Rundeck, profile picture
Uploaded byRundeck
PDF, PPTX717 views

The "Ops" Side of DevSecOps

The document discusses the challenges faced by operations teams in a DevSecOps framework, emphasizing issues like siloed information and queues that lead to inefficiencies. It proposes an 'Operations as a Service' model to enhance collaboration, decentralize control, and improve security and compliance through automation and self-service. Key steps include establishing a secure ops hub, developing a software development lifecycle for operational procedures, and linking with enterprise management systems for better visibility and audit trails.

Technology
Related topics:
IT Security

Embed presentation

Download as PDF, PPTX
The “Ops” Side of DevSecOps Damon Edwards @damonedwards DevSecOps@RSA AJP - 25 July 2017
Ops Improvement DevOps Ops Tools Community Damon Edwards
Teamwork echo “$WISE_QUOTE”
Some DevOps History DevOps
Some DevOps History DevOps
Now here comes DevSecOps DevOps
Now here comes DevSecOps Dev Ops
Now here comes DevSecOps Dev OpsSec
Now here comes DevSecOps Dev OpsSec
Now here comes DevSecOps Dev OpsSec
Operations is getting squeezed OpsBusiness Idea Shorter Time-to-Market Fast Feedback from Users Dev Ops Running Services Improved Quality Digital and DevOps Availability Auditing Security Compliance "Go faster!" “Be flexible!” “Lock it down!”
Operations is getting squeezed OpsBusiness Idea Shorter Time-to-Market Fast Feedback from Users Dev Ops Running Services Improved Quality Digital and DevOps Availability Auditing Security Compliance "Go faster!" “Be flexible!” “Lock it down!”
What Keeps Ops Under This Pressure? Silos Queues Centralization Backlog Information I need X PrioritiesTools Backlog I do X Requests for X Silo A Information Priorities Silo B Tools ?? Silo A Silo B Ticket Queue
Silos Backlog Information PrioritiesTools
Backlog Information I need X PrioritiesTools Silos
Backlog Information I need X PrioritiesTools Silos Backlog I do X Requests for X Silo A Information Priorities Silo B Tools
Silos cause disconnects and mismatches Backlog Information I need X PrioritiesTools Backlog I do X Requests for X Silo A Information Priorities Silo B Tools Context Context Process Process Tooling Tooling Capacity Capacity
Function A Function B Function C Org becomes siloed pools of functional specialists Requests fulfilled by semi- manual or manual effort Primary management focus is on protecting team capacity
How do we cover for our silos disconnects and mismatches? Silo A Silo B
How do we cover for our silos disconnects and mismatches? Silo A Silo B Ticket Queue
?? Silo A Silo B We all know how well that works Ticket Queue
Request queues are an expensive way to manage work Ticket Queue Queues Create… Longer Cycle Time Increased Risk More Variability More Overhead Lower Quality Less Motivation Adapted from Donald G. Reinertsen, The Principles of Product Development Flow: Second Generation Lean Product Development
Tickets queues become “snowflake makers” ?? Silo A Silo B Ticket Queue
Tickets queues become “snowflake makers” ?? Silo A Silo B Ticket Queue Snowflakes (each unique, technically acceptable but unreproducible and brittle)
Tickets queues become “snowflake makers” ?? Silo A Silo B Ticket Queue Snowflakes (each unique, technically acceptable but unreproducible and brittle) Unintended variability = Security risks!
Where are decisions made? Who can take action? escalate 1° 2° 3° 4° escalate escalateor
Where are decisions made? Who can take action? escalate 1° 2° 3° 4° escalate escalateor Most common decision methods: 1. Similar history 2. Folklore 3. Mostly guessing
All work is contextual John Allspaw
All work is contextual rm -rf $PATHNAME John Allspaw
All work is contextual rm -rf $PATHNAME Is this dangerous? John Allspaw
All work is contextual rm -rf $PATHNAME John Allspaw
All work is contextual rm -rf $PATHNAME John Allspaw
All work is contextual rm -rf $PATHNAME Is this dangerous? John Allspaw
All work is contextual rm -rf $PATHNAME John Allspaw
All work is contextual rm -rf $PATHNAME Answer is always “it depends” John Allspaw
escalate 1° 2° 3° 4° escalate escalateor Context Where are decisions made? Who can take action?
“Shift Left” the ability to take action Push the ability to take action this direction escalate 1° 2° 3° 4° escalate escalateor
How can you help operations? (and help yourself) OpsBusiness Idea Shorter Time-to-Market Fast Feedback from Users Dev Ops Running Services Improved Quality Digital and DevOps Availability Auditing Security Compliance "Go faster!" “Be flexible!” “Lock it down!” Silos 
 Queues
