DevSecOps - The big picture

Post on 23-Jan-2017


Transcript of DevSecOps - The big picture

The big picture: Culture, Processes and Technologies on a high level

Stefan Streichsbier
Company: Vantage Point
Twitter: @s_streichsbier

Why?

A Brief History of DevOps

In the beginning there was…

Source: https://www.flickr.com/photos/37186408@N05/12162302775

Waterfall

• Long release cycles
• A lot of “WIP”
• Functional silos
• Incredibly rigid

…then there was Agile

Source: https://i.ytimg.com/vi/8Hedq2d1H44/maxresdefault.jpg

Agile

• Shorter release cycles
• Smaller batch sizes
• Cross-functional teams
• “Incredibly” agile

Suddenly Ops was the bottleneck

Agile Ops Anyone?

2 major related trends:
1. Agile Operations/Infrastructure
2. Collaboration between dev and ops

Ultimately led to the first DevOpsDays in 2009…

So, what is DevOps?

• Set of principles and practices for efficient communication and collaboration. (Culture)

• Automated deployment pipeline. (Processes)

• Supporting tool chain (Technologies)

“[…] it seems as though the problems are just between dev and ops, but test is in there, and you have security objectives. These are top-level concerns of Management […] and have become part of the DevOps picture.

In other words, when you hear "DevOps" today, you should probably be thinking DevOpsQATestInfoSec.”

- Gene Kim

DevSecOps

Target State

DevSecOps enables organisations to deliver inherently secure software at DevOps speed.

Security challenges in DevOps

• It is clear why companies are moving to DevOps

…but how can security keep up with this?

Source: https://xebialabs.com/assets/files/whitepapers/ITRev_DevOps_Guide_5_2015.pdf

3 key categories of DevSecOps

1. Culture
2. Processes
3. Technologies

Culture

Culture

• Communication and transparency
• High-trust environment (“blameless postmortem”)
• Continuous improvement
• Everyone is responsible for security
• Automate as much as possible
• Everything as code

Culture: Open Space Ideas

• How did your org switch to Dev(Sec)Ops?
• Continuous Improvement (Kaizen)
• What are you automating at the moment?

Processes

Processes

1. Secure SDLC

2. Security Pipelines

Processes:Secure SDLC

1. Training
2. Requirements
3. Architecture & Design
4. Coding
5. Testing
6. Deployment
7. Post Deployment

Processes:Sec Pipelines

• Optimise the critical resource (the security team)
• Reduce friction
• Increase visibility
• Each step repeatable
• Drive up consistency

Security Pipelines

Processes: Open Space Ideas

• How are you managing security requirements?
• How are you building security into the SDLC?
• AppSec Pipelines in the wild
• ChatSecOps

Technologies
DevOps is not supposed to be about “tools”

DevSecOps Technologies

1. Requirements
2. Code: IDE Plugins, SAST
3. Test: Gauntlt, *AST
4. Configure: Sec as Code
5. Maintenance: Patch Management
6. Monitor: Auditing, Attack visibility, RASP
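The "Sec Pipelines" bullets (each step repeatable, consistency driven up, visibility increased) and the Code/Test stages above (SAST, *AST) come together in a gate step that normalises scanner output and applies one policy to every build. The following is an added example written for this transcript, not code from the talk or from any of the tools it names: the scanner output shapes, the tool names, the advisory ids and the gate policy (fail on new HIGH or above, accepted findings expire) are all assumptions constructed for the illustration.

```python
"""Security pipeline gate: normalise findings from several scanners and apply one
repeatable policy so every build is judged the same way.

Added illustration, not code from the talk. The scanner output shapes, tool names,
advisory ids and the gate policy are all assumptions constructed for this example.
"""
import json
import sys
from dataclasses import dataclass
from datetime import date

# Constructed sample output of two hypothetical tools: a SAST scanner and a
# dependency checker. Real tools emit their own formats; the point is that the
# gate sees one normalised shape regardless of source.
SAST_OUTPUT = json.dumps({"results": [
    {"rule": "sql-injection", "severity": "high", "file": "app/db.py", "line": 42},
    {"rule": "weak-hash-md5", "severity": "medium", "file": "app/auth.py", "line": 17},
]})
DEPS_OUTPUT = json.dumps({"vulnerabilities": [
    {"advisory": "EXAMPLE-ADV-1", "package": "example-lib", "version": "1.2.3", "cvss": 9.1},
    {"advisory": "EXAMPLE-ADV-2", "package": "other-lib", "version": "0.9.0", "cvss": 3.2},
]})

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    tool: str
    fingerprint: str  # stable identity across runs (no line numbers, which shift on every commit)
    severity: str     # normalised to LOW / MEDIUM / HIGH / CRITICAL
    location: str     # human-readable pointer for the report


def cvss_to_severity(score):
    """Map a CVSS base score onto the gate's scale (CVSS v3 qualitative bands)."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def normalise_sast(raw):
    findings = []
    for r in json.loads(raw)["results"]:
        fingerprint = f"sast:{r['rule']}:{r['file']}"
        findings.append(Finding("sast", fingerprint, r["severity"].upper(),
                                f"{r['file']}:{r['line']}"))
    return findings


def normalise_deps(raw):
    findings = []
    for v in json.loads(raw)["vulnerabilities"]:
        fingerprint = f"deps:{v['advisory']}:{v['package']}"
        findings.append(Finding("deps", fingerprint, cvss_to_severity(v["cvss"]),
                                f"{v['package']}@{v['version']}"))
    return findings


def evaluate(findings, baseline, today, fail_at="HIGH"):
    """Return (passed, blocking_findings).

    baseline maps fingerprint -> ISO date until which the finding is an accepted
    risk. Acceptances expire, so a deferred fix cannot silently become permanent.
    """
    threshold = SEVERITY_RANK[fail_at]
    today = date.fromisoformat(today)
    blocking = []
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            continue
        expiry = baseline.get(f.fingerprint)
        if expiry is not None and today < date.fromisoformat(expiry):
            continue  # accepted, and the acceptance is still within its review window
        blocking.append(f)
    return not blocking, blocking


def run_gate(baseline=None, today=None, fail_at="HIGH"):
    """Run every normaliser, apply the policy, print what blocks, return the verdict."""
    baseline = baseline if baseline is not None else {}
    today = today if today is not None else date.today().isoformat()
    findings = normalise_sast(SAST_OUTPUT) + normalise_deps(DEPS_OUTPUT)
    passed, blocking = evaluate(findings, baseline, today, fail_at)
    for f in blocking:
        print(f"BLOCK {f.severity:<8} {f.tool:<5} {f.location}  [{f.fingerprint}]")
    print("gate:", "PASS" if passed else "FAIL")
    return passed, blocking


if __name__ == "__main__":
    sys.exit(0 if run_gate()[0] else 1)
```

The fingerprint deliberately excludes line numbers so that the same finding is recognised after unrelated edits, and the baseline is the only place an exception can live, with a date attached: that is what keeps the step repeatable and its verdicts consistent between teams, and it gives the security team (the constrained resource) a single list to review instead of a conversation per build.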

Warning about *AST

Technologies: Open Space Ideas

• Scaling security requirements
• TDD and security in testing
• Which *AST technologies have you been using?
• Experience with IDE Plugins
• Environment management (Dev/Prod parity)
• Configuration management (configuration drift)
• Patch Management and deployment strategies (e.g. Phoenix)
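"Configure: Sec as Code" from the technologies list, together with the Dev/Prod parity and configuration drift items above, is easiest to see with a policy that is itself data under version control and is checked against each environment. The following is an added example for this transcript, not code from the talk: the two sshd_config snapshots are constructed sample data, and the policy values (root login and password authentication off, public keys on, X11 forwarding off, MaxAuthTries at most 4) are assumptions chosen for the illustration. The parser matches directive names exactly as written; sshd itself treats them case-insensitively.

```python
"""Security configuration as code: one declarative policy, checked against every
environment's configuration and used to converge it.

Added illustration, not code from the talk. The sshd_config snapshots and the
policy values are constructed for this example.
"""

# Constructed snapshots of /etc/ssh/sshd_config from two environments (sample data).
DEV_SSHD = """\
# dev box, hand-edited a long time ago
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
"""

PROD_SSHD = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# The policy lives in version control next to the infrastructure code.
# directive -> (predicate the observed value must satisfy, hardened value to converge to)
POLICY = {
    "PermitRootLogin": (lambda v: v == "no", "no"),
    "PasswordAuthentication": (lambda v: v == "no", "no"),
    "PubkeyAuthentication": (lambda v: v == "yes", "yes"),
    "X11Forwarding": (lambda v: v == "no", "no"),
    "MaxAuthTries": (lambda v: v.isdigit() and int(v) <= 4, "4"),
}


def parse_sshd_config(text):
    """Parse 'Directive value' lines. The first occurrence of a directive wins,
    which is how sshd resolves duplicates, so a hardened line appended to the
    end of a file does not override an insecure one earlier in it."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0], parts[1].strip())
    return settings


def check_policy(settings, policy=POLICY):
    """Return {directive: (observed, required)} for each policy violation.
    A directive that is absent counts as a violation: the daemon default may be
    the weak setting (sshd defaults PasswordAuthentication to yes)."""
    violations = {}
    for directive, (satisfied, hardened) in policy.items():
        observed = settings.get(directive)
        if observed is None or not satisfied(observed):
            violations[directive] = (observed, hardened)
    return violations


def render_hardened(settings, policy=POLICY):
    """Produce the configuration the policy would converge a host to."""
    merged = dict(settings)
    for directive, (_observed, hardened) in check_policy(settings, policy).items():
        merged[directive] = hardened
    return "".join(f"{k} {v}\n" for k, v in sorted(merged.items()))


def drift(settings_a, settings_b):
    """Directives whose effective values differ between two environments."""
    keys = sorted(set(settings_a) | set(settings_b))
    return {k: (settings_a.get(k), settings_b.get(k))
            for k in keys if settings_a.get(k) != settings_b.get(k)}


def report():
    """Check both environments against policy and against each other."""
    envs = {"dev": parse_sshd_config(DEV_SSHD), "prod": parse_sshd_config(PROD_SSHD)}
    for name, settings in envs.items():
        for directive, (observed, required) in check_policy(settings).items():
            print(f"{name}: {directive} is {observed!r}, policy requires {required!r}")
    for directive, (dev_v, prod_v) in drift(envs["dev"], envs["prod"]).items():
        print(f"dev/prod drift: {directive} dev={dev_v!r} prod={prod_v!r}")
    return envs


if __name__ == "__main__":
    report()
```

Two details matter in practice. A missing directive is reported as a violation rather than ignored, because the daemon default is often the weak setting; and duplicates resolve first-wins, the way sshd does, so a check that only looked at the last line would pass a file that the daemon reads as insecure. The drift report is the Dev/Prod parity check: the same policy is applied to both, and any remaining difference is visible instead of being discovered at deployment.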

Summary

• DevSecOps enables organisations to deliver inherently secure software at DevOps speed.

Questions?

Inspirations

• http://itrevolution.com/heres-how-the-amazing-twitter-infosec-team-helps-devops/
• http://techbeacon.com/devsecops-9-ways-devops-automation-bolster-security-compliance
• https://www.checkmarx.com/2015/11/13/devsecops-4-best-practices-the-pros-teach-us-about-security-and-devops/
• http://www.slideshare.net/zanelackey/effective-approaches-to-web-application-security
• http://searchdatacenter.techtarget.com/feature/How-to-adopt-a-successful-DevOps-enterprise
• https://opensource.com/business/14/7/devops-red-hat
• http://www.infoq.com/news/2014/03/etsy-deploy-50-times-a-day
• http://www.slideshare.net/mtesauro/taking-appsec-to-11-appsec-pipeline-devops-and-making-things-better
• https://www.owasp.org/index.php/OWASP_AppSec_Pipeline