LONDON 2015
Join the conversation #devseccon
Securing Innovation @ Speed &
Scale via DevSecOps
DEVSECCON LONDON 2015
@devsecops
Who am I?
• 25+ yrs Technology & Security Experience
• Background in Security R&D
• Working with the Cloud before it was called the “Cloud”
• Manage teams using DevOps, Agile & Scrum
• Incident Response & Crisis Management
-- FOUNDER --
The Race for Competitive Advantage…
Indicators that demonstrate change:
• Tailoring business to the needs of customers to achieve large-scale business returns is driving Cloud & DevOps adoption
• Small businesses and entrepreneurs are enabled to compete in complex business models with boutique appeal against Enterprises
• High performing teams are being developed and incubated in Enterprises to mimic the DevOps teams found in Start-ups.
Startups on the Rise in 2015…
From 1996 to 2015:
• Increase in Startups in 2015 shows rebound
• Entrepreneurs over 55 have nearly doubled
• Significant rise in Immigrant Entrepreneurs
• New Entrepreneurs are on the rise again
• More men than women are becoming first-time Entrepreneurs
kauffman.org
DevOps Growth…
Google Trends
• DevOps.com was bought in 2004
• Google searches for “DevOps” started to rise in 2010
• Major influences:
  • Saving your Infrastructure from DevOps / Chicago Tribune
  • DevOps: A Culture Shift, Not a Technology / Information Week
  • DevOps: A Sharder’s Tale from Etsy
  • DevOps.com articles
• RuggedSoftware.org was bought in 2010
https://www.google.com/trends/
Cloud Security Boom…
• Cloud Platform security features are on the rise the last few years
• Security in the Cloud is becoming the norm
• Default configurations are still not quite there but will become the focus with growing thought leadership
• Cloud Providers must solve for providing security features that scale
• Security teams need to learn to use these features quickly
[Chart: cloud platform security features by year, 2007–2015; values shown: 48, 61, 82, 159, 280, 514, ?]
AWS re:Invent 2015
Big Data?
• Reflecting on this 2013 article
• Devices & IoT drive bigger data
• Instrumentation <- Security needs this
• Asset management & monitoring
• Service Support
http://www.enterprisecioforum.com/big-data-case-study-utilities/
DevOps increases speed & scale…
This collaborative effort can help DevOps-led projects make IT operational metrics 100 times better, and in so doing offers “an evolutionary fork in the road” which could lead to the “end of security as we know it,” added Joshua Corman – founder of Rugged DevOps and I am the Cavalry.
http://www.infosecurity-magazine.com/news/infosec15-devops-end-of-security
So what hinders “secure” innovation @ speed & scale?
1. Friction for friction’s sake
2. Manual processes & meeting culture
3. Point in time assessments
4. Decisions being made outside of value creation
5. Contextual misunderstandings
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)
And then there’s… Security & Compliance!
• The discipline is very complex
• Majority of the Security Industry is Vendor dependent
• Requires Meetings, Appointments, and Point in Time evaluations with low context
• Requirements are dependent on what is developed
• The art of “No” has become its own science
Can Security evolve?
[Diagram: DEV / SEC / OPS]
• Security as Code
• Self-Service Testing
• Red Team/Blue Team
• Inline Enforcement
• Analytics & Insights
• Detect & Contain
• Incident Response
• Investigations
• Forensics
AppSec
What’s the DevSecOps Mission?
…creating targeted customer value through secure iterative innovation at speed & scale …
Security is Everyone’s Job!
What should we value to evolve Security for DevOps?
Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
In essence, don’t waste people’s time with
Fear -> Uncertainty -> Doubt
devsecops.org
Imagine adding Security into the DevOps pipeline…
[Diagram: a Security Self-Service layer across skills (Biz, UX, Dev, Data Science, App Sec, Sec Eng, Comp Ops, Sec Ops, Ops Training) sitting over Software & Infrastructure Platforms, Software Components & Resources, YOUR APP STACK GOES HERE, and Operational Tools & Monitoring; collaboration, partnership, value creation, self-service (DevOps, Agile, Scrum, Cloud)]
The Art of DevSecOps (Security View)
DevSecOps:
• Security Engineering: Experiment, Automate, Test
• Security Operations: Hunt, Detect, Contain
• Compliance Operations: Respond, Manage, Train
• Security Science: Learn, Measure, Forecast
Can we make it simple? Yes!
• Smaller Teams
• Smaller Services
• Smaller Failures
• Rest APIs drive culture
• Customer focus
• Deep problem understanding throughout org
• Deliberate dedication to solving and simplifying tech challenges
• Products and Services have security built-in along the supply chain
• Security removes barriers and roadblocks as self-service for DevOps
• Managers map, magnify and multiply to create culture blast radius
How can we get started?
Small Project
Approach is tailored to small experiments and pipeline testing.
Pros:
• Requires DevOps Approach
• Fast failures
• Team learns to collaborate
• Higher Productivity, Less waste
Cons:
• Skill shortages
• Team needs vision to avoid micro-focus churn
Migration
Approach allows organization to map and adjust for what they already know.
Pros:
• Allows companies to keep operating while teams figure out what’s needed
Cons:
• Overload
• Can be slower to accomplish completion
• Failures can become complex
Big Project
Approach is “all-in” and used to transform an organization as a whole.
Pros:
• Firm commitment alleviates political back and forth
• Focus & All-in Speed
Cons:
• Bigger Failures
• Difficult for everyone to learn from mistakes and experiments
Small Project -> The Provocation
How can we transform a control into a self-aware, self-reporting, self-healing component that can be consumed at speed & scale?
Our challenge is to begin the process of creating self-aware and self-reporting components. This process can be achieved using configuration management tools, open source and log management systems. Let’s work with the IA Controls from NIST 800-53 today and use the implementation of MFA as an example. Specifically, IA-2 calls for multi-factor authentication, which is available in some Software Defined Environments as a feature. Let’s look at how we can enable MFA within our Stack and the different use cases that are present and require security baseline components.
Questions to answer:
1. How can baseline components be shared and extended?
2. Once the component is ready to be used, implemented, then what?
3. What about the feedback loop?
4. What is the best way to create an automated report that is continuously built and maintained?
5. How can we report across a full-stack?
6. What tools can assist?
[Diagram: FW ? / Web ?]
Compliance at Velocity (https://medium.com/compliance-at-velocity)
Migrations -> One foot in… One foot out...
[Diagram: Traditional IT & Security (FW/IDS; Web, App, DB tiers) beside DevOps + DevSecOps (FW/IDS; ELB, App, DBAAS)]
Big Project -> The Hail Mary
[Diagram: Traditional IT & Security (FW/IDS; Web, App, DB tiers) beside “DevOps? + DevSecOps?” (FW/IDS; the same Web, App, DB tiers)]
What is this?
Why is approach so important?
API KEY EXPOSURE -> 8 HRS
DEFAULT CONFIGS -> 24 HRS
SECURITY GROUPS -> 24 HRS
ESCALATION OF PRIVS -> 5 D
KNOWN VULN -> 8 HRS
So let’s recap before we move on to examples…
DevSecOps needs:
• Active Collaboration
• High Engagement
• Experimentation
• Open Contribution
• Fail Fast Culture
• Ability to adapt and learn
• DevOps Understanding
• Focusing on Simplicity
Not this one…
This one!!
Perimeter Testing
THEN: PCI DSS 1.1.1 – Approve/Test/Detect firewall changes
• Labor: 40 hours/Annually
• Tools: Excel, Text Pad, Open Source or Commercial Config Management
• Measure: Certify annually
• Impact: High
NOW: Scan API, ingest Config/CloudTrail, trigger firewall audits and revert unapproved changes to heal to spec
• Labor: 40 hours/First Year, 8 hours per yr maintain
• Tools: APIs, Logs, Open Source, Commercial
• Measure: Mean time to Detection, Mean time to Resolve
• Impact: Depends on Resource
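The NOW row above describes a pipeline rather than a product: ingest the change records, compare what was authorized against an approved spec, and emit the revert needed to heal the group. The script below is an added example of that loop and is not code from the talk; the security-group id, the approved spec and the CloudTrail-shaped events are constructed so it runs offline, and the revert is computed as data (the rules to revoke) rather than executed, so the same logic serves an alert-only and a self-healing deployment.

```python
"""Perimeter drift check for the 'Perimeter Testing' slide.

Compares security-group ingress rules seen in CloudTrail-style events with an
approved spec, reports drift with the responsible principal, and computes the
revocations needed to heal the group back to spec. Added example, not code
from the talk; the events and the spec are constructed to run offline.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Tuple

# A rule is (protocol, from_port, to_port, cidr).
Rule = Tuple[str, int, int, str]

# Approved baseline (constructed): the only ingress the web security group may carry.
APPROVED_SPEC: Dict[str, FrozenSet[Rule]] = {
    "sg-0a1b2c3d": frozenset({
        ("tcp", 443, 443, "0.0.0.0/0"),
        ("tcp", 80, 80, "0.0.0.0/0"),
    }),
}

# Constructed CloudTrail-style AuthorizeSecurityGroupIngress events (subset of fields).
SAMPLE_EVENTS = [
    {
        "eventName": "AuthorizeSecurityGroupIngress",
        "eventTime": "2015-11-19T09:12:03Z",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-bot"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    },
    {
        "eventName": "AuthorizeSecurityGroupIngress",
        "eventTime": "2015-11-19T14:40:51Z",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    },
]


@dataclass(frozen=True)
class Finding:
    group_id: str
    rule: Rule
    actor: str
    event_time: str


def rules_from_event(event: dict) -> List[Tuple[str, Rule]]:
    """Flatten one event into (group_id, rule) pairs, one per CIDR range."""
    params = event["requestParameters"]
    pairs = []
    for perm in params["ipPermissions"]["items"]:
        for rng in perm.get("ipRanges", {}).get("items", []):
            rule = (perm["ipProtocol"], perm["fromPort"], perm["toPort"], rng["cidrIp"])
            pairs.append((params["groupId"], rule))
    return pairs


def detect_drift(events, spec: Dict[str, FrozenSet[Rule]]) -> List[Finding]:
    """Every authorized rule that is not in the approved spec is a finding."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        for gid, rule in rules_from_event(ev):
            if rule not in spec.get(gid, frozenset()):
                findings.append(Finding(gid, rule, ev["userIdentity"]["arn"], ev["eventTime"]))
    return findings


def revocations(findings: List[Finding]) -> Dict[str, List[Rule]]:
    """Group drifted rules by security group: the input a revoke call needs to heal to spec."""
    plan: Dict[str, List[Rule]] = {}
    for f in findings:
        plan.setdefault(f.group_id, []).append(f.rule)
    return plan


def detection_latency_seconds(finding: Finding, detected_at: str) -> int:
    """Seconds from the change to its detection: the raw input to a mean-time-to-detect metric."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    delta = datetime.strptime(detected_at, fmt) - datetime.strptime(finding.event_time, fmt)
    return int(delta.total_seconds())


if __name__ == "__main__":
    drift = detect_drift(SAMPLE_EVENTS, APPROVED_SPEC)
    for f in drift:
        print(f"DRIFT {f.group_id} {f.rule} by {f.actor} at {f.event_time}")
    print("revoke:", revocations(drift))
```

Keeping the spec in version control turns the firewall change approval of PCI DSS 1.1.1 into a pull request, and the latency function gives the “Mean time to Detection” measure the slide asks for instead of an annual certification date.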
Configuration Management/Baselines
THEN: PCI DSS 2.2 – Develop & assure configuration standards for all system components.
• Labor: 40 hours/Annually/Per Major Component
• Tools: Excel, Text Pad, Open Source or Commercial Config Management
• Measure: Certify annually
• Impact: High
NOW: Track known good CF stacks & AMIs, alert or neutralize non-compliant/non-approved deploys
• Labor: 40 hours/First Year, 1 hour per yr maintain/Per Component
• Tools: APIs, Logs, Open Source, Commercial
• Measure: Mean time to Detection, Mean time to Resolve
• Impact: High
Encrypting Sensitive Data
THEN: HIPAA 164.312(a)(2)(iv): Implement a method to encrypt and decrypt electronic protected health information.
• Labor: 1 FTE minimum per 3 DevOps Teams
• Tools: Commercial, Open Source
• Measure: Certify annually
• Impact: High
NOW: Enforce encryption of all assets by platform or data classification tags. Continuous enforcement and automated detection.
• Labor: 8 hours
• Tools: APIs, Logs, Open Source, Commercial
• Measure: Mean time to Detection, Mean time to Resolve
• Impact: High
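The two slides above (known-good stacks and AMIs; encryption driven by classification tags) share one shape: a baseline expressed as data, evaluated continuously over the configuration inventory, with a neutralizing action and a score per control. The script below is an added example of that evaluator and is not code from the talk; the AMI ids, stack names, tag values and Config-shaped items are constructed so it runs offline, and the rule set is the general form of which the slides give two instances.

```python
"""Baseline compliance check for the 'Configuration Management/Baselines' and
'Encrypting Sensitive Data' slides.

Evaluates Config-style configuration items against a known-good baseline
(approved AMIs and CloudFormation stacks) and a tag-driven encryption policy,
emits findings mapped to the controls named on the slides, proposes the
neutralizing action, and scores each control per resource. Added example, not
code from the talk; items, AMI ids, stack names and tag values are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

KNOWN_GOOD_AMIS = {"ami-0baseline01", "ami-0baseline02"}   # constructed ids
APPROVED_STACKS = {"web-tier-prod", "api-tier-prod"}       # constructed names
ENCRYPTION_REQUIRED = {"Confidential", "PHI"}               # classification tag values

# Constructed Config-style items (subset of real fields).
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0001",
     "configuration": {"imageId": "ami-0baseline01"},
     "tags": {"aws:cloudformation:stack-name": "web-tier-prod"}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0002",
     "configuration": {"imageId": "ami-0rogue99"},           # unknown image
     "tags": {"aws:cloudformation:stack-name": "web-tier-prod"}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0003",
     "configuration": {"imageId": "ami-0baseline02"},
     "tags": {}},                                           # hand-launched, no stack
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0001",
     "configuration": {"encrypted": False}, "tags": {"DataClassification": "PHI"}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0002",
     "configuration": {"encrypted": True}, "tags": {"DataClassification": "PHI"}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0003",
     "configuration": {"encrypted": False}, "tags": {"DataClassification": "Public"}},
]


@dataclass(frozen=True)
class Rule:
    name: str
    control: str
    action: str                       # neutralizing action for a failing resource
    applies: Callable[[dict], bool]   # is this item in scope for the rule?
    passes: Callable[[dict], bool]    # does an in-scope item meet the baseline?


RULES = [
    Rule("approved-ami", "PCI DSS 2.2", "stop-instance",
         lambda it: it["resourceType"] == "AWS::EC2::Instance",
         lambda it: it["configuration"]["imageId"] in KNOWN_GOOD_AMIS),
    Rule("approved-stack", "PCI DSS 2.2", "stop-instance",
         lambda it: it["resourceType"] == "AWS::EC2::Instance",
         lambda it: it["tags"].get("aws:cloudformation:stack-name") in APPROVED_STACKS),
    Rule("encrypt-sensitive", "HIPAA 164.312(a)(2)(iv)", "quarantine-volume",
         lambda it: (it["resourceType"] == "AWS::EC2::Volume"
                     and it["tags"].get("DataClassification") in ENCRYPTION_REQUIRED),
         lambda it: bool(it["configuration"].get("encrypted"))),
]


@dataclass(frozen=True)
class Finding:
    resource_id: str
    rule: str
    control: str
    action: str


def evaluate(items: List[dict], rules=RULES) -> List[Finding]:
    """Run every applicable rule over every item; each failure is one finding."""
    return [Finding(it["resourceId"], r.name, r.control, r.action)
            for it in items for r in rules if r.applies(it) and not r.passes(it)]


def neutralize_plan(findings: List[Finding]) -> Dict[str, str]:
    """One action per non-compliant resource (a resource failing two rules is stopped once)."""
    return {f.resource_id: f.action for f in findings}


def control_scores(items: List[dict], rules=RULES) -> Dict[str, Tuple[int, int]]:
    """(compliant, in_scope) per control, counted per resource rather than per rule."""
    failing = {(f.resource_id, f.control) for f in evaluate(items, rules)}
    scores: Dict[str, Tuple[int, int]] = {}
    for control in {r.control for r in rules}:
        in_scope = [it for it in items
                    if any(r.applies(it) for r in rules if r.control == control)]
        compliant = [it for it in in_scope if (it["resourceId"], control) not in failing]
        scores[control] = (len(compliant), len(in_scope))
    return scores


if __name__ == "__main__":
    for f in evaluate(SAMPLE_ITEMS):
        print(f"NON-COMPLIANT {f.resource_id} {f.rule} [{f.control}] -> {f.action}")
    print(control_scores(SAMPLE_ITEMS))
```

Scoring per resource rather than per rule is deliberate: an instance on an unknown image and outside any approved stack is one non-compliant component, not two, which is how the “Business Driven Security Scores” from the manifesto slide stay honest as more rules are added.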
Access Management
THEN: NIST 800-53 AC-2(12) – Monitor and report atypical usage of information system accounts.
• Labor: 1 FTE minimum
• Tools: Commercial, Open Source
• Measure: Certify quarterly, annually
• Impact: High
NOW: CloudTrail/Config user attribution of use/abuse, ability to reduce team size and allow for smaller containers
• Labor: 40 hours Dev, 8 hours Maintain
• Tools: APIs, Logs, Open Source, Commercial
• Measure: Mean time to Detection, Mean time to Resolve
• Impact: High
Multi-Factor Authentication
THEN: NIST 800-53 IA-2 – The information system uniquely identifies and authenticates organizational users
• Labor: 1 FTE minimum
• Tools: Commercial, Open Source
• Measure: Certify annually
• Impact: High
NOW: MFA built into APIs and Cloud Platforms can be exposed for authorization decisions
• Labor: 1 hour per week
• Tools: APIs, Logs, Open Source, Commercial
• Measure: Mean time to Resolve
• Impact: High
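The Access Management and Multi-Factor Authentication slides, and the self-reporting MFA component asked for on the Small Project slide, come down to reading the MFA state and the usage pattern out of the audit trail itself. The script below is an added example of that self-reporting check and is not code from the talk; the events, the per-user source-IP baseline, the sensitive-action list and the working-hours window are constructed assumptions, while the `mfaAuthenticated` session attribute is a real CloudTrail field that carries the strings "true" or "false".

```python
"""MFA-aware usage review for the 'Access Management' and 'Multi-Factor
Authentication' slides (NIST 800-53 AC-2(12) and IA-2).

Reads CloudTrail-style events and reports (1) sensitive API calls made
without an MFA-authenticated session and (2) atypical account usage: a new
source IP for the user or activity outside working hours. Added example, not
code from the talk; events, IP baseline, sensitive-action list and the
working-hours window are constructed assumptions.
"""
from datetime import datetime
from typing import Dict, List, Set, Tuple

# API calls that should only ever happen under MFA (constructed policy list).
SENSITIVE_ACTIONS = {"StopLogging", "DeleteTrail", "CreateUser",
                     "AttachUserPolicy", "PutBucketPolicy"}
WORKING_HOURS_UTC = range(7, 20)   # 07:00-19:59 UTC, constructed

# Constructed CloudTrail-style events (subset of real fields). Access-key calls
# carry no sessionContext, so they are treated as not MFA-authenticated.
SAMPLE_EVENTS = [
    {"eventTime": "2015-11-19T10:02:11Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2015-11-19T10:05:40Z", "eventName": "StopLogging",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2015-11-19T02:17:09Z", "eventName": "AttachUserPolicy",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2015-11-19T11:00:00Z", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]

# Constructed baseline of where each user normally works from.
KNOWN_SOURCE_IPS: Dict[str, Set[str]] = {
    "alice": {"203.0.113.10"},
    "bob": {"203.0.113.10", "203.0.113.11"},
    "carol": {"203.0.113.22"},
}

Finding = Tuple[str, str, str]   # (user, eventName, reason)


def user_of(event: dict) -> str:
    ident = event["userIdentity"]
    return ident.get("userName") or ident.get("arn", "unknown")


def mfa_authenticated(event: dict) -> bool:
    """True only when the session explicitly records MFA; absent context counts as no MFA."""
    attrs = event["userIdentity"].get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def analyze(events: List[dict], known_ips: Dict[str, Set[str]]) -> List[Finding]:
    """IA-2: sensitive calls without MFA. AC-2(12): new source IP or off-hours activity."""
    findings: List[Finding] = []
    for ev in events:
        user, name = user_of(ev), ev["eventName"]
        if name in SENSITIVE_ACTIONS and not mfa_authenticated(ev):
            findings.append((user, name, "sensitive-without-mfa"))
        if ev["sourceIPAddress"] not in known_ips.get(user, set()):
            findings.append((user, name, "atypical-source-ip"))
        hour = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour
        if hour not in WORKING_HOURS_UTC:
            findings.append((user, name, "off-hours"))
    return findings


def users_never_using_mfa(events: List[dict]) -> Set[str]:
    """Users with no MFA-authenticated activity in the window: candidates for MFA enforcement."""
    seen = {user_of(ev) for ev in events}
    with_mfa = {user_of(ev) for ev in events if mfa_authenticated(ev)}
    return seen - with_mfa


if __name__ == "__main__":
    for user, name, reason in analyze(SAMPLE_EVENTS, KNOWN_SOURCE_IPS):
        print(f"{reason:22} {user:8} {name}")
    print("never MFA:", sorted(users_never_using_mfa(SAMPLE_EVENTS)))
```

The detection side reports; the “exposed for authorization decisions” half of the NOW row is the preventive counterpart, an IAM policy condition on the `aws:MultiFactorAuthPresent` key that denies the sensitive actions outright unless the session was MFA-authenticated, so the same signal closes the loop from both ends.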
Global Call to Action 2015
Get Involved and Join the Community
• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity
• Join Us !!!
• Spread the word!!!

Chris Munns, DevOps @ Amazon: Microservices, 2 Pizza Teams, & 50 Million Depl...Chris Munns, DevOps @ Amazon: Microservices, 2 Pizza Teams, & 50 Million Depl...
Chris Munns, DevOps @ Amazon: Microservices, 2 Pizza Teams, & 50 Million Depl...
 
Observability in serverless solutions
Observability in serverless solutionsObservability in serverless solutions
Observability in serverless solutions
 
Dev ops concept
Dev ops conceptDev ops concept
Dev ops concept
 
DevOps 101
DevOps 101DevOps 101
DevOps 101
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
Atagg2015 Where testing is moving in agile cloud world!
Atagg2015 Where testing is moving in agile cloud world!Atagg2015 Where testing is moving in agile cloud world!
Atagg2015 Where testing is moving in agile cloud world!
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon Lietz
 
What is DevOps? What is DevOps CoE?
What is DevOps? What is DevOps CoE? What is DevOps? What is DevOps CoE?
What is DevOps? What is DevOps CoE?
 

Kürzlich hochgeladen

Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 

Kürzlich hochgeladen (20)

Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 

DevSecCon KeyNote London 2015

  • 1. LONDON 2015
    Join the conversation #devseccon
    Securing Innovation @ Speed & Scale via DevSecOps
    DEVSECCON LONDON 2015
    @devsecops
  • 2. Who am I?
    • 25+ yrs Technology & Security Experience
    • Background in Security R&D
    • Working with the Cloud before it was called the “Cloud”
    • Manage teams using DevOps, Agile & Scrum
    • Incident Response & Crisis Management
    -- FOUNDER --
  • 3. The Race for Competitive Advantage…
    Indicators that demonstrate change:
    • Tailoring business to the needs of customers to achieve large-scale business returns is driving Cloud & DevOps adoption
    • Small businesses and entrepreneurs are enabled to compete in complex business models with boutique appeal against Enterprises
    • High performing teams are being developed and incubated in Enterprises to mimic the DevOps teams found in Start-ups.
  • 4. Startups on the Rise in 2015…
    From 1996 to 2015:
    • Increase in Startups in 2015 shows rebound
    • Entrepreneurs over 55 have nearly doubled
    • Significant rise in Immigrant Entrepreneurs
    • New Entrepreneurs are on the rise again
    • More men than women are becoming first-time Entrepreneurs
    kauffman.org
  • 5. DevOps Growth…
    Google Trends
    • DevOps.com was bought in 2004
    • Google searches for “DevOps” started to rise in 2010
    • Major influences:
      • Saving your Infrastructure from DevOps / Chicago Tribune
      • DevOps: A Culture Shift, Not a Technology / Information Week
      • DevOps: A Sharder’s Tale from Etsy
      • DevOps.com articles
    • RuggedSoftware.org was bought in 2010
    https://www.google.com/trends/
  • 6. Cloud Security Boom…
    • Cloud Platform security features are on the rise the last few years
    • Security in the Cloud is becoming the norm
    • Default configurations are still not quite there but will become the focus with growing thought leadership
    • Cloud Providers must solve for providing security features that scale
    • Security teams need to learn to use these features quickly
    [Chart: years 2007–2015 on the x-axis; values 48, 61, 82, 159, 280, 514, ?; source: AWS re:Invent 2015]
  • 7. Big Data?
    • Reflecting on this 2013 article
    • Devices & IoT drive bigger data
    • Instrumentation <- Security needs this
    • Asset management & monitoring
    • Service Support
    http://www.enterprisecioforum.com/big-data-case-study-utilities/
  • 8. DevOps increases speed & scale…
    This collaborative effort can help DevOps-led projects make IT operational metrics 100 times better, and in so doing offers “an evolutionary fork in the road” which could lead to the “end of security as we know it,” added Joshua Corman – founder of Rugged DevOps and I am the Cavalry.
    http://www.infosecurity-magazine.com/news/infosec15-devops-end-of-security
  • 9. So what hinders “secure” innovation @ speed & scale?
    1. Friction for friction’s sake
    2. Manual processes & meeting culture
    3. Point in time assessments
    4. Decisions being made outside of value creation
    5. Contextual misunderstandings
    6. Late constraints and requirements
    7. Big commitments, big teams, and big failures
    8. Fear of failure, lack of learning
    9. Lack of inspiration
    10. Management and political interference (approvals, exceptions)
  • 10. And then there’s… Security & Compliance!
    • The discipline is very complex
    • Majority of the Security Industry is Vendor dependent
    • Requires Meetings, Appointments, and Point in Time evaluations with low context
    • Requirements are dependent on what is developed
    • The art of “No” has become its own science
  • 11. Can Security evolve?
    [Diagram labels: OPS, SEC, DEV, AppSec]
    • Security as Code
    • Self-Service Testing
    • Red Team/Blue Team
    • Inline Enforcement
    • Analytics & Insights
    • Detect & Contain
    • Incident Response
    • Investigations
    • Forensics
  • 12. What’s the DevSecOps Mission?
    …creating targeted customer value through secure iterative innovation at speed & scale…
    Security is Everyone’s Job!
  • 13. What should we value to evolve Security for DevOps?
    • Leaning in over Always Saying “No”
    • Data & Security Science over Fear, Uncertainty and Doubt
    • Open Contribution & Collaboration over Security-Only Requirements
    • Consumable Security Services with APIs over Mandated Security Controls & Paperwork
    • Business Driven Security Scores over Rubber Stamp Security
    • Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
    • 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
    • Shared Threat Intelligence over Keeping Info to Ourselves
    • Compliance Operations over Clipboards & Checklists
    In essence, don’t waste people’s time with Fear -> Uncertainty -> Doubt
    devsecops.org
  • 14. Imagine adding Security into the DevOps pipeline…
    [Diagram labels: Security Self-Service; skills: Biz, UX, Dev, Data, App Sec, Sec Eng, Science, Comp Ops, Sec Ops, Ops, Training; layers: Software & Infrastructure Platforms, Software Components & Resources, YOUR APP STACK GOES HERE, Operational Tools & Monitoring; collaboration, partnership, value creation, self-service (DevOps, Agile, Scrum, Cloud)]
  • 15. The Art of DevSecOps (Security View)
    DevSecOps:
    • Security Engineering: Experiment, Automate, Test
    • Security Operations: Hunt, Detect, Contain
    • Compliance Operations: Respond, Manage, Train
    • Security Science: Learn, Measure, Forecast
  • 16. Can we make it simple? Yes!
    • Smaller Teams
    • Smaller Services
    • Smaller Failures
    • REST APIs drive culture
    • Customer focus
    • Deep problem understanding throughout org
    • Deliberate dedication to solving and simplifying tech challenges
    • Products and Services have security built-in along the supply chain
    • Security removes barriers and roadblocks as self-service for DevOps
    • Managers map, magnify and multiply to create culture blast radius
  • 17. How can we get started?
    Small Project: Approach is tailored to small experiments and pipeline testing.
      Pros:
      • Requires DevOps Approach
      • Fast failures
      • Team learns to collaborate
      • Higher Productivity, Less waste
      Cons:
      • Skill shortages
      • Team needs vision to avoid micro-focus churn
    Migration: Approach allows organization to map and adjust for what they already know.
      Pros:
      • Allows companies to keep operating while teams figure out what’s needed
      Cons:
      • Overload
      • Can be slower to accomplish completion
      • Failures can become complex
    Big Project: Approach is “all-in” and used to transform an organization as a whole.
      Pros:
      • Firm commitment alleviates political back and forth
      • Focus & All-in Speed
      Cons:
      • Bigger Failures
      • Difficult for everyone to learn from mistakes and experiments
  • 18. Small Project -> The Provocation
    How can we transform a control into a self-aware, self-reporting, self-healing component that can be consumed at speed & scale?
    Our challenge is to begin the process of creating self-aware and self-reporting components. This process can be achieved using configuration management tools, open source and log management systems. Let’s work with the IA Controls from NIST 800-53 today and use the implementation of MFA as an example. Specifically, IA-2 calls for multi-factor authentication, which is available in some Software Defined Environments as a feature. Let’s look at how we can enable MFA within our Stack and the different use cases that are present and require security baseline components.
    Questions to answer:
    1. How can baseline components be shared and extended?
    2. Once the component is ready to be used, implemented, then what?
    3. What about the feedback loop?
    4. What is the best way to create an automated report that is continuously built and maintained?
    5. How can we report across a full-stack?
    6. What tools can assist?
    [Diagram labels: FW ?, Web ?]
    Compliance at Velocity (https://medium.com/compliance-at-velocity)
  • 19. Migrations -> One foot in… One foot out...
    [Diagram labels: Traditional IT & Security: Web, App, Web DB, App DB, FW/IDS, FW/IDS; DevOps + DevSecOps: ELB, App ELB, DBAAS, App DBAAS]
  • 20. Big Project -> The Hail Mary
    [Diagram labels: Traditional IT & Security: Web, App, Web DB, App DB, FW/IDS, FW/IDS; DevOps? + DevSecOps?: Web, App, Web DB, App DB, FW/IDS, FW/IDS; What is this?]
  • 21. Why is the approach so important?
    • API KEY EXPOSURE -> 8 HRS
    • DEFAULT CONFIGS -> 24 HRS
    • SECURITY GROUPS -> 24 HRS
    • ESCALATION OF PRIVS -> 5 D
    • KNOWN VULN -> 8 HRS
  • 22. So let’s recap before we move on to examples…
    DevSecOps needs:
    • Active Collaboration
    • High Engagement
    • Experimentation
    • Open Contribution
    • Fail Fast Culture
    • Ability to adapt and learn
    • DevOps Understanding
    • Focusing on Simplicity
    Not this one… This one!!
  • 23. Perimeter Testing
    THEN: PCI DSS 1.1.1 – Approve/Test/Detect firewall changes
      Labor: 40 hours/Annually
      Tools: Excel, Text Pad, Open Source or Commercial Config Management
      Measure: Certify annually
      Impact: High
    NOW: Scan API, ingest Config/CloudTrail, trigger firewall audits and revert unapproved changes to heal to spec
      Labor: 40 hours/First Year, 8 hours per yr maintain
      Tools: APIs, Logs, Open Source, Commercial
      Measure: Mean time to Detection, Mean time to Resolve
      Impact: Depends on Resource
  • 24. Configuration Management/Baselines
    THEN: PCI DSS 2.2 – Develop & Assure configuration standards for all system components.
      Labor: 40 hours/Annually/Per Major Component
      Tools: Excel, Text Pad, Open Source or Commercial Config Management
      Measure: Certify annually
      Impact: High
    NOW: Track known good CF stacks & AMIs, alert or neutralize non-compliant/non-approved deploys
      Labor: 40 hours/First Year, 1 hour per yr maintain/Per Component
      Tools: APIs, Logs, Open Source, Commercial
      Measure: Mean time to Detection, Mean time to Resolve
      Impact: High
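The NOW column on the two slides above describes one loop: scan the API, ingest Config/CloudTrail, report unapproved firewall changes and non-approved deploys, revert them to heal to spec, and measure mean time to detection. The following is an added example of that loop over a constructed event stream; it is not code from the deck or from devsecops.org. The event layout is a simplified CloudTrail shape, every group ID, AMI ID, user name and timestamp is an assumption, and the revert entries are shaped as boto3 EC2 revoke_security_group_ingress keyword arguments without being applied.

```python
"""Self-healing firewall control for the THEN/NOW slides: an added example, not code
from the DevSecCon deck. It replays constructed, simplified CloudTrail-style events
against an approved spec, reports drift (PCI DSS 1.1.1 firewall changes, PCI DSS 2.2
known-good AMIs), builds revert actions to heal to spec and measures time to detect."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Approved spec: the only ingress rules (protocol, port, CIDR) allowed per group.
APPROVED_INGRESS = {"sg-web": {("tcp", 443, "0.0.0.0/0"), ("tcp", 80, "0.0.0.0/0")}}
APPROVED_AMIS = {"ami-approved-web-001"}   # known-good AMI baseline (constructed id)
NOW = datetime(2015, 11, 1, 9, 30, tzinfo=timezone.utc)  # constructed audit time

def _sg_event(when, name, user, gid, proto, port, cidr):
    return {"eventTime": when, "eventName": name, "userIdentity": {"userName": user},
            "requestParameters": {"groupId": gid, "ipPermissions": [
                {"ipProtocol": proto, "fromPort": port, "toPort": port, "cidrIp": cidr}]}}

# Constructed stream of simplified single-port events: an unapproved SSH rule, a deploy
# from an unknown AMI, and a DB rule added then revoked (already healed, no finding).
EVENTS = [
    _sg_event("2015-11-01T09:00:00Z", "AuthorizeSecurityGroupIngress", "alice",
              "sg-web", "tcp", 22, "0.0.0.0/0"),
    {"eventTime": "2015-11-01T09:05:00Z", "eventName": "RunInstances",
     "userIdentity": {"userName": "bob"}, "requestParameters": {"imageId": "ami-unknown-999"}},
    _sg_event("2015-11-01T09:10:00Z", "AuthorizeSecurityGroupIngress", "carol",
              "sg-web", "tcp", 3306, "10.0.0.0/8"),
    _sg_event("2015-11-01T09:12:00Z", "RevokeSecurityGroupIngress", "carol",
              "sg-web", "tcp", 3306, "10.0.0.0/8"),
]

@dataclass(frozen=True)
class Finding:
    control: str             # control the drift violates
    resource: str            # security group or AMI id
    actor: str               # user attribution taken from the event
    detail: str
    seconds_to_detect: float
    rule: tuple = None       # (proto, port, cidr) for firewall drift only

def _age(ev, now):
    t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (now - t).total_seconds()

def audit(events, now, spec=APPROVED_INGRESS, amis=APPROVED_AMIS):
    """Return open drift findings, oldest first; rules revoked again are not reported."""
    open_drift, findings = {}, []        # (group, rule) -> event that introduced it
    for ev in events:
        name, p, who = ev["eventName"], ev["requestParameters"], ev["userIdentity"]["userName"]
        if name in ("AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"):
            gid = p["groupId"]
            for perm in p["ipPermissions"]:
                rule = (perm["ipProtocol"], perm["fromPort"], perm["cidrIp"])
                if rule not in spec.get(gid, set()):        # in-spec rules are never drift
                    if name.startswith("Authorize"):
                        open_drift[(gid, rule)] = ev         # unapproved rule is now live
                    else:
                        open_drift.pop((gid, rule), None)    # revoked: drift is closed
        elif name == "RunInstances" and p["imageId"] not in amis:
            findings.append(Finding("PCI DSS 2.2", p["imageId"], who,
                                    "deploy from AMI outside known-good baseline", _age(ev, now)))
    for (gid, rule), ev in open_drift.items():
        findings.append(Finding("PCI DSS 1.1.1", gid, ev["userIdentity"]["userName"],
                                f"unapproved ingress {rule}", _age(ev, now), rule))
    return sorted(findings, key=lambda f: -f.seconds_to_detect)

def heal_plan(findings):
    """Revert actions to heal to spec; firewall entries are boto3 revoke_security_group_ingress kwargs."""
    plan = []
    for f in findings:
        if f.rule is not None:
            proto, port, cidr = f.rule
            plan.append({"action": "revoke_security_group_ingress", "GroupId": f.resource,
                         "IpProtocol": proto, "FromPort": port, "ToPort": port, "CidrIp": cidr})
        else:
            plan.append({"action": "alert", "resource": f.resource, "reason": f.detail})
    return plan

def mean_time_to_detect(findings):
    # The NOW-column metric from the slides, in seconds (0.0 when nothing is open).
    return sum(f.seconds_to_detect for f in findings) / len(findings) if findings else 0.0
```

Applying the plan against the live API, and logging that it was applied, is what closes the feedback loop the slides ask about; the block stops at producing the plan so it runs offline.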
  • 25. Encrypting Sensitive Data
    THEN: HIPAA 164.312(a)(2)(iv): Implement a method to encrypt and decrypt electronic protected health information.
      Labor: 1 FTE minimum per 3 DevOps Teams
      Tools: Commercial, Open Source
      Measure: Certify annually
      Impact: High
    NOW: Enforce encryption of all assets by platform or data classification tags. Continuous enforcement and automated detection.
      Labor: 8 hours
      Tools: APIs, Logs, Open Source, Commercial
      Measure: Mean time to Detection, Mean time to Resolve
      Impact: High
  • 26. Access Management
    THEN: NIST 800-53 AC-2(12) – Monitor and report atypical usage of information system accounts.
      Labor: 1 FTE minimum
      Tools: Commercial, Open Source
      Measure: Certify quarterly, annually
      Impact: High
    NOW: CloudTrail/Config user attribution of use/abuse, ability to reduce team size and allow for smaller containers
      Labor: 40 hours Dev, 8 hours Maintain
      Tools: APIs, Logs, Open Source, Commercial
      Measure: Mean time to Detection, Mean time to Resolve
      Impact: High
  • 27. Multi-Factor Authentication
    THEN: NIST 800-53 IA-2 – The information system uniquely identifies and authenticates organizational users
      Labor: 1 FTE minimum
      Tools: Commercial, Open Source
      Measure: Certify annually
      Impact: High
    NOW: MFA built into APIs and Cloud Platforms can be exposed for authorization decisions
      Labor: 1 hour per week
      Tools: APIs, Logs, Open Source, Commercial
      Measure: Mean time to Resolve
      Impact: High
    Global Call to Action 2015
  • 28. Get Involved and Join the Community
    • devsecops.org
    • @devsecops on Twitter
    • DevSecOps on LinkedIn
    • DevSecOps on Github
    • RuggedSoftware.org
    • Compliance at Velocity
    • Join Us !!!
    • Spread the word!!!