 Centralization Backlog Information I need X PrioritiesTools Backlog I do X Requests for X Silo A Information Priorities Silo B Tools ?? Silo A Silo B Ticket Queue
How can you help operations? (and help yourself) OpsBusiness Idea Shorter Time-to-Market Fast Feedback from Users Dev Ops Running Services Improved Quality Digital and DevOps Availability Auditing Security Compliance "Go faster!" “Be flexible!” “Lock it down!” Silos 
 Queues
 Centralization Backlog Information I need X PrioritiesTools Backlog I do X Requests for X Silo A Information Priorities Silo B Tools ?? Silo A Silo B Ticket Queue
How can you help operations? (and help yourself) OpsBusiness Idea Shorter Time-to-Market Fast Feedback from Users Dev Ops Running Services Improved Quality Digital and DevOps Availability Auditing Security Compliance "Go faster!" “Be flexible!” “Lock it down!” Silos 
 Queues
 Centralization Backlog Information I need X PrioritiesTools Backlog I do X Requests for X Silo A Information Priorities Silo B Tools ?? Silo A Silo B Ticket Queue Self-Service
How can you help operations? (and help yourself) OpsBusiness Idea Shorter Time-to-Market Fast Feedback from Users Dev Ops Running Services Improved Quality Digital and DevOps Availability Auditing Security Compliance "Go faster!" “Be flexible!” “Lock it down!” Silos 
 Queues
 Centralization Backlog Information I need X PrioritiesTools Backlog I do X Requests for X Silo A Information Priorities Silo B Tools ?? Silo A Silo B Ticket Queue Self-Service
How do we decentralize control, but stay under control?
Automated Procedures have three essential elements Definition of the automated procedure Execution of the automated procedure Governance of the automated procedure Define Execute Govern
Automated Procedures have three essential elements Definition of the automated procedure Execution of the automated procedure Governance of the automated procedure Define Execute Govern (security, oversight, compliance, etc.)
Traditional Ops Silo Define Execute Govern “Consumers of Ops” (Dev, QA, Release, NOC, Security, etc.) Ops
Rigid Self-Service Define Execute Govern “Consumers of Ops” (Dev, QA, Release, NOC, Security, etc.) Ops
Define Execute Govern Execute “Consumers of Ops” (Dev, QA, Release, NOC, Security, etc.) Ops Rigid Self-Service (ends up being limited)
High-Velocity Handoffs Define Govern Execute “Consumers of Ops” (Dev, QA, Release, NOC, Security, etc.) Ops
Self-Service Operations Define Govern Execute “Consumers of Ops” (Dev, QA, Release, NOC, Security, etc.) Ops
Self-Service Operations Define Govern Execute Govern “Consumers of Ops” (Dev, QA, Release, NOC, Security, etc.) Ops
“Operations as a Service” design pattern is the key enabler fdfd Operations as a Service E Define/Approve actions Define security policy Oversight Define actions Execute actions Execute actions Ops“Consumers of Ops” (Dev, QA, Release, NOC, etc.) D G
“Operations as a Service” design pattern is the key enabler Split definition, execution, and governance and move to where most effective use of labor fdfd Operations as a Service E Define/Approve actions Define security policy Oversight Define actions Execute actions Execute actions Ops“Consumers of Ops” (Dev, QA, Release, NOC, etc.) D G
Building out your Operations as a Service capability
Step 1: Establish a Secure Ops Hub Operations as a Service Engineers get visibility and controlled self-service Secrets Ops Procedures “Status” “Firewall Change” "Restart" deny allow Identity Audit Logs Infrastructure view Service health System metrics Ops Support use for remediation procedures Inventory and Health Execute + Observability/Monitoring Security and Ops manages access, configuration, and compliance
Step 2: Establish a SDLC for Ops Procedures Operations as a Service Engineers get visibility and controlled self-service Secrets Ops Procedures “Status” “Firewall Change” "Restart" deny allow Identity Audit Logs Infrastructure view Service health System metrics Ops Support use for remediation procedures Inventory and Health Execute Source Repo if (($state==wait)) then kill -9 $PID fi Change Product Engineers produce automated procedures and health checks. RISKY Automated Procedures and Health Checks FIX Code review + Observability/Monitoring Security and Ops manages access, configuration, and compliance Package Repo CI
