business Value Per Year?DevOps: Who Will Create $2.6 Trillion In Business Value Per Year?
DevOps: Who Will Create $2.6 Trillion In Business Value Per Year?Gene Kim
 
2013 Velocity DevOps Metrics -- It's Not Just For WebOps Any More!
2013 Velocity DevOps Metrics -- It's Not Just For WebOps Any More!2013 Velocity DevOps Metrics -- It's Not Just For WebOps Any More!
2013 Velocity DevOps Metrics -- It's Not Just For WebOps Any More!
Gene Kim
 
How Can We Better Sell DevOps?
How Can We Better Sell DevOps?How Can We Better Sell DevOps?
How Can We Better Sell DevOps?Gene Kim
 
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology Orgs
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology OrgsWhy Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology Orgs
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology Orgs
Gene Kim
 
Kevin Behr: Integrating Controls and Process Improvement
Kevin Behr: Integrating Controls and Process ImprovementKevin Behr: Integrating Controls and Process Improvement
Kevin Behr: Integrating Controls and Process ImprovementGene Kim
 
SecureWorld - Communicating With Your CFO
SecureWorld - Communicating With Your CFOSecureWorld - Communicating With Your CFO
SecureWorld - Communicating With Your CFO
Gene Kim
 
2012 Velocity London: DevOps Patterns Distilled
2012 Velocity London: DevOps Patterns Distilled2012 Velocity London: DevOps Patterns Distilled
2012 Velocity London: DevOps Patterns Distilled
Gene Kim
 
PuppetConf2012GeneKim
PuppetConf2012GeneKimPuppetConf2012GeneKim
PuppetConf2012GeneKim
Gene Kim
 
United2012 Rugged DevOps Rocks
United2012 Rugged DevOps RocksUnited2012 Rugged DevOps Rocks
United2012 Rugged DevOps Rocks
Gene Kim
 
Infosec at Ludicrous Speeds - Rugged DevOps
Infosec at Ludicrous Speeds - Rugged DevOps Infosec at Ludicrous Speeds - Rugged DevOps
Infosec at Ludicrous Speeds - Rugged DevOps Gene Kim
 
When IT Fails The Business Fails...
When IT Fails The Business Fails...When IT Fails The Business Fails...
When IT Fails The Business Fails...
Gene Kim
 
Kim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev ops
Kim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev opsKim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev ops
Kim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev opsGene Kim
 
Kim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6a
Kim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6aKim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6a
Kim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6aGene Kim
 
2012 05 corp fin 1c
2012 05 corp fin 1c2012 05 corp fin 1c
2012 05 corp fin 1cGene Kim
 
SecureWorld Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6a
SecureWorld Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6aSecureWorld Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6a
SecureWorld Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6aGene Kim
 
ServiceNow ITIL at Ludicrous Speeds - Rugged DevOps
ServiceNow ITIL at Ludicrous Speeds - Rugged DevOpsServiceNow ITIL at Ludicrous Speeds - Rugged DevOps
ServiceNow ITIL at Ludicrous Speeds - Rugged DevOpsGene Kim
 
Winnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOpsWinnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOpsGene Kim
 
SecureWorld: Security is Dead, Rugged DevOps 1f
SecureWorld: Security is Dead, Rugged DevOps 1fSecureWorld: Security is Dead, Rugged DevOps 1f
SecureWorld: Security is Dead, Rugged DevOps 1fGene Kim
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 

More Related Content

More from Gene Kim

Keeping The Auditor Away: DevOps Audit Compliance Case Studies
Keeping The Auditor Away: DevOps Audit Compliance Case StudiesKeeping The Auditor Away: DevOps Audit Compliance Case Studies
Keeping The Auditor Away: DevOps Audit Compliance Case Studies
Gene Kim
 
2014 State Of DevOps Findings! Velocity Conference
2014 State Of DevOps Findings! Velocity Conference2014 State Of DevOps Findings! Velocity Conference
2014 State Of DevOps Findings! Velocity Conference
Gene Kim
 
DevOps: Who Will Create $2.6 Trillion In Business Value Per Year?
DevOps: Who Will Create $2.6 Trillion In Business Value Per Year?DevOps: Who Will Create $2.6 Trillion In Business Value Per Year?
DevOps: Who Will Create $2.6 Trillion In Business Value Per Year?Gene Kim
 
