Uploaded bySeniorStoryteller
PPTX, PDF6,437 views

The Journey to DevSecOps

This document discusses the evolution of DevSecOps and provides guidance for security professionals. It notes that DevSecOps approaches have gained popularity as DevOps has grown over the past decade. It recommends that security professionals focus on detection over protection, embrace a blameless culture of continuous improvement, and get involved in DevSecOps communities to help build security tools and practices.

Embed presentation

Downloaded 124 times
Shannon Lietz The Journey to DevSecOps^ @devsecops
Always an Early Adopter Google Trends • DevOps.com was bought in 2004 • Google searches for “DevOps” started to rise in 2010 • Major influences: – Saving your Infrastructure from DevOps / Chicago Tribune – DevOps: A Culture Shift, Not a Technology / Information Week – DevOps: A Sharder’s Tale from Etsy – DevOps.com articles • RuggedSoftware.org was bought in 2010 https://www.google.com/trends/
Chasing Innovation…
Which means, spending most of your career doing this… Bang Head Here
This is the End of Security as We Know It… Say what?!??! 6+ years later, it’s hard to believe we’re still shocked by this quote! This talk will provide you with a path forward… And a survival kit... -Josh Corman
An Ugly Little Secret • DevOps teams make security decisions… several times, everyday! • Hackers find security issues and exploit them... several times, everday! • Security teams hardly ever make security decisions... and really only when risks need to be officially authorized! https://www.flickr.com/photos/denise_rowlands
In a Deming World… • Most decisions are made within the software supply chain by engineering teams • Security decisions are usually made as a result of attempting to balance design constraints • Gating processes are not Deming-like; but it is hard to avoid business catastrophes by applying measure ahead strategies for security • Most security defects are identified during a major event triggering the equivalent of a security “recall” design build deploy operate How do I secure my app? What component is secure enough? How do I secure secrets for the app? Is my app getting attacked? How? Typical gates for security checks & balances Mistakes and drift often happen after design and build phases Most costly mistakes Happen during design Missing and much-needed feedback loop
Hackers have lots of opportunities… People • Susceptible to phishing and email scams • Can be social engineered Process • Humans make mistakes, because they are human (6 Sigma) • Process gaps provide room for fraud Technology • Software complexity increases with reusable components • Technology providers have to do their part, or everyone fails!
Get Grounded in Reality • Secure business is the new black! KTLO! • Everyone must be responsible for security! • Perfection is over-rated… Mistakes are inevitable. • Reacting can be costly… build security in. • Compliance is important but it’s not security! • A blaming culture is dangerous, avoid it! • Continuously test, detect, measure and incrementally improve.
Keep The Lights On! • Keeping the Lights on includes Security… • 66% of companies adopting DevOps • DevOps teams need guardrails and guidelines to move fast • Security decisions that haven’t been made before likely require escalation https://www.flickr.com/photos/darwinbell http://www.rightscale.com/blog/cloud-industry-insights/cloud- computing-trends-2015-state-cloud-survey
Enlist Everyone! • Common ratio for Dev, Ops and Sec => 100, 10, 1 • Numbers matter against attackers! • Skills help, but anyone can identify an anomaly. • Everyone needs to help with security; everyone has a role to play. And this is hard to find...
Mistakes happen… • DevOps utilize customer-driven development processes with incremental changes…Mistakes just happen. • But because of frequent changes, teams have more opportunities to correct defects, on average 30x more • Teams need help deciphering how to self-correct https://www.flickr.com/photos/doobybrain
Protection is ideal; Detection is a must! • The faster a defect is discovered, the faster it can be dealt with. • DevOps has 50% faster MTTR • Transforming security events into incidents and problems helps with resolution rates https://www.flickr.com/photos/daoro
Compliance Programs won’t stop a breach • Point in time assessments don’t go far enough • 0 companies (in 10 years) have been found compliant after a breach • Compliance needs to be paired with rugged security http://www.slideshare.net/VerizonEnterpriseSolutions/webinar-new- insights-to-simplify-pci-compliance-and-manage-risk
High Performing is where it’s at! • High performing teams that focus on a blameless culture improve on average 50% better • Blaming cultures create less engagement, 30% less efficient • MTTR is 5x faster in blameless teams that focus on opportunities first #1
Continuous Improvement • Continuous improvement has been a goal for an endless amount of years • Teams that focus on testing, early detection, and measuring progress have 30% fewer defects in production • Tests are often added to continuous delivery to achieve better results throughout the continuous delivery pipeline https://www.flickr.com/photos/deniscollette
Great! What does this look like in practice for a security professional? Leaning in over Always Saying “No” Data & Security Science over Fear, Uncertainty and Doubt Open Contribution & Collaboration over Security-Only Requirements Consumable Security Services with APIs over Mandated Security Controls & Paperwork Business Driven Security Scores over Rubber Stamp Security Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident Shared Threat Intelligence over Keeping Info to Ourselves Compliance Operations over Clipboards & Checklists
Use Security Skills to Build Tools
Migrate to Security as Code
Get Involved and Join the Community • devsecops.org • @devsecops on Twitter • DevSecOps on LinkedIn • DevSecOps on Github • RuggedSoftware.org • Compliance at Velocity • Join Us !!! • Spread the word!!!
#RuggedDevOps If you see something cool…
Thank You to Our Sponsors
Get today’s Rugged DevOps presentations in your inbox mmiller@sonatype.com