Step 3: Connect with Enterprise Management Systems Service Desk CustomersOps Support get visibility and audit trail updated by support tools Service Ticket Execute Software Supply Chain Ops integrate with artifact flow Operations as a Service Engineers get visibility and controlled self-service Secrets Ops Procedures “Status” “Firewall Change” "Restart" deny allow Identity Audit Logs Infrastructure view Service health System metrics Ops Support use for remediation procedures Inventory and Health + Monitoring Tools Security and Ops manages access, configuration, and compliance Source Repo if (($state==wait)) then kill -9 $PID fi Change Product Engineers produce automated procedures and health checks. RISKY Automated Procedures and Health Checks FIX Code review Package Repo CI
Step 4: Reap the security and compliance benefits Service Desk CustomersOps Support get visibility and audit trail updated by support tools Service Ticket Execute Software Supply Chain Ops integrate with artifact flow Who reviewed it? Who ran it? When? Where? Approval trail? Who created the procedure? Who created the policy? Operations as a Service Engineers get visibility and controlled self-service Secrets Ops Procedures “Status” “Firewall Change” "Restart" deny allow Identity Audit Logs Infrastructure view Service health System metrics Ops Support use for remediation procedures Inventory and Health + Monitoring Tools Security and Ops manages access, configuration, and compliance Source Repo if (($state==wait)) then kill -9 $PID fi Change Product Engineers produce automated procedures and health checks. RISKY Automated Procedures and Health Checks FIX Code review Package Repo CI
Recap Understand the pressure on Ops Leverage the Operations as a Service design pattern “Shift-Left” control and decision making. Queues Create… Longer Cycle Time Increased Risk More Variability More Overhead Lower Quality Less Motivation Adapted from Donald G. Reinertsen, The Principles of Product Development Flow: Second Generation Lean Product Development Understand the cost of silos and queues Self-service to remove silos and queues OpsBusiness Idea Shorter Time-to-Market Fast Feedback from Users Dev Ops Running Services Improved Quality Digital and DevOps Availability Auditing Security Compliance "Go faster!" “Be flexible!” “Lock it down!” Team A (Dev) Team B (Ops) Ticket System ?? Service Desk CustomersOps Support get visibility and audit trail updated by support tools Service Ticket Execute Software Supply Chain Ops integrate with artifact flow Who reviewed it? Who ran it? When? Where? Approval trail? Who created the procedure? Who created the policy? Operations as a Service Engineers get visibility and controlled self-service Secrets Ops Procedures “Status” “Firewall Change” "Restart" deny allow Identity Audit Logs Infrastructure view Service health System metrics Ops Support use for remediation procedures Inventory and Health + Monitoring Tools Security and Ops manages access, configuration, and compliance Source Repo if (($state==wait)) then kill -9 $PID fi Change Product Engineers produce automated procedures and health checks. RISKY Automated Procedures and Health Checks FIX Code review Package Repo CI Reap the security and compliance benefits
Recap Understand the pressure on Ops Leverage the Operations as a Service design pattern “Shift-Left” control and decision making. Queues Create… Longer Cycle Time Increased Risk More Variability More Overhead Lower Quality Less Motivation Adapted from Donald G. Reinertsen, The Principles of Product Development Flow: Second Generation Lean Product Development Understand the cost of silos and queues Self-service to remove silos and queues OpsBusiness Idea Shorter Time-to-Market Fast Feedback from Users Dev Ops Running Services Improved Quality Digital and DevOps Availability Auditing Security Compliance "Go faster!" “Be flexible!” “Lock it down!” Team A (Dev) Team B (Ops) Ticket System ?? Service Desk CustomersOps Support get visibility and audit trail updated by support tools Service Ticket Execute Software Supply Chain Ops integrate with artifact flow Who reviewed it? Who ran it? When? Where? Approval trail? Who created the procedure? Who created the policy? Operations as a Service Engineers get visibility and controlled self-service Secrets Ops Procedures “Status” “Firewall Change” "Restart" deny allow Identity Audit Logs Infrastructure view Service health System metrics Ops Support use for remediation procedures Inventory and Health + Monitoring Tools Security and Ops manages access, configuration, and compliance Source Repo if (($state==wait)) then kill -9 $PID fi Change Product Engineers produce automated procedures and health checks. RISKY Automated Procedures and Health Checks FIX Code review Package Repo CI Reap the security and compliance benefits https://www.rundeck.com/oaas
Let’s talk… @damonedwards damon@rundeck.com
Let’s talk… @damonedwards damon@rundeck.com https://www.rundeck.com/oaas