2013 Velocity DevOps Metrics -- It's Not Just For WebOps Any More!
2013 Velocity DevOps Metrics -- It's Not Just For WebOps Any More!2013 Velocity DevOps Metrics -- It's Not Just For WebOps Any More!
2013 Velocity DevOps Metrics -- It's Not Just For WebOps Any More!
Gene Kim
 
How Can We Better Sell DevOps?
How Can We Better Sell DevOps?How Can We Better Sell DevOps?
How Can We Better Sell DevOps?Gene Kim
 
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology Orgs
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology OrgsWhy Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology Orgs
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology Orgs
Gene Kim
 
Kevin Behr: Integrating Controls and Process Improvement
Kevin Behr: Integrating Controls and Process ImprovementKevin Behr: Integrating Controls and Process Improvement
Kevin Behr: Integrating Controls and Process ImprovementGene Kim
 
SecureWorld - Communicating With Your CFO
SecureWorld - Communicating With Your CFOSecureWorld - Communicating With Your CFO
SecureWorld - Communicating With Your CFO
Gene Kim
 
2012 Velocity London: DevOps Patterns Distilled
2012 Velocity London: DevOps Patterns Distilled2012 Velocity London: DevOps Patterns Distilled
2012 Velocity London: DevOps Patterns Distilled
Gene Kim
 
PuppetConf2012GeneKim
PuppetConf2012GeneKimPuppetConf2012GeneKim
PuppetConf2012GeneKim
Gene Kim
 
United2012 Rugged DevOps Rocks
United2012 Rugged DevOps RocksUnited2012 Rugged DevOps Rocks
United2012 Rugged DevOps Rocks
Gene Kim
 
Infosec at Ludicrous Speeds - Rugged DevOps
Infosec at Ludicrous Speeds - Rugged DevOps Infosec at Ludicrous Speeds - Rugged DevOps
Infosec at Ludicrous Speeds - Rugged DevOps Gene Kim
 
When IT Fails The Business Fails...
When IT Fails The Business Fails...When IT Fails The Business Fails...
When IT Fails The Business Fails...
Gene Kim
 
Kim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev ops
Kim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev opsKim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev ops
Kim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev opsGene Kim
 
Kim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6a
Kim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6aKim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6a
Kim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6aGene Kim
 
2012 05 corp fin 1c
2012 05 corp fin 1c2012 05 corp fin 1c
2012 05 corp fin 1cGene Kim
 
SecureWorld Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6a
SecureWorld Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6aSecureWorld Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6a
SecureWorld Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6aGene Kim
 
ServiceNow ITIL at Ludicrous Speeds - Rugged DevOps
ServiceNow ITIL at Ludicrous Speeds - Rugged DevOpsServiceNow ITIL at Ludicrous Speeds - Rugged DevOps
ServiceNow ITIL at Ludicrous Speeds - Rugged DevOpsGene Kim
 
Winnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOpsWinnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOpsGene Kim
 
SecureWorld: Security is Dead, Rugged DevOps 1f
SecureWorld: Security is Dead, Rugged DevOps 1fSecureWorld: Security is Dead, Rugged DevOps 1f
SecureWorld: Security is Dead, Rugged DevOps 1fGene Kim
 

More from Gene Kim (20)

Keeping The Auditor Away: DevOps Audit Compliance Case Studies
Keeping The Auditor Away: DevOps Audit Compliance Case StudiesKeeping The Auditor Away: DevOps Audit Compliance Case Studies
Keeping The Auditor Away: DevOps Audit Compliance Case Studies
 
2014 State Of DevOps Findings! Velocity Conference
2014 State Of DevOps Findings! Velocity Conference2014 State Of DevOps Findings! Velocity Conference
2014 State Of DevOps Findings! Velocity Conference
 
DevOps: Who Will Create $2.6 Trillion In Business Value Per Year?
DevOps: Who Will Create $2.6 Trillion In Business Value Per Year?DevOps: Who Will Create $2.6 Trillion In Business Value Per Year?
DevOps: Who Will Create $2.6 Trillion In Business Value Per Year?
 
2013 Velocity DevOps Metrics -- It's Not Just For WebOps Any More!
2013 Velocity DevOps Metrics -- It's Not Just For WebOps Any More!2013 Velocity DevOps Metrics -- It's Not Just For WebOps Any More!
2013 Velocity DevOps Metrics -- It's Not Just For WebOps Any More!
 
How Can We Better Sell DevOps?
How Can We Better Sell DevOps?How Can We Better Sell DevOps?
How Can We Better Sell DevOps?
 
