Amy DeMartine
Seven Habits of Rugged DevOps
© 2015 Forrester Research, Inc. Reproduction Prohibited 2
Security breaches seem to be getting worse, not better…
Lack of application security is systemic
› 3rd party software is used with latent vulnerabilities
› Use of unsafe development methods
› Inability to quickly fix security issues as they arise
› Misconfigured application supporting systems
Source: “DevOps Makes Modern Service Delivery Modern” Forrester report.
Old method: no coordinated effort, oftentimes too little, too late in the life cycle.
New method: security visibility across the development life cycle to decrease discovery and remediation time.
DevOps uses integrated product teams

Security and Risk pros, Infrastructure and Operations pros, and Developers can take advantage of DevOps to increase application security
Habit 1: Increase Trust And Transparency Between Dev, Sec, And Ops
Stereotypes hold us back…
Infrastructure & Operations: the Department of NO
Application Development: the Department of Anything Goes
Security and Risk: the Department of Persistent Nagging
Learn To Talk About Security Issues In Their Language…
Infrastructure & Operations: outages, performance glitches
Application Development: unplanned, unscheduled work
Security and Risk: breaches, vulnerabilities
Habit 2: Understand The Probability And Impact Of Specific Risks
Increase knowledge
› Increase visibility into security issues
› Make Dev and Ops part of the conversation
› Use real-life examples… and discuss them
Habit 3: Discard Detailed Security Road Maps In Favor Of Incremental Improvements
Discard the detailed security roadmap; create a vision instead.
Example vision: We will improve cybersecurity by having real-time, actionable measurements and data across the life cycle to decrease remediation time for discovered vulnerabilities.
Source: “Embrace Deming's PDCA Cycle To Continuously Optimize Modern Service Delivery” Forrester Report
Learn to incrementally improve
Habit 4: Use The Continuous Delivery Pipeline To Incrementally Improve Security Practices
Source: “The Seven Habits Of Rugged DevOps” Forrester report
Habit 5: Standardize Third-Party Software And Then Keep Current
1 out of every 16 open source component download requests is for a component with a known vulnerability.
97% of the successfully exploited vulnerabilities in 2014 trace back to 10 common vulnerabilities and exposures, eight of which have been patched for 10 to 12 years.
90% of code in modern applications is open source.
31% of companies have had or suspect a breach in an open source component.
Tackling the risk of 3rd party software, including open source
› Use new components
› Use components that do not have any reported CVEs
› Create a component library
› Reduce the number of versions of a single component
› Don’t forget middleware, OS, network, database, and performance management tools
› Use continuous delivery pipeline tools to catalog which 3rd party software is used and where it’s located
And when a vulnerability is identified, use the continuous delivery pipeline to find all affected applications, quickly generate a fix, and deploy it.
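The catalog-and-lookup step from the bullets above, as an added example that is not part of the deck or of any Forrester tooling: a pipeline script that records which third-party components (libraries, middleware and OS packages alike) each application ships, reports version sprawl, and, when a vulnerability in a component is announced, lists every affected application. The application names, component versions and the "fixed in" version are constructed for the demonstration.

```python
"""Third-party component catalog for Habit 5 (added example, constructed data)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of what each application's build step reports:
# (component, version, kind). The kind field keeps middleware, OS and
# database pieces in the same catalog as libraries so they are not forgotten.
CONSTRUCTED_MANIFESTS = {
    "billing-api": [
        ("commons-collections", "3.2.1", "library"),
        ("tomcat", "8.0.30", "middleware"),
        ("openssl", "1.0.1e", "os"),
    ],
    "customer-portal": [
        ("commons-collections", "3.2.2", "library"),
        ("tomcat", "8.5.4", "middleware"),
        ("openssl", "1.0.2h", "os"),
    ],
    "reporting-batch": [
        ("commons-collections", "3.2.1", "library"),
        ("postgresql-jdbc", "9.4.1208", "database"),
    ],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '1.0.1e' into a comparable tuple.

    Each dotted piece becomes (number, letter) so that OpenSSL-style patch
    letters sort after the bare number (1.0.1 < 1.0.1e < 1.0.1f). Only the
    first letter of a piece is used; pieces with no digits count as 0.
    """
    parts = []
    for piece in text.split("."):
        digits, suffix = "", 0
        for ch in piece:
            if ch.isdigit() and not suffix:
                digits += ch
            elif ch.isalpha() and not suffix:
                suffix = ord(ch.lower()) - ord("a") + 1
        parts.extend((int(digits) if digits else 0, suffix))
    return tuple(parts)


def build_catalog(manifests: Dict[str, List[Tuple[str, str, str]]]) -> Dict[str, Dict[str, List[str]]]:
    """Index the manifests as component -> version -> sorted application names."""
    catalog: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for app, components in manifests.items():
        for name, version, _kind in components:
            catalog[name][version].append(app)
    return {name: {v: sorted(apps) for v, apps in versions.items()}
            for name, versions in catalog.items()}


def version_sprawl(catalog: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Components shipped in more than one version: the list to shrink first."""
    return {name: sorted(versions, key=parse_version)
            for name, versions in catalog.items() if len(versions) > 1}


def affected_apps(catalog: Dict[str, Dict[str, List[str]]], component: str, fixed_in: str) -> List[str]:
    """Applications shipping `component` older than `fixed_in`.

    This is the single query the pipeline answers when an advisory arrives:
    which applications need the fix, without asking each team by hand.
    """
    fixed = parse_version(fixed_in)
    hits = set()
    for version, apps in catalog.get(component, {}).items():
        if parse_version(version) < fixed:
            hits.update(apps)
    return sorted(hits)


if __name__ == "__main__":
    catalog = build_catalog(CONSTRUCTED_MANIFESTS)
    print("version sprawl:", version_sprawl(catalog))
    # Constructed advisory: assume commons-collections is fixed in 3.2.2.
    print("needs the commons-collections fix:",
          affected_apps(catalog, "commons-collections", "3.2.2"))
```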
Habit 6: Govern With Automated Audit Trails
Automated tools create an audit trail…
› Each tool in the continuous delivery pipeline includes tracking and logging
› Ability to know exactly who (attackers, developers, I&O pros, S&R pros, users) performed what change and when
Protect IP and flag potential insider threats automatically without ruining the collaboration
Source: “DevOps Makes Modern Service Delivery Modern” and “The Seven Habits Of Rugged DevOps” Forrester reports
1. Create automatic security alerts
2. Flag high-risk changes
3. Enable proper authentication and authorization on all systems
4. Track drift across development, testing, and production environments
5. Define security-based quality gates
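Items 1, 2, 4 and 5 of the list above, as an added example that is not part of the deck or of any Forrester tooling: an analyser over constructed pipeline audit events and environment snapshots that raises alerts for high-risk changes, reports drift between testing and production, and acts as a security-based quality gate. Actors, paths, settings, severities and finding ids are all constructed for the demonstration.

```python
"""Audit-trail checks for Habit 6 (added example, constructed data)."""
from typing import Dict, List, Tuple

# Constructed audit events as a pipeline tool would log them: who changed
# what, in which environment, when, and through which channel.
CONSTRUCTED_EVENTS = [
    {"ts": "2015-10-05T09:12:00Z", "actor": "dev-alice", "env": "testing",
     "path": "app/config/logging.yml", "via": "pipeline"},
    {"ts": "2015-10-05T09:40:00Z", "actor": "ops-bob", "env": "production",
     "path": "app/config/auth.yml", "via": "ssh"},
    {"ts": "2015-10-05T10:02:00Z", "actor": "dev-carol", "env": "production",
     "path": "infra/firewall/rules.json", "via": "pipeline"},
    {"ts": "2015-10-05T10:30:00Z", "actor": "dev-alice", "env": "testing",
     "path": "app/src/report.py", "via": "pipeline"},
]

# Constructed configuration snapshots of what each environment actually runs.
CONSTRUCTED_SNAPSHOTS = {
    "testing": {"tls.min_version": "1.2", "auth.mfa": "required", "debug": "off"},
    "production": {"tls.min_version": "1.0", "auth.mfa": "required"},
}

# Constructed open findings reported by the pipeline's security scanners.
CONSTRUCTED_FINDINGS = [
    {"id": "SAST-17", "severity": "high"},
    {"id": "SAST-18", "severity": "low"},
]

# Path prefixes whose modification always deserves an alert: authentication
# and authorization settings plus anything that changes network exposure.
HIGH_RISK_PREFIXES = ("app/config/auth", "infra/firewall", "infra/iam")

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def flag_high_risk(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that should become automatic security alerts.

    Two triggers: the change touches a sensitive path, or it reached
    production outside the pipeline (e.g. over ssh), which the audit trail
    would otherwise not explain. Each flagged event carries its reasons.
    """
    flagged = []
    for ev in events:
        reasons = []
        if ev["path"].startswith(HIGH_RISK_PREFIXES):
            reasons.append("sensitive path")
        if ev["env"] == "production" and ev["via"] != "pipeline":
            reasons.append("out-of-band production change")
        if reasons:
            flagged.append({**ev, "reason": "; ".join(reasons)})
    return flagged


def detect_drift(snapshots: Dict[str, Dict[str, str]], baseline: str = "testing",
                 target: str = "production") -> Dict[str, Tuple]:
    """Report settings that differ between two environments.

    A key present on only one side shows up as None on the other, so a
    hardening setting that was tested but never shipped is visible.
    """
    base, tgt = snapshots[baseline], snapshots[target]
    return {key: (base.get(key), tgt.get(key))
            for key in sorted(set(base) | set(tgt))
            if base.get(key) != tgt.get(key)}


def quality_gate(findings: List[Dict[str, str]], drift: Dict[str, Tuple],
                 max_severity: str = "medium") -> Tuple[bool, List[str]]:
    """Security-based gate: pass only with no drift and no finding above max_severity."""
    problems = [f"open {f['severity']} finding: {f['id']}" for f in findings
                if SEVERITY_ORDER[f["severity"]] > SEVERITY_ORDER[max_severity]]
    problems += [f"drift in {key}: {vals[0]!r} -> {vals[1]!r}"
                 for key, vals in drift.items()]
    return (not problems, problems)


if __name__ == "__main__":
    for ev in flag_high_risk(CONSTRUCTED_EVENTS):
        print(f"ALERT {ev['ts']} {ev['actor']} {ev['env']} {ev['path']}: {ev['reason']}")
    passed, problems = quality_gate(CONSTRUCTED_FINDINGS, detect_drift(CONSTRUCTED_SNAPSHOTS))
    print("gate passed:", passed)
    for problem in problems:
        print(" -", problem)
```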
Habit 7: Test Preparedness With Security Games
Rules of engagement for red teaming
› Pick an integrated team for both the red and blue teams
› Red team attacks with any resources
› Blue team defends with the tools and technology available in production
› Rotate members to get equal participation
› Can be performed regularly (e.g. every Monday) or intermittently
› Make changes in the application, infrastructure, or tools as a response
Focus on metrics of visibility and speed while red teaming
› How fast are you at identifying the problem? Do you have the right tools and technology to identify an intrusion?
› How fast are you at remediating a vulnerability? Can you produce and deploy a fix quickly in response?
› Is this an attack that has been tested for?
Seven Habits of Rugged DevOps
1. Increase Trust And Transparency Between Dev, Sec, And Ops
2. Understand The Probability And Impact Of Specific Risks
3. Discard Detailed Security Road Maps In Favor Of Incremental Improvements
4. Use The Continuous Delivery Pipeline To Incrementally Improve Security Practices
5. Standardize Third-Party Software And Then Keep Current
6. Govern With Automated Audit Trails
7. Test Preparedness With Security Games
Thank you
forrester.com
Amy DeMartine
+1 617.613.8906
ademartine@forrester.com
@AmyDeMartine