Nadira, DevSecOps Indonesia Community Leader
1 Year Journey DevSecOps Indonesia
ABOUT ME
•Regional Director Hysn Technologies and Practical DevSecOps
•DevSecOps Indonesia Community Leader
•Speaker, Trainer & Independent Consultant.
•Speaker at DevSecCon Singapore
•9 years of experience in the Governance, Risk and Compliance area
•Passionate about building community
•Love travelling and networking
•Contact me
•Linkedin : bajrei.nadira@gmail.com
•Telegram : nadirabajrei
•Twitter :@nadirabajrei1
Nadira Bajrei
ABOUT DEVSECOPS INDONESIA
Since 02 November 2018 | 1068 Members
•Purpose: Community for open discussion on application security
•Rule: No rules, but please avoid spamming
•Value: Share, learn and respect each other's opinions
Join us on Telegram : DevSecOpsIndonesia
DevSecOps Meetup History
Meetup 1: August 2019
Host : Bank Mandiri
Participants : 103
Speakers :
1. Suman Sourav (VP Security Lazada)
2. Amien Harisen (CEO Tjakrabirawa)
Meetup 2: September 2019
Host : PT. Megaxus
Participants : 45
Speakers :
1. Rusdi Rachim (CISO Indosat)
2. Vandy (VP Security Bukalapak)
Meetup 3: October 2019
Host : BukaLapak
Participants : 34
Speakers :
1. Mohammed A. Imran (CTO Practical DevSecOps)
2. Vandy (VP Security Bukalapak)
Meetup 4: November 2019
Host : tiket.com
Participants : 80
Speakers :
1. Erick (Cyber Security Consultant KPMG)
2. Ari Apridana (IT Security tiket.com)
Meetup 5: December 2019
Host : Indosat
Participants : -
Speakers :
1. Joko Moro (GRC Blibli)
2. Nadira (Reg. Dir. Hysn Tech)
2020 Meetup Plan
Meetup 6: January 2020
Host : blibli.com
Participants : -
Speakers : -
Meetup 7: February 2020
Host : Deloitte Consulting
Participants : -
Speakers : -
Meetup 8: March 2020
Host : F5
Participants : -
Speakers : -
Meetup 9: April 2020
Host : -
Participants : -
Speakers : -
Meetup 10: May 2020
Host : -
Participants : -
Speakers : -
Meetup 11: June 2020
Host : -
Participants : -
Speakers : -
What Does DevSecOps Indonesia Need?
•Call for Host
•Call for Speaker
•Call for Volunteer
Please reach out to me by email: bajrei.nadira@gmail.com or on Telegram: @nadirabajrei
DevSecOps Indonesia
Collaborate with
Agile community
Bank Mandiri
DevSecOps Indonesia
Collaborate with
PT. Megaxus Infotech
DevSecOps Indonesia
Collaborate with
bukalapak.com
DevSecOps Indonesia
Collaborate with
tiket.com
Our Hosts
Many more…
Nadira, Regional Director Hysn Technologies
How to build the right culture
Agenda
1. What is DevSecOps?
2. Why DevSecOps is Important?
3. How to implement DevOps Values?
4. DevOps Increases Agility & Stability
5. QnA
1. What is DevSecOps?
•In simple words, it's about bringing security practices into DevOps
•Security is everybody's responsibility (Dev, Ops, Sec)
•What is DevOps then?
•A cultural and professional movement that stresses communication, collaboration and integration between software developers, IT Operations and other professionals while automating the process of software delivery and infrastructure changes.
to build on the mindset that ‘everyone is responsible for security’ with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.
DevOps will complement Agile to break the “silos” and achieve better Business-IT alignment, increased delivery certainty, faster speed to market and more secure applications.
[Figure: walls (silos) separating Customers, Development, IT Operations and IT Security. Customers want flexibility, Development wants change, IT Operations wants stability, IT Security wants security. Labels: Create Flexibility, Improve time to market; Create Stability, Enhance Services; Create Security, Enhance security service, Security as a code; Create effective change, Add/modify features. Layers: Agile Dev, DevOps, DevSecOps.]
[Figure: delivery pipeline with the stages Build, Integrate, Test, Deploy, Release, Operate, showing the span of Agile Development, Continuous Integration, Continuous Delivery, Continuous Deployment and DevOps/DevSecOps, with a business decision to go live. Security labels: Security as a code, Shift left security testing.]
2. Why DevSecOps is Important?
DEV / OPS / SEC: 100 / 10 / 1
DevSecOps Benefit?
3. How to implement DevOps Values?
DevOps Core Values: CALMS
•Culture: Culture change is never easy, but without culture change all practices fail
•Automation: Automation alone cannot give you DevOps - but cannot succeed without it and avoid tools that enforce