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology Orgs
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology OrgsWhy Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology Orgs
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology Orgs
 
Kevin Behr: Integrating Controls and Process Improvement
Kevin Behr: Integrating Controls and Process ImprovementKevin Behr: Integrating Controls and Process Improvement
Kevin Behr: Integrating Controls and Process Improvement
 
SecureWorld - Communicating With Your CFO
SecureWorld - Communicating With Your CFOSecureWorld - Communicating With Your CFO
SecureWorld - Communicating With Your CFO
 
2012 Velocity London: DevOps Patterns Distilled
2012 Velocity London: DevOps Patterns Distilled2012 Velocity London: DevOps Patterns Distilled
2012 Velocity London: DevOps Patterns Distilled
 
PuppetConf2012GeneKim
PuppetConf2012GeneKimPuppetConf2012GeneKim
PuppetConf2012GeneKim
 
United2012 Rugged DevOps Rocks
United2012 Rugged DevOps RocksUnited2012 Rugged DevOps Rocks
United2012 Rugged DevOps Rocks
 
Infosec at Ludicrous Speeds - Rugged DevOps
Infosec at Ludicrous Speeds - Rugged DevOps Infosec at Ludicrous Speeds - Rugged DevOps
Infosec at Ludicrous Speeds - Rugged DevOps
 
When IT Fails The Business Fails...
When IT Fails The Business Fails...When IT Fails The Business Fails...
When IT Fails The Business Fails...
 
Kim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev ops
Kim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev opsKim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev ops
Kim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev ops
 
Kim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6a
Kim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6aKim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6a
Kim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6a
 
2012 05 corp fin 1c
2012 05 corp fin 1c2012 05 corp fin 1c
2012 05 corp fin 1c
 
SecureWorld Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6a
SecureWorld Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6aSecureWorld Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6a
SecureWorld Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6a
 
ServiceNow ITIL at Ludicrous Speeds - Rugged DevOps
ServiceNow ITIL at Ludicrous Speeds - Rugged DevOpsServiceNow ITIL at Ludicrous Speeds - Rugged DevOps
ServiceNow ITIL at Ludicrous Speeds - Rugged DevOps
 
Winnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOpsWinnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOps
 
SecureWorld: Security is Dead, Rugged DevOps 1f
SecureWorld: Security is Dead, Rugged DevOps 1fSecureWorld: Security is Dead, Rugged DevOps 1f
SecureWorld: Security is Dead, Rugged DevOps 1f
 

Recently uploaded

Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 

Recently uploaded (20)

Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 

Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed

  • 1. Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed… Joshua Corman & Gene Kim Session ID: CLD-106 Session Classification: Intermediate
  • 2. About Joshua Corman  Director of Security Intelligence for Akamai Technologies  Former Research Director, Enterprise Security [The 451 Group]  Former Principal Security Strategist [IBM ISS]  Industry:  Expert Faculty: The Institute for Applied Network Security (IANS)  2009 NetworkWorld Top 10 Tech People to Know  Co-Founder of “Rugged Software” www.ruggedsoftware.org  BLOG: www.cognitivedissidents.com  Things I’ve been researching:  Compliance vs Security  Disruptive Security for Disruptive Innovations  Chaotic Actors  Espionage  Security Metrics 2
  • 3. About Gene Kim  Researcher, Author  Industry:  Invented and founded Tripwire, CTO (1997-2010)  Co-author: “Visible Ops Handbook”(2006), “Visible Ops Security” (2008)  Co-author: “When IT Fails: The Novel,” “The DevOps Cookbook” (Coming May 2012)  Things I’ve been researching:  Benchmarked 1300+ IT organizations to test effectiveness of IT controls vs. IT performance  DevOps, Rugged DevOps  Scoping PCI Cardholder Data Environment (#FAIL) 3
  • 4. Agenda  Problem statement  What is DevOps?  What is Rugged?  What is Rugged DevOps?  Things you can do right away 4
  • 5. Potentially Unfamiliar Words You Will See  Kanban  Andon cord  Sprints  Rugged  DevOps  Bottleneck  Systems thinking  Controls reliance 5
  • 14.
  • 20. Source: John Jenkins, Amazon.com
  • 21. High Performing IT Organizations  High performers maintain a posture of compliance  Fewest number of repeat audit findings  One-third amount of audit preparation effort  High performers find and fix security breaches faster  5 times more likely to detect breaches by automated control  5 times less likely to have breaches result in a loss event  When high performers implement changes…  14 times more changes  One-half the change failure rate  One-quarter the first fix failure rate  10x faster MTTR for Sev 1 outages  When high performers manage IT resources…  One-third the amount of unplanned work  8 times more projects and IT services  6 times more applications Source: IT Process Institute, 2008 Source: IT Process Institute, 2008
  • 22. 2007: Three Controls Predict 60% Of Performance  To what extent does an organization define, monitor and enforce the following?  Standardized configuration strategy  Process discipline  Controlled access to production systems Source: IT Process Institute, 2008
  • 24. Rugged Software Development Joshua Corman, David Rice, Jeff Williams 2010
  • 25.
  • 26.
  • 28. …so software not only needs to be…
  • 29. FAST
  • 30. AGILE
  • 32. HARSH
  • 35.
  • 36. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
  • 37.
  • 38. www.ruggedsoftware.org CrossTalk http://www.crosstalkonline.org/issues/marchapril-2011.html
  • 39. What Is Rugged DevOps? 39
  • 42.
  • 43. Survival Guide/Pyramid www.ruggedsoftware.org Defensible Infrastructure
  • 44. Survival Guide/Pyramid Operational Discipline Defensible Infrastructure
  • 45. Survival Guide/Pyramid Situational Awareness Operational Discipline Defensible Infrastructure
  • 46. Survival Guide/Pyramid Countermeasures Situational Awareness Operational Discipline Defensible Infrastructure
  • 47. Zombie Proof Housing http://all-that-is-interesting.com/post/4956385434/the-first-zombie-proof-house Countermeasure s Situational Awareness Operational Discipline Defensible Infrastructure
  • 48. Zombie Proof Housing http://all-that-is-interesting.com/post/4956385434/the-first-zombie-proof-house Countermeasure s Situational Awareness Operational Discipline Defensible Infrastructure
  • 49. Zombie Proof Housing http://all-that-is-interesting.com/post/4956385434/the-first-zombie-proof-house Countermeasure s Situational Awareness Operational Discipline Defensible Infrastructure
  • 50. Zombie Proof Housing http://all-that-is-interesting.com/post/4956385434/the-first-zombie-proof-house Countermeasure s Situational Awareness Operational Discipline Defensible Infrastructure
  • 51. Zombie Proof Housing http://all-that-is-interesting.com/post/4956385434/the-first-zombie-proof-house Countermeasure s Situational Awareness Operational Discipline Defensible Infrastructure
  • 52. Zombie Proof Housing http://all-that-is-interesting.com/post/4956385434/the-first-zombie-proof-house Countermeasure s Situational Awareness Operational Discipline Defensible Infrastructure
  • 53. Zombie Proof Housing http://all-that-is-interesting.com/post/4956385434/the-first-zombie-proof-house Countermeasure s Situational Awareness Operational Discipline Defensible Infrastructure
  • 55.
  • 56. DevOps: It’s A Real Movement  I would never do another startup that didn’t employ DevOps like principles  It’s not just startups – it’s happening in the enterprise and in public sector, too  I believe working in DevOps environments will be a necessary skillset 5 years from now
  • 57. How Do You Do Rugged DevOps? 57
  • 58. The Prescriptive DevOps Cookbook  “DevOps Cookbook” Authors  Patrick DeBois, Mike Orzen, John Willis  Goals  Codify how to start and finish DevOps transformations  How does Development, IT Operations and Infosec become dependable partners  Describe in detail how to replicate the transformations describe in “When IT Fails: The Novel”
  • 59. Arc 1: Decrease Cycle Time Of Releases  Create determinism in the release process  Move packaging responsibility to development  Release early and often  Decrease cycle time  Reduce deployment times from 6 hours to 45 minutes  Refactor deployment process that had 1300+ steps spanning 4 weeks  Never again “fix forward,” instead “roll back,” escalating any deviation from plan to Dev  Ensure environments are properly built before deployment begins  Control code and environments down the preproduction runways  Hold Dev, QA, Int, and Staging owners accountable for integrity
  • 60. Arc 2: Increase Production Resilience  To preserve and increase throughput, elevate preventive projects and maintenance tasks  Document all work, changes and outcomes so that it is repeatable  Protect the flow of planned work (e.g., tickets bouncing around for weeks, causing features to slip into next sprint)  Ops builds Agile standardized deployment stories  Maintains adequate situational awareness so that incidents could be quickly detected and corrected  Standardize unplanned work and escalations  Continually seek to eradicate unplanned work and increase throughput
  • 61. Arc 3: Remove Complexity, Attack Surface And Waste  Elective complexity adds to technical debt  Infosec (and everyone) wins when we take work out of the system  Understand where controls reliance is placed and what matters to the business 61