More Related Content

PDF
Self-Service Operations: Because Ops Still Happens
byRundeck
 
PDF
Keeping Your DevOps Transformation From Crushing Your Ops Capacity
byRundeck
 
PDF
Modern Operations: Solving DevOps’ Last Mile Problem
byRundeck
 
PDF
Operations as a Service: Because Failure Still Happens
byRundeck
 
PDF
Self-Service Operations: Because Failure Still Happens (Developer Edition)
byRundeck
 
PDF
Helping Ops Help You: Development’s Role in Enabling Self-Service Operations
byRundeck
 
PDF
Failure Happens: Improving Incident Response In Enterprises
byRundeck
 
PDF
Ops Happens: Improving Incident Response Using DevOps and SRE Practices
byRundeck
 
Self-Service Operations: Because Ops Still Happens
byRundeck
 
Keeping Your DevOps Transformation From Crushing Your Ops Capacity
byRundeck
 
Modern Operations: Solving DevOps’ Last Mile Problem
byRundeck
 
Operations as a Service: Because Failure Still Happens
byRundeck
 
Self-Service Operations: Because Failure Still Happens (Developer Edition)
byRundeck
 
Helping Ops Help You: Development’s Role in Enabling Self-Service Operations
byRundeck
 
Failure Happens: Improving Incident Response In Enterprises
byRundeck
 
Ops Happens: Improving Incident Response Using DevOps and SRE Practices
byRundeck
 

What's hot

PDF
The Last Mile Continued: Incident Management
byRundeck
 
PDF
Incident Management in the Age of DevOps and SRE
byRundeck
 
PDF
Incident Management in the Age of DevOps and SRE
byRundeck
 
PDF
Incident Management in the Age of DevOps and SRE
byRundeck
 
PDF
Clearing the Way For SRE In the Enterprise
byRundeck
 
PDF
SysAdmin to SRE: Solving the Last Mile Problem
byRundeck
 
PDF
Innovation and Architecture
byAdrian Cockcroft
 
PDF
Operations: The Last Mile Problem For DevOps
byRundeck
 
PDF
SRE for Everyone: Making Tomorrow Better Than Today
byRundeck
 
PDF
SRE From Scratch
byGrier Johnson
 
PDF
All daydevops 2016 - Turning Human Capital into High Performance Organizati...
byJohn Willis
 
PDF
DOES16 London - Better Faster Cheaper .. How?
byJohn Willis
 
PDF
Tickets Make Operations Work Unnecessarily Miserable
byRundeck
 
PDF
SysAdmin to SRE: Creating Capacity to Make Tomorrow Better Than Today
byRundeck
 
PDF
Operations: The Last Mile
byRundeck
 
PDF
Operations: The Last Mile
byRundeck
 
PDF
Making Tomorrow Better than Today - Unlocking the Full Potential of Operations
byRundeck
 
PDF
SRE Lessons for the Enterprise
byRundeck
 
PDF
Immutable Service Delivery Shenzhen 2016
byJohn Willis
 
PDF
Empower Devs, Simplify Ops, and Accelerate your Digital Transformation
byRundeck
 
The Last Mile Continued: Incident Management
byRundeck
 
Incident Management in the Age of DevOps and SRE
byRundeck
 
Incident Management in the Age of DevOps and SRE
byRundeck
 
Incident Management in the Age of DevOps and SRE
byRundeck
 
Clearing the Way For SRE In the Enterprise
byRundeck
 
SysAdmin to SRE: Solving the Last Mile Problem
byRundeck
 
Innovation and Architecture
byAdrian Cockcroft
 
Operations: The Last Mile Problem For DevOps
byRundeck
 
SRE for Everyone: Making Tomorrow Better Than Today
byRundeck
 
SRE From Scratch
byGrier Johnson
 
All daydevops 2016 - Turning Human Capital into High Performance Organizati...
byJohn Willis
 
DOES16 London - Better Faster Cheaper .. How?
byJohn Willis
 
Tickets Make Operations Work Unnecessarily Miserable
byRundeck
 
SysAdmin to SRE: Creating Capacity to Make Tomorrow Better Than Today
byRundeck
 
Operations: The Last Mile
byRundeck
 
Operations: The Last Mile
byRundeck
 
Making Tomorrow Better than Today - Unlocking the Full Potential of Operations
byRundeck
 
SRE Lessons for the Enterprise
byRundeck
 
Immutable Service Delivery Shenzhen 2016
byJohn Willis
 
Empower Devs, Simplify Ops, and Accelerate your Digital Transformation
byRundeck
 

Similar to The "Ops" Side of DevSecOps

PPTX
Finding-Security-A-Home-In-A-DevOps-World.pptx
byalejandro415203
 
PPTX
DevSecCon KeyNote London 2015
byShannon Lietz
 
PPTX
Is DevOps Braking Your Company?
byconjur_inc
 
PDF
The What, Why, and How of DevSecOps
byCprime
 
PDF
DSC UTeM DevOps Session#1: Intro to DevOps Presentation Slides
byDSC UTeM
 
PPTX
The Teams Behind DevSecOps
byUleska
 
PDF
Tickets Make Ops Unnecessarily Miserable: The Journey to Self-Service
byRundeck
 
PDF
Agile and compliant firewall ACL configuration management for DevOps
byJ On The Beach
 
PDF
Devops, Secops, Opsec, DevSec *ops *.* ?
byKris Buytaert
 
PPTX
Finding Security a Home in a DevOps World
byShannon Lietz
 
ODP
Dev ops
byEslam El Husseiny
 
PPTX
DevSecCon Keynote
byShannon Lietz
 
PPTX
BsidesMCR_2016-what-can-infosec-learn-from-devops
byJames '​-- Mckinlay
 
PPTX
2011 06 15 velocity conf from visible ops to dev ops final
byGene Kim
 
PDF
DevOps & Security from an Enterprise Toolsmith's Perspective
bydev2ops
 
PPTX
2011 09 19 LSPE Dev Ops Cookbook 1a
byGene Kim
 
PDF
Good-cyber-hygiene-at-scale-and-speed
byJames '​-- Mckinlay
 
PDF
How to address operational aspects effectively with Agile practices - Matthew...
bySkelton Thatcher Consulting Ltd
 