•Lean: Creates more value for customer with fewer resources and less waste
•Measure: If you can’t measure it, you can’t improve it
•Sharing: Sharing to enhance collaboration and tight integration between business, developer, operation and also security
Characteristics of DevOps Culture
• Shared vision, goals and incentives
• Open, honest, two-way communication
• Collaboration
• Respect
• Trust
• Transparency
• Continuous improvement
• Data driven
• Safe
• Reflection
• Recognition
DevOps Values - Culture
*To achieve it we should shift thought and behaviour, and build a culture of safe failure and a culture of continuous improvement
Culture change is never easy
1. You can’t change people, they can only change themselves
2. Change almost always takes longer and costs more than expected
3. Stakeholder involvement is critical
4. People who participate in what and how to change decisions are far more likely to accept change
DevOps Values - Culture
The Stages of Change Acceptance
DevOps Values - Culture
Q: What is critical?
A: Communication
1. A DevOps culture requires timely and effective communication
2. Shared tools facilitate timely and meaningful communication
• Chat platform
• Task managers
• Social tools
• Alert management tools
• Knowledge sharing platform
DevOps Values - Automation
1. Architect before automating
2. Assess our existing tools and automation capabilities
3. Identify critical gaps
4. Seek vendor for POC
5. Automate high value and repetitive work
6. Optimise workflow bottlenecks
*Do not underestimate the effort and cost of building a toolchain from open source applications. Open source is not necessarily free: you need to modify the source to fit your needs*
When adopting automation, avoid tools that enforce silos
HOW?
[Figure: Agile - CI and DevSecOps across the stages Plan, Develop, Build, Test, Deploy, Operate, with an objective and tools for each stage.]
Objectives:
•Plan: Backlog grooming, define user stories, burn-down charts, security requirements
•Develop: Develop apps and services using version control, traceability, and CI
•Build: Manage, track and document all changes to application and configuration management
•Test: Automate test script execution including regression, user acceptance and security
•Deploy: Deploy apps and provision environments using automation & standardised configurations
•Operate: Measure performance of environment and application
Security within software lifecycle
Plan Develop Test Deploy Operate
Security Req. Source Code Review VA/Pentest SIEM
Security Hardening
Antivirus
Patch Management
Security Awareness
Security guy as SME
DevOps Values - Lean
Muda - Waste
Simple statement to identify waste:
“If you are not adding value, then you are adding waste”
How do we eliminate waste?
✓ Start finishing, stop starting, or limit WIP (work in progress)
✓ Avoid hand-overs.
Mura - Reduce inconsistency
✓ Make everything as simple as possible
Muri - Overburden
It represents the activities where processes, people, or machines are pushed beyond a reasonable limit.
✓ Remove bottlenecks
DevOps Values - Measure
•Speed: Change Lead and Cycle Times; Deployment frequency; Deployment Speed
•Quality: Change failure rate; Deployment success rate; Incidents and Defects
•Stability: Mean time to detect incident (MTTD); Mean Time to Recover (MTTR) - Component; Mean time to restore service (MTRS) - Service
•Culture: Retention & loyalty; Engagement; Knowledge Sharing
Make it Visible, Enable Transparency
Use the same dashboard for Dev, Ops, Sec, even Business
4. DevOps Increases Agility & Stability
DevOps Increasing Agility & Stability
•High performing teams deploy more frequently and have much faster lead times
•They make changes with fewer failures, and recover faster from failures
•High performing teams spend less time fixing security issues
Strategies for Building DevSecOps Culture
Develop a culture
✓ Embrace transparency & openness
Establish strong feedback loop
✓ Facilitate team with collaboration platform
Create Security Champion
✓ Identify individuals that understand security within both the Dev and the Ops groups.
Team Autonomy
✓ Successful DevSecOps leaders empower their teams and give them the authority to determine many of their own processes and tools based on their needs.
Put “Sec” In Silent
✓ Integrate the “sec” aspect in the pipeline and make sure it does not stop the build
5. QnA
Build the right culture in DevSecOps

