The document discusses moving from traditional to modern operational models using real-time operations and DevSecOps. It promotes adopting PagerDuty to help with real-time operations by providing a platform for on-call management, event intelligence, and visibility across 300+ integrations. Adopting cloud technologies provides an opportunity to redefine operational models to be more collaborative, automated, proactive and learning-focused.
5. AGENDA
Operational Models – a Journey to Real-time Operations
Real-time Operations includes DevSecOps
Best Practices for DevSecOps
Demo: Real-time Operations with AWS+PagerDuty
Q & Eh?
9.
“Giving developers operational responsibilities has greatly enhanced the quality of the services, both from a customer and a technology point of view.”
- ???, 2005
10.
“This brings developers into contact with the day-to-day operation of their software. It also brings them into day-to-day contact with the customer. This customer feedback loop is essential for improving the quality of the service.”
- ???, 2005
11.
“… you build it, you run it.”
-- Werner Vogels, CTO, Amazon, 2005
15. Signal-to-Action from 300+ integrations – especially AWS
Signal sources: DevOps, ITOps, Security, Industrial, BizOps, Support
Drive Real-Time Operations: Harness Digital Signals, Enable Human Response
16.
“Digital operations are becoming life changing and disruptive. We are moving beyond the dysfunctional ways of behaving, and into new paradigms for operations.”
- Charlie Betz, Forrester
17. What is Digital Operations?
TRADITIONAL -> MODERN
Queued -> Real-time
Siloed -> Collaborative
Manual -> Automated
Reactive -> Proactive
Static -> Learning
18.
What if I told you … it requires more than just developers and operations?
19. MY pseudo JOURNEY LINE... HOW I SPEND MY DAYS...WHAT MAKES ME HUMAN...
Timeline: 1984, 1989, 1996, 2001, 2011 – Sugar plum fairies, COMICS, DEV, SEC, OPS, DSO, RGD
Shannon Lietz (@devsecops)
20.
YOU: “Why does it take so long for features?”
YOUR CUSTOMER: “?”
CISO: “Hopefully it’s not going to be another round of ‘No’s’…”
"designed by Twitter from Flaticon"
23. What is DevSecOps?
IS
• A Mindset and Holistic Approach
• A Collection of Processes & Tools
• A Means of Building Security and Compliance into Software
• A Community-Driven Effort
• A Strategy Driven by Learning and Experiments
IS NOT
• A One-Size-Fits-All Approach
• A Single Tool or Method
• Just a means of adding Security into Continuous Delivery
• Invented by Vendors
• A Strategy Driven by Perfection and Compliance
DevSecOps is the practice of developing safer software sooner by involving all needed parties in the creative process and practicing continuous improvement from high fidelity actionable feedback with context.
Shares concepts with Rugged Software, Rugged DevOps, SecDevOps, DevOpsSec, DevOps
25. Is it like a Supply Chain?
• Gating processes are not Deming-like
• Security is a design constraint
• Decisions made by engineering teams
• Hard to avoid business catastrophes by applying one-size-fits-all strategies
• Security defects are more like a security “recall”
Pipeline: design -> build -> deploy -> operate
Typical gates for security checks & balances sit between the phases.
Most costly mistakes happen during design.
Mistakes and drift often happen after design and build phases that result in weaknesses and potentially exploits.
Questions along the pipeline: What component is secure enough? How do I secure secrets for the app? Is my app getting attacked? How? How do I secure my app?
Goal: faster security feedback loop
26. Can you provide an example of a difference?
API KEY EXPOSURE -> 8 HRS
DEFAULT CONFIGS -> 24 HRS
SECURITY GROUPS -> 24 HRS
ESCALATION OF PRIVS -> 5 D
KNOWN VULN -> 8 HRS
27. How do we change the game?
Security Workflow and Pipeline: events are funnelled from billions -> millions -> thousands -> hundreds -> defects, ending as actionable security features and defects.
Inputs (Security Researchers): Red Team, Pen Test, Gauntlt, Nessus, Nexpose, NMAP, Maltego, Qualys, Threat Intel, Bug Bounty, Logs & Events, IOCs
Security Science (TB per day): Correlation -> Case Management -> Developer Backlog
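The funnel on this slide (raw events correlated into a few actionable defects that land in a developer backlog) and the per-defect durations on the previous slide can be shown end to end in a small script. This is an added example, not code from the deck or from PagerDuty; the event type names, the asset inventory and the sample events are constructed for illustration, and treating the slide's durations as remediation targets in hours is an assumption of this example.

```python
from dataclasses import dataclass, field

# Durations listed on the deck's "example of a difference" slide, read here
# as hours from detection to fix (assumption made for this example).
REMEDIATION_SLA_HOURS = {
    "api_key_exposure": 8,
    "default_config": 24,
    "security_group": 24,
    "privilege_escalation": 5 * 24,
    "known_vuln": 8,
}

# Hypothetical mapping from tool event types to defect classes; these event
# type strings are constructed for the example, not taken from any real tool.
EVENT_TYPE_TO_DEFECT = {
    "secret_scanner.aws_access_key": "api_key_exposure",
    "config_audit.default_credentials": "default_config",
    "cloud_audit.sg_open_to_world": "security_group",
    "vuln_scanner.cve_match": "known_vuln",
    "edr.unexpected_sudo": "privilege_escalation",
}

# Hypothetical asset inventory used for routing: asset -> owning team.
ASSET_OWNER = {
    "payments-api": "team-payments",
    "web-frontend": "team-web",
    "build-runner-7": "team-platform",
}


@dataclass
class Defect:
    kind: str
    asset: str
    owner: str
    sla_hours: int
    event_count: int = 0
    first_seen: str = ""
    last_seen: str = ""
    sources: set = field(default_factory=set)


def correlate(events):
    """Collapse raw events into one actionable defect per (class, asset).

    Events with no classification rule are treated as noise and dropped;
    repeated events for the same defect only raise its evidence count.
    """
    defects = {}
    for ev in events:
        kind = EVENT_TYPE_TO_DEFECT.get(ev["type"])
        if kind is None:
            continue
        key = (kind, ev["asset"])
        d = defects.get(key)
        if d is None:
            d = Defect(kind=kind, asset=ev["asset"],
                       owner=ASSET_OWNER.get(ev["asset"], "security-triage"),
                       sla_hours=REMEDIATION_SLA_HOURS[kind],
                       first_seen=ev["ts"], last_seen=ev["ts"])
            defects[key] = d
        d.event_count += 1
        d.first_seen = min(d.first_seen, ev["ts"])  # ISO timestamps sort lexically
        d.last_seen = max(d.last_seen, ev["ts"])
        d.sources.add(ev["source"])
    # Tightest SLA first, then the noisiest finding, then a stable name.
    return sorted(defects.values(),
                  key=lambda d: (d.sla_hours, -d.event_count, d.kind, d.asset))


def backlog_items(events):
    """Render correlated defects as backlog entries a developer can act on."""
    return [
        {"title": f"[{d.kind}] {d.asset}", "owner": d.owner,
         "fix_within_hours": d.sla_hours, "evidence_events": d.event_count,
         "sources": sorted(d.sources), "window": (d.first_seen, d.last_seen)}
        for d in correlate(events)
    ]


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2019-06-10T08:00:00Z", "source": "cloud_audit", "type": "cloud_audit.sg_open_to_world", "asset": "payments-api"},
    {"ts": "2019-06-10T08:05:00Z", "source": "cloud_audit", "type": "cloud_audit.sg_open_to_world", "asset": "payments-api"},
    {"ts": "2019-06-10T09:00:00Z", "source": "cloud_audit", "type": "cloud_audit.sg_open_to_world", "asset": "payments-api"},
    {"ts": "2019-06-10T08:30:00Z", "source": "secret_scanner", "type": "secret_scanner.aws_access_key", "asset": "build-runner-7"},
    {"ts": "2019-06-10T10:00:00Z", "source": "vuln_scanner", "type": "vuln_scanner.cve_match", "asset": "web-frontend"},
    {"ts": "2019-06-10T10:01:00Z", "source": "vuln_scanner", "type": "vuln_scanner.cve_match", "asset": "legacy-box"},
    {"ts": "2019-06-10T10:02:00Z", "source": "netflow", "type": "netflow.sample", "asset": "web-frontend"},
]

if __name__ == "__main__":
    for item in backlog_items(SAMPLE_EVENTS):
        print(item)
```

Seven events become four backlog items: the three open-security-group events on the same asset collapse into one defect with an evidence count of 3, the netflow sample is dropped as unclassified, and the asset missing from the inventory routes to a triage queue rather than silently to nobody, which is the "frictionless escalation" the later slides ask for.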
28. Is There A Playbook?
Operating Model
• Determine defect and feature flows for Security to funnel to distributed teams
• Inventory work processes, guidelines, policies, experiments, data and tools
• Identify groups, roles and skills required to support processes
• Identify friction and measure speed of MTTR
• Identify types of decisions
• Identify metrics for measuring experiments and adapting processes
Processes
• Implement Code & Infrastructure Guidelines
• Implement Rules Engineering Processes
• Implement Security Defect Reporting
• Implement Consulting and Requests Process
• Implement Infrastructure Templates
• Implement Red Team & SOC Processes
• Implement Manual Staging Processes
• Implement a Decisions Process
• Implement an Escalation Process with clear stakeholders
Tooling
• All systems should be run with API inspection available via a Security Fabric. (Systems without inspection require manual intervention.)
• Implement Security Portal for feedback consolidation across security processes
• Implement Case Management for Requests, Defects, and Incidents
• Implement Testing framework
• Implement Correlation engine
• Implement foundational security controls
• Integrate with core organizational systems
Outcomes
• Identified opportunities to develop capacity without increasing risk to too high a level
• Inventory provides information for Decisions board to help with risk decisions
• Decisions board with clear escalation path by type of decision
• Ability to Communicate and Train on initial processes
• Consistent Ins/Outs of Dynamic Work with standard templates
• SDE helps with reducing manual efforts
• Ability to build up capacity for Stage Two
Expected Issues: Communication changes, adaptation of skills, decisions processes, expectations, audits and risk guidelines mismatch
n number of experiments to refine processes and automate where possible
29. What’s it like to have devsecops fully functioning?
Data Security Insights, Developer Security, Incident Response, Anomaly
33. Meet David – a software developer
“I Build It, I Run It!”
Planned: Features, Tests, Automation, Operability Improvements
Unplanned: Bugs, Incidents, Alerts, Postmortems
Revenue-Generating vs. Yak-shaving
35. How PagerDuty supports DevSecOps
Self-service Platform / Expertise on-demand: tooling that provides guardrails, metrics, and frictionless escalation when help is needed
Build Common Ground: align terminology, visibility, and response process for security and development
Drive Security Hygiene: tighten feedback loops from your security-integrated CI/CD pipeline & hand-offs to ITSM / chat
Share Security Accountability: make security everyone’s job through rich context and flexible routing
38. PagerDuty – Platform for Real-time Operations
USE CASES: ITOps, Industrial Ops, Customer Support, DevOps, Business Ops, SecOps
PRODUCTS: On-Call Management, Modern Incident Response, Event Intelligence, Visibility, Analytics
PLATFORM: Enterprise Class Platform with 300+ Integrations – EXTENSIBLE | SECURE | RELIABLE | SCALABLE
39. Summary
1. Cloud adoption is an ideal time for changing your operational model.
2. Security must shift to meet developers where they’re at: #DevSecOps.
3. PagerDuty is built for distributing operational accountability - self-service & visibility with less friction.
41. Come visit PagerDuty at Booth #1023 for a chance to win a $500 Airbnb Gift Card*
Take our free, 2-min survey to see where you stand in terms of real-time operations maturity.