More Related Content

PDF
The State of DevSecOps
byDevOps Indonesia
 
PPTX
DevSecOps : an Introduction
byPrashanth B. P.
 
PPTX
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
PPTX
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PDF
DevSecOps What Why and How
byNotSoSecure Global Services
 
PDF
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
PDF
DevSecOps Implementation Journey
byDevOps Indonesia
 
PPTX
DevSecOps
byJoel Divekar
 
The State of DevSecOps
byDevOps Indonesia
 
DevSecOps : an Introduction
byPrashanth B. P.
 
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DevSecOps What Why and How
byNotSoSecure Global Services
 
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
DevSecOps Implementation Journey
byDevOps Indonesia
 
DevSecOps
byJoel Divekar
 

What's hot

PPTX
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
PDF
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
PDF
Shift Left Security - The What, Why and How
byDevOps.com
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PPTX
DevSecOps Training Bootcamp - A Practical DevSecOps Course
byTonex
 
PDF
Practical DevSecOps - Arief Karfianto
byidsecconf
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
PDF
DevSecOps Fundamentals and the Scars to Prove it.
byMatt Tesauro
 
PPTX
DevOps to DevSecOps Journey..
bySiddharth Joshi
 
PDF
2019 DevSecOps Reference Architectures
bySonatype
 
PDF
Demystifying DevSecOps
byArchana Joshi
 
PDF
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
PPTX
DevSecOps
byCheah Eng Soon
 
PDF
DevSecOps
byTomas Honzak
 
PDF
DevSecOps : de la théorie à la pratique
bybertrandmeens
 
PPTX
DEVSECOPS.pptx
byMohammadSaif904342
 
PDF
Security Process in DevSecOps
byOpsta
 
PDF
Introduction to DevSecOps
bySetu Parimi
 
PDF
DevSecOps in Baby Steps
byPriyanka Aash
 
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
Shift Left Security - The What, Why and How
byDevOps.com
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
Introduction to DevSecOps
byabhimanyubhogwan
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
byTonex
 
Practical DevSecOps - Arief Karfianto
byidsecconf
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
DevSecOps Fundamentals and the Scars to Prove it.
byMatt Tesauro
 
DevOps to DevSecOps Journey..
bySiddharth Joshi
 
2019 DevSecOps Reference Architectures
bySonatype
 
Demystifying DevSecOps
byArchana Joshi
 
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
DevSecOps
byCheah Eng Soon
 
DevSecOps
byTomas Honzak
 
DevSecOps : de la théorie à la pratique
bybertrandmeens
 
DEVSECOPS.pptx
byMohammadSaif904342
 
Security Process in DevSecOps
byOpsta
 
Introduction to DevSecOps
bySetu Parimi
 
DevSecOps in Baby Steps
byPriyanka Aash
 

Viewers also liked

KEY
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
PDF
DevSecOps: Taking a DevOps Approach to Security
byAlert Logic
 
PPTX
DevOps & Security: Here & Now
byCheckmarx
 
PPTX
Implementing an Application Security Pipeline in Jenkins
bySuman Sourav
 
PPTX
Threat Modeling And Analysis
byLalit Kale
 
PPTX
Continuous and Visible Security Testing with BDD-Security
byStephen de Vries
 
