Post on 23-Jan-2017
The big picture: Culture, Processes and Technologies on a high level
Stefan Streichsbier, Company: Vantage Point, Twitter: @s_streichsbier
Why?
A Brief History of DevOps
In the beginning there was…
Source: https://www.flickr.com/photos/37186408@N05/12162302775
Waterfall
• Long release cycles
• A lot of “WIP”
• Functional silos
• Incredibly rigid
…then there was Agile
Source: https://i.ytimg.com/vi/8Hedq2d1H44/maxresdefault.jpg
Agile
• Shorter release cycles
• Smaller batch sizes
• Cross-functional teams
• “Incredibly” agile
Suddenly Ops was the bottleneck
Agile Ops Anyone?
2 major related trends:
1. Agile Operations/Infrastructure
2. Collaboration between dev and ops
Ultimately led to the first DevOpsDays in 2009…
So, what is DevOps?
• Set of principles and practices for efficient communication and collaboration. (Culture)
• Automated deployment pipeline. (Processes)
• Supporting tool chain (Technologies)
“[…] it seems as though the problems are just between dev and ops, but test is in there, and you have security objectives. These are top-level concerns of Management […] and have become part of the DevOps picture.
In other words, when you hear "DevOps" today, you should probably be thinking DevOpsQATestInfoSec.”
- Gene Kim
DevSecOps
Target State
DevSecOps enables organisations to deliver inherently secure software at DevOps speed.
Security challenges in DevOps
• It is clear why companies are moving to DevOps
…but how can security keep up with this?
Source: https://xebialabs.com/assets/files/whitepapers/ITRev_DevOps_Guide_5_2015.pdf
3 key categories of DevSecOps
1. Culture
2. Processes
3. Technologies
Culture
• Communication and transparency
• High-trust environment (“blameless postmortem”)
• Continuous improvement
• Everyone is responsible for security
• Automate as much as possible
• Everything as code
Culture: Open Space Ideas
• How did your org switch to Dev(Sec)Ops?
• Continuous Improvement (Kaizen)
• What are you automating at the moment?
Processes
1. Secure SDLC
2. Security Pipelines
Processes: Secure SDLC
1. Training
2. Requirements
3. Architecture & Design
4. Coding
5. Testing
6. Deployment
7. Post Deployment
Processes: Security Pipelines
• Optimise the critical resource
• Reduce friction
• Increase visibility
• Each step repeatable
• Drive up consistency
Security Pipelines
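As an added illustration of the pipeline properties above (repeatable steps, consistent output, visibility), not code from the talk: two constructed scanner outputs are normalised into one finding schema, de-duplicated so reruns give identical results, and checked against a fixed severity gate. The scanner formats, file paths, package versions and advisory ids are constructed assumptions.

```python
"""Security-pipeline stage: normalise scanner output and apply a fixed gate."""
from __future__ import annotations
import json
from dataclasses import dataclass, asdict

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:            # one schema for every tool, so reports look the same
    tool: str
    rule: str
    location: str
    severity: str

# Constructed sample outputs (assumptions, not real tool formats): a JSON SAST
# report and a tab-separated dependency report with placeholder advisory ids.
SAST_OUTPUT = json.dumps({"results": [
    {"check_id": "sqli-string-concat", "path": "app/db.py", "line": 42, "level": "HIGH"},
    {"check_id": "debug-enabled", "path": "app/settings.py", "line": 7, "level": "LOW"},
]})
DEPS_OUTPUT = ("requests==2.19.0\tADVISORY-PLACEHOLDER-1\tmedium\n"
               "lxml==4.1.0\tADVISORY-PLACEHOLDER-2\tcritical\n")

def parse_sast(raw: str) -> list[Finding]:
    return [Finding("sast", r["check_id"], f'{r["path"]}:{r["line"]}', r["level"].lower())
            for r in json.loads(raw)["results"]]

def parse_deps(raw: str) -> list[Finding]:
    findings = []
    for line in raw.splitlines():
        package, advisory, severity = line.split("\t")
        findings.append(Finding("deps", advisory, package, severity.lower()))
    return findings

def collect(stages) -> list[Finding]:
    """Run every (parser, raw_output) stage; de-duplicate so reruns are identical."""
    seen, findings = set(), []
    for parser, raw in stages:
        for finding in parser(raw):
            if finding not in seen:
                seen.add(finding)
                findings.append(finding)
    return findings

def gate(findings: list[Finding], fail_at: str = "high") -> tuple[bool, list[dict]]:
    """Same policy on every run: block the build on any finding at/above fail_at."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [asdict(f) for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    return not blocking, blocking
```

A CI job would call `gate(collect([...]))` and fail the build when the first return value is `False`, publishing the second as the normalised report.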
Processes: Open Space Ideas
• How are you managing security requirements?
• How are you building security into the SDLC?
• AppSec Pipelines in the wild
• ChatSecOps
Technologies
DevOps is not supposed to be about “tools”
DevSecOps Technologies
1. Requirements
2. Code: IDE Plugins, SAST
3. Test: Gauntlt, *AST
4. Configure: Sec as Code
5. Maintenance: Patch Management
6. Monitor: Auditing, Attack visibility, RASP
Warning about *AST
Technologies: Open Space Ideas
• Scaling security requirements
• TDD and security in testing
• Which *AST technologies have you been using?
• Experience with IDE Plugins
• Environment management (Dev/Prod parity)
• Configuration management (configuration drift)
• Patch Management and deployment strategies (e.g. Phoenix)
Summary
• DevSecOps enables organisations to deliver inherently secure software at DevOps speed.
Questions?