  • 62. Meeting The DevOps Leadership Team  Typically led by Dev, QA, IT Operations and Product Management  Our ultimate goal is to add value at every step in the flow of work  See the end-to-end value flow  Shorten and amplify feedback loops  Help break silos (e.g., server, networking, database)
  • 63. Definition: Agile Sprints  The basic unit of development in Agile Scrums, typically between one week and one month  At the end of each sprint, team should have potentially deliverable product Aha Moment: shipping product implies not just code – it’s the environment, too! 63
  • 64. Help Dev And Ops Build Code And Environments  Dev and Ops work together in Sprint 0 and 1 to create code and environments  Create environment that Dev deploys into  Create downstream environments: QA, Staging, Production  Create testable migration procedures from Dev all the way to production  Integrate Infosec and QA into daily sprint activities
  • 66. Integrate Ops Into Dev  Embed Ops person into Dev structure  Describes non-functional requirements, use cases and stories from Ops  Responsible for improving “quality at the source” (e.g., reducing technical debt, fix known problems, etc.)  Has special responsibility for pulling the Andon cord
  • 67. Integrate Dev Into Ops  MobBrowser case study: “Waking up developers at 3am is a great feedback loop: defects get fixed very quickly”  Goal is to get Dev closer to the customer  Infosec can help determine when it’s too close (and when SOD is a requirement)
  • 68. Keep Shrinking Batch Sizes  Waterfall projects often have cycle time of one year  Sprints have cycle time of 1 or 2 weeks  When IT Operations work is sufficiently fast and cheap, we may decide to decouple deployments from sprint boundaries (e.g., Kanbans)
  • 69. Definition: Kanban Board  Signaling tool to reduce WIP and increase flow 69
  • 70. IT Operations Increases Process Rigor  Standardize deployment  Standardize unplanned work: make it repeatable  Modify first response: ensure constrained resources have all data at hand to diagnose  Elevate preventive activities to reduce incidents
  • 71. Help Development…  Help them see downstream effects  Unplanned work comes at the expense of planned work  Technical debt retards feature throughput  Environment matters as much as the code  Allocate time for fault modeling, asking “what could go wrong?” and implementing countermeasures
  • 72. Help QA…  Ensure test plans cover not only code functionality, but also:  Suitability of the environment the code runs in  The end-to-end deployment process  Help find variance…  Functionality, performance, configuration  Duration, wait time and handoff errors, rework, …
  • 73. Help IT Operations…  “The best way to avoid failure is to fail constantly”  Harden the production environment  Have scheduled drills to “crash the data center”  Create your “chaos monkeys” to introduce faults into the system (e.g., randomly kill processes, take out servers, etc.)  Rehearse and improve responding to unplanned work  NetFlix: Hardened AWS service  StackOverflow  Amazon firedrills (Jesse Allspaw)  The Monkey (Mac)
  • 74. You Don’t Choose Chaos Monkey… Chaos Monkey Chooses You
  • 75. Help Product Management… Lesson: Allocate 20% of Dev cycles to paying down technical debt
  • 76. What Does Rugged DevOps Feel Like? 76
  • 77.
  • 78.
  • 79. Case Studies And Early Indicators  Almost every major Internet online services company  VERACODE Rapid SaaS Fix Blog Post  http://www.veracode.com/blog/2012/01/vulnerability- response-done-right/  Pervasive Monitoring  Analytics at LinkedIn viewed by CEO daily: LinkedIn Engineering: “The Birth Of inGraphs: Eric The Intern”
  • 81. Things To Put Into Practice Tomorrow  Identify your Dev/Ops/QA/PM counterparts  Discuss your mutual interdependence and shared objectives  Harden and instrument the production builds  Integrate automated security testing into the build and deploy mechanisms  Create your Evil/Hostile/Fuzzy Chaos Monkey  Cover your untested branches  Enforce the 20% allocation of Dev cycles to non- functional requirement
  • 82. Resources  From the IT Process Institute www.itpi.org  Both Visible Ops Handbooks  ITPI IT Controls Performance Study  Rugged Software by Corman, et al: http://ruggedsoftware.org  “Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation” by Humble, Farley  Follow us…  @JoshCorman, @RealGeneKim  mailto:genek@realgenekim.me  http://realgenekim.me/blog
  • 83. Interested In “The DevOps Cookbook?” Give Gene your business card, and get exclusive access to the first 100 pages of "When IT Fails: The Novel" and "The DevOps Cookbook" for free We’ll send it to you as soon as it’s ready!
  • 84. Thank You 84
  • 85. Appendix 85
  • 86. Common Traits of High Performers Culture of… Change management  Integration of IT operations/security via problem/change management  Processes that serve both organizational needs and business objectives  Highest rate of effective change Causality  Highest service levels (MTTR, MTBF)  Highest first fix rate (unneeded rework) Compliance and continual reduction of operational variance  Production configurations  Highest level of pre-production staffing  Effective pre-production controls  Effective pairing of preventive and detective controls Source: IT Process Institute
  • 87. Visible Ops: Playbook of High Performers  The IT Process Institute has been studying high-performing organizations since 1999  What is common to all the high performers?  What is different between them and average and low performers?  How did they become great?  Answers have been codified in the Visible Ops Methodology  The “Visible Ops Handbook” is available from the ITPI www.ITPI.org
  • 89. A Reframed IT Operations Problem Statement  Increase flow from Dev to Production  Increase throughput  Decrease WIP  Our goal is to create a system of operations that allows  Planned work to quickly move to production  Ensure service is quickly restored when things go wrong  Information security built in every stage of Development, Project Management, and IT Operations  How does this relate to Visible Ops?  We focused much on “unplanned work”  What’s happening to all the planned work?  At any given time, what should IT Ops be working on?  Now we are focusing on the flow of planned work
  • 90. How To Reduce The Transformation Activation Energy
  • 91. Framing The Moral Crusade
  • 92. By The Visible Ops Team: Gene Kim, Kevin Behr, George Spafford
  • 93. The Theory of Constraints Approach To Visible Ops  Dr. Goldratt wrote The Goal in 1984, describing Alex’s challenge to fix his plant’s cost and due date issues within 90 days  Some tenets that went against common wisdom:  Every flow of work has a constraint/bottleneck  Any improvement not made at the bottleneck is merely an illusion  Fallacy of cost accounting as operational management tool
  • 94. Interested? If you’re interested in When IT Fails: The Novel or The DevOps Cookbook, signup for the list at http://whenitfails.org Or: # mail genek@realgenekim.me Subject: [ slides | research | list ]

