1. Back to the roots
Dev, Sec, Ops & More of the Same
Patrick Debois | patrick.debois@snyk.io
2. A team centric view
Working on DevSecOps Culture
Patrick Debois | patrick.debois@snyk.io
3. Dev(Sec)Ops Friction Points
Know your pains
Understand the bottlenecks introduced by silos you need to overcome.
Technical: stack, environment, tools
Management: prioritisation, budget, authority, hiring, incentives
Personal: education, knowledge, motivation
Diagram labels: Command & Control, Customer, Ops, Devs, Security
4. Pressure / Shifts
Forces At Work
Different forces at work will cause movement.
Shift Down - Agile
Shift Right - DevOps
Shift Left - DevSecOps
Shift Up - Cloud
Diagram labels: DevOps, Agile, CLOUD, DevSecOps, Ops, Customer, Devs, Security, Team
https://itrevolution.com/devops-books/
5. Power to the Team
Focus on team
Empower the people doing the work to make the right decisions. Delegation of authority does not happen magically overnight. Management becomes supportive vs control.
Diagram labels: DevOps, Agile, CLOUD, DevSecOps, Ops, Customer, Devs, Security, Autonomous Team
https://davidmarquet.com/books/
6. Company Collaboration Culture
Your CEO will set the tone
Organisations have different cultures. Depending on your context you will focus more on automation, metrics, empowerment or command and control. You need to work on ALL layers to embed it in the organization.
https://www.reinventingorganizations.com/
Diagram labels (culture layers): Automation - Order & Stability; Measure - Scientific & KPIs; Command & Control; Empower - Customer Centric; Evolutionary; Collaborative; Meritocracy; Hierarchy; Power Centric; Autonomy - Meaning
7. Dev(Sec)Ops Team Patterns
How will security interact?
Different topologies exist; some are more efficient than others, but it depends on your organization's culture.
https://web.devopstopologies.com/
Diagram labels (topologies): Dev and Ops Collaboration; Fully Shared Ops Responsibilities; DevOps with Expiry Date; Container-Driven Collaboration; DevOps Evangelist Team
8. Team Interaction Modes
How will your security team collaborate?
Interaction will happen through automation, abstraction AND collaboration.
https://teamtopologies.com/
9. Building & Gaining Trust
Trust is a Choice
Trust is Bi-Directional
Asking for Trust vs being Trustworthy
https://www.thinbook.com
Diagram labels: SINCERITY, COMPETENCE, RELIABILITY, CARE, Choice to Trust, Outcome
10. 4 DevSecOps Areas
Areas influence each other
Is what we are delivering secure?
Is how we are delivering it secure?
Do we understand why we are securing it?
Do we trust who is delivering it?
What ~ Dev
How ~ DevOps
Why ~ Sec
Who ~ DevSecOps
Diagram labels: Secure Stack, Secure Delivery, Security Governance, Security Empowerment, Team
11. Secure Stack
As a developer we want to make sure that the application is secure and can be operated securely.
Diagram labels (stack layers): Code, Dependencies, Container, Container Mgmt, Cloud & Infra, External Services, API Management, User Mgmt & Authentication, Authorisation, Secret & Key Mgmt, Monitoring & Metrics, Error & Exception Handling, Logging, Data, Privacy Data, Licenses
Diagram axes: Development, Operational, Security, Business
https://www.manning.com/books/secure-by-design
12. Secure Delivery
As a developer we want to make sure we can build, deliver & operate the service in a secure way.
Diagram stages: Development, CI/Test, Production, Operations
Diagram labels: Secure Code, Secure Code Environment, Secure Toolchain, Secure Repositories, Secure Build Environment, Secure Testing, Secure Artifacts, Secure Deployment, Secure Inventory / Asset Mgmt, Secure Logging & Monitoring, Security Controls, Secure Execution, Debugging, Secure Patch Mgmt
https://itrevolution.com/devops-books/
13. Secure Governance
As a developer we want to participate in the processes for managing security better.
https://threatmodelingbook.com/
Diagram labels (processes): Vulnerability Management, Threat Management, Risk Management, Backlog Prioritisation, Supplier Management, Compliance & Legal Requirements, Security Incident Management, Security Service Level Management
Diagram actors: Security Team, Team
14. Secure Empowerment
As a developer we want to take ownership of the security of our application.
Diagram labels: Learning, Culture, Collaboration, Accountability, Authority
https://itrevolution.com/agile-conversations/
We want the team to interact with the security team to share worries, insights and feedback.
We want the team to acquire security knowledge and keep learning.
We want the team to be accountable for security in their stack.
We want the team to be able to take security decisions autonomously.
15. DevSecOps Maturity
Level up each of the aspects gradually - they all influence the progress of the ownership handover.
Diagram labels (aspects): Stack, Delivery, Governance, Empowerment
Diagram scale: Sec Owned to Team Embedded
16. Tools & Culture
Patrick Debois - #thinktogether
Dev(sec)Ops: everything you do to overcome the friction created by silos ... All the rest is plain engineering
17. Paradoxes
You are never done
Each of these improvements will be countered by a paradox. You will need to keep investing.
Diagram labels (culture layers): Automation - Order & Stability; Measure - Scientific & KPIs; Command & Control; Empower - Customer Centric; Evolutionary; Collaborative; Meritocracy; Hierarchy; Power Centric; Autonomy - Meaning
https://www.amazon.com/Tyranny-Metrics-Jerry-Z-Muller/dp/0691174954
18. Love to hear your feedback!
patrick.debois@snyk.io
@patrickdebois
#ThinkingTogether