This presentation explains what Continuous Security / DevSecOps is, Why it is important, How it works and What you can do to realized a well-engineered DevSecOps solution in your own organization or enterprise.
1. Marc Hornbeek
a.k.a. DevOps_the_Gray esq.
CEO and Principal Consultant
Engineering DevOps Consulting
Author – Engineering DevOps
mhornbeek@engineeringdevops.com
Continuous Security / DevSecOps
Evolving from Security-as-an-audit strategies to Lifecycle Security-as-code strategies
mybook.to/engineeringdevops
https://devops.com/9-pillars-of-continuous-security-best-practices/
2. Enterprise, Manufacturers, Service Providers and Institutions
DevOps / QA / DevSecOps / SRE
www.engineeringdevops.com
mhornbeek@engineeringdevops.com
Training and
Certifications
DevOps, DevSecOps QA, SRE
Assessments
DevOps, DevSecOps, QA, SRE
Strategic Planning
Agile plans for 26 topics
Speaking Engagements
Conferences, Events,
Onsite or Online
Advisory Services
Workshops, mentoring
Content Writing
Blogs, White papers, eBooks
Webinars
Content and delivery
Engineering DevOps Consulting
3. www.engineeringdevops.com
What You Will Learn
• What is Continuous Security / DevSecOps?
• Why is continuous security important to
DevOps?
• How is security integrated into Continuous
DevOps environments?
• What do you need to integrate continuous
security?
• Typical Q&A
4. What is Continuous Security / DevSecOps?
Leadership
Culture
Design
Integration
Testing
Infrastructure
Monitoring
Deployment
5. What is Continuous Security / DevSecOps?
Continuous Security as an integral part of
continuous delivery cultures, processes
and value streams.
Integrating security practices into DevOps,
such as Security as Code, is a way for
security practitioners to operate and
contribute value with less friction. Security
practices must adapt dynamically to ensure
data security and privacy issues are not left
behind in the fast-paced world of DevOps.
6. Why is continuous security important to DevOps?
DevOps without DevSecOps generates security risks.
7. Why is continuous security important to DevOps?
DevOps without
DevSecOps generates
security risks.
DevOps without DevSecOps is dangerous!
Like Fusion energy: powerful but dangerous if not
controlled
Acceleration of dev and deployment without
DevSecOps practices can result in unintended
security risks (E.g. OWASP Top 10)
- Designs without security considerations
- New Attack surfaces: IOT, Mobile, home offices
- Vulnerabilities embedded in code
- Credentials embedded in dev artifacts
- Additional Infrastructure attack surfaces
- Poor Database from SQL injections
- Exposing sensitive data
- 3rd party code – Open source
- Software supply chain (E.g., SolarWinds)
- Inadequate login and monitoring capabilities.
8. Why is continuous security important to DevOps?
DevSecOps is an opportunity to integrate
security into the DevOps value stream.
9. Why is continuous security important to DevOps?
DevSecOps is an opportunity to
integrate security into the DevOps
value stream.
• DevSecOps is a Holy Grail for cybersecurity
• Like fusion power – sophisticated controls are
needed
• Change security structure from “expert
governance role” to “educated workforce
supported by integrated technologies and
practices”:
- Education and training
- Design with Security practices
- Automated security scanning
- Automated testing
- End-to-end monitoring
- Immutable Infrastructure as code practices
- Security monkey.
10. How is security integrated into Continuous DevOps
environments?
9 Pillars of
DevSecOps
practices
https://devops.com/9-
pillars-of-continuous-
security-best-practices/
11. How is security integrated into Continuous DevOps
environments?
Foundations
• Orchestration and automation of security tools and processes
• Governance through monitoring and “as-code” controls
9 Pillars
• Leadership: Evangelist, sponsor,
budget, behavior reinforcement
• Culture: Education, Empowerment,
Communication, collaboration
• Design: Security design standards
and practices
• Integration: Security Scanning
dependency tracking, source and
image control
• Testing: security tests
• Monitoring: security logs and
analysis
• Security as a pillar: security center
of excellence
• Infrastructure: Immutable infra as
code
• Delivery/Deployment: Deployment
strategies, quick detection and
recovery
Arches
• Value Streams make
security visible end to end.
• Planning and operations
based on continuous
leaning
• Releases gated with
security metrics
• CI/CD Security tools
orchestration and
automation
DevSecOps Practices
12. Continuous Security / DevSecOps Engineering Blueprint
DevSecOps
provides an
opportunity to
reduce security
risks if security
is integrated
into the
continuous
delivery pipeline
according to
good
engineering
practices.
13. How is security integrated into Continuous DevOps
environments?
Security instrumentation, automation and observability
14. How is security integrated into Continuous DevOps
environments?
