DevOps aims to shorten feedback loops and allow teams to quickly iterate on changes and ship features. However, continuously deploying changes also introduces security risks that must be monitored. SecDevOps seeks to address this by continually monitoring the security implications of operational changes, improving security response times while still allowing for continuous deployment. Implementing continuous security through a SecDevOps methodology is an important challenge that companies need to solve in order to fully benefit from DevOps practices.

1. THE CASE FOR
CONTINUOUS SECURITY
By Pete Cheslock
Senior Director of Ops and Support at Threat Stack
@petecheslock

2. DevOps is a term that has absolutely
blown up in the last 5 years.

3. However, many had an immediate adverse
reaction towards Yet Another Buzzword

4. …especially when the core concepts of
“DevOps” were things people
had been doing for YEARS!

6. To shorten the feedback loop
in development cycles,
allowing teams to iterate quickly on changes
and ship features to customer sooner.
The Core Tenant of DevOps

7. Mainstream DevOps
=
Easily accessible cloud infrastructure
+
Maturity of operational tooling

8. For companies starting new
product development initiatives,
using Configuration Management
is table stakes to iterate quickly!

9. IaaS providers today make it
as easy as possible to provision systems
to meet infrastructure needs — and quickly.

10. Physical Data Center
Public Compute Resources
for flexibility and accessibility
provided by Amazon, Google, Microsoft

11. Companies leverage Infrastructure as Code
for major speed to market benefits
The Competitive Advantage

12. Companies can now provision
hundreds (or thousands) of compute
instances in mere minutes.
!
This is an every day activity!

13. Continuous Integration
Continuous Deployment
But who (or what) is continually monitoring the state of your
operational security?!

15. Junior sysadmins can now make changes to:
!
• a Chef Recipe
• a Puppet Manifest
• an Ansible Playbook
!
!
…and deploy it to production — in minutes…
Today…

16. What is the scope of that change?

17. to be slowed down by the security team
!
or
!
configuration management changes to be
passed through a Change Control Board
Sysadmins DON’T Want:

18. to change a variable, open a pull request,
and once merged, their operational
tooling to do the rest!
!
They want their change
to hit production servers ASAP.
Sysadmins Want:

19. This is where SecDevOps (or SecOps) comes in.
(ignore the fact that it’s a silly buzzword just like DevOps…)

20. If DevOps seeks to value empathy
between these two teams that traditionally
had different incentives for their positions…
Developers Operations
value constant change value stability

21. …then SecDevOps seeks to evoke the SAME outcome
with Security teams
(and the rest of the business)

22. If you’re continually deploying changes,
you must be continually monitoring
security implications for operational changes.

23. Often times there is no single person that is able
to say with absolute certainty which changes to
infrastructure have additional risks towards your
security posture.

24. And, if you have a
traditional network security organization
that manually reviews and approves changes to production…
!
!
You’ve introduced the newest bottleneck in your organization.
!
!
!
!
!
!

25. A SecDevOps methodology allows you to
improve your security monitoring
and response times, while maintaining
your ability to continually
deploy changes
SecDevOps is the answer to this discussion.

26. This is the most important (and exciting!) problem
to solve in many organizations!

27. But it is also one of the hardest problems to solve.
!
This is why at Threat Stack, we’re all excited
to be in a unique position to actively
help companies solve this.

28. Start Implementing
Continuous Security Today!
!
threatstack.com