Alert Logic , profile picture
Uploaded byAlert Logic
PDF, PPTX121 views

The Intersection of Security and DevOps

The document discusses the intersection of security and DevOps, emphasizing the role of developers in driving cloud adoption for innovation. It outlines critical questions for integrating security into DevOps workflows and proposes a blueprint model for cloud security that includes threat modeling and exposure analysis. The document also describes various security maturity levels, from basic cloud security to mature DevOps security integration, highlighting the importance of agility without compromising security.

Embed presentation

Download as PDF, PPTX
Thank you.The Intersection of Security & DevOps Ryan Holland – Sr. Director of Cloud Arch., Alert Logic
Summary 1. DevOps implications on Security 2. Developing a Blueprint approach to cloud security
What Drives Cloud Adoption? • Developers are the driving force behind cloud adoption • Main reason developers are using cloud services? Innovation ability to move fast deploy infrastructure without IT overhead ship code without delays
Software Drives Business Innovation
Developer Perspective 2013 2017 89% of developers use public cloud * RightScale Survey 2016
The Innovation Power Shift ITSECURITY COMPLIANCE SOFTWARE DEVELOPERS
DevOps Drives Security Agility Sonatype 72 % NO
Aligning DevOps with Security Critical questions to answer: 1. What are we protecting? 2. What controls must be in place? 3. How do you integrate security into your daily workflow?
Reshaping the Security/Dev/Ops Relationship old school classic IT new school sec/dev/ops
Rules of the Road No Yes 1 Random opinions Everyone works from same security blueprint 2 General set of controls Controls specific to your cloud blueprint 3 Security gateways and overlays Security is part of immutable infrastructure 4 Periodic audits Security testing part of regression framework 5 Vulnerabilities are escalated and negotiated for resolution Vulnerabilities are bugs Critical vulnerabilities are critical bugs
Perception vs Reality Our ability to accurately estimate attack surface is compromised by our weak sense of perception More reliable approach: 1. Identify your cloud assets 2. Measure your exposure 3. Implement controls
Blueprint Model for DevOps Security
Enumerate Your Cloud Footprint Generalize common workloads into infrastructure-’blueprints’ Blueprint Driven Approach Key target assets Across the Full Stack 1. Magento application and plugins 2. PHP 3. Apache 4. NGINX 5. Redis 6. Maria DB, Elastic Search 7. Linux OS and system tools 8. AWS services EC2 instances EC2 instances VPC Route 53 Users Internet gateway ELB MariaDB MariaDB AvailabilityzoneAAvailabilityzoneB Auto scaling group Apache PHP Auto scaling group EC2 instances EC2 instances FPM S3
Threat model Identify Most Relevant Threats Create a threat model for these blueprints Blueprint Threat Model Blueprint Threat Model Exposure analysis Post compromise analysis Configuration & Vulnerability Coverage Required Threat Coverage (pre-compromise) Required Threat Coverage (post-compromise) Required threat analytics pre-compromise post-compromise Required incident analytics Required data-sources Pre compromise analysis
Integrated Alert Logic Controls for Broad Coverage Build Coverage Model Blueprint 3-Tier Classic Web Micro- service E-Com Blueprint CMS Blueprint Magento Blueprint Wordpress Blueprint Drupal Blueprint OWASP Top 10 SQL-Injection attacks LAMP target coverage Critical application coverage Deep HTTP inspection with anomaly detection Supervised Machine learning Data-driven intrusion defense Coverage for key app components
Full Stack Security Coverage Pre-compromise Compromise Lateral Movement Incident Investigation System Visual | Context | Hunt Collect web, host, network data Automatic Detection Block | Alert | Log ML Algorithms Rules & Analytics SECURITY EXPERTS Assess Exposure Block Critical Attacks
Cloud Security Maturity Model Basic Cloud Security Tooling 2 2. Basic Cloud Security • Agile development team, coupled to immature security program • Minimal use of cloud provider and OSS security tools Traditional Security 1. Non-Cloud Native • Lift & Ship infrastructure migration • Traditional on-premises security tools and processes • Limited agility 1 DevOps Integration 3 3. Cloud Native Security • Security infrastructure part of deployment pipeline • Full stack protection across networks, systems and applications • Security does not slow down innovation SecDevOps Integration D 4. Cloud Security Lifecycle • Security process part of continuous integration pipeline • Mature security assessment and testing program part of code deployment process • Maximum agility and security