PDF
DevOps: Lead, Follow or Get Out of the Way - A CISO Perspective
byTexas.gov
 
PPTX
THE RISE AND FALL OF SERVERLESS COSTS - TAMING THE (SERVERLESS) BEAST
byOpher Dubrovsky
 
Finding-Security-A-Home-In-A-DevOps-World.pptx
byalejandro415203
 
DevSecCon KeyNote London 2015
byShannon Lietz
 
Is DevOps Braking Your Company?
byconjur_inc
 
The What, Why, and How of DevSecOps
byCprime
 
DSC UTeM DevOps Session#1: Intro to DevOps Presentation Slides
byDSC UTeM
 
The Teams Behind DevSecOps
byUleska
 
Tickets Make Ops Unnecessarily Miserable: The Journey to Self-Service
byRundeck
 
Agile and compliant firewall ACL configuration management for DevOps
byJ On The Beach
 
Devops, Secops, Opsec, DevSec *ops *.* ?
byKris Buytaert
 
Finding Security a Home in a DevOps World
byShannon Lietz
 
Dev ops
byEslam El Husseiny
 
DevSecCon Keynote
byShannon Lietz
 
BsidesMCR_2016-what-can-infosec-learn-from-devops
byJames '​-- Mckinlay
 
2011 06 15 velocity conf from visible ops to dev ops final
byGene Kim
 
DevOps & Security from an Enterprise Toolsmith's Perspective
bydev2ops
 
2011 09 19 LSPE Dev Ops Cookbook 1a
byGene Kim
 
Good-cyber-hygiene-at-scale-and-speed
byJames '​-- Mckinlay
 
How to address operational aspects effectively with Agile practices - Matthew...
bySkelton Thatcher Consulting Ltd
 
DevOps: Lead, Follow or Get Out of the Way - A CISO Perspective
byTexas.gov
 
THE RISE AND FALL OF SERVERLESS COSTS - TAMING THE (SERVERLESS) BEAST
byOpher Dubrovsky
 

More from Rundeck

PDF
Rundeck Overview
byRundeck
 
PPTX
Introducing PagerDuty Process Automation
byRundeck
 
PDF
Self Service Cloud Operations: Safely Delegate the Management of your Cloud ...
byRundeck
 
PDF
Rundeck Office Hours: Best Practices Access Control Policies
byRundeck
 
PPTX
Automated Remediation with Rundeck + Sensu
byRundeck
 
PDF
Datadog + Rundeck at DASH 2020
byRundeck
 
PDF
What's New in Rundeck 3.4
byRundeck
 
PDF
Modernizing Incident Response
byRundeck
 
PDF
How to Build a Custom Plugin in Rundeck
byRundeck
 
PPTX
Introduction to Rundeck
byRundeck
 
PPTX
Mastering Secrets Management in Rundeck
byRundeck
 
PDF
Rundeck Community Office Hours: Using Variables with Job Steps
byRundeck
 
PDF
Lunch and learn: Getting started with Rundeck & Ansible
byRundeck
 
PDF
Maximizing Your Rundeck Migration
byRundeck
 
PPTX
Advanced Cluster Settings
byRundeck
 
PDF
Runbook Automation: Old News or a Key to Unlock Performance? [DOES2020]
byRundeck
 
PDF
Automate Yourself Out of a Job: Safely Delegate the Management of your Azure...
byRundeck
 
PDF
Business Continuity for Humans: Keeping Your Business Running When Your Peopl...
byRundeck
 
PDF
Empower Devs, Simplify Ops, and Accelerate your Digital Transformation
byRundeck
 
PDF
Super-Charge Your Site Reliability Practices with Runbook Automation
byRundeck
 
Rundeck Overview
byRundeck
 
Introducing PagerDuty Process Automation
byRundeck
 
Self Service Cloud Operations: Safely Delegate the Management of your Cloud ...
byRundeck
 
Rundeck Office Hours: Best Practices Access Control Policies
byRundeck
 
Automated Remediation with Rundeck + Sensu
byRundeck
 
Datadog + Rundeck at DASH 2020
byRundeck
 
What's New in Rundeck 3.4
byRundeck
 
Modernizing Incident Response
byRundeck
 
How to Build a Custom Plugin in Rundeck
byRundeck
 
Introduction to Rundeck
byRundeck
 
Mastering Secrets Management in Rundeck
byRundeck
 
Rundeck Community Office Hours: Using Variables with Job Steps
byRundeck
 
Lunch and learn: Getting started with Rundeck & Ansible
byRundeck
 
Maximizing Your Rundeck Migration
byRundeck
 
Advanced Cluster Settings
byRundeck
 
Runbook Automation: Old News or a Key to Unlock Performance? [DOES2020]
byRundeck
 