Security
instrumentation,
automation and
observability
SHIFT VERY LEFT IS THE KEY TO DEVSECOPS
• Top DevSecOps organizations focus on embedding security in the design
and build stage of agile development.
• Revamp the security operation model
• Organization structure: from focus on security domains to Product focus
• Communication: from formal governance to embedded culture
• Roles and responsibilities: from Expert Assessor to Coaches and
practitioners
• Continuous Improvement: from Unconstructive KPIs to observable
SLO/SLIs
Center of Security Excellence Approach
1. Educate and empower others rather than policing compliance.
2. Automate security to help IT and the business achieve their agility goal
3. Monitor exceptions rather than police non-compliance. Employ
Observability and SLO/SLO concepts.
15. Seven-Step Transformation Blueprint
1. Visioning
2. Alignment
3. Assessment
4. Solution
5. Realize
6. Operationalize
7. Expansion
What do you need to integrate continuous security?
Kickoff
Meeting
Discovery
Surveys
Solution
Mapping
Workshops
& Interviews
Recommended
Solution
Follow-up
Typical duration 21 days
Rapid Strategic DevSecOps Assessment
16. DevOps Adoption Blueprint
Leadership / Culture Initiative
Model Application m
Application m + 1
• Adoption goals
• Leaders training
• Organization preparation
• Model project selection
• Investment (team &
tools)
• Architecture team
• Monitoring and
incentives
• Team and organization
• Training (CI/CD practices)
• Goals, Assessment, Value Stream
• Tool chain with ARA backbone
• Automate CI and QA automation
• Automate CD , containers, G/B, A/B
• DevSecOps, SRE practices
• KPIs, SLOs and monitoring tools
• Site Reliability Engineering
• Optimize (Kaizen)
• App Selection
• Self contained product teams
(squads, tribes, SREs)
• Proactive sharing or practices
(Yokoten)
• Info sharing (Chapters and Guilds)
SCALE !
Systematic, measured, adoption progression
POC MVP
2nd
Way
1st
Way
3rd
Way
Application m + 2
Application m + n
. . .
Scaling DevSecOps – Progressive Adoption Blueprint
17. DevOps Adoption Blueprint
Scaling DevSecOps – Progressive Adoption Blueprint
The DevOps Progressive Adoption blueprint ensures all applications targeted for DevOps transformation
progress towards continuous improvement instead of stalling out.
Scaling DevOps to other applications across the enterprise will typically
occur nearly in parallel with the development of DevOps for the Model
application.
Success patterns learned from the model application are
communicated across the enterprise and applied to other applications
proactively in a way referred to as “Yokoten”. The priorities for
applications follow the same application selection criterion as the
model.
As DevOps scales to more and more applications across the enterprise,
more of the organization is restructured into tightly coupled product
teams while maintaining a culture of proactive cross-team sharing of
DevOps practices. Establishing cross-team Chapters and Guilds is a
good approach to facilitate sharing and communication.
18. Summary / Takeaways
Continuous security/DevSecOps is at once a
transformation challenge to an opportunity
for dramatic security improvement.
There is no “standard” DevSecOps approach
in the industry.
The Continuous Security approach based
on the Continuous Security Blueprint, 9
Pillars Assessment, Seven-Step
Transformation Blueprint and Progressive
Adoption Blueprint is proven, progressive
and adaptable approach.
Refer to
www.engineeringdevops.com for
more information regarding the
Continuous Security/ DevSecOps
approach.
19. Discussion Questions
What % of organizations are embracing continuous security?
QA (10%) – DevOps (70%) – DevSecOps (?)- SRE/Security (?)
World Software Quality
2020 Upskilling Report – DevOps Institute
42% project level
23% enterprise level
16% planning
81% overall
Of those 52% state SECURITY SKILLS ARE MUST-HAVE
20. What are some myths and realities for continuous security?
Myth: tools and automation alone are the answer
Reality: leadership, culture, training, automaton, observability
Myth: Adopting DevSecOps means giving up control.
Reality: SAC improves governance and compliance to security standards
through automation.
21. What are impediments to implementing continuous security?
Need to establish a Center of Security Excellence Approach
1.Strategy Alignment
2.Culture - Educate and empower others rather than policing
compliance.
3.Tools and Automation – strategy selection and work
4.Monitor exceptions rather than police non-compliance.
Employ Observability and SLO/SLO concepts.
22. How can you determine a roadmap to continuous security?
There no one way or standard.
What has proven to work:
• Seven-Step Transformation Blueprint, starting with
strategy alignment
• Strategic Progressive Adoption Blueprint
23. How will emerging technologies affect continuous security?
• New attack surfaces – Work from home, IOT,5G Access
networks
• Supply chain – open source and 3rd part
• DevSecOps embedded into applications, pipelines and
infrastructure
• Cloud-native, containers, microservices
• DevSecOps as a service
• AI/ML to help improve scans, observability and
determine best actions