Contenu connexe

Tendances

DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps SecRubal Jain
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018Sonatype
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introductionStefan Streichsbier
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..Siddharth Joshi
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsPriyanka Aash
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowDevOps.com
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...Mohamed Nizzad
 

Tendances (20)

DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps Sec
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introduction
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOps
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and How
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
 

Similaire à Build the right culture in DevSecOps

DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon
 
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...Turja Narayan Chaudhuri
 
ITpreneurs’ DevOps Portfolio- Professionalizing DevOps Skills
ITpreneurs’ DevOps Portfolio- Professionalizing DevOps SkillsITpreneurs’ DevOps Portfolio- Professionalizing DevOps Skills
ITpreneurs’ DevOps Portfolio- Professionalizing DevOps SkillsITpreneurs
 
DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...
DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...
DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...Turja Narayan Chaudhuri
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenNadira Bajrei
 
DevSecOps-Explained-converted.pptx
DevSecOps-Explained-converted.pptxDevSecOps-Explained-converted.pptx
DevSecOps-Explained-converted.pptxGurajalanaganarasimh
 
DevOps Journey_Distributed_Delivery
DevOps Journey_Distributed_DeliveryDevOps Journey_Distributed_Delivery
DevOps Journey_Distributed_DeliveryJeevan T.M.
 
DevOps Culture transformation in Modern Software Delivery
DevOps Culture transformation in Modern Software DeliveryDevOps Culture transformation in Modern Software Delivery
DevOps Culture transformation in Modern Software DeliveryNajib Radzuan
 
Observability in serverless solutions
Observability in serverless solutionsObservability in serverless solutions
Observability in serverless solutionsLeonardo Murillo
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Eryk Budi Pratama
 
Continuous Security / DevSecOps- Why How and What
Continuous Security /  DevSecOps- Why How and WhatContinuous Security /  DevSecOps- Why How and What
Continuous Security / DevSecOps- Why How and WhatMarc Hornbeek
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015Shannon Lietz
 
Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?Security Innovation
 
ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015Shannon Lietz
 
The complexity in the simplicity of Agile? by Arie van Bennekum
The complexity in the simplicity of Agile? by Arie van BennekumThe complexity in the simplicity of Agile? by Arie van Bennekum
The complexity in the simplicity of Agile? by Arie van BennekumAgile ME
 
Making devops business as usual
Making devops business as usualMaking devops business as usual
Making devops business as usualGraham Dick
 

Similaire à Build the right culture in DevSecOps (20)

DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
 
Securing DevOps Lifecycle
Securing DevOps LifecycleSecuring DevOps Lifecycle
Securing DevOps Lifecycle
 
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
 
ITpreneurs’ DevOps Portfolio- Professionalizing DevOps Skills
ITpreneurs’ DevOps Portfolio- Professionalizing DevOps SkillsITpreneurs’ DevOps Portfolio- Professionalizing DevOps Skills
ITpreneurs’ DevOps Portfolio- Professionalizing DevOps Skills
 
DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...
DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...
DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien Harisen
 
DevSecOps-Explained-converted.pptx
DevSecOps-Explained-converted.pptxDevSecOps-Explained-converted.pptx
DevSecOps-Explained-converted.pptx
 
DevOps Journey_Distributed_Delivery
DevOps Journey_Distributed_DeliveryDevOps Journey_Distributed_Delivery
DevOps Journey_Distributed_Delivery
 
DevOps Culture transformation in Modern Software Delivery
DevOps Culture transformation in Modern Software DeliveryDevOps Culture transformation in Modern Software Delivery
DevOps Culture transformation in Modern Software Delivery
 
Devops
DevopsDevops
Devops
 
Observability in serverless solutions
Observability in serverless solutionsObservability in serverless solutions
Observability in serverless solutions
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)
 
Continuous Security / DevSecOps- Why How and What
Continuous Security /  DevSecOps- Why How and WhatContinuous Security /  DevSecOps- Why How and What
Continuous Security / DevSecOps- Why How and What
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
 
DevSecCon Keynote
DevSecCon KeynoteDevSecCon Keynote
DevSecCon Keynote
 
Enabling The DevOps Culture At Organization
Enabling The DevOps Culture At OrganizationEnabling The DevOps Culture At Organization
Enabling The DevOps Culture At Organization
 
Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?
 
ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015
 
The complexity in the simplicity of Agile? by Arie van Bennekum
The complexity in the simplicity of Agile? by Arie van BennekumThe complexity in the simplicity of Agile? by Arie van Bennekum
The complexity in the simplicity of Agile? by Arie van Bennekum
 
Making devops business as usual
Making devops business as usualMaking devops business as usual
Making devops business as usual
 

Dernier

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 

Dernier (20)

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 

Build the right culture in DevSecOps

  • 1. Nadira, DevSecOps Indonesia Community Leader 1 Year Journey DevSecOps Indonesia
  • 2. ABOUT ME •Regional Director Hysn Technologies and Practical DevSecOps •DevSecOps Indonesia Community Leader •Speaker, Trainer & Independent Consultant. •Speaker at DevSecCon Singapore •9 years experience Governance, Risk and Compliance Area •Passionate on building community •Love travelling and networking •Contact me •Linkedin : bajrei.nadira@gmail.com •Telegram : nadirabajrei •Twitter :@nadirabajrei1 Nadira Bajrei
  • 3. Purpose Rule Value Community for open discussion on application security No rules but please avoid spamming Share, Learn and Respect each other opinion ABOUT DEVSECOPS INDONESIA Since 02 November 2018 | 1068 Members Join us on Telegram : DevSecOpsIndonesia
  • 4. DevSecOps Meetup History 1 2 3 4 5 August 2019 Host : Bank Mandiri Participant : 103 person Speaker : 1. Suman Sourav (VP Security Lazada 2. Amien Harisen (CEO Tjakrabirawa) September 2019 Host : PT. Megaxus Participant : 45 person Speaker : 1. Rusdi Rachim (CISO Indosat) 2. Vandy (VP Security Bukalapak October 2019 Host : BukaLapak Participant : 34 person Speaker : 1. Mohammed A. Imran (CTO Practical DevSecOps 2. Vandy (VP Security Bukalapak November 2019 Host : tiket.com Participant : 80 person Speaker : 1. Erick (Cyber Security Consultant KPMG) 2. Ari apridana (IT Security tiket.com) December 2019 Host : Indosat Participant : - person Speaker : 1. Joko Moro (GRC Blibli) 2. Nadira (Reg, Dir Hysn Tech)
  • 5. 2020 Meetup Plan 6 7 8 9 10 January 2020 Host : blibli.com Participant : - Speaker : - 11 February 2020 Host : Delloite Consulting Participant : - Speaker : - March 2020 Host : F5 Participant : - Speaker : - April 2020 Host : - Participant : - Speaker : - May 2020 Host : - Participant : - Speaker : - Juni 2020 Host : - Participant : - Speaker : - What DevSecOps Indonesia Need? •Call for Host •Call for Speaker •Call for Volunteer Please reach me out to my email: bajrei.nadira@gmail.com or telegram: @nadirabajrei
  • 11. Nadira, Regional Director Hysn Technologies How to build the right culture
  • 12. Agenda
      1. What is DevSecOps?
      2. Why DevSecOps is Important?
      3. How to implement DevOps Values?
      4. DevOps Increases Agility & Stability
      5. QnA
  • 14. What is DevSecOps?
      • In simple words, it's about bringing security practices into DevOps
      • Security is everybody's responsibility (Dev, Ops, Sec)
      • What is DevOps then?
      • A cultural and professional movement that stresses communication, collaboration and integration between software developers and IT Operations and other professionals while automating the process of software delivery and infrastructure changes.
  • 15. to build on the mindset that ‘everyone is responsible for security’ with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.
  • 16. DevOps will complement Agile to break the “silos” and achieve better Business-IT alignment, increased delivery certainty and faster speed to market, and deliver more secure applications.
      [Diagram: Customers (wanting flexibility), Development (wanting change), IT Operations (wanting stability) and IT Security (wanting security), separated by walls. Labels: Create flexibility, improve time to market; Create effective change, add/modify features; Create stability, enhance services; Create security, enhance security service, security as code. Scopes: Agile Dev, DevOps, DevSecOps.]
  • 17. [Diagram: pipeline stages Build, Integrate, Test, Deploy, Release, Operate. Spans: Agile Development, Continuous Integration, Continuous Delivery, Continuous Deployment, DevOps/DevSecOps. Annotations: Business decision to go live; Security as code; Shift left security testing.]
  • 18. Why DevSecOps is Important? (Agenda 2)
  • 21. How to implement DevOps Values? (Agenda 3)
  • 22. DevOps Core Values (CALMS)
      • Culture: Culture change is never easy, but without culture change all practices fail
      • Automation: Automation alone cannot give you DevOps - but cannot succeed without it and avoid tools that enforce
      • Lean: Creates more value for customers with fewer resources and less waste
      • Sharing: Sharing to enhance collaboration and tight integration between business, developer, operation and also security