Automate Yourself Out of a Job: Safely Delegate the Management of your Azure...
byRundeck
 
Business Continuity for Humans: Keeping Your Business Running When Your Peopl...
byRundeck
 
Empower Devs, Simplify Ops, and Accelerate your Digital Transformation
byRundeck
 
Super-Charge Your Site Reliability Practices with Runbook Automation
byRundeck
 

Recently uploaded

PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
API-First Architecture in Financial Systems
bycyy111112
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 

The "Ops" Side of DevSecOps

  • 1.
    The “Ops” Sideof DevSecOps Damon Edwards @damonedwards DevSecOps@RSA AJP - 25 July 2017
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
    Now here comesDevSecOps DevOps
  • 7.
    Now here comesDevSecOps Dev Ops
  • 8.
    Now here comesDevSecOps Dev OpsSec
  • 9.
    Now here comesDevSecOps Dev OpsSec
  • 10.
    Now here comesDevSecOps Dev OpsSec
  • 11.
    Operations is gettingsqueezed OpsBusiness Idea Shorter Time-to-Market Fast Feedback from Users Dev Ops Running Services Improved Quality Digital and DevOps Availability Auditing Security Compliance "Go faster!" “Be flexible!” “Lock it down!”
  • 12.
    Operations is gettingsqueezed OpsBusiness Idea Shorter Time-to-Market Fast Feedback from Users Dev Ops Running Services Improved Quality Digital and DevOps Availability Auditing Security Compliance "Go faster!" “Be flexible!” “Lock it down!”
  • 13.
    What Keeps OpsUnder This Pressure? Silos Queues Centralization Backlog Information I need X PrioritiesTools Backlog I do X Requests for X Silo A Information Priorities Silo B Tools ?? Silo A Silo B Ticket Queue
  • 14.
  • 15.
    Backlog Information I needX PrioritiesTools Silos
  • 16.
    Backlog Information I needX PrioritiesTools Silos Backlog I do X Requests for X Silo A Information Priorities Silo B Tools
  • 17.
    Silos cause disconnectsand mismatches Backlog Information I need X PrioritiesTools Backlog I do X Requests for X Silo A Information Priorities Silo B Tools Context Context Process Process Tooling Tooling Capacity Capacity
  • 18.
    Function A Function B FunctionC Org becomes siloed pools of functional specialists Requests fulfilled by semi- manual or manual effort Primary management focus is on protecting team capacity
  • 19.
    How do wecover for our silos disconnects and mismatches? Silo A Silo B
  • 20.
    How do wecover for our silos disconnects and mismatches? Silo A Silo B Ticket Queue
  • 21.
    ?? Silo A SiloB We all know how well that works Ticket Queue
  • 22.
    Request queues arean expensive way to manage work Ticket Queue Queues Create… Longer Cycle Time Increased Risk More Variability More Overhead Lower Quality Less Motivation Adapted from Donald G. Reinertsen, The Principles of Product Development Flow: Second Generation Lean Product Development
  • 23.
    Tickets queues become“snowflake makers” ?? Silo A Silo B Ticket Queue
  • 24.
    Tickets queues become“snowflake makers” ?? Silo A Silo B Ticket Queue Snowflakes (each unique, technically acceptable but unreproducible and brittle)
  • 25.
    Tickets queues become“snowflake makers” ?? Silo A Silo B Ticket Queue Snowflakes (each unique, technically acceptable but unreproducible and brittle) Unintended variability = Security risks!
  • 26.
    Where are decisionsmade? Who can take action? escalate 1° 2° 3° 4° escalate escalateor
  • 27.
    Where are decisionsmade? Who can take action? escalate 1° 2° 3° 4° escalate escalateor Most common decision methods: 1. Similar history 2. Folklore 3. Mostly guessing
  • 28.
    All work iscontextual John Allspaw
  • 29.
    All work iscontextual rm -rf $PATHNAME John Allspaw
  • 30.
    All work iscontextual rm -rf $PATHNAME Is this dangerous? John Allspaw
  • 31.
    All work iscontextual rm -rf $PATHNAME John Allspaw
  • 32.
    All work iscontextual rm -rf $PATHNAME John Allspaw
  • 33.
    All work iscontextual rm -rf $PATHNAME Is this dangerous? John Allspaw
  • 34.
    All work iscontextual rm -rf $PATHNAME John Allspaw
  • 35.
    All work iscontextual rm -rf $PATHNAME Answer is always “it depends” John Allspaw
  • 36.
    escalate 1° 2° 3°4° escalate escalateor Context Where are decisions made? Who can take action?
  • 37.
    “Shift Left” theability to take action Push the ability to take action this direction escalate 1° 2° 3° 4° escalate escalateor
  • 38.
    How can youhelp operations? (and help yourself) OpsBusiness Idea Shorter Time-to-Market Fast Feedback from Users Dev Ops Running Services Improved Quality Digital and DevOps Availability Auditing Security Compliance "Go faster!" “Be flexible!” “Lock it down!” Silos 
 Queues
