Amy DeMartine
Seven Habits of Rugged DevOps
© 2015 Forrester Research, Inc. Reproduction Prohibited 2
Security breaches seem to be getting worse, not better…
Lack of application security is systemic
› 3rd party software is used with latent vulnerabilities
› Use of unsafe development methods
› Inability to quickly fix security issues as they arise
› Misconfigured application-supporting systems
Source: “DevOps Makes Modern Service Delivery Modern” Forrester report.
Old method: no coordinated effort, oftentimes too little, too late in the life cycle
New method: security visibility across the development life cycle to decrease discovery and remediation time
DevOps uses integrated product teams (Security and Risk pros, Infrastructure and Operations pros, and Developers), and those teams can take advantage of DevOps to increase application security
Habit 1: Increase Trust And Transparency Between Dev, Sec, And Ops
Stereotypes hold us back…
› Infrastructure & Operations: the Department of NO
› Application Development: the Department of Anything Goes
› Security and Risk: the Department of Persistent Nagging
Learn To Talk About Security Issues In Their Language…
› Infrastructure & Operations: outages, performance glitches
› Application Development: unplanned, unscheduled work
› Security and Risk: breaches, vulnerabilities
Habit 2: Understand The Probability And Impact Of Specific Risks
Increase knowledge
› Increase visibility into security issues
› Make Dev and Ops part of the conversation
› Use real-life examples and discuss them
Habit 3: Discard Detailed Security Road Maps In Favor Of Incremental Improvements
Discard the detailed security roadmap; create a vision instead
Example vision: We will improve cybersecurity by having real-time, actionable measurements and data across the life cycle to decrease remediation time for discovered vulnerabilities
Source: “Embrace Deming's PDCA Cycle To Continuously Optimize Modern Service Delivery” Forrester Report
Learn to incrementally improve
Habit 4: Use The Continuous Delivery Pipeline To Incrementally Improve Security Practices
Source: “The Seven Habits Of Rugged DevOps” Forrester report
Habit 5: Standardize Third-Party Software And Then Keep Current
› 1 out of every 16 open source component download requests is for a component with a known vulnerability
› 97% of the successfully exploited vulnerabilities in 2014 trace back to 10 common vulnerabilities and exposures (CVEs), eight of which have had patches available for 10 to 12 years
› 90% of the code in modern applications is open source
› 31% of companies have had or suspect a breach in an open source component
Tackling the risk of 3rd party software, including open source
› Use current versions of components
› Use components that do not have any reported CVEs
› Create a component library
› Reduce the number of versions of a single component in use
› Don’t forget middleware, OS, network, database, and performance management tools
› Use continuous delivery pipeline tools to catalog which 3rd party software is used and where it’s located
And when a vulnerability is identified, use the continuous delivery pipeline to find all affected applications, quickly generate a fix, and deploy it
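The catalog-and-find-affected step above, as an added worked example (illustration code written for this page, not Forrester's and not any particular pipeline tool's): a Python script that keeps a per-application component inventory, flags every application shipping a version below an advisory's fix version, and reports how many versions of each component are in use. The inventory, the advisory feed, the component names and the ADV-* identifiers are constructed sample data, not real advisories; the single "fixed_in" lower bound stands in for the version ranges a real feed carries.

```python
"""Catalog third-party components per application, find every application hit
by a newly published advisory, and measure version sprawl.

Added illustration for this deck, not Forrester's code. The inventory, the
advisories and the ADV-* identifiers are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed inventory: what a CD pipeline would export after each build,
# one entry per deployed application listing the third-party components it
# ships (libraries, middleware, OS packages and management agents alike).
INVENTORY = {
    "billing-api":   {"json-mapper": "2.9.3",  "tls-lib": "3.0.7", "http-server": "9.4.30"},
    "customer-web":  {"json-mapper": "2.12.1", "tls-lib": "3.0.7"},
    "reports-batch": {"json-mapper": "2.9.10", "tls-lib": "3.0.2"},
    "edge-proxy":    {"tls-lib": "3.0.7", "http-server": "9.4.40"},
}

# Constructed advisory feed: every version below `fixed_in` is affected.
# Real feeds (NVD, vendor bulletins) carry explicit version ranges; the
# single lower bound keeps the example short.
ADVISORIES = [
    {"id": "ADV-0001", "component": "json-mapper", "fixed_in": "2.9.8"},
    {"id": "ADV-0002", "component": "tls-lib",     "fixed_in": "3.0.5"},
]


def parse_version(version: str) -> tuple:
    """'2.9.10' -> (2, 9, 10). Numeric tuples compare correctly; plain string
    comparison would put '2.9.10' before '2.9.8' and miss or invent matches."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version: str, advisory: dict) -> bool:
    return parse_version(version) < parse_version(advisory["fixed_in"])


def affected_apps(inventory: dict, advisory: dict) -> dict:
    """Map each application shipping a vulnerable version to that version."""
    component = advisory["component"]
    return {
        app: components[component]
        for app, components in inventory.items()
        if component in components and is_affected(components[component], advisory)
    }


def version_sprawl(inventory: dict) -> dict:
    """Distinct versions in use per component, oldest first. Fewer versions
    means fewer builds to touch when the next advisory lands."""
    versions = defaultdict(set)
    for components in inventory.values():
        for component, version in components.items():
            versions[component].add(version)
    return {c: sorted(v, key=parse_version) for c, v in sorted(versions.items())}


def remediation_plan(inventory: dict, advisories: list) -> list:
    """One (advisory id, app, current version, fixed_in) row per rebuild
    the pipeline has to schedule."""
    plan = []
    for advisory in advisories:
        for app, current in sorted(affected_apps(inventory, advisory).items()):
            plan.append((advisory["id"], app, current, advisory["fixed_in"]))
    return plan


if __name__ == "__main__":
    for component, versions in version_sprawl(INVENTORY).items():
        print(f"{component}: {len(versions)} version(s) in use: {', '.join(versions)}")
    for adv_id, app, current, fixed in remediation_plan(INVENTORY, ADVISORIES):
        print(f"{adv_id}: rebuild {app} with {fixed} (currently {current})")
```

Note that "reports-batch" ships json-mapper 2.9.10, which is not affected by ADV-0001 even though a lexical comparison against "2.9.8" would say it is; numeric version parsing is what keeps the affected list both complete and free of false positives, and the sprawl report is the input to the "reduce the number of versions" habit.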
Habit 6: Govern With Automated Audit Trails
Automated tools create an audit trail…
› Each tool in the continuous delivery pipeline includes tracking and logging
› Ability to know exactly who (attackers, developers, I&O pros, S&R pros, users) performed what change and when
Protect IP and flag potential insider threats automatically without ruining the collaboration
Source: “DevOps Makes Modern Service Delivery Modern” and “The Seven Habits Of Rugged DevOps “ Forrester reports
1. Create automatic security alerts
2. Flag high-risk changes
3. Enable proper authentication and authorization on all systems
4. Track drift across development, testing, and production environments
5. Define security-based quality gates
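Steps 2, 4 and 5 above, combined into one added worked example (illustration code written for this page, not Forrester's): a Python script that diffs the configuration snapshot of one service between two environments, rates each drifted setting as high or low risk, writes an audit-trail record of who checked what and when, and turns that record into a pass/fail decision for a security quality gate. The environment snapshots, the actor and change identifiers, and the list of high-risk setting prefixes are all constructed assumptions.

```python
"""Diff configuration snapshots between environments, flag high-risk drift,
write an audit-trail record and decide a security quality gate.

Added illustration for this deck, not Forrester's code. The snapshots, the
actor and change identifiers and the high-risk prefixes are constructed.
"""
import json
from datetime import datetime, timezone

# Constructed snapshots of one service's effective configuration as captured
# by the pipeline in each environment (flattened to dotted keys).
SNAPSHOTS = {
    "testing": {
        "app.debug": False,
        "auth.mfa_required": True,
        "auth.session_ttl_minutes": 30,
        "tls.min_version": "1.2",
        "firewall.admin_port_open_to": "10.0.0.0/8",
    },
    "production": {
        "app.debug": True,
        "auth.mfa_required": False,
        "auth.session_ttl_minutes": 30,
        "tls.min_version": "1.2",
        "firewall.admin_port_open_to": "0.0.0.0/0",
        "feature.new_checkout": True,
    },
}

# Constructed rule: settings under these prefixes are high risk when they
# drift, because they weaken authentication, transport security or exposure.
HIGH_RISK_PREFIXES = ("app.debug", "auth.", "tls.", "firewall.")


def diff_configs(expected: dict, actual: dict) -> list:
    """[(key, expected, actual)] for every differing key, including keys that
    exist in only one environment (the other side reports None)."""
    keys = sorted(set(expected) | set(actual))
    return [(k, expected.get(k), actual.get(k))
            for k in keys if expected.get(k) != actual.get(k)]


def risk_of(key: str) -> str:
    return "high" if key.startswith(HIGH_RISK_PREFIXES) else "low"


def audit_record(drift: list, actor: str, change_id: str, when=None) -> dict:
    """One audit-trail entry: who triggered the comparison, under which change,
    when, and each drifted setting with its risk rating."""
    when = when or datetime.now(timezone.utc)
    return {
        "timestamp": when.isoformat(),
        "actor": actor,
        "change_id": change_id,
        "items": [{"key": k, "expected": e, "actual": a, "risk": risk_of(k)}
                  for k, e, a in drift],
    }


def gate_passes(record: dict, approved_keys=()) -> bool:
    """Security quality gate: fail on any high-risk drift that nobody has
    explicitly approved for this change; low-risk drift is only logged."""
    return not any(item["risk"] == "high" and item["key"] not in approved_keys
                   for item in record["items"])


if __name__ == "__main__":
    drift = diff_configs(SNAPSHOTS["testing"], SNAPSHOTS["production"])
    # "i-and-o-pro@example" and "CHG-0042" are hypothetical identifiers.
    record = audit_record(drift, actor="i-and-o-pro@example", change_id="CHG-0042")
    print(json.dumps(record, indent=2))
    print("gate:", "PASS" if gate_passes(record) else "FAIL, unapproved high-risk drift")
```

In a pipeline the gate result becomes the job's exit status, the JSON record is shipped to the same log store as the other tools' output, and the prefix list is owned by the S&R pros rather than hard-coded, so that "what counts as high risk" is itself a reviewable, versioned change.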
Habit 7: Test Preparedness With Security Games
Rules of engagement for red teaming
› Pick an integrated team for both the red and the blue team
› Red team attacks with any resources
› Blue team defends with the tools and technology available in production
› Rotate members to get equal participation
› Can be performed regularly, e.g. every Monday, or intermittently
› Make changes in the application, infrastructure, or tools in response
Focus on metrics of visibility and speed while red teaming
› How fast are you at identifying the problem? Do you have the right tools and technology to identify an intrusion?
› How fast are you at remediating a vulnerability? Can you produce and deploy a fix quickly in response?
› Is this an attack that has been tested for?
Seven Habits of Rugged DevOps
1. Increase Trust And Transparency Between Dev, Sec, And Ops
2. Understand The Probability And Impact Of Specific Risks
3. Discard Detailed Security Road Maps In Favor Of Incremental Improvements
4. Use The Continuous Delivery Pipeline To Incrementally Improve Security Practices
5. Standardize Third-Party Software And Then Keep Current
6. Govern With Automated Audit Trails
7. Test Preparedness With Security Games