2. Always an Early Adopter
Google Trends
• DevOps.com was bought in 2004
• Google searches for “DevOps” started to rise in 2010
• Major influences:
– Saving your Infrastructure from DevOps / Chicago Tribune
– DevOps: A Culture Shift, Not a Technology / Information Week
– DevOps: A Sharder’s Tale from Etsy
– DevOps.com articles
• RuggedSoftware.org was bought in 2010
https://www.google.com/trends/
5. This is the End of Security as We Know It…
Say what?!??!
6+ years later, it’s hard to believe we’re still shocked by this quote!
This talk will provide you with a path forward…
And a survival kit...
-Josh Corman
6. An Ugly Little Secret
• DevOps teams make security decisions… several times, every day!
• Hackers find security issues and exploit them... several times, every day!
• Security teams hardly ever make security decisions... and really only when risks need to be officially authorized!
https://www.flickr.com/photos/denise_rowlands
7. In a Deming World…
• Most decisions are made within the software supply chain by engineering teams
• Security decisions are usually made as a result of attempting to balance design constraints
• Gating processes are not Deming-like; but it is hard to avoid business catastrophes by applying measure-ahead strategies for security
• Most security defects are identified during a major event triggering the equivalent of a security “recall”
[Diagram: pipeline stages design → build → deploy → operate, with the questions posed along the pipeline: “How do I secure my app?”, “What component is secure enough?”, “How do I secure secrets for the app?”, “Is my app getting attacked? How?”. Typical gates for security checks & balances sit between the phases. Mistakes and drift often happen after the design and build phases; the most costly mistakes happen during design. A much-needed feedback loop from operate back to design is missing.]
8. Hackers have lots of opportunities…
People
• Susceptible to phishing and email scams
• Can be social engineered
Process
• Humans make mistakes, because they are human (6 Sigma)
• Process gaps provide room for fraud
Technology
• Software complexity increases with reusable components
• Technology providers have to do their part, or everyone fails!
9. Get Grounded in Reality
• Secure business is the new black! KTLO!
• Everyone must be responsible for security!
• Perfection is over-rated… Mistakes are inevitable.
• Reacting can be costly… build security in.
• Compliance is important but it’s not security!
• A blaming culture is dangerous, avoid it!
• Continuously test, detect, measure and incrementally improve.
10. Keep The Lights On!
• Keeping the Lights on includes Security…
• 66% of companies adopting DevOps
• DevOps teams need guardrails and guidelines to move fast
• Security decisions that haven’t been made before likely require escalation
https://www.flickr.com/photos/darwinbell
http://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2015-state-cloud-survey
11. Enlist Everyone!
• Common ratio for Dev, Ops and Sec => 100, 10, 1
• Numbers matter against attackers!
• Skills help, but anyone can identify an anomaly.
• Everyone needs to help with security; everyone has a role to play. And this is hard to find...
12. Mistakes happen…
• DevOps teams utilize customer-driven development processes with incremental changes… Mistakes just happen.
• But because of frequent changes, teams have more opportunities to correct defects, on average 30x more
• Teams need help deciphering how to self-correct
https://www.flickr.com/photos/doobybrain
13. Protection is ideal; Detection is a must!
• The faster a defect is discovered, the faster it can be dealt with.
• DevOps has 50% faster MTTR
• Transforming security events into incidents and problems helps with resolution rates
https://www.flickr.com/photos/daoro
14. Compliance Programs won’t stop a breach
• Point in time assessments don’t go far enough
• 0 companies (in 10 years) have been found compliant after a breach
• Compliance needs to be paired with rugged security
http://www.slideshare.net/VerizonEnterpriseSolutions/webinar-new-insights-to-simplify-pci-compliance-and-manage-risk
15. High Performing is where it’s at!
• High performing teams that focus on a blameless culture improve on average 50% better
• Blaming cultures create less engagement, 30% less efficient
• MTTR is 5x faster in blameless teams that focus on opportunities first
16. Continuous Improvement
• Continuous improvement has been a goal for countless years
• Teams that focus on testing, early detection, and measuring progress have 30% fewer defects in production
• Tests are often added to continuous delivery to achieve better results throughout the continuous delivery pipeline
https://www.flickr.com/photos/deniscollette
17. Great! What does this look like in practice for a security professional?
Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
20. Get Involved and Join the Community
• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity
• Join Us !!!
• Spread the word!!!