 Centralization Backlog Information I need X PrioritiesTools Backlog I do X Requests for X Silo A Information Priorities Silo B Tools ?? Silo A Silo B Ticket Queue
  • 39.
    How can youhelp operations? (and help yourself) OpsBusiness Idea Shorter Time-to-Market Fast Feedback from Users Dev Ops Running Services Improved Quality Digital and DevOps Availability Auditing Security Compliance "Go faster!" “Be flexible!” “Lock it down!” Silos 
 Queues
 Centralization Backlog Information I need X PrioritiesTools Backlog I do X Requests for X Silo A Information Priorities Silo B Tools ?? Silo A Silo B Ticket Queue
  • 40.
    How can youhelp operations? (and help yourself) OpsBusiness Idea Shorter Time-to-Market Fast Feedback from Users Dev Ops Running Services Improved Quality Digital and DevOps Availability Auditing Security Compliance "Go faster!" “Be flexible!” “Lock it down!” Silos 
 Queues
 Centralization Backlog Information I need X PrioritiesTools Backlog I do X Requests for X Silo A Information Priorities Silo B Tools ?? Silo A Silo B Ticket Queue Self-Service
  • 41.
    How can youhelp operations? (and help yourself) OpsBusiness Idea Shorter Time-to-Market Fast Feedback from Users Dev Ops Running Services Improved Quality Digital and DevOps Availability Auditing Security Compliance "Go faster!" “Be flexible!” “Lock it down!” Silos 
 Queues
 Centralization Backlog Information I need X PrioritiesTools Backlog I do X Requests for X Silo A Information Priorities Silo B Tools ?? Silo A Silo B Ticket Queue Self-Service
  • 42.
    How do wedecentralize control, but stay under control?
  • 43.
    Automated Procedures havethree essential elements Definition of the automated procedure Execution of the automated procedure Governance of the automated procedure Define Execute Govern
  • 44.
    Automated Procedures havethree essential elements Definition of the automated procedure Execution of the automated procedure Governance of the automated procedure Define Execute Govern (security, oversight, compliance, etc.)
  • 45.
    Traditional Ops Silo Define Execute Govern “Consumersof Ops” (Dev, QA, Release, NOC, Security, etc.) Ops
  • 46.
    Rigid Self-Service Define Execute Govern “Consumers ofOps” (Dev, QA, Release, NOC, Security, etc.) Ops
  • 47.
    Define Execute Govern Execute “Consumers of Ops” (Dev,QA, Release, NOC, Security, etc.) Ops Rigid Self-Service (ends up being limited)
  • 48.
    High-Velocity Handoffs Define Govern Execute “Consumers ofOps” (Dev, QA, Release, NOC, Security, etc.) Ops
  • 49.
    Self-Service Operations Define Govern Execute “Consumers ofOps” (Dev, QA, Release, NOC, Security, etc.) Ops
  • 50.
    Self-Service Operations Define Govern Execute Govern “Consumers ofOps” (Dev, QA, Release, NOC, Security, etc.) Ops
  • 51.
    “Operations as aService” design pattern is the key enabler fdfd Operations as a Service E Define/Approve actions Define security policy Oversight Define actions Execute actions Execute actions Ops“Consumers of Ops” (Dev, QA, Release, NOC, etc.) D G
  • 52.
    “Operations as aService” design pattern is the key enabler Split definition, execution, and governance and move to where most effective use of labor fdfd Operations as a Service E Define/Approve actions Define security policy Oversight Define actions Execute actions Execute actions Ops“Consumers of Ops” (Dev, QA, Release, NOC, etc.) D G
  • 53.
    Building out yourOperations as a Service capability
  • 54.
    Step 1: Establisha Secure Ops Hub Operations as a Service Engineers get visibility and controlled self-service Secrets Ops Procedures “Status” “Firewall Change” "Restart" deny allow Identity Audit Logs Infrastructure view Service health System metrics Ops Support use for remediation procedures Inventory and Health Execute + Observability/Monitoring Security and Ops manages access, configuration, and compliance
  • 55.
    Step 2: Establisha SDLC for Ops Procedures Operations as a Service Engineers get visibility and controlled self-service Secrets Ops Procedures “Status” “Firewall Change” "Restart" deny allow Identity Audit Logs Infrastructure view Service health System metrics Ops Support use for remediation procedures Inventory and Health Execute Source Repo if (($state==wait)) then kill -9 $PID fi Change Product Engineers produce automated procedures and health checks. RISKY Automated Procedures and Health Checks FIX Code review + Observability/Monitoring Security and Ops manages access, configuration, and compliance Package Repo CI
  • 56.
