
DevSecOps - The big picture

This was the first presentation given at the DevSecOps meetup in Singapore.

Published in: Technology

DevSecOps - The big picture

  1. The big picture: Culture, Processes and Technologies on a high level
  2. Stefan Streichsbier. Company: Vantage Point. Twitter: @s_streichsbier. Why?
  3. A Brief History of DevOps
  4. In the beginning there was… Source: https://www.flickr.com/photos/37186408@N05/12162302775
  5. Waterfall • Long release cycles • A lot of “WIP” • Functional silos • Incredibly rigid
  6. …then there was Agile. Source: https://i.ytimg.com/vi/8Hedq2d1H44/maxresdefault.jpg
  7. Agile • Shorter release cycles • Smaller batch sizes • Cross-functional teams • “Incredibly” agile
  8. Suddenly Ops was the bottleneck
  9. Agile Ops Anyone? Two major related trends: 1. Agile Operations/Infrastructure 2. Collaboration between dev and ops. Ultimately led to the first DevOpsDays in 2009…
  10. So, what is DevOps? • Set of principles and practices for efficient communication and collaboration (Culture) • Automated deployment pipeline (Processes) • Supporting tool chain (Technologies)
  11. ”[…] it seems as though the problems are just between dev and ops, but test is in there, and you have security objectives. These are top-level concerns of Management […] and have become part of the DevOps picture. In other words, when you hear "DevOps" today, you should probably be thinking DevOpsQATestInfoSec." - Gene Kim
  12. DevSecOps
  13. Target State: DevSecOps enables organisations to deliver inherently secure software at DevOps speed.
  14. Security challenges in DevOps • It is clear why companies are moving to DevOps… but how can security keep up with this? Source: https://xebialabs.com/assets/files/whitepapers/ITRev_DevOps_Guide_5_2015.pdf
  15. 3 key categories of DevSecOps: 1. Culture 2. Processes 3. Technologies
  16. Culture
  17. Culture • Communication and transparency • High-trust environment (“blameless postmortem”) • Continuous improvement • Everyone is responsible for security • Automate as much as possible • Everything as code
  18. Culture: Open Space Ideas • How did your org switch to Dev(Sec)Ops? • Continuous Improvement (Kaizen) • What are you automating at the moment?
  19. Processes
  20. Processes: 1. Secure SDLC 2. Security Pipelines
  21. Processes: Secure SDLC 1. Training 2. Requirements 3. Architecture & Design 4. Coding 5. Testing 6. Deployment 7. Post Deployment
  22. Processes: Sec Pipelines • Opt. critical resource • Reduce friction • Increase visibility • Each step repeatable • Drive up consistency
  23. Security Pipelines
  24. Processes: Open Space Ideas • How are you managing security requirements? • How are you building security into the SDLC? • AppSec Pipelines in the wild • ChatSecOps
  25. Technologies: DevOps is not supposed to be about “tools”
  26. DevSecOps Technologies 1. Requirements 2. Code: IDE Plugins, SAST 3. Test: Gauntlt, *AST 4. Configure: Sec as Code 5. Maintenance: Patch Management 6. Monitor: Auditing, Attack visibility, RASP. Warning about *AST
  27. Technologies: Open Space Ideas • Scaling security requirements • TDD and security in testing • Which *AST technologies have you been using? • Experience with IDE Plugins • Environment management (Dev/Prod parity) • Configuration management (configuration drift) • Patch Management and deployment strategies (e.g. Phoenix)
  28. Summary • DevSecOps enables organisations to deliver inherently secure software at DevOps speed.
  29. Questions?
  30. Inspirations • http://itrevolution.com/heres-how-the-amazing-twitter-infosec-team-helps-devops/ • http://techbeacon.com/devsecops-9-ways-devops-automation-bolster-security-compliance • https://www.checkmarx.com/2015/11/13/devsecops-4-best-practices-the-pros-teach-us-about-security-and-devops/ • http://www.slideshare.net/zanelackey/effective-approaches-to-web-application-security • http://searchdatacenter.techtarget.com/feature/How-to-adopt-a-successful-DevOps-enterprise • https://opensource.com/business/14/7/devops-red-hat • http://www.infoq.com/news/2014/03/etsy-deploy-50-times-a-day • http://www.slideshare.net/mtesauro/taking-appsec-to-11-appsec-pipeline-devops-and-making-things-better • https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
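Slides 22 and 23 describe what a security pipeline has to deliver (repeatable steps, consistency, visibility, less friction for the one scarce security resource), and slide 26 lists the tool classes that feed it (SAST, SCA/*AST, "Sec as Code"). Neither slide shows what the glue between those tools looks like, so the following is an added example, not code from the talk or from Vantage Point: a minimal pipeline gate that normalises the differently shaped output of two scanners into one finding record, deduplicates by fingerprint, and applies a policy expressed as code (fail threshold plus explicit, time-boxed risk acceptances). The scanner output shapes, package names, advisory identifiers, ticket reference and dates are all constructed for the example.

```python
"""Minimal security-pipeline gate: normalise, deduplicate, apply policy-as-code, report.

Added example; the scanner output formats, identifiers and dates below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One tool-agnostic record, the shape every pipeline step downstream consumes."""
    tool: str
    rule: str
    location: str
    severity: str
    fingerprint: str


def fingerprint(rule: str, location: str) -> str:
    """Stable identity for a finding so reruns and re-scans match the same acceptance."""
    return hashlib.sha256(f"{rule}|{location}".encode()).hexdigest()[:16]


# Constructed sample outputs in two different shapes (a SAST tool and an SCA tool);
# real scanners differ in exactly this way, which is why a normalising step exists.
SAST_OUTPUT = json.dumps({"results": [
    {"check_id": "sqli.string-concat", "path": "app/db.py", "line": 42, "severity": "HIGH"},
    {"check_id": "sqli.string-concat", "path": "app/db.py", "line": 42, "severity": "HIGH"},  # duplicate
    {"check_id": "debug.enabled", "path": "app/settings.py", "line": 3, "severity": "MEDIUM"},
]})
SCA_OUTPUT = json.dumps({"vulnerabilities": [
    {"id": "EXAMPLE-ADVISORY-1", "package": "libwidget", "version": "1.2.0", "severity": "critical"},
    {"id": "EXAMPLE-ADVISORY-2", "package": "libgadget", "version": "0.9.1", "severity": "low"},
]})


def normalise_sast(raw: str):
    for r in json.loads(raw)["results"]:
        loc = f"{r['path']}:{r['line']}"
        yield Finding("sast", r["check_id"], loc, r["severity"].lower(), fingerprint(r["check_id"], loc))


def normalise_sca(raw: str):
    for v in json.loads(raw)["vulnerabilities"]:
        loc = f"{v['package']}@{v['version']}"
        yield Finding("sca", v["id"], loc, v["severity"].lower(), fingerprint(v["id"], loc))


def dedupe(findings):
    """Keep the first finding per fingerprint, preserving scanner order."""
    seen = {}
    for f in findings:
        seen.setdefault(f.fingerprint, f)
    return list(seen.values())


# Policy as code: lives in the repo, reviewed like any other change. Acceptances are
# keyed by fingerprint and expire, so a silently forgotten exception turns back into a failure.
POLICY = {
    "fail_at_or_above": "high",
    "accepted": {
        fingerprint("sqli.string-concat", "app/db.py:42"):
            {"reason": "parameterised in ticket SEC-123 (constructed)", "expires": "2016-12-31"},
        fingerprint("EXAMPLE-ADVISORY-1", "libwidget@1.2.0"):
            {"reason": "upgrade scheduled (constructed)", "expires": "2016-01-31"},
    },
}


def evaluate(findings, policy, today: str):
    """Split findings into blocking / accepted / informational; dates are ISO strings so >= compares correctly."""
    threshold = SEVERITY_RANK[policy["fail_at_or_above"]]
    blocking, accepted, informational = [], [], []
    for f in findings:
        acc = policy["accepted"].get(f.fingerprint)
        if acc and acc["expires"] >= today:
            accepted.append(f)
        elif SEVERITY_RANK[f.severity] >= threshold:
            blocking.append(f)
        else:
            informational.append(f)
    return {"pass": not blocking, "blocking": blocking, "accepted": accepted, "informational": informational}


def run_pipeline(sast_raw=SAST_OUTPUT, sca_raw=SCA_OUTPUT, policy=POLICY, today="2016-06-01"):
    findings = dedupe([*normalise_sast(sast_raw), *normalise_sca(sca_raw)])
    return evaluate(findings, policy, today)


def report(result) -> str:
    """One consistent, tool-independent summary for the build log or chat channel."""
    lines = [f"gate: {'PASS' if result['pass'] else 'FAIL'}"]
    for bucket in ("blocking", "accepted", "informational"):
        for f in result[bucket]:
            lines.append(f"  [{bucket}] {f.tool} {f.severity:<8} {f.rule} at {f.location} ({f.fingerprint})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(run_pipeline()))
```

Run as-is the gate fails: the duplicate SQL-injection finding collapses to one accepted record, the debug-mode and low-severity SCA findings stay informational, and the critical advisory blocks because its acceptance has expired. The same fingerprint logic is what keeps a step repeatable across reruns and branches, which is the property slide 22 is after.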