More Related Content

PDF
The Intersection of Security & DevOps
byAlert Logic
 
PDF
The Intersection of Security & DevOps
byAlert Logic
 
PDF
Security Implications of the Cloud
byAlert Logic
 
PDF
Security Implications of the Cloud - CSS ATX 2017
byAlert Logic
 
PDF
Reality Check: Security in the Cloud
byAlert Logic
 
PDF
Realities of Security in the Cloud
byAlert Logic
 
PDF
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
byAlert Logic
 
PDF
The Intersection of Security & DevOps
byAlert Logic
 
The Intersection of Security & DevOps
byAlert Logic
 
The Intersection of Security & DevOps
byAlert Logic
 
Security Implications of the Cloud
byAlert Logic
 
Security Implications of the Cloud - CSS ATX 2017
byAlert Logic
 
Reality Check: Security in the Cloud
byAlert Logic
 
Realities of Security in the Cloud
byAlert Logic
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
byAlert Logic
 
The Intersection of Security & DevOps
byAlert Logic
 

What's hot

PPTX
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
byAgileNetwork
 
PPTX
The path of secure software by Katy Anton
byDevSecCon
 
PDF
Realities of Security in the Cloud
byAlert Logic
 
PDF
The AWS Shared Responsibility Model in Practice
byAlert Logic
 
PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PDF
Reducing Your Attack Surface
byAlert Logic
 
PPTX
Top 5 Priorities for Cloud Security
by2nd Sight Lab
 
PDF
Security Starts at the Endpoint
byElasticsearch
 
PDF
Dev week cloud world conf2021
byArchana Joshi
 
PDF
Bringing Security Testing to Development: How to Enable Developers to Act as ...
byAchim D. Brucker
 
PPTX
#ALSummit: Cyber Resiliency: Surviving the Breach
byAlert Logic
 
PPTX
#ALSummit: Architecting Security into your AWS Environment
byAlert Logic
 
PDF
CSS17: Houston - Stories from the Security Operations Center
byAlert Logic
 
PDF
Realities of Security in the Cloud - CSS ATX 2017
byAlert Logic
 
PDF
Security Implications of the Cloud - CSS Dallas Azure
byAlert Logic
 
PPTX
DevSecOps outline
byNickleus Jimenez
 
PPTX
Shared Security Responsibility in the AWS Public Cloud
byAlert Logic
 
PPTX
#ALSummit: Live Cyber Hack Demonstration
byAlert Logic
 
PDF
Journey to the Cloud: Securing Your AWS Applications - April 2015
byAlert Logic
 
PPTX
Practical DevSecOps Using Security Instrumentation
byVMware Tanzu
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
byAgileNetwork
 
The path of secure software by Katy Anton
byDevSecCon
 
Realities of Security in the Cloud
byAlert Logic
 
The AWS Shared Responsibility Model in Practice
byAlert Logic
 
Introduction to DevSecOps
byabhimanyubhogwan
 
Reducing Your Attack Surface
byAlert Logic
 
Top 5 Priorities for Cloud Security
by2nd Sight Lab
 
Security Starts at the Endpoint
byElasticsearch
 
Dev week cloud world conf2021
byArchana Joshi
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
byAchim D. Brucker
 
#ALSummit: Cyber Resiliency: Surviving the Breach
byAlert Logic
 
#ALSummit: Architecting Security into your AWS Environment
byAlert Logic
 
CSS17: Houston - Stories from the Security Operations Center
byAlert Logic
 
Realities of Security in the Cloud - CSS ATX 2017
byAlert Logic
 
Security Implications of the Cloud - CSS Dallas Azure
byAlert Logic
 
DevSecOps outline
byNickleus Jimenez
 
Shared Security Responsibility in the AWS Public Cloud
byAlert Logic
 
#ALSummit: Live Cyber Hack Demonstration
byAlert Logic
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
byAlert Logic
 
Practical DevSecOps Using Security Instrumentation
byVMware Tanzu
 

Similar to The Intersection of Security and DevOps

PDF
Introduction to DevSecOps
bySetu Parimi
 
PPTX
Overcoming Security Challenges in DevOps
byAlert Logic
 
PDF
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
byNorm Barber
 
PDF
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
byUnifyCloud
 
PDF
A Different Approach to Securing Your Cloud Journey
byCloudflare
 
PPTX
Building and Operating Clouds
byBMC Software
 
PPTX
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
byShannon Lietz
 
PPTX
Unc charlotte prezo2016
bySanjay R. Gupta
 
PPTX
Container Workload Security Solution Ideas by Mandy Sidana.pptx
byMandy Sidana
 