PPTX
Cybersecurity by the numbers
byAPNIC
 
PPTX
DevOps AppSec Pipeline Velcocity NY 2015
byAaron Weaver
 
PPTX
Security testautomation
byLinkesh Kanna Velu
 
PDF
DevSecOps - Building Rugged Software
bySeniorStoryteller
 
PDF
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
byDenim Group
 
PPTX
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
PPTX
Continuous Security Testing with Devops - OWASP EU 2014
byStephen de Vries
 
PDF
Agile Secure Software Development in a Large Software Development Organisatio...
byAchim D. Brucker
 
PPTX
Continuous Security Testing in a Devops World #OWASPHelsinki
byStephen de Vries
 
PDF
DevSecOps in Baby Steps
byPriyanka Aash
 
PDF
Continous Integration of (JS) projects & check-build philosophy
byFrançois-Guillaume Ribreau
 
PDF
Rugged DevOps: Bridging Security and DevOps
byJames Wickett
 
PDF
Automated Security Testing
byseleniumconf
 
PDF
Pythonista も ls を読むべきか?
byKatsunori FUJIWARA
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
DevSecOps: Taking a DevOps Approach to Security
byAlert Logic
 
DevOps & Security: Here & Now
byCheckmarx
 
Implementing an Application Security Pipeline in Jenkins
bySuman Sourav
 
Threat Modeling And Analysis
byLalit Kale
 
Continuous and Visible Security Testing with BDD-Security
byStephen de Vries
 
Cybersecurity by the numbers
byAPNIC
 
DevOps AppSec Pipeline Velcocity NY 2015
byAaron Weaver
 
Security testautomation
byLinkesh Kanna Velu
 
DevSecOps - Building Rugged Software
bySeniorStoryteller
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
byDenim Group
 
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
Continuous Security Testing with Devops - OWASP EU 2014
byStephen de Vries
 
Agile Secure Software Development in a Large Software Development Organisatio...
byAchim D. Brucker
 
Continuous Security Testing in a Devops World #OWASPHelsinki
byStephen de Vries
 
DevSecOps in Baby Steps
byPriyanka Aash
 
Continous Integration of (JS) projects & check-build philosophy
byFrançois-Guillaume Ribreau
 
Rugged DevOps: Bridging Security and DevOps
byJames Wickett
 
Automated Security Testing
byseleniumconf
 
Pythonista も ls を読むべきか?
byKatsunori FUJIWARA
 

Similar to The Journey to DevSecOps

PPTX
Secure DevOPS Implementation Guidance
byTej Luthra
 
PDF
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
PDF
Protecting Agile Transformation through Secure DevOps (DevSecOps)
byEryk Budi Pratama
 
PDF
DevSecOps at Agile 2019
byElizabeth Ayer
 
PPTX
DevSecCon KeyNote London 2015
byShannon Lietz
 
PPTX
DevSecOps-Revolutionizing-Secure-Software-Design.pptx
byshivamsourav1406
 
PPTX
What is devsecops and what is the characteristics of it
byamalsalah25
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
PDF
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
PDF
Building Security Into Your Cloud IT Practices
byMighty Guides, Inc.
 
PPTX
DevSecOps-Explained-converted.pptx
byGurajalanaganarasimh
 
PPTX
DevSecOps Best Practices-Safeguarding Your Digital Landscape
bystevecooper930744
 
PPTX
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 
PPTX
DevSecCon Keynote
byShannon Lietz
 
PPTX
ISACA Ireland Keynote 2015
byShannon Lietz
 
PPTX
The End of Security as We Know It - Shannon Lietz
bySeniorStoryteller
 
PPTX
S360 2015 dev_secops_program
byShannon Lietz
 
PPTX
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
byPerforce
 
PDF
Scale security for a dollar or less
byMohammed A. Imran
 
PDF
DevSecOps Implement Making Security Central to Your DevOps Pipeline
byEnov8
 
Secure DevOPS Implementation Guidance
byTej Luthra
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
byEryk Budi Pratama
 
DevSecOps at Agile 2019
byElizabeth Ayer
 
DevSecCon KeyNote London 2015
byShannon Lietz
 
DevSecOps-Revolutionizing-Secure-Software-Design.pptx
byshivamsourav1406
 
What is devsecops and what is the characteristics of it
byamalsalah25
 
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
Building Security Into Your Cloud IT Practices
byMighty Guides, Inc.
 
