Marc Hornbeek
a.k.a. DevOps_the_Gray esq.
CEO and Principal Consultant
Engineering DevOps Consulting
Author – Engineering DevOps
mhornbeek@engineeringdevops.com
Continuous Security / DevSecOps
Evolving from Security-as-an-audit strategies to Lifecycle Security-as-code strategies
mybook.to/engineeringdevops
https://devops.com/9-pillars-of-continuous-security-best-practices/
Enterprise, Manufacturers, Service Providers and Institutions
DevOps / QA / DevSecOps / SRE
www.engineeringdevops.com
mhornbeek@engineeringdevops.com
Training and Certifications: DevOps, DevSecOps, QA, SRE
Assessments: DevOps, DevSecOps, QA, SRE
Strategic Planning: Agile plans for 26 topics
Speaking Engagements: Conferences, Events, Onsite or Online
Advisory Services: Workshops, mentoring
Content Writing: Blogs, White papers, eBooks
Webinars: Content and delivery
Engineering DevOps Consulting
What You Will Learn
• What is Continuous Security / DevSecOps?
• Why is continuous security important to DevOps?
• How is security integrated into Continuous DevOps environments?
• What do you need to integrate continuous security?
• Typical Q&A
What is Continuous Security / DevSecOps?
Leadership
Culture
Design
Integration
Testing
Infrastructure
Monitoring
Deployment
What is Continuous Security / DevSecOps?
Continuous Security as an integral part of continuous delivery cultures, processes and value streams.
Integrating security practices into DevOps, such as Security as Code, is a way for security practitioners to operate and contribute value with less friction. Security practices must adapt dynamically to ensure data security and privacy issues are not left behind in the fast-paced world of DevOps.
Why is continuous security important to DevOps?
DevOps without DevSecOps generates security risks.
DevOps without DevSecOps is dangerous!
Like fusion energy: powerful, but dangerous if not controlled.
Acceleration of development and deployment without DevSecOps practices can result in unintended security risks (e.g. the OWASP Top 10):
- Designs without security considerations
- New attack surfaces: IoT, mobile, home offices
- Vulnerabilities embedded in code
- Credentials embedded in dev artifacts
- Additional infrastructure attack surfaces
- Database exposure through SQL injection
- Exposing sensitive data
- 3rd party code – open source
- Software supply chain (e.g., SolarWinds)
- Inadequate logging and monitoring capabilities
Why is continuous security important to DevOps?
DevSecOps is an opportunity to integrate security into the DevOps value stream.
• DevSecOps is a Holy Grail for cybersecurity
• Like fusion power – sophisticated controls are needed
• Change the security structure from “expert governance role” to “educated workforce supported by integrated technologies and practices”:
- Education and training
- Design with Security practices
- Automated security scanning
- Automated testing
- End-to-end monitoring
- Immutable Infrastructure as Code practices
- Security Monkey
How is security integrated into Continuous DevOps environments?
9 Pillars of DevSecOps practices: https://devops.com/9-pillars-of-continuous-security-best-practices/
Foundations
• Orchestration and automation of security tools and processes
• Governance through monitoring and “as-code” controls
9 Pillars
• Leadership: Evangelist, sponsor, budget, behavior reinforcement
• Culture: Education, empowerment, communication, collaboration
• Design: Security design standards and practices
• Integration: Security scanning, dependency tracking, source and image control
• Testing: Security tests
• Monitoring: Security logs and analysis
• Security as a pillar: Security center of excellence
• Infrastructure: Immutable infrastructure as code
• Delivery/Deployment: Deployment strategies, quick detection and recovery
Arches
• Value Streams make security visible end to end.
• Planning and operations based on continuous learning
• Releases gated with security metrics
• CI/CD security tools orchestration and automation
DevSecOps Practices
Continuous Security / DevSecOps Engineering Blueprint
DevSecOps provides an opportunity to reduce security risks if security is integrated into the continuous delivery pipeline according to good engineering practices.
How is security integrated into Continuous DevOps environments?
Security instrumentation, automation and observability
SHIFT VERY LEFT IS THE KEY TO DEVSECOPS
• Top DevSecOps organizations focus on embedding security in the design and build stage of agile development.
• Revamp the security operation model:
- Organization structure: from focus on security domains to product focus
- Communication: from formal governance to embedded culture
- Roles and responsibilities: from expert assessor to coaches and practitioners
- Continuous improvement: from unconstructive KPIs to observable SLOs/SLIs
Center of Security Excellence Approach
1. Educate and empower others rather than policing compliance.
2. Automate security to help IT and the business achieve their agility goals.
3. Monitor exceptions rather than police non-compliance. Employ observability and SLO/SLI concepts.
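A security-as-code release gate, added here as an example that is not part of the deck, ties together the "releases gated with security metrics" arch above and the "monitor exceptions rather than police non-compliance" / SLO-SLI idea in this slide: it consumes scanner findings already normalised into records (constructed sample data), blocks on any embedded credential and on per-severity limits, honours time-boxed risk acceptances, and reports a remediation SLI. Finding ids, paths, thresholds and the acceptance register are all hypothetical.

```python
"""Security-as-code release gate: an added example with constructed data.
All finding ids, paths, thresholds and risk acceptances below are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

SEVERITIES = ("critical", "high", "medium", "low")

@dataclass
class Finding:
    """One normalised scanner result (SAST, SCA, secrets or IaC scan)."""
    fid: str            # scanner finding id (constructed)
    tool: str           # sast / sca / secrets / iac
    severity: str       # one of SEVERITIES
    category: str       # e.g. "sqli", "vuln-dependency", "secret"
    path: str           # artifact or source path the finding points at
    first_seen: date    # first pipeline run that reported it

@dataclass
class RiskAcceptance:
    """Time-boxed exception: it is monitored and lapses automatically."""
    fid: str
    approver: str
    expires: date

@dataclass
class GatePolicy:
    # open findings tolerated per severity before the release is blocked
    max_open: Dict[str, int] = field(
        default_factory=lambda: {"critical": 0, "high": 0, "medium": 5, "low": 50})
    # categories that block at any severity and cannot be risk-accepted
    always_block: Tuple[str, ...] = ("secret",)
    # remediation SLO in days per severity; the SLI is the share meeting it
    slo_days: Dict[str, int] = field(
        default_factory=lambda: {"critical": 7, "high": 30, "medium": 90, "low": 180})

@dataclass
class GateResult:
    allowed: bool
    blockers: List[str]
    open_by_severity: Dict[str, int]
    remediation_sli: float          # 0..1 share of open findings inside their SLO
    expired_acceptances: List[str]  # exceptions that lapsed and now count as open

def evaluate_gate(findings: List[Finding], acceptances: List[RiskAcceptance],
                  policy: GatePolicy, today: date) -> GateResult:
    """Decide whether a release may proceed and compute its security metrics."""
    active = {a.fid for a in acceptances if a.expires >= today}
    expired = sorted(a.fid for a in acceptances if a.expires < today)
    blockers: List[str] = []
    open_by_sev = {sev: 0 for sev in SEVERITIES}
    considered = within_slo = 0

    for f in findings:
        if f.category in policy.always_block:
            # credentials in artifacts are never exceptionable
            blockers.append(f"{f.fid}: {f.category} in {f.path} always blocks")
            continue
        if f.fid in active:
            continue  # accepted risk: monitored, not policed
        open_by_sev[f.severity] += 1
        considered += 1
        if (today - f.first_seen).days <= policy.slo_days.get(f.severity, 0):
            within_slo += 1

    for sev, count in open_by_sev.items():
        limit = policy.max_open.get(sev)
        if limit is not None and count > limit:
            blockers.append(f"{count} open {sev} finding(s) exceed limit {limit}")

    sli = within_slo / considered if considered else 1.0
    return GateResult(not blockers, blockers, open_by_sev, round(sli, 3), expired)

# Constructed pipeline state for one candidate release.
TODAY = date(2021, 6, 1)
SAMPLE_FINDINGS = [
    Finding("SAST-101", "sast", "high", "sqli", "api/orders.py", date(2021, 5, 28)),
    Finding("SCA-202", "sca", "critical", "vuln-dependency", "requirements.txt", date(2021, 4, 1)),
    Finding("SEC-303", "secrets", "high", "secret", "deploy/config.yaml", date(2021, 5, 31)),
    Finding("IAC-404", "iac", "medium", "public-bucket", "infra/storage.tf", date(2021, 1, 15)),
    Finding("SAST-105", "sast", "low", "weak-random", "utils/token.py", date(2021, 5, 1)),
]
SAMPLE_ACCEPTANCES = [
    RiskAcceptance("SCA-202", "appsec-lead", date(2021, 6, 30)),    # still active
    RiskAcceptance("IAC-404", "platform-lead", date(2021, 3, 31)),  # lapsed
]

def run_sample() -> GateResult:
    """Gate the sample release: blocked by the secret and the open high finding."""
    return evaluate_gate(SAMPLE_FINDINGS, SAMPLE_ACCEPTANCES, GatePolicy(), TODAY)
```

The lapsed acceptance on IAC-404 is what drags the remediation SLI below 1.0: the finding re-enters the open set at 137 days, well past its 90-day SLO, which is the kind of exception a center of excellence monitors rather than a gate silently tolerates.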
Seven-Step Transformation Blueprint
1. Visioning
2. Alignment
3. Assessment
4. Solution
5. Realize
6. Operationalize
7. Expansion
What do you need to integrate continuous security?
Rapid Strategic DevSecOps Assessment (typical duration 21 days):
1. Kickoff Meeting
2. Discovery Surveys
3. Solution Mapping Workshops & Interviews
4. Recommended Solution
5. Follow-up
Scaling DevSecOps – Progressive Adoption Blueprint (DevOps Adoption Blueprint)
SCALE! Systematic, measured adoption progression: POC, MVP, then the 1st, 2nd and 3rd Ways, from the Model Application m to Application m + 1, Application m + 2, . . . Application m + n.
Leadership / Culture Initiative:
• Adoption goals
• Leaders training
• Organization preparation
• Model project selection
• Investment (team & tools)
• Architecture team
• Monitoring and incentives
Model Application m:
• Team and organization
• Training (CI/CD practices)
• Goals, Assessment, Value Stream
• Tool chain with ARA backbone
• Automate CI and QA automation
• Automate CD, containers, G/B, A/B
• DevSecOps, SRE practices
• KPIs, SLOs and monitoring tools
• Site Reliability Engineering
• Optimize (Kaizen)
Application m + 1 and beyond:
• App selection
• Self-contained product teams (squads, tribes, SREs)
• Proactive sharing of practices (Yokoten)
• Info sharing (Chapters and Guilds)
The DevOps Progressive Adoption Blueprint ensures all applications targeted for DevOps transformation progress towards continuous improvement instead of stalling out.
Scaling DevOps to other applications across the enterprise will typically occur nearly in parallel with the development of DevOps for the Model application.
Success patterns learned from the model application are communicated across the enterprise and applied to other applications proactively, in a way referred to as “Yokoten”. The priorities for applications follow the same application selection criteria as the model.
As DevOps scales to more and more applications across the enterprise, more of the organization is restructured into tightly coupled product teams while maintaining a culture of proactive cross-team sharing of DevOps practices. Establishing cross-team Chapters and Guilds is a good approach to facilitate sharing and communication.
Summary / Takeaways
Continuous Security / DevSecOps is at once a transformation challenge and an opportunity for dramatic security improvement.
There is no “standard” DevSecOps approach in the industry.
The Continuous Security approach based on the Continuous Security Blueprint, 9 Pillars Assessment, Seven-Step Transformation Blueprint and Progressive Adoption Blueprint is a proven, progressive and adaptable approach.
Refer to www.engineeringdevops.com for more information regarding the Continuous Security / DevSecOps approach.
Discussion Questions
What % of organizations are embracing continuous security?
QA (10%) – DevOps (70%) – DevSecOps (?) – SRE/Security (?)
World Software Quality
2020 Upskilling Report – DevOps Institute: 42% project level, 23% enterprise level, 16% planning, 81% overall. Of those, 52% state SECURITY SKILLS ARE MUST-HAVE.
What are some myths and realities for continuous security?
Myth: tools and automation alone are the answer.
Reality: leadership, culture, training, automation, observability.
Myth: Adopting DevSecOps means giving up control.
Reality: Security as Code (SAC) improves governance and compliance with security standards through automation.
What are impediments to implementing continuous security?
Need to establish a Center of Security Excellence Approach:
1. Strategy alignment
2. Culture – educate and empower others rather than policing compliance.
3. Tools and automation – strategy selection and work
4. Monitor exceptions rather than police non-compliance. Employ observability and SLO/SLI concepts.
How can you determine a roadmap to continuous security?
There is no one way or standard.
What has proven to work:
• Seven-Step Transformation Blueprint, starting with strategy alignment
• Strategic Progressive Adoption Blueprint
How will emerging technologies affect continuous security?
• New attack surfaces – work from home, IoT, 5G access networks
• Supply chain – open source and 3rd party
• DevSecOps embedded into applications, pipelines and infrastructure
• Cloud-native, containers, microservices
• DevSecOps as a service
• AI/ML to help improve scans, observability and determine best actions
DevOps / DevSecOps / SRE Tools: Blueprints, Scorecards, Engineering Practices, Assessment tool, calculators, templates
DevOps / DevSecOps / SRE Services: Assessments, Strategic Planning, Training, Content
www.EngineeringDevOps.com
DevOps / DevSecOps / SRE White Papers & Book

Continuous Security / DevSecOps- Why How and What

  • 7. Why is continuous security important to DevOps?
    DevOps without DevSecOps generates security risks. DevOps without DevSecOps is dangerous!
    Like fusion energy: powerful, but dangerous if not controlled.
    Acceleration of development and deployment without DevSecOps practices can result in unintended security risks (e.g., the OWASP Top 10):
    - Designs without security considerations
    - New attack surfaces: IoT, mobile, home offices
    - Vulnerabilities embedded in code
    - Credentials embedded in dev artifacts
    - Additional infrastructure attack surfaces
    - Database compromise via SQL injection
    - Exposing sensitive data
    - 3rd-party code and open source
    - Software supply chain (e.g., SolarWinds)
    - Inadequate logging and monitoring capabilities
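One of the risks listed above, credentials embedded in dev artifacts, is the easiest to catch mechanically before code leaves a developer's machine. The following is an added example (not code from the deck or from Engineering DevOps Consulting) of a small artifact scanner that a pre-commit hook or CI stage could run: it flags a documented vendor token layout (the AWS access key ID format, AKIA plus 16 uppercase alphanumerics), literal password assignments, and high-entropy values assigned to secret-looking variable names, while ignoring references to a secret store such as `${CI_API_TOKEN}`. The sample artifacts, the `SAMPLE_ARTIFACTS`, `scan_all` and `Finding` names, and the entropy threshold are all constructed for this example; the AWS key ID in the sample is the example key from AWS documentation, not a real key.

```python
import math
import re
from dataclasses import dataclass

# Known-format token patterns. The AWS access key ID layout (AKIA followed by
# 16 uppercase alphanumerics) is documented publicly; other vendor formats
# would be added here the same way.
KNOWN_TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# key=value or key: value where the key name suggests a credential.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<key>[a-z0-9_.-]*(?:password|passwd|secret|token|api[_-]?key)[a-z0-9_.-]*)"
    r"\s*[:=]\s*['\"]?(?P<value>[^\s'\"]+)"
)

# Values that are references to a secret store or obvious stubs, not leaks.
PLACEHOLDER = re.compile(
    r"^(\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|<[^>]+>|changeme|xxx+|none|null)$", re.I
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score well above 3.5, words far below."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str  # aws_access_key_id | hardcoded_password | high_entropy_secret
    key: str   # assigned variable name when the finding came from an assignment


def scan_artifact(path: str, text: str, entropy_threshold: float = 3.5) -> list:
    """Return findings for one artifact; the secret value itself is never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in KNOWN_TOKEN_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, kind, ""))
        m = ASSIGNMENT.search(line)
        if not m or PLACEHOLDER.match(m.group("value")):
            continue  # no credential-like assignment, or value is injected at runtime
        key, value = m.group("key"), m.group("value")
        if re.search(r"(?i)passw", key):
            # Passwords are often low-entropy words, so any literal counts.
            findings.append(Finding(path, lineno, "hardcoded_password", key))
        elif len(value) >= 16 and shannon_entropy(value) >= entropy_threshold:
            findings.append(Finding(path, lineno, "high_entropy_secret", key))
    return findings


def scan_all(artifacts: dict) -> list:
    """Scan a mapping of path -> content (e.g. the files staged for a commit)."""
    results = []
    for path, text in artifacts.items():
        results.extend(scan_artifact(path, text))
    return results


# Constructed sample artifacts (hypothetical); the key ID is AWS's documented example.
SAMPLE_ARTIFACTS = {
    ".env": "DB_HOST=db.internal\nDB_PASSWORD=hunter2\n",
    "Dockerfile": "FROM python:3.12\nENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "pipeline.yml": (
        "env:\n"
        "  API_TOKEN: ${CI_API_TOKEN}\n"                          # store reference: fine
        "  deploy_token: 9f8c2a7b1e4d6c3a5b7e9d0f1a2c4e6b\n"      # literal token: leak
    ),
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_ARTIFACTS):
        print(f"{f.path}:{f.line}: {f.kind} {f.key}")
```

The scanner reports the location and kind of each finding but not the matched value, so its own output does not become another artifact that leaks the credential.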
  • 8. Why is continuous security important to DevOps?
    DevSecOps is an opportunity to integrate security into the DevOps value stream.
  • 9. Why is continuous security important to DevOps?
    DevSecOps is an opportunity to integrate security into the DevOps value stream.
    - DevSecOps is a Holy Grail for cybersecurity
    - Like fusion power, sophisticated controls are needed
    - Change the security structure from an "expert governance role" to an "educated workforce supported by integrated technologies and practices":
      - Education and training
      - Design-with-security practices
      - Automated security scanning
      - Automated testing
      - End-to-end monitoring
      - Immutable infrastructure-as-code practices
      - Security Monkey
  • 10. How is security integrated into Continuous DevOps environments?
    9 Pillars of DevSecOps practices: https://devops.com/9-pillars-of-continuous-security-best-practices/
  • 11. How is security integrated into Continuous DevOps environments? DevSecOps Practices
    Foundations
    - Orchestration and automation of security tools and processes
    - Governance through monitoring and "as-code" controls
    9 Pillars
    - Leadership: evangelist, sponsor, budget, behavior reinforcement
    - Culture: education, empowerment, communication, collaboration
    - Design: security design standards and practices
    - Integration: security scanning, dependency tracking, source and image control
    - Testing: security tests
    - Monitoring: security logs and analysis
    - Security as a pillar: security center of excellence
    - Infrastructure: immutable infrastructure as code
    - Delivery/Deployment: deployment strategies, quick detection and recovery
    Arches
    - Value streams make security visible end to end
    - Planning and operations based on continuous learning
    - Releases gated with security metrics
    - CI/CD security tools orchestration and automation
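"Governance through as-code controls" and "releases gated with security metrics" come together in a release gate whose thresholds are a versioned policy file rather than a manual sign-off. The following added example (not from the deck or the 9 Pillars article) shows such a gate: it takes scanner findings normalised to a small constructed schema (id, tool, severity, title), applies per-severity limits, treats any secret-scan finding as always blocking, requires an SBOM, and honours risk acceptances only until their expiry date, so an exception that was granted once cannot silently become permanent. The policy values, the `evaluate_release` and `GateResult` names, the sample findings and the reference date are all assumptions for this example.

```python
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Policy as code: these thresholds live in version control beside the pipeline
# and are reviewed like any other change. Values are illustrative.
DEFAULT_POLICY = {
    "max_open": {"critical": 0, "high": 0, "medium": 5, "low": 20},
    "always_block_tools": {"secret-scan"},  # a leaked credential blocks regardless of counts
    "require_sbom": True,
}


@dataclass
class GateResult:
    allowed: bool
    reasons: list = field(default_factory=list)
    open_by_severity: dict = field(default_factory=dict)
    accepted_ids: list = field(default_factory=list)


def evaluate_release(findings, sbom_present, accepted_risks=None,
                     policy=DEFAULT_POLICY, today=None):
    """Decide whether a build may be promoted to the next environment.

    findings:       normalised scanner output, one dict per finding
    accepted_risks: {finding_id: expiry date}; an expired acceptance no longer counts
    """
    today = today or date.today()
    accepted_risks = accepted_risks or {}
    accepted, open_findings = [], []
    for f in findings:
        expiry = accepted_risks.get(f["id"])
        if expiry is not None and expiry >= today:
            accepted.append(f["id"])   # time-boxed exception still valid
        else:
            open_findings.append(f)    # never accepted, or acceptance has lapsed

    counts = {sev: 0 for sev in SEVERITY_RANK}
    for f in open_findings:
        counts[f["severity"]] += 1

    reasons = []
    for sev, limit in policy["max_open"].items():
        if counts[sev] > limit:
            reasons.append(f"{counts[sev]} open {sev} finding(s), limit is {limit}")
    for f in open_findings:
        if f["tool"] in policy["always_block_tools"]:
            reasons.append(f"{f['id']} ({f['tool']}): {f['title']} always blocks release")
    if policy["require_sbom"] and not sbom_present:
        reasons.append("no SBOM attached to the build")

    # Every reason is returned so the pipeline log explains the decision fully.
    return GateResult(not reasons, reasons, counts, accepted)


# Constructed findings: a normalised summary of SAST, SCA and secret scans.
SAMPLE_FINDINGS = [
    {"id": "F1", "tool": "sast", "severity": "high", "title": "SQL injection in orders query"},
    {"id": "F2", "tool": "sca", "severity": "medium", "title": "vulnerable version of example-lib"},
    {"id": "F3", "tool": "secret-scan", "severity": "high", "title": "cloud access key in Dockerfile"},
    {"id": "F4", "tool": "sast", "severity": "low", "title": "verbose error page"},
]
TODAY = date(2024, 3, 31)  # constructed reference date for the example

if __name__ == "__main__":
    result = evaluate_release(SAMPLE_FINDINGS, sbom_present=False, today=TODAY)
    print("allowed:", result.allowed)
    for reason in result.reasons:
        print(" -", reason)
```

Running the sample as-is blocks the release for three separate reasons (two open highs against a limit of zero, a secret-scan finding, no SBOM); fixing the leaked key, attaching the SBOM and recording a dated acceptance for F1 lets it through, and the same acceptance with a past expiry blocks it again.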
  • 12. Continuous Security / DevSecOps Engineering Blueprint
    DevSecOps provides an opportunity to reduce security risks if security is integrated into the continuous delivery pipeline according to good engineering practices.
  • 13. How is security integrated into Continuous DevOps environments?
    Security instrumentation, automation and observability
  • 14. How is security integrated into Continuous DevOps environments? Security instrumentation, automation and observability
    SHIFT VERY LEFT IS THE KEY TO DEVSECOPS
    - Top DevSecOps organizations focus on embedding security in the design and build stages of agile development.
    - Revamp the security operating model:
      - Organization structure: from a focus on security domains to a product focus
      - Communication: from formal governance to embedded culture
      - Roles and responsibilities: from expert assessor to coaches and practitioners
      - Continuous improvement: from unconstructive KPIs to observable SLOs/SLIs
    Center of Security Excellence approach:
    1. Educate and empower others rather than policing compliance.
    2. Automate security to help IT and the business achieve their agility goals.
    3. Monitor exceptions rather than policing non-compliance. Employ observability and SLO/SLI concepts.
  • 15. What do you need to integrate continuous security?
    Seven-Step Transformation Blueprint: 1. Visioning, 2. Alignment, 3. Assessment, 4. Solution, 5. Realize, 6. Operationalize, 7. Expansion
    Rapid Strategic DevSecOps Assessment (typical duration 21 days): Kickoff Meeting, Discovery Surveys, Solution Mapping Workshops & Interviews, Recommended Solution, Follow-up
  • 16. Scaling DevSecOps – Progressive Adoption Blueprint (DevOps Adoption Blueprint diagram)
    The diagram progresses from a Leadership / Culture Initiative, through a Model Application, to Application m, Application m + 1, Application m + 2 ... Application m + n, across the stages POC, MVP, 1st Way, 2nd Way and 3rd Way. SCALE! Systematic, measured adoption progression. Practices labelled in the diagram:
    - Adoption goals
    - Leaders training
    - Organization preparation
    - Model project selection
    - Investment (team & tools)
    - Architecture team
    - Monitoring and incentives
    - Team and organization
    - Training (CI/CD practices)
    - Goals, Assessment, Value Stream
    - Tool chain with ARA backbone
    - Automate CI and QA automation
    - Automate CD, containers, G/B, A/B
    - DevSecOps, SRE practices
    - KPIs, SLOs and monitoring tools
    - Site Reliability Engineering
    - Optimize (Kaizen)
    - App selection
    - Self-contained product teams (squads, tribes, SREs)
    - Proactive sharing of practices (Yokoten)
    - Info sharing (Chapters and Guilds)
  • 17. DevOps Adoption Blueprint: Scaling DevSecOps – Progressive Adoption Blueprint
    The DevOps Progressive Adoption Blueprint ensures that all applications targeted for DevOps transformation progress towards continuous improvement instead of stalling out. Scaling DevOps to other applications across the enterprise will typically occur nearly in parallel with the development of DevOps for the model application. Success patterns learned from the model application are communicated across the enterprise and applied to other applications proactively, in a way referred to as "Yokoten". The priorities for applications follow the same application selection criteria as the model. As DevOps scales to more and more applications across the enterprise, more of the organization is restructured into tightly coupled product teams while maintaining a culture of proactive cross-team sharing of DevOps practices. Establishing cross-team Chapters and Guilds is a good approach to facilitate sharing and communication.
  • 18. Summary / Takeaways
    Continuous security/DevSecOps is at once a transformation challenge and an opportunity for dramatic security improvement. There is no "standard" DevSecOps approach in the industry. The Continuous Security approach based on the Continuous Security Blueprint, 9 Pillars Assessment, Seven-Step Transformation Blueprint and Progressive Adoption Blueprint is a proven, progressive and adaptable approach. Refer to www.engineeringdevops.com for more information regarding the Continuous Security / DevSecOps approach.
  • 19. Discussion Questions: What % of organizations are embracing continuous security?
    QA (10%) – DevOps (70%) – DevSecOps (?) – SRE/Security (?)
    World Software Quality 2020; Upskilling Report – DevOps Institute: 42% project level, 23% enterprise level, 16% planning, 81% overall. Of those, 52% state SECURITY SKILLS ARE MUST-HAVE.
  • 20. What are some myths and realities for continuous security?
    Myth: tools and automation alone are the answer. Reality: leadership, culture, training, automation, observability.
    Myth: Adopting DevSecOps means giving up control. Reality: SAC (Security as Code) improves governance and compliance with security standards through automation.
  • 21. What are impediments to implementing continuous security?
    Need to establish a Center of Security Excellence approach:
    1. Strategy alignment
    2. Culture: educate and empower others rather than policing compliance.
    3. Tools and automation: strategy, selection and work
    4. Monitor exceptions rather than policing non-compliance. Employ observability and SLO/SLI concepts.
  • 22. How can you determine a roadmap to continuous security?
    There is no one way or standard. What has proven to work:
    - Seven-Step Transformation Blueprint, starting with strategy alignment
    - Strategic Progressive Adoption Blueprint
  • 23. How will emerging technologies affect continuous security?
    - New attack surfaces: work from home, IoT, 5G access networks
    - Supply chain: open source and 3rd party
    - DevSecOps embedded into applications, pipelines and infrastructure
    - Cloud-native, containers, microservices
    - DevSecOps as a service
    - AI/ML to help improve scans and observability and to determine best actions
  • 24. DevOps / DevSecOps / SRE Tools: Blueprints, Scorecards, Engineering Practices, Assessment tool, calculators, templates
    DevOps / DevSecOps / SRE Services: Assessments, Strategic Planning, Training, Content
    DevOps / DevSecOps / SRE White Papers & Book
    www.EngineeringDevOps.com
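Slides 14 and 21 both ask for "observable SLO/SLIs" and for monitoring exceptions instead of policing non-compliance. The following added example (not from the deck) makes that concrete for one security SLI, the share of findings remediated within the target window for their severity: it computes the SLI and an error budget against a 95% SLO, and returns the list of findings that breached their window as the exceptions a Center of Security Excellence would review. Findings still open but inside their window are deliberately left out of the SLI until their outcome is known. The target windows, the SLO value, the `remediation_sli` name, the records and the reference date are all constructed for this example.

```python
from datetime import date

# Remediation targets in days from detection, and the SLO on the SLI "share of
# findings remediated within target". Values are illustrative assumptions.
REMEDIATION_TARGET_DAYS = {"critical": 7, "high": 30, "medium": 90}
SLO_TARGET = 0.95


def window_closed(rec, today):
    """True once the outcome is known: remediated, or still open past its target."""
    target = REMEDIATION_TARGET_DAYS[rec["severity"]]
    return rec["remediated"] is not None or (today - rec["detected"]).days > target


def within_target(rec):
    """Remediated on time; an open finding never satisfies this."""
    target = REMEDIATION_TARGET_DAYS[rec["severity"]]
    return rec["remediated"] is not None and (rec["remediated"] - rec["detected"]).days <= target


def remediation_sli(records, today, slo=SLO_TARGET):
    """Return the SLI, per-severity SLIs, error budget and the exceptions to review."""
    eligible = [r for r in records if window_closed(r, today)]
    met = [r for r in eligible if within_target(r)]
    exceptions = [r["id"] for r in eligible if not within_target(r)]

    per_severity = {}
    for sev in REMEDIATION_TARGET_DAYS:
        group = [r for r in eligible if r["severity"] == sev]
        on_time = [r for r in group if within_target(r)]
        per_severity[sev] = round(len(on_time) / len(group), 3) if group else None

    sli = len(met) / len(eligible) if eligible else None
    # Error budget is the breach share the SLO allows (1 - SLO) minus the share used.
    budget_remaining = None if sli is None else (1 - slo) - (1 - sli)
    return {
        "sli": sli,
        "slo_met": sli is not None and sli >= slo,
        "per_severity": per_severity,
        "exceptions": exceptions,
        "error_budget_remaining": budget_remaining,
    }


# Constructed vulnerability records; None means still open on the reference date.
TODAY = date(2024, 3, 31)
RECORDS = [
    {"id": "V1", "severity": "critical", "detected": date(2024, 3, 1), "remediated": date(2024, 3, 5)},
    {"id": "V2", "severity": "critical", "detected": date(2024, 3, 10), "remediated": date(2024, 3, 20)},
    {"id": "V3", "severity": "high", "detected": date(2024, 2, 1), "remediated": date(2024, 2, 25)},
    {"id": "V4", "severity": "high", "detected": date(2024, 2, 10), "remediated": None},
    {"id": "V5", "severity": "medium", "detected": date(2024, 1, 5), "remediated": date(2024, 3, 1)},
    {"id": "V6", "severity": "medium", "detected": date(2024, 3, 25), "remediated": None},
    {"id": "V7", "severity": "high", "detected": date(2024, 3, 20), "remediated": None},
    {"id": "V8", "severity": "critical", "detected": date(2024, 3, 2), "remediated": date(2024, 3, 8)},
    {"id": "V9", "severity": "high", "detected": date(2024, 1, 15), "remediated": date(2024, 2, 10)},
    {"id": "V10", "severity": "medium", "detected": date(2023, 12, 1), "remediated": date(2024, 3, 15)},
]

if __name__ == "__main__":
    report = remediation_sli(RECORDS, TODAY)
    print(f"SLI {report['sli']:.3f}, SLO met: {report['slo_met']}")
    print("exceptions to review:", ", ".join(report["exceptions"]))
```

In the sample, V6 and V7 are open but still inside their windows, so they do not count yet; V2 and V10 were fixed late and V4 is open and overdue, which puts the SLI at 0.625 against the 0.95 SLO and makes those three the exceptions to review, rather than every team that has any open finding.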