Editor's Notes

  1. Tell story of Amazon, Netflix: they care about, availability, securityIt’s not a push, it’s a pull – they’re looking for our help (#1 concern: fear of disintermediation and being marginalized)
  2. At RSA 2009, Josh Corman, Jeff Williams, and David Rice were chatting at the Greylock cocktail party.
  3. So software not only need
  4. …fast, and…
  5. …agile, but it also needs to be…
  6. …rugged. Capable of withstanding…
  7. …the harshest conditions…
  8. …and most unfriendly environments…
  9. [ text ] My personal goal is to prescriptively define 1) what does Dev need to do to become a reliable partner, 2) what does IT Operations need to do to become a realiable partner, and then 3) how do they work together to deliver unbelievable value to the business.Of course, the goal is more than happy coexistence. It’s to replicate the Etsy and LinkedIn stories:Increase the rate of features that we can put into production, while simultaneously maintaining the reliability, stability, security and survivability of the production environment.
  10. [ picture of stock graph ]There are two main characters: Steve the hard-driving CEO, of a $4B/yr manufacturing/retailing company. In an emergency board meeting, the board conveys two messages:You’ve promised us two projects for over years, to close the gap with the competition. It’s now a year late, $10MM over budget. Your competition is Best Buy, and you’re Circuit City. Hold your CIO accountable. Our job is to hire great CEOs, and fire the ones who can’t deliver. If you can’t fix this, we’ll find one who can.
  11. This story is about how Bill, the thoughtful and methodical VP IT Operations, who saves some of the largest problems of the company. It’s a story about a Visible Ops and DevOps style transformation. It’s how Bill saves the company, helping it achieves their project goals, operational goals, security and compliance goals.And Steve the CEO realizes that Bill, the lowly VP of IT Operations, is the person who saved the company.
  12. [ picture of When IT Fails ]But how do we make this an issue that CEOs actually care about, instead of strictly a grass-roots movement?For five years, I’ve been working on a book called “When IT Fails: The Novel.” Which I think can help.The goal of the book is to help bridge the dysfunctional marriage that often exists between the CIO and the CEO.When I told the CIO of Columbia Sportswear about it, he said, “When you finish that book, not only will everyone on my team need to read this, but my boss will need to read this, and my bosses boss will need to read this.”I was so moved by it, that it was one of the main reasons I wrote Tripwire – make completion of the book my sole focus.