DevOps
from a Christian Perspective
5 months with Pearson
Application Security Lead Engineer
Prior to Pearson
● Rackspace - Lead Engineer, Product Security
● AppSec consulting
o VP Services, Praetorian
o Consultant Trustwave’s Spiderlabs
● TEA - Senior Security Engineer
● DIR - Penetration Tester
● Texas A&M University
o Systems Analyst, Sys Admin, Developer, DBA
o Lecturer in MIS department
● Viatel - Internet App Developer
Who am I?
Other professional experience
● OWASP Live CD / OWASP WTE
o Project lead 2008 to present
o Over 300K downloads
o http://appseclive.org
● OWASP Foundation Board of Directors
o International charity focused on improving software security
● Multiple speaking engagements internationally at AppSec, DHS, ISC2, SANS… conferences
● Application Security Training internationally
● B.S. Economics, M.S. in MIS
o Strong believer in the value of cross-discipline study
Who am I?
A Christian
● Life long Lutheran
o Lutheran private schools through 8th Grade
o Pro Bono consulting work for Lutheran Foundation of TX
o My kids attend Cross Lutheran School in New Braunfels
● Prefer contemporary to traditional services
● I've never had that big “aha” moment
o Many times in my life I had to lean upon my faith
● Kids' illnesses
● Hospice care
● Parents' illness
Who am I?
DevOps
The old way...
Very early and prescriptive requirements and design
Long development cycles
Waterfall Approach
Groups work in Silos - Dev, SysAdmin, QA, Security
Possible feedback from bug reports but little else
Throwing code over the wall
Traditional Software Dev & Ops
Waterfall Development
Why waterfall can be prone to failure
Very difficult to capture all the requirements...
- before design is complete
- some may not surface until implementation
All features “locked in” during early stages
Operational considerations occur very late
- Ops resorts to 'work arounds' and ad-hoc installs
- Dev assumptions may violate Ops policy
“Worked on my laptop...”
Waterfall Development
Waterfall Development – from this
Waterfall Development – to this
Why DevOps came to be
What's different about DevOps
Web/Cloud companies needed
- high availability
- fast introduction of new features
Easy for users to switch to a competing service + first mover advantage
No media to ship with SaaS models
Cultural change – not just new cool tech aka CI/CD, Docker...
Focus on clear business objectives
Dev and SysAdmins share responsibility for uptime, deploys, downtime
Emphasize people and process, repeatability
Goal is better uptime and lower operational costs
The DevOps Answer
The Phoenix Project
3 Ways of DevOps
Strategies for Improving
Operations
Workflow
The 3 Ways of DevOps
Look at your purpose and those processes which aid it
From the Bible
Make sure the process is correct from beginning to the end
Then look at ways to speed up that process
Value Stream – the name of the process which provides value to the business
Working from left to right – think of a time line:
business / development => customer / operations
Flow [rate] – the speed work goes through the process
I make known the end from the beginning, from ancient times, what is
still to come. I say, 'My purpose will stand, and I will do all that I
please.' - Isaiah 46:10
The end of a matter is better than its beginning; Patience of spirit is
better than haughtiness of spirit. - Ecclesiastes 7:8
#1 - Workflow
An example workflow
Software release process
● Code written
● Code committed to a code repository
● Unit test the code
● Package the code for deployment
● Integration testing
● Deploy code to production
#1 - Workflow
Making things repeatable
Remove all haphazard and ad hoc work from the process
Repeat until stable, I like doing the first couple times manually with a 'run book'
Scripting languages are your friends
Config Mgmt – Puppet, Chef, Salt, Ansible, Jenkins, CFEngine, …
Creating deployable artifacts from a branch/release aka .rpm / .deb / .msi
Make sure what you do can be done on 1 server or 10,000 servers
Repetition is the mother of skill
- Master Bret Riley, Sa Bom Nim (Master Instructor TSD-MGK)
#1 - Workflow
Each Step Repeatable
Work left to right but don't pass on failures
From the Bible
Test early and often
Increase the rigor of testing as you work left to right
When a failure occurs, end that flow and start a new one after corrections
The further right you are, the more expensive failure is
So whoever knows the right thing to do and fails to do it, for him it is
sin. - James 4:17
The King will reply, ‘Truly I tell you, whatever you did for one of the
least of these brothers and sisters of mine, you did for me.
- Matthew 25:40
#1 - Workflow
Never Pass on Defects
Your fix cannot be my new problem
From the Bible
Ensure no single-step optimizations degrade the overall performance
of the workflow
Spending time optimizing anything other than the critical resource is
an illusion.
Find the bottleneck in your workflow and start there
- Upstream changes will just back things up
- Downstream changes won't manifest since input is limited
Each new optimization creates a new bottleneck – iterate on this
So whatever you wish that others would do to you, do also to them,
for this is the Law and the Prophets. - Matthew 7:12
#1 - Workflow
Local optimizations with a global view
Now go faster
From the Bible
Make sure you have a well-defined, repeatable process first
Look for manual steps that can be automated
Look for duplicate work that can be removed/eliminated
Measuring/tracking time taken at each step is crucial
Where does the flow ebb?
Give, and it will be given to you. A good measure, pressed down,
shaken together and running over, will be poured into your lap. For
with the measure you use, it will be measured to you. - Luke 6:38
#1 - Workflow
Increase the flow of work
Workflow
Improve Feedback
The 3 Ways of DevOps
Open yourself to upstream and downstream information
From the Bible
Feedback loops occur when information is gathered from
- upstream (business / development)
- downstream (customer / operations)
Make visible problems, concerns, potential improvements – share this publicly
Learn as you move left to right so improvements aren't lost
Requests are opportunities to better fulfill the needs of the business
There is rarely enough feedback, capture and look for more
Feedback collected can be used to optimally improve the system
For there is nothing hidden that will not be disclosed, and nothing
concealed that will not be known or brought out into the open.
- Luke 8:17
#2 – Improve Feedback
Customers are also inside your business
From the Bible
Customer is more than the 'consumer' at the end of the process
- Each step is the customer of the previous step
- Understand what the next steps need from you to succeed
Remember, feedback isn't guaranteed - encourage it by responding
- Responses are required of external and internal customers
Make feedback & responding quick, easy and readily available
Where there is no guidance, a people falls, but in an abundance of
counselors there is safety. - Proverbs 11:14
My dear brothers and sisters, take note of this: Everyone should be
quick to listen, slow to speak and slow to become angry. - James 1:19
#2 – Improve Feedback
Understand and respond to your customers
Remove any intermediaries and impediments to
feedback
From the Bible
Communicate as directly as possible, skipping steps/people if possible
- e.g. The person who finds a problem communicates with the person who can fix the problem
The more hands that hold the feedback, the more chance to get garbled
If possible, intermediaries should be software not people
Whispered secret across a classroom, how much change occurs?
A person finds joy in giving an apt reply — and how good is a timely
word! - Proverbs 15:23
#2 – Improve Feedback
Shorten Feedback loops
Shout it from the mountain tops
From the Bible
No heroes quietly fixing things or applying workarounds.
Open, honest communication of feedback, especially of problems
- File a bug report
- Halting the process at that step (pull the cord to stop the line)
Public feedback == full knowledge to solve the problem in the optimal way
Make having problems OK and hiding problems a fireable offense
Cease to hear instruction, my son, and you will stray from the words
of knowledge. - Proverbs 19:27
Let the wilderness and its towns raise their voices; let the settlements
where Kedar lives rejoice. Let the people of Sela sing for joy; let them
shout from the mountaintops. - Isaiah 42:11
#2 – Improve Feedback
Amplify all feedback
Go all in
From the Bible
Keep specialized knowledge out of people's heads and into the system
- special configurations, business requirements, etc
- Check it into source control – automatically versioned.
- git blame anyone? You can find out where/when regressions occurred
Moving left to right, keep needed info in the stage that requires it
- Docs to build a package stored in the repo for that package
- Deploy automation in repo with configuration templates, etc
Gold there is, and rubies in abundance, but lips that speak knowledge
are a rare jewel. - Proverbs 20:15
#2 – Improve Feedback
Embed knowledge when needed
Workflow
Improve Feedback
Continual Experimentation and Learning
The 3 Ways of DevOps
Create a culture of innovation and experimentation
From the Bible
The fundamentals are now solid, what can your new knowledge buy you?
The business culture must allow for and embrace innovation / experimentation
Two essential things must be understood by the business and all involved
- We can learn from the failed experiments and risks we take
- Mastery comes with repetition and practice
and you won't be a master the first N times you practice
The mind of the discerning acquires knowledge, and the ear of the
wise seeks it. – Proverbs 18:15
But be doers of the word and not hearers only, deceiving yourselves.
– James 1:22
#3 – Continual Experimentation & Learning
Reward risk + learning
From the Bible
Don't just talk about rewarding risk, walk the walk
Trying new things and failing is OK when you gain knowledge
Consider this creating your own feedback in a very tight loop
Get real about this – failures should be noted positively in annual reviews
if and only if a lesson was learned
Edison invented the lightbulb by running out of things that didn't work
Be very careful, then, how you live—not as unwise but as wise,
making the most of every opportunity, because the days are evil.
Therefore do not be foolish, but understand what the Lord’s will is.
Ephesians 5:15–17
#3 – Continual Experimentation & Learning
Rituals are created that reward risk taking
Plan to improve or you're planning on stagnation
From the Bible
Invest in improving the system created
- By providing value to the business, it should want to maximize that return
Prune any technical debt – all debt is not bad
- some is good, none has opportunity costs, too much will crush you
Amplifying feedback helps sell this to the business
Can keep mistakes from being repeated
For I know the plans I have for you,” declares the LORD, “plans to
prosper you and not to harm you, plans to give you hope and a future.”
- Jeremiah 29:11
There is a time for everything, and a season for every activity under the
heavens – Ecclesiastes 3:1
#3 – Continual Experimentation & Learning
Mgmt allocates time for projects to improve the system
Practice emergencies so emergencies feel routine
From the Bible
Fire drills aka Chaos Monkey
You need to be a very mature org to do this
Wonderful feedback loop
- How would your programming change if you knew the DB could go away
at any time?
How else can you check redundancy? Think trying to restore from backups
For God gave us a spirit not of fear but of power and love and self-
control. - 2 Timothy 1:7
(Yeah, a bit of a stretch)
#3 – Continual Experimentation & Learning
Faults are introduced to increase resilience
Stretch out of your comfort zone
From the Bible
Requires embracing of failures since many of these won't work
Forces out-of-the-box thinking
Provides new perspectives on existing systems
- You may think A will break first, but B falls over instead
Can help find false bottlenecks, bad assumptions, the dreaded unknown unknowns
Yet another source of feedback so make sure and learn from it publicly
Take pains with these things; be absorbed in them, so that your
progress will be evident to all. - 1 Timothy 4:15
#3 – Continual Experimentation & Learning
Try crazy or audacious things
Everything shouldn't be bigger in Texas
I got nothing for this one...
Do small releases frequently
- Releases become ordinary not extraordinary
- Feedback loops are quick, positive changes can happen quicker
- Bugs are easier to find & fix in a smaller code base / diff
Reduction in code latency (code latency is how long written code is idle)
- Customers won't see new features until deployed. Happy Customer == $$
- Start making returns on your coding investment – aka ROI
Feels counter-intuitive but bigger changes == more complexity, less practice,
customers wait for features/bug fixes which means more risk
A pebble every day or a boulder every quarter?
Bonus Material
Small Batches Are Better
What Does DevOps
Mean For My AppSec
Program?
The AppSec Pipeline
Key Features of AppSec Pipelines
● Designed for iterative improvement
● Provides a reusable path for AppSec activities to follow
● Provides a consistent process for both the team and our constituency
● One way flow with well-defined states
● Relies heavily on automation
● Has the ability to grow in functionality organically over time
● Gracefully interconnects with the development process
Spending time optimizing anything other than the critical resource is an illusion.
Key Goals of AppSec Pipelines
● Optimize the critical resource - AppSec personnel
● Automate all the things that don’t require a human brain
● Drive up consistency
● Increase tracking of work status
● Increase flow through the system
● Increase visibility and metrics
● Reduce any dev team friction with application security
Pipeline - Intake
• “First Impression”
• Major categories of Intake
o Existing App
o New App
o Previously tested App
o App to re-test findings
• Key Concepts
o Ask for data about Apps only once
o Have data reviewed when an App returns
o Adapt data collected based on broad categories of Apps
Pipeline – the Middle
● Inbound request triage
● À la carte AppSec
o Dynamic Testing
o Static Testing
o Re-Testing mitigated findings
o Mix and match based on risk
● Key Concepts
o Activities can be run in parallel
o Automation on setup, configuration, data export
o People focus on customization rather than setup
Pipeline – the End
● Source of truth for all AppSec activities
● ThreadFix is used to
o Dedup / Consolidate findings
o Normalize scanner data
o Generate Metrics
o Push issues to bug trackers
● Report and metrics automation
o REST + tfclient
● Source of many touch points with external teams
Why we like AppSec Pipelines
● Allow us to have visibility into WIP
● Better understand/track/optimize flow of engagements
● Average static test takes ...
● Great increase in consistency
● Easier re-allocation of engagements between staff
● Each step has a well defined interface
● Knowing who has what allows for more informed “cost of switching” conversations
● Flexible enough for a range of skills and app maturity
Books to read...
● The Phoenix Project - Gene Kim, Kevin Behr and George Spafford
● The Practice of Cloud System Administration - Thomas A. Limoncelli, Strata R. Chalup, Christina J. Hogan
● The Bible
● The Shack - William P. Young
Thank you !

Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!Matt Tesauro
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My!  Security Gone AgileDevOps, CLI, APIs, Oh My!  Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone AgileMatt Tesauro
 
Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013Matt Tesauro
 

Mehr von Matt Tesauro (20)

Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API Landscape
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security Testing
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into security
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's Reach
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with Scissors
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based Security
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My!  Security Gone AgileDevOps, CLI, APIs, Oh My!  Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone Agile
 
Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013
 

Kürzlich hochgeladen

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Kürzlich hochgeladen (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Dev ops hackformers-matt-tesauro

  • 2. 5 months with Pearson Application Security Lead Engineer Prior to Pearson ● Rackspace - Lead Engineer, Product Security ● AppSec consulting o VP Services, Praetorian o Consultant Trustwave’s Spiderlabs ● TEA - Senior Security Engineer ● DIR - Penetration Tester ● Texas A&M University o Systems Analyst, Sys Admin, Developer, DBA o Lecturer in MIS department ● Viatel - Internet App Developer Who am I?
  • 3. Other professional experience ● OWASP Live CD / OWASP WTE o Project lead 2008 to present o Over 300K downloads o http://appseclive.org ● OWASP Foundation Board of Directors o International charity focused on improving software security ● Multiple speaking engagements internationally at AppSec, DHS, ISC2, SANS… conferences ● Application Security Training internationally ● B.S. Economics, M.S. in MIS o Strong believer in the value of cross-discipline study Who am I?
  • 4. A Christian ● Life long Lutheran o Lutheran private schools through 8th Grade o Pro Bono consulting work for Lutheran Foundation of TX o My kids attend Cross Lutheran School in New Braunfels ● Prefer contemporary to traditional services ● I've never had that big “aha” moment o Many times in my life I had to lean upon my faith ● Kids illnesses ● Hospice care ● Parents illness Who am I?
  • 6. The old way... Very early and prescriptive requirements and design Long development cycles Waterfall Approach Groups work in Silos - Dev, SysAdmin, QA, Security Possible feedback from bug reports but little else Throwing code over the wall Traditional Software Dev & Ops
  • 8. Why waterfall can be prone to failure Very difficult to capture all the requirements... - before design is complete - some may not surface until implementation All features “locked in” during early stages Operational considerations occur very late - Ops resorts to 'work arounds' and ad-hoc installs - Dev assumptions may violate Ops policy “Worked on my laptop...” Waterfall Development
  • 11. Why DevOps came to be What's different about DevOps Web/Cloud companies needed - high availability - fast introduction of new features Easy for users to switch to a competing service + first mover advantage No media to ship with SaaS models Cultural change – not just new cool tech aka CI/CD, Docker... Focus on clear business objectives Dev and SysAdmins share responsibility for uptime, deploys, downtime Emphasize people and process, repeatability Goal is better uptime and lower operational costs The DevOps Answer
  • 12. The Phoenix Project 3 Ways of DevOps Strategies for Improving Operations
  • 13. Workflow The 3 Ways of DevOps 1 2 3
  • 14. Look at your purpose and those processes which aid it From the Bible Make sure the process is correct from beginning to the end Then look at ways to speed up that process Value Stream – the name of the process which provides value to the business Working from left to right – think of a time line: business / development => customer / operations Flow [rate] – the speed work goes through the process I make known the end from the beginning, from ancient times, what is still to come. I say, 'My purpose will stand, and I will do all that I please.' - Isaiah 46:10 The end of a matter is better than its beginning; Patience of spirit is better than haughtiness of spirit. - Ecclesiastes 7:8 #1 - Workflow
  • 15. An example workflow Software release process ● Code written ● Code committed to a code repository ● Unit test the code ● Package the code for deployment ● Integration testing ● Deploy code to production #1 - Workflow
  • 16. Making things repeatable Remove all haphazard and ad hoc work from the process Repeat until stable, I like doing the first couple times manually with a 'run book' Scripting languages are your friends Config Mgmt – Puppet, Chef, Salt, Ansible, Jenkins, CFEngine, … Creating deployable artifacts from a branch/release aka .rpm / .deb / .msi Make sure what you do can be done on 1 server or 10,000 servers Repetition is the mother of skill - Master Bret Riley, Sa Bom Nim (Master Instructor TSD-MGK) #1 - Workflow Each Step Repeatable
  • 17. Work left to right but don't pass on failures From the Bible Test early and often Increase the rigor of testing as you work left to right When a failure occurs, end that flow and start a new one after corrections The further right you are, the more expensive failure is So whoever knows the right thing to do and fails to do it, for him it is sin. - James 4:17 The King will reply, ‘Truly I tell you, whatever you did for one of the least of these brothers and sisters of mine, you did for me. - Matthew 25:40 #1 - Workflow Never Pass on Defects
  • 18. Your fix cannot be my new problem From the Bible Ensure no single-step optimizations degrade the overall performance of the workflow Spending time optimizing anything other than the critical resource is an illusion. Find the bottle neck in your workflow and start there - Upstream changes will just back things up - Downstream changes won't manifest since input is limited Each new optimization creates a new bottleneck – iterate on this So whatever you wish that others would do to you, do also to them, for this is the Law and the Prophets. - Matthew 7:12 #1 - Workflow Local optimizations with a global view
  • 19. Now go faster From the Bible Make sure you have a well-defined, repeatable process first Look for manual steps that can be automated Look for duplicate work that can be removed/eliminated Measuring/tracking time taken at each step is crucial Where does the flow ebb? Give, and it will be given to you. A good measure, pressed down, shaken together and running over, will be poured into your lap. For with the measure you use, it will be measured to you. - Luke 6:38 #1 - Workflow Increase the flow of work
  • 20. Workflow Improve Feedback The 3 Ways of DevOps 1 2 3
  • 21. Open yourself to upstream and downstream information From the Bible Feedback loops occur when information is gathered from - upstream (business / development) - downstream (customer / operations) Make visible problems, concerns, potential improvements – share this publicly Learn as you move left to right so improvements aren't lost Requests are opportunities to better fulfill the needs of the business There is rarely enough feedback, capture and look for more Feedback collected can be used to optimally improve the system For there is nothing hidden that will not be disclosed, and nothing concealed that will not be known or brought out into the open. - Luke 8:17 #2 – Improve Feedback
  • 22. Customers are also inside your business From the Bible Customer is more than the 'consumer' at the end of the process - Each step is the customer of the previous step - Understand what the next steps need from you to succeed Remember, feedback isn't guaranteed - encourage it by responding - Responses are required of external and internal customers Make feedback & responding quick, easy and readily available Where there is no guidance, a people falls, but in an abundance of counselors there is safety. - Proverbs 11:14 My dear brothers and sisters, take note of this: Everyone should be quick to listen, slow to speak and slow to become angry. - James 1:19 #2 – Improve Feedback Understand and respond to your customers
  • 23. Remove any intermediaries and impediments to feedback From the Bible Communicate as directly as possible, skipping steps/people if possible - e.g. The person who finds a problem communicates with the person who can fix the problem The more hands that hold the feedback, the more chance to get garbled If possible, intermediaries should be software not people Whispered secret across a classroom, how much change occurs? A person finds joy in giving an apt reply — and how good is a timely word! - Proverbs 15:23 #2 – Improve Feedback Shorten Feedback loops
  • 24. Shout it from the mountain tops From the Bible No heroes quietly fixing things or applying workarounds. Open, honest communication of feedback, especially of problems - File a bug report - Halting the process at that step (pull the cord to stop the line) Public feedback == full knowledge to solve the problem in the optimal way Make having problems OK and hiding problems a fireable offense Cease to hear instruction, my son, and you will stray from the words of knowledge. - Proverbs 19:27 Let the wilderness and its towns raise their voices; let the settlements where Kedar lives rejoice. Let the people of Sela sing for joy; let them shout from the mountaintops. - Isaiah 42:11 #2 – Improve Feedback Amplify all feedback
  • 25. Go all in From the Bible Keep specialized knowledge out of people's heads and into the system - special configurations, business requirements, etc - Check it into source control – automatically versioned. - git blame anyone? You can find out where/when regressions occurred Moving left to right, keep needed info in the stage that requires it - Docs to build a package stored in the repo for that package - Deploy automation in repo with configuration templates, etc Gold there is, and rubies in abundance, but lips that speak knowledge are a rare jewel. - Proverbs 20:15 #2 – Improve Feedback Embed knowledge when needed
  • 26. Workflow Improve Feedback Continual Experimentation and Learning The 3 Ways of DevOps 1 2 3
  • 27. Create a culture of innovation and experimentation From the Bible The fundamentals are now solid, what can your new knowledge buy you? The business culture must allow for and embrace innovation / experimentation Two essential things must be understood by the business and all involved - We can learn from the failed experiments and risks we take - Mastery comes with repetition and practice and you won't be a master the first N times you practice The mind of the discerning acquires knowledge, and the ear of the wise seeks it. – Proverbs 18:15 But be doers of the word and not hearers only, deceiving yourselves. – James 1:22 #3 – Continual Experimentation & Learning
  • 28. Reward risk + learning From the Bible Don't just talk about rewarding risk, walk the walk Trying new things and failing is OK when you gain knowledge Consider this creating your own feedback in a very tight loop Get real about this – failures should be noted positively in annual reviews if and only if a lesson was learned Edison invented the lightbulb by running out of things that didn't work Be very careful, then, how you live—not as unwise but as wise, making the most of every opportunity, because the days are evil. Therefore do not be foolish, but understand what the Lord’s will is. Ephesians 5:15–17 #3 – Continual Experimentation & Learning Rituals are created that reward risk taking
  • 29. Plan to improve or you're planning on stagnation From the Bible Invest in improving the system created - By providing value to the business, it should want to maximize that return Prune any technical debt – all debt is not bad - some is good, none has opportunity costs, too much will crush you Amplifying feedback helps sell this to the business Can keep mistakes from being repeated For I know the plans I have for you,” declares the LORD, “plans to prosper you and not to harm you, plans to give you hope and a future.” - Jeremiah 29:11 There is a time for everything, and a season for every activity under the heavens – Ecclesiastes 3:1 #3 – Continual Experimentation & Learning Mgmt allocates time for projects to improve the system
  • 30. Practice emergencies so emergencies feel routine From the Bible Fire drills aka Chaos Monkey You need to be a very mature org to do this Wonderful feedback loop - How would your programming change if you knew the DB could go away at any time? How else can you check redundancy? Think trying to restore from backups For God gave us a spirit not of fear but of power and love and self-control. - 2 Timothy 1:7 (Yeah, a bit of a stretch) #3 – Continual Experimentation & Learning Faults are introduced to increase resilience
  • 31. Stretch out of your comfort zone From the Bible Requires embracing of failures since many of these won't work Forces out-of-the-box thinking Provides new perspectives on existing systems - You may think A will break first, but B falls over instead Can help find false bottlenecks, bad assumptions, the dreaded unknown unknowns Yet another source of feedback so make sure and learn from it publicly Take pains with these things; be absorbed in them, so that your progress will be evident to all. - 1 Timothy 4:15 #3 – Continual Experimentation & Learning Try crazy or audacious things
  • 32. Everything shouldn't be bigger in Texas I got nothing for this one... Do small releases frequently - Releases become ordinary not extraordinary - Feedback loops are quick, positive changes can happen quicker - Bugs are easier to find & fix in a smaller code base / diff Reduction in code latency (code latency is how long written code is idle) - Customers won't see new features until deployed. Happy Customer == $$ - Start making returns on your coding investment – aka ROI Feels counter-intuitive but bigger changes == more complexity, less practice, customers wait for features/bug fixes which means more risk A pebble every day or a boulder every quarter? Bonus Material Small Batches Are Better
  • 33. What Does DevOps Mean For My AppSec Program?
  • 35. Key Features of AppSec Pipelines ● Designed for iterative improvement ● Provides a reusable path for AppSec activities to follow ● Provides a consistent process for both the team and our constituency ● One way flow with well-defined states ● Relies heavily on automation ● Has the ability to grow in functionality organically over time ● Gracefully interconnects with the development process
  • 36. Spending time optimizing anything other than the critical resource is an illusion.
  • 37. Key Goals of AppSec Pipelines • Optimize the critical resource - AppSec personnel ● Automate all the things that don’t require a human brain ● Drive up consistency ● Increase tracking of work status ● Increase flow through the system ● Increase visibility and metrics ● Reduce any dev team friction with application security
  • 38. Pipeline - Intake • “First Impression” • Major categories of Intake • Existing App • New App • Previously tested App • App to re-test findings • Key Concepts • Ask for data about Apps only once • Have data reviewed when an App returns • Adapt data collected based on broad categories of Apps
  • 39. Pipeline – the Middle ● Inbound request triage ● Ala Carte App Sec ● Dynamic Testing ● Static Testing ● Re-Testing mitigated findings ● Mix and match based on risk ● Key Concepts ● Activities can be run in parallel ● Automation on setup, configuration, data export ● People focus on customization rather than setup
  • 40. Pipeline – the End ● Source of truth for all AppSec activities ● ThreadFix is used to ● Dedup / Consolidate findings ● Normalize scanner data ● Generate Metrics ● Push issues to bug trackers ● Report and metrics automation ● REST + tfclient ● Source of many touch points with external teams
  • 41. Why we like AppSec Pipelines ● Allow us to have visibility into WIP ● Better understand/track/optimize flow of engagements ● Average static test takes ... ● Great increase in consistency ● Easier re-allocation of engagements between staff ● Each step has a well defined interface ● Knowing who has what allows for more informed “cost of switching” conversations ● Flexible enough for a range of skills and app maturity
  • 43. The Phoenix Project The Practice of Cloud System Administration Gene Kim, Kevin Behr and George Spafford Books to read Thomas A. Limoncelli, Strata R. Chalup, Christina J. Hogan
  • 44. The Bible The Shack Books to read William P. Young
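
Slide 40 gives the end of the AppSec pipeline the job of normalizing scanner data, deduplicating and consolidating findings, and generating metrics. The sketch below is an added example, not code from the talk and not ThreadFix's own matching logic; the two scanner output shapes, the field names, the severity mapping and the fingerprint rule (CWE, path, parameter) are all assumptions made for illustration.

```python
"""Normalize findings from two scanners, merge duplicates, report metrics."""
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed mapping from the dynamic scanner's numeric risk to a shared scale.
DYNAMIC_RISK = {1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed sample output from a hypothetical static scanner.
STATIC_RESULTS = [
    {"rule_cwe": "CWE-89", "sev": "HIGH", "file": "app/views/search.py",
     "line": 42, "route": "/search", "param": "q"},
    {"rule_cwe": "CWE-79", "sev": "MEDIUM", "file": "app/views/profile.py",
     "line": 17, "route": "/profile", "param": "name"},
]

# Constructed sample output from a hypothetical dynamic scanner.
DYNAMIC_RESULTS = [
    {"cweid": 89, "risk": 4, "parameter": "Q",
     "url": "https://app.example.test/search?q=1"},
    {"cweid": 352, "risk": 2, "parameter": "",
     "url": "https://app.example.test/settings/"},
]


@dataclass
class Finding:
    """One finding in the common schema every scanner is mapped onto."""
    cwe: int
    path: str
    param: str
    severity: str
    sources: set = field(default_factory=set)
    evidence: list = field(default_factory=list)


def normalize_path(path):
    """Strip trailing slashes so '/settings/' and '/settings' compare equal."""
    return path.rstrip("/") or "/"


def normalize_static(raw):
    return Finding(
        cwe=int(raw["rule_cwe"].split("-", 1)[1]),
        path=normalize_path(raw["route"]),
        param=raw["param"].lower(),
        severity=raw["sev"].lower(),
        sources={"static"},
        evidence=[f'{raw["file"]}:{raw["line"]}'],
    )


def normalize_dynamic(raw):
    return Finding(
        cwe=int(raw["cweid"]),
        path=normalize_path(urlsplit(raw["url"]).path),
        param=raw["parameter"].lower(),
        severity=DYNAMIC_RISK.get(raw["risk"], "info"),
        sources={"dynamic"},
        evidence=[raw["url"]],
    )


def consolidate(findings):
    """Merge findings with the same fingerprint, keeping the worst severity."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.path, f.param)
        kept = merged.get(key)
        if kept is None:
            merged[key] = f
            continue
        kept.sources |= f.sources
        kept.evidence += f.evidence
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[kept.severity]:
            kept.severity = f.severity
    return merged


def metrics(raw_count, merged):
    """Counts a team could track over time for visibility into the pipeline."""
    return {
        "raw": raw_count,
        "unique": len(merged),
        "duplicates_merged": raw_count - len(merged),
        "corroborated": sum(1 for f in merged.values() if len(f.sources) > 1),
        "by_severity": dict(Counter(f.severity for f in merged.values())),
    }


def run_pipeline_end():
    findings = [normalize_static(r) for r in STATIC_RESULTS]
    findings += [normalize_dynamic(r) for r in DYNAMIC_RESULTS]
    merged = consolidate(findings)
    return merged, metrics(len(findings), merged)


if __name__ == "__main__":
    merged, report = run_pipeline_end()
    for key, f in sorted(merged.items()):
        print(key, f.severity, sorted(f.sources), f.evidence)
    print(report)
```

A finding reported by both scanners ends up as one record with two sources, which is the record worth pushing to a bug tracker first.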

Editor's notes

  1. http://www.mikealeckson.com/2011/12/christianity-and-continuous-improvement.html http://christianfaithatwork.com/are-you-committed-to-continuous-learning/
  2. http://www.patheos.com/blogs/christiancrier/2014/12/02/top-7-bible-verses-about-taking-chances/