      • Measure: If you can’t measure it, you can’t improve it
  • 23. DevOps Values - Culture (CALMS): Characteristics of DevOps Culture
      • Shared vision, goals and incentives
      • Open, honest, two-way communication
      • Collaboration
      • Respect
      • Trust
      • Transparency
      • Continuous improvement
      • Data driven
      • Safe
      • Reflection
      • Recognition
      *To achieve it we should shift thought and behaviour, and build a culture of safe failure and also a culture of continuous improvement
  • 24. DevOps Values - Culture (CALMS): Culture change is never easy
      1. You can’t change people, they can only change themselves
      2. Change almost always takes longer and costs more than expected
      3. Stakeholder involvement is critical
      4. People who participate in what and how to change decisions are far more likely to accept change
  • 25. DevOps Values - Culture (CALMS): The Stages of Change Acceptance
      Q: What is critical? A: Communication
      1. A DevOps culture requires timely and effective communication
      2. Shared tools facilitate timely and meaningful communication
          • Chat platform
          • Task managers
          • Social tools
          • Alert management tools
          • Knowledge sharing platform
  • 26. DevOps Values - Automation (CALMS): When adopting automation, we avoid tools that enforce silos. How?
      1. Architect before automating
      2. Assess our existing tools and automation capabilities
      3. Identify critical gaps
      4. Seek vendor for POC
      5. Automate high value and repetitive work
      6. Optimise workflow bottleneck
      *Do not underestimate the effort and cost of building a toolchain from open source applications. Open source is not necessarily free; you need to modify the source to fit your needs*
  • 27. Agile - CI - DevSecOps: objective of each stage (Plan, Develop, Build, Test, Deploy, Operate)
      • Plan: Backlog grooming, define user story, burn-down charts, security requirement
      • Develop: Develop apps and services using version control, traceability, and CI
      • Build: Manage, track and document all changes to application and configuration management
      • Test: Automate test script execution including regression, user acceptance and security
      • Deploy: Deploy apps and provision environments using automation & standardised configurations
      • Operate: Measure performance of environment and application
  • 29. Security within software lifecycle
      • Stages: Plan, Develop, Test, Deploy, Operate
      • Security activities: Security Req., Source Code Review, VA/Pentest, SIEM, Security Hardening, Antivirus, Patch Management, Security Awareness
      • Security guy as SME
  • 30. DevOps Values - Lean (CALMS)
      • Muda - Waste. A simple statement to identify waste: “If you are not adding value, then you are adding waste”. How do we eliminate waste?
          ✓ Start finishing, stop starting, or limit WIP (work in progress)
          ✓ Avoid hand-overs
      • Mura - Reduce inconsistency
          ✓ Make everything as simple as possible
      • Muri – Overburden. It represents the activities where processes, people, or machines are pushed beyond a reasonable limit.
          ✓ Remove bottlenecks
  • 32. DevOps Values - Measure
      • Speed: Lead and cycle times; Deployment frequency; Deployment speed
      • Quality: Change failure rate; Deployment success rate; Incidents and defects
      • Stability: Mean time to detect incident (MTTD); Mean time to recover (MTTR) - Component; Mean time to restore service (MTRS) - Service
      • Culture Change: Retention & loyalty; Engagement; Knowledge sharing
      Make it visible, enable transparency: use the same dashboard for Dev, Ops, Sec, even Business
  • 33. DevOps Increases Agility & Stability (Agenda 4)
  • 34. DevOps Increasing Agility & Stability
      • High-performing teams deploy more frequently and have much faster lead times
      • They make changes with fewer failures, and recover faster from failures
      • High-performing teams spend less time fixing security issues
  • 35. Strategies for Building DevSecOps Culture (CALMS)
      • Develop a culture
          ✓ Embrace transparency & openness
      • Establish strong feedback loop
          ✓ Facilitate team with collaboration platform
      • Create Security Champion
          ✓ Identify individuals that understand security within both the Dev and the Ops groups.
      • Team Autonomy
          ✓ Successful DevSecOps leaders empower their teams and give them the authority to determine many of their own processes and tools based on their needs.
      • Put “Sec” In Silent
          ✓ Integrate the “sec” aspect in the pipeline and please make sure not to stop the build
  • 36. QnA (Agenda 5)