Presentation by Shannon Lietz
Software needs to be awesome, resilient, available and "secure", but Security has long been a big roadblock to fast deployments and software improvement. What if it wasn't?
Continuous delivery requires operational functions to shift left and an iterative approach to be taken. Security has not been easy to shift left, and taking an iterative approach requires everyone to take responsibility. With a continuous security approach, and everyone in the Software Supply Chain taking on the task of including security, it's possible to achieve Rugged Software. This talk aims to describe the journey towards this approach and provide the path.
2016 - Safely Removing the Last Roadblock to Continuous Delivery
Slide 1
Safely Removing the Last Roadblock to Continuous Delivery
Shannon Lietz
Director DevSecOps, Intuit
@devsecops
Intuit Confidential and Proprietary
Slide 2: A Traditional Supply Chain
Thanks to Henrik Kniberg
When will you solve my problem?!!
Can we discuss my feedback?
(Uh - seatbelts?)
Slide 3: A Customer Centric Supply Chain
Thanks to Henrik Kniberg
Awesome! When can I bring my kids with me?
Does it come in red?
Can this be motorized to go faster and for longer trips?
Better than walking, for sure… but not by much...
Shifting left solves problems faster…
Slide 4: Google Trends
• Several years after the Agile Manifesto, DevOps.com was registered (2004)
• Google searches for "DevOps" started to rise in 2010
• Major influences:
  – Saving your Infrastructure from DevOps / Chicago Tribune
  – DevOps: A Culture Shift, Not a Technology / Information Week
  – DevOps: A Sharder's Tale from Etsy
  – DevOps.com articles
• RuggedSoftware.org was registered in 2010
https://www.google.com/trends/
Slide 5: What's the Business benefit?
Business strategy is achieved with the collaboration of all departments and providers in service to the customer, who requires better, faster, cheaper, secure products and services.
Slide 6: So what hinders "secure" innovation @ speed & scale?
1. Manual processes & meeting culture
2. Point in time assessments
3. Friction for friction's sake
4. Contextual misunderstandings
5. Decisions being made outside of value creation
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)
...
Slide 10: Secure Software Supply Chain
1. Gating processes are not Deming-like
2. Security is a design constraint
3. Decisions made by engineering teams
4. It's hard to avoid business catastrophes by applying one-size-fits-all strategies
5. A security defect is more like a security "recall"

Phases of the supply chain, with the question engineers ask in each:
design: How do I secure my app?
build: What component is secure enough?
deploy: How do I secure secrets for the app?
operate: Is my app getting attacked? How?

Diagram labels:
- Typical gates for security checks & balances
- Mistakes and drift often happen after the design and build phases and result in weaknesses and potentially exploits
- The most costly mistakes happen during design
- Faster security feedback loop
Slide 12: Simplifying Security for the Masses
• Everyone knows Maslow…
• If you can remember 5 things, remember these ->
"Apps & data are as safe as where you put it, what's in it, how you inspect it, who talks to it, and how it's protected…"
Slide 13: Why Governance?
Reasonable Security was recently defined for California within the 2016 California Data Breach Report:
"The 20 controls in the Center for Internet Security's Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security."
Slide 14: Migrating Security to the Left…
(Repeats the design / build / deploy / operate diagram from slide 10: the per-phase questions, the typical gates for security checks & balances, the note that mistakes and drift often happen after the design and build phases, that the most costly mistakes happen during design, and the faster security feedback loop.)
Security is a Design Constraint
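The gates in the design / build / deploy / operate diagram above, together with the five questions from the "Simplifying Security for the Masses" slide (where you put it, what's in it, how you inspect it, who talks to it, how it's protected), can be expressed as a policy-as-code check that runs before traffic is made available. The following Python is an added example written for this page, not code from the deck, from Intuit or from the DevSecOps project; the manifest layout, field names and check functions are assumptions chosen for illustration, and the sample manifest is constructed.

```python
"""Pre-traffic security gate: evaluate a deployment manifest against the
five questions, in pipeline-phase order, and only allow traffic when no
finding remains.  Added example; the manifest schema is an assumption."""
from __future__ import annotations

import copy
import ipaddress
from dataclasses import dataclass

PHASES = ("design", "build", "deploy", "operate")

# Constructed sample manifest (not real infrastructure). Field names are
# assumptions made for this example.
SAMPLE_MANIFEST = {
    "name": "payments-api",
    "placement": {"network": "private", "region": "us-west-2"},
    "data": {"classification": "pii", "encrypted_at_rest": True},
    "inspection": {"sast_passed": True, "dependency_scan_passed": False},
    "callers": ["web-frontend", "0.0.0.0/0"],
    "protection": {"tls": True, "secrets_source": "vault"},
}


@dataclass(frozen=True)
class Finding:
    phase: str   # pipeline phase where the mistake belongs (and is cheapest to fix)
    check: str   # which of the five questions it answers
    detail: str


def _is_cidr(value: str) -> bool:
    """True when a caller is written as a network range instead of an identity."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def check_where(m: dict) -> list[Finding]:
    """Where you put it: no exposure to a public network without an explicit decision."""
    p = m["placement"]
    if p["network"] != "private" and not p.get("public_by_design", False):
        return [Finding("design", "where",
                        f"{m['name']} is on network {p['network']!r} without a public-by-design decision")]
    return []


def check_what(m: dict) -> list[Finding]:
    """What's in it: sensitive data classes must be encrypted at rest."""
    d = m["data"]
    if d["classification"] in ("pii", "secret") and not d["encrypted_at_rest"]:
        return [Finding("design", "what", f"{d['classification']} data stored without encryption at rest")]
    return []


def check_inspect(m: dict) -> list[Finding]:
    """How you inspect it: every build-time scan recorded in the manifest must have passed."""
    return [Finding("build", "inspect", f"{scan} did not pass")
            for scan, passed in m["inspection"].items() if not passed]


def check_protect(m: dict) -> list[Finding]:
    """How it's protected: TLS on, and secrets from a secret store rather than plaintext config."""
    findings = []
    p = m["protection"]
    if not p["tls"]:
        findings.append(Finding("deploy", "protect", "TLS is not enabled"))
    if p["secrets_source"] in ("env", "config"):
        findings.append(Finding("deploy", "protect",
                                f"secrets are delivered via plaintext {p['secrets_source']}"))
    return findings


def check_who(m: dict) -> list[Finding]:
    """Who talks to it: callers must be named identities, not network ranges."""
    return [Finding("operate", "who", f"caller {c!r} is a network range, not an identity")
            for c in m["callers"] if _is_cidr(c)]


CHECKS = (check_where, check_what, check_inspect, check_protect, check_who)


def evaluate(manifest: dict) -> list[Finding]:
    """Run every check and return findings ordered by phase, earliest first."""
    findings = [f for check in CHECKS for f in check(manifest)]
    return sorted(findings, key=lambda f: PHASES.index(f.phase))


def gate_traffic(manifest: dict) -> tuple[bool, list[Finding]]:
    """Return (allowed, findings); traffic is only allowed when nothing is open."""
    findings = evaluate(manifest)
    return (not findings, findings)


def remediated(manifest: dict) -> dict:
    """The fixes a team would make for the sample: rerun the scan, drop the wildcard caller."""
    fixed = copy.deepcopy(manifest)
    fixed["inspection"]["dependency_scan_passed"] = True
    fixed["callers"] = [c for c in fixed["callers"] if not _is_cidr(c)]
    return fixed


if __name__ == "__main__":
    allowed, findings = gate_traffic(SAMPLE_MANIFEST)
    print("traffic allowed:", allowed)
    for f in findings:
        print(f"  [{f.phase}/{f.check}] {f.detail}")
    print("after remediation, traffic allowed:", gate_traffic(remediated(SAMPLE_MANIFEST))[0])
```

Run directly, the sample manifest is refused on two findings (a failed dependency scan from the build phase and a wildcard caller from the operate phase) and is accepted after remediation. Sorting by phase is the point of the "faster feedback loop": the same gate that blocks traffic also tells the team which earlier phase the mistake belongs to, instead of reporting everything as a late deploy failure.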
Slide 24: Get Involved and Join the Community
• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity
Editor's notes
Prepare the environment in the right order and ensure inspections pass before making traffic available.
What you test and how you test also make a big difference. Code can have immediate issues and mistakes that become costly later.
The parts you consider using during design make a big difference.
…
When something isn’t secure by default it can have a profound effect on operations. As an example…