PPTX
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
byDaniel Bryant
 
PPTX
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
byJAXLondon_Conference
 
PDF
cloud security lecture abcedfghigklmnopqrstucvbnm,
byarfaouisalim
 
PPTX
Automating your AWS Security Operations
byEvident.io
 
PDF
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
byapidays
 
PPTX
Cloud Cmputing Security
byDevyani Vaidya
 
PPTX
Managing Performance in the Cloud
byDevOpsGroup
 
PPTX
Novel cloud computingsecurity issues
byJoo Manthar
 
PPTX
cloudComputingSec_p3.pptx
bySteven Quach
 
PPTX
7 Innovations That Will Transform IT Operations
byOpsRamp
 
PPTX
CloudHesive x Datadog Multi Generational Observability
byCloudHesive
 
Introduction to DevSecOps
bySetu Parimi
 
Overcoming Security Challenges in DevOps
byAlert Logic
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
byNorm Barber
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
byUnifyCloud
 
A Different Approach to Securing Your Cloud Journey
byCloudflare
 
Building and Operating Clouds
byBMC Software
 
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
byShannon Lietz
 
Unc charlotte prezo2016
bySanjay R. Gupta
 
Container Workload Security Solution Ideas by Mandy Sidana.pptx
byMandy Sidana
 
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
byDaniel Bryant
 
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
byJAXLondon_Conference
 
cloud security lecture abcedfghigklmnopqrstucvbnm,
byarfaouisalim
 
Automating your AWS Security Operations
byEvident.io
 
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
byapidays
 
Cloud Cmputing Security
byDevyani Vaidya
 
Managing Performance in the Cloud
byDevOpsGroup
 
Novel cloud computingsecurity issues
byJoo Manthar
 
cloudComputingSec_p3.pptx
bySteven Quach
 
7 Innovations That Will Transform IT Operations
byOpsRamp
 
CloudHesive x Datadog Multi Generational Observability
byCloudHesive
 

More from Alert Logic

PDF
Managed Threat Detection & Response for AWS Applications
byAlert Logic
 
PDF
Extending Amazon GuardDuty with Cloud Insight Essentials
byAlert Logic
 
PDF
Managed Threat Detection and Response
byAlert Logic
 
PDF
Extending Amazon GuardDuty with Cloud Insight Essentials
byAlert Logic
 
PDF
The AWS Shared Responsibility Model in Practice
byAlert Logic
 
PDF
Security Spotlight: Presidio
byAlert Logic
 
PDF
Security Spotlight: Rent-A-Center
byAlert Logic
 
PDF
Security Spotlight: Presidio
byAlert Logic
 
PDF
Security Implications of the Cloud
byAlert Logic
 
PDF
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
byAlert Logic
 
PDF
Realities of Security in the Cloud
byAlert Logic
 
PDF
CSS 2018 Trivia
byAlert Logic
 
PDF
The AWS Shared Responsibility Model in Practice
byAlert Logic
 
PDF
Realities of Security in the Cloud
byAlert Logic
 
PDF
Security Spotlight: The Coca Cola Company
byAlert Logic
 
PDF
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
byAlert Logic
 
PDF
The AWS Shared Responsibility Model in Practice
byAlert Logic
 
PDF
Security Implications of the Cloud
byAlert Logic
 
PDF
Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure
byAlert Logic
 
PDF
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure
byAlert Logic
 
Managed Threat Detection & Response for AWS Applications
byAlert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
byAlert Logic
 
Managed Threat Detection and Response
byAlert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
byAlert Logic
 
The AWS Shared Responsibility Model in Practice
byAlert Logic
 
Security Spotlight: Presidio
byAlert Logic
 
Security Spotlight: Rent-A-Center
byAlert Logic
 
Security Spotlight: Presidio
byAlert Logic
 
Security Implications of the Cloud
byAlert Logic
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
byAlert Logic
 
Realities of Security in the Cloud
byAlert Logic
 
CSS 2018 Trivia
byAlert Logic
 
The AWS Shared Responsibility Model in Practice
byAlert Logic
 
Realities of Security in the Cloud
byAlert Logic
 
Security Spotlight: The Coca Cola Company
byAlert Logic
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
byAlert Logic
 