DevSecOps-Explained-converted.pptx
byGurajalanaganarasimh
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
bystevecooper930744
 
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 
DevSecCon Keynote
byShannon Lietz
 
ISACA Ireland Keynote 2015
byShannon Lietz
 
The End of Security as We Know It - Shannon Lietz
bySeniorStoryteller
 
S360 2015 dev_secops_program
byShannon Lietz
 
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
byPerforce
 
Scale security for a dollar or less
byMohammed A. Imran
 
DevSecOps Implement Making Security Central to Your DevOps Pipeline
byEnov8
 

More from SeniorStoryteller

PPTX
Leveraging Nexus Repository Manager at the Heart of DevOps
bySeniorStoryteller
 
PDF
Building Security In - A Tale of Two Stories - Laksh Raghavan
bySeniorStoryteller
 
PPTX
NuGet Package Management Done Right
bySeniorStoryteller
 
PPTX
Safely Removing the Last Roadblock to Continuous Delivery
bySeniorStoryteller
 
PPTX
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
bySeniorStoryteller
 
PDF
Ops Happens: DevOps Beyond Deployment - Damon Edwards
bySeniorStoryteller
 
PPTX
Making Security Agile - Oleg Gryb
bySeniorStoryteller
 
PPTX
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
bySeniorStoryteller
 
PDF
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
bySeniorStoryteller
 
PPTX
Create Rugged Applications: Managing Your Software Supply Chain
bySeniorStoryteller
 
PDF
Heroes’ Journey: Learning from Successful DevOps Transformations
bySeniorStoryteller
 
PPTX
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
bySeniorStoryteller
 
PDF
Implementing DevOps in a Regulated Environment - DJ Schleen
bySeniorStoryteller
 
PPTX
Aligning Your Team and Your Powers for Success
bySeniorStoryteller
 
PDF
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
bySeniorStoryteller
 
PDF
Breaking Bad Equilibruim - John Willis
bySeniorStoryteller
 
PPTX
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
bySeniorStoryteller
 
PPTX
Rugged DevOps: Aligning Your Team and Your Powers for Success
bySeniorStoryteller
 
PPTX
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
bySeniorStoryteller
 
PDF
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
bySeniorStoryteller
 
Leveraging Nexus Repository Manager at the Heart of DevOps
bySeniorStoryteller
 
Building Security In - A Tale of Two Stories - Laksh Raghavan
bySeniorStoryteller
 
NuGet Package Management Done Right
bySeniorStoryteller
 
Safely Removing the Last Roadblock to Continuous Delivery
bySeniorStoryteller
 
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
bySeniorStoryteller
 
Ops Happens: DevOps Beyond Deployment - Damon Edwards
bySeniorStoryteller
 
Making Security Agile - Oleg Gryb
bySeniorStoryteller
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
bySeniorStoryteller
 
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
bySeniorStoryteller
 
Create Rugged Applications: Managing Your Software Supply Chain
bySeniorStoryteller
 
Heroes’ Journey: Learning from Successful DevOps Transformations
bySeniorStoryteller
 
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
bySeniorStoryteller
 
Implementing DevOps in a Regulated Environment - DJ Schleen
bySeniorStoryteller
 
Aligning Your Team and Your Powers for Success
bySeniorStoryteller
 
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
bySeniorStoryteller
 
Breaking Bad Equilibruim - John Willis
bySeniorStoryteller
 
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
bySeniorStoryteller
 
Rugged DevOps: Aligning Your Team and Your Powers for Success
bySeniorStoryteller
 