    Step 3: Connectwith Enterprise Management Systems Service Desk CustomersOps Support get visibility and audit trail updated by support tools Service Ticket Execute Software Supply Chain Ops integrate with artifact flow Operations as a Service Engineers get visibility and controlled self-service Secrets Ops Procedures “Status” “Firewall Change” "Restart" deny allow Identity Audit Logs Infrastructure view Service health System metrics Ops Support use for remediation procedures Inventory and Health + Monitoring Tools Security and Ops manages access, configuration, and compliance Source Repo if (($state==wait)) then kill -9 $PID fi Change Product Engineers produce automated procedures and health checks. RISKY Automated Procedures and Health Checks FIX Code review Package Repo CI
  • 57.
    Step 4: Reapthe security and compliance benefits Service Desk CustomersOps Support get visibility and audit trail updated by support tools Service Ticket Execute Software Supply Chain Ops integrate with artifact flow Who reviewed it? Who ran it? When? Where? Approval trail? Who created the procedure? Who created the policy? Operations as a Service Engineers get visibility and controlled self-service Secrets Ops Procedures “Status” “Firewall Change” "Restart" deny allow Identity Audit Logs Infrastructure view Service health System metrics Ops Support use for remediation procedures Inventory and Health + Monitoring Tools Security and Ops manages access, configuration, and compliance Source Repo if (($state==wait)) then kill -9 $PID fi Change Product Engineers produce automated procedures and health checks. RISKY Automated Procedures and Health Checks FIX Code review Package Repo CI
  • 58.
    Recap Understand the pressureon Ops Leverage the Operations as a Service design pattern “Shift-Left” control and decision making. Queues Create… Longer Cycle Time Increased Risk More Variability More Overhead Lower Quality Less Motivation Adapted from Donald G. Reinertsen, The Principles of Product Development Flow: Second Generation Lean Product Development Understand the cost of silos and queues Self-service to remove silos and queues OpsBusiness Idea Shorter Time-to-Market Fast Feedback from Users Dev Ops Running Services Improved Quality Digital and DevOps Availability Auditing Security Compliance "Go faster!" “Be flexible!” “Lock it down!” Team A (Dev) Team B (Ops) Ticket System ?? Service Desk CustomersOps Support get visibility and audit trail updated by support tools Service Ticket Execute Software Supply Chain Ops integrate with artifact flow Who reviewed it? Who ran it? When? Where? Approval trail? Who created the procedure? Who created the policy? Operations as a Service Engineers get visibility and controlled self-service Secrets Ops Procedures “Status” “Firewall Change” "Restart" deny allow Identity Audit Logs Infrastructure view Service health System metrics Ops Support use for remediation procedures Inventory and Health + Monitoring Tools Security and Ops manages access, configuration, and compliance Source Repo if (($state==wait)) then kill -9 $PID fi Change Product Engineers produce automated procedures and health checks. RISKY Automated Procedures and Health Checks FIX Code review Package Repo CI Reap the security and compliance benefits
  • 59.
    Recap Understand the pressureon Ops Leverage the Operations as a Service design pattern “Shift-Left” control and decision making. Queues Create… Longer Cycle Time Increased Risk More Variability More Overhead Lower Quality Less Motivation Adapted from Donald G. Reinertsen, The Principles of Product Development Flow: Second Generation Lean Product Development Understand the cost of silos and queues Self-service to remove silos and queues OpsBusiness Idea Shorter Time-to-Market Fast Feedback from Users Dev Ops Running Services Improved Quality Digital and DevOps Availability Auditing Security Compliance "Go faster!" “Be flexible!” “Lock it down!” Team A (Dev) Team B (Ops) Ticket System ?? Service Desk CustomersOps Support get visibility and audit trail updated by support tools Service Ticket Execute Software Supply Chain Ops integrate with artifact flow Who reviewed it? Who ran it? When? Where? Approval trail? Who created the procedure? Who created the policy? Operations as a Service Engineers get visibility and controlled self-service Secrets Ops Procedures “Status” “Firewall Change” "Restart" deny allow Identity Audit Logs Infrastructure view Service health System metrics Ops Support use for remediation procedures Inventory and Health + Monitoring Tools Security and Ops manages access, configuration, and compliance Source Repo if (($state==wait)) then kill -9 $PID fi Change Product Engineers produce automated procedures and health checks. RISKY Automated Procedures and Health Checks FIX Code review Package Repo CI Reap the security and compliance benefits https://www.rundeck.com/oaas
  • 60.
  • 61.