The AWS Shared Responsibility Model in Practice
byAlert Logic
 
Security Implications of the Cloud
byAlert Logic
 
Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure
byAlert Logic
 
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure
byAlert Logic
 

Recently uploaded

PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 

The Intersection of Security and DevOps

  • 1.
    Thank you.The Intersectionof Security & DevOps Ryan Holland – Sr. Director of Cloud Arch., Alert Logic
  • 2.
    Summary 1. DevOps implicationson Security 2. Developing a Blueprint approach to cloud security
  • 3.
    What Drives CloudAdoption? • Developers are the driving force behind cloud adoption • Main reason developers are using cloud services? Innovation ability to move fast deploy infrastructure without IT overhead ship code without delays
  • 4.
  • 5.
    Developer Perspective 2013 2017 89%of developers use public cloud * RightScale Survey 2016
  • 6.
    The Innovation PowerShift ITSECURITY COMPLIANCE SOFTWARE DEVELOPERS
  • 7.
    DevOps Drives SecurityAgility Sonatype 72 % NO
  • 8.
    Aligning DevOps withSecurity Critical questions to answer: 1. What are we protecting? 2. What controls must be in place? 3. How do you integrate security into your daily workflow?
  • 9.
    Reshaping the Security/Dev/OpsRelationship old school classic IT new school sec/dev/ops
  • 10.
    Rules of theRoad No Yes 1 Random opinions Everyone works from same security blueprint 2 General set of controls Controls specific to your cloud blueprint 3 Security gateways and overlays Security is part of immutable infrastructure 4 Periodic audits Security testing part of regression framework 5 Vulnerabilities are escalated and negotiated for resolution Vulnerabilities are bugs Critical vulnerabilities are critical bugs
  • 11.
    Perception vs Reality Ourability to accurately estimate attack surface is compromised by our weak sense of perception More reliable approach: 1. Identify your cloud assets 2. Measure your exposure 3. Implement controls
  • 12.
  • 13.
    Enumerate Your CloudFootprint Generalize common workloads into infrastructure-’blueprints’ Blueprint Driven Approach Key target assets Across the Full Stack 1. Magento application and plugins 2. PHP 3. Apache 4. NGINX 5. Redis 6. Maria DB, Elastic Search 7. Linux OS and system tools 8. AWS services EC2 instances EC2 instances VPC Route 53 Users Internet gateway ELB MariaDB MariaDB AvailabilityzoneAAvailabilityzoneB Auto scaling group Apache PHP Auto scaling group EC2 instances EC2 instances FPM S3
  • 14.
    Threat model Identify MostRelevant Threats Create a threat model for these blueprints Blueprint Threat Model Blueprint Threat Model Exposure analysis Post compromise analysis Configuration & Vulnerability Coverage Required Threat Coverage (pre-compromise) Required Threat Coverage (post-compromise) Required threat analytics pre-compromise post-compromise Required incident analytics Required data-sources Pre compromise analysis
  • 15.
    Integrated Alert LogicControls for Broad Coverage Build Coverage Model Blueprint 3-Tier Classic Web Micro- service E-Com Blueprint CMS Blueprint Magento Blueprint Wordpress Blueprint Drupal Blueprint OWASP Top 10 SQL-Injection attacks LAMP target coverage Critical application coverage Deep HTTP inspection with anomaly detection Supervised Machine learning Data-driven intrusion defense Coverage for key app components
  • 16.
    Full Stack SecurityCoverage Pre-compromise Compromise Lateral Movement Incident Investigation System Visual | Context | Hunt Collect web, host, network data Automatic Detection Block | Alert | Log ML Algorithms Rules & Analytics SECURITY EXPERTS Assess Exposure Block Critical Attacks
  • 17.
    Cloud Security MaturityModel Basic Cloud Security Tooling 2 2. Basic Cloud Security • Agile development team, coupled to immature security program • Minimal use of cloud provider and OSS security tools Traditional Security 1. Non-Cloud Native • Lift & Ship infrastructure migration • Traditional on-premises security tools and processes • Limited agility 1 DevOps Integration 3 3. Cloud Native Security • Security infrastructure part of deployment pipeline • Full stack protection across networks, systems and applications • Security does not slow down innovation SecDevOps Integration D 4. Cloud Security Lifecycle • Security process part of continuous integration pipeline • Mature security assessment and testing program part of code deployment process • Maximum agility and security