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
bySeniorStoryteller
 
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
bySeniorStoryteller
 

Recently uploaded

PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 

The Journey to DevSecOps

  • 1.
    Shannon Lietz The Journeyto DevSecOps^ @devsecops
  • 2.
    Always an EarlyAdopter Google Trends • DevOps.com was bought in 2004 • Google searches for “DevOps” started to rise in 2010 • Major influences: – Saving your Infrastructure from DevOps / Chicago Tribune – DevOps: A Culture Shift, Not a Technology / Information Week – DevOps: A Sharder’s Tale from Etsy – DevOps.com articles • RuggedSoftware.org was bought in 2010 https://www.google.com/trends/
  • 3.
  • 4.
    Which means, spendingmost of your career doing this… Bang Head Here
  • 5.
    This is theEnd of Security as We Know It… Say what?!??! 6+ years later, it’s hard to believe we’re still shocked by this quote! This talk will provide you with a path forward… And a survival kit... -Josh Corman
  • 6.
    An Ugly LittleSecret • DevOps teams make security decisions… several times, everyday! • Hackers find security issues and exploit them... several times, everday! • Security teams hardly ever make security decisions... and really only when risks need to be officially authorized! https://www.flickr.com/photos/denise_rowlands
  • 7.
    In a DemingWorld… • Most decisions are made within the software supply chain by engineering teams • Security decisions are usually made as a result of attempting to balance design constraints • Gating processes are not Deming-like; but it is hard to avoid business catastrophes by applying measure ahead strategies for security • Most security defects are identified during a major event triggering the equivalent of a security “recall” design build deploy operate How do I secure my app? What component is secure enough? How do I secure secrets for the app? Is my app getting attacked? How? Typical gates for security checks & balances Mistakes and drift often happen after design and build phases Most costly mistakes Happen during design Missing and much-needed feedback loop
  • 8.
    Hackers have lotsof opportunities… People • Susceptible to phishing and email scams • Can be social engineered Process • Humans make mistakes, because they are human (6 Sigma) • Process gaps provide room for fraud Technology • Software complexity increases with reusable components • Technology providers have to do their part, or everyone fails!
  • 9.
    Get Grounded inReality • Secure business is the new black! KTLO! • Everyone must be responsible for security! • Perfection is over-rated… Mistakes are inevitable. • Reacting can be costly… build security in. • Compliance is important but it’s not security! • A blaming culture is dangerous, avoid it! • Continuously test, detect, measure and incrementally improve.
  • 10.
    Keep The LightsOn! • Keeping the Lights on includes Security… • 66% of companies adopting DevOps • DevOps teams need guardrails and guidelines to move fast • Security decisions that haven’t been made before likely require escalation https://www.flickr.com/photos/darwinbell http://www.rightscale.com/blog/cloud-industry-insights/cloud- computing-trends-2015-state-cloud-survey
  • 11.
    Enlist Everyone! • Commonratio for Dev, Ops and Sec => 100, 10, 1 • Numbers matter against attackers! • Skills help, but anyone can identify an anomaly. • Everyone needs to help with security; everyone has a role to play. And this is hard to find...
  • 12.
    Mistakes happen… • DevOpsutilize customer-driven development processes with incremental changes…Mistakes just happen. • But because of frequent changes, teams have more opportunities to correct defects, on average 30x more • Teams need help deciphering how to self-correct https://www.flickr.com/photos/doobybrain
  • 13.
    Protection is ideal;Detection is a must! • The faster a defect is discovered, the faster it can be dealt with. • DevOps has 50% faster MTTR • Transforming security events into incidents and problems helps with resolution rates https://www.flickr.com/photos/daoro
  • 14.
    Compliance Programs won’tstop a breach • Point in time assessments don’t go far enough • 0 companies (in 10 years) have been found compliant after a breach • Compliance needs to be paired with rugged security http://www.slideshare.net/VerizonEnterpriseSolutions/webinar-new- insights-to-simplify-pci-compliance-and-manage-risk
  • 15.
    High Performing iswhere it’s at! • High performing teams that focus on a blameless culture improve on average 50% better • Blaming cultures create less engagement, 30% less efficient • MTTR is 5x faster in blameless teams that focus on opportunities first #1
  • 16.
    Continuous Improvement • Continuousimprovement has been a goal for an endless amount of years • Teams that focus on testing, early detection, and measuring progress have 30% fewer defects in production • Tests are often added to continuous delivery to achieve better results throughout the continuous delivery pipeline https://www.flickr.com/photos/deniscollette
  • 17.
    Great! What doesthis look like in practice for a security professional? Leaning in over Always Saying “No” Data & Security Science over Fear, Uncertainty and Doubt Open Contribution & Collaboration over Security-Only Requirements Consumable Security Services with APIs over Mandated Security Controls & Paperwork Business Driven Security Scores over Rubber Stamp Security Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident Shared Threat Intelligence over Keeping Info to Ourselves Compliance Operations over Clipboards & Checklists
  • 18.
    Use Security Skillsto Build Tools
  • 19.
  • 20.
    Get Involved andJoin the Community • devsecops.org • @devsecops on Twitter • DevSecOps on LinkedIn • DevSecOps on Github • RuggedSoftware.org • Compliance at Velocity • Join Us !!! • Spread the word!!!
  • 21.
    #RuggedDevOps If you seesomething cool…
  • 22.
    Thank You toOur Sponsors
  • 23.
    Get today’s RuggedDevOps presentations in your inbox mmiller@sonatype.com