DevOps Connect: Josh Corman and Gene Kim discuss DevOpsSec

1,457 views

DevOps Connect event: Josh Corman and Gene Kim discuss DevOpsSec / Rugged DevOps at special RSA Conference sessions for DevOps community.

Published in: Technology

  1. #RSAC SESSION ID: Rugged DevOps: Going Even Faster With Software Supply Chains. Joshua Corman, CTO, Sonatype (@joshcorman). Gene Kim, Researcher and Author, IT Revolution Press (@RealGeneKim).
  2. Session ID: Gene Kim. Total time: 45 minutes. 15 min: where we've been (levelset the tribe). Josh: 7m, Gene: 13m.
  3. Session ID: CLD-106. Session Classification: Intermediate. Josh Corman, Gene Kim. VERY ROUGH 1ST Draft. Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed…
  4. ~ Marc Andreessen, 2011 (image slide; footer dated 10/23/2013)
  5. (image slide)
  6. Trade Offs: Costs & Benefits (image slide; footer dated 10/23/2013)
  7. Beyond Heartbleed: OpenSSL in 2014 (31 in NIST's NVD thru December)
     § CVE-2014-3470 6/5/2014 CVSS Severity: 4.3 MEDIUM ← SIEMENS *
     § CVE-2014-0224 6/5/2014 CVSS Severity: 6.8 MEDIUM ← SIEMENS *
     § CVE-2014-0221 6/5/2014 CVSS Severity: 4.3 MEDIUM
     § CVE-2014-0195 6/5/2014 CVSS Severity: 6.8 MEDIUM
     § CVE-2014-0198 5/6/2014 CVSS Severity: 4.3 MEDIUM ← SIEMENS *
     § CVE-2013-7373 4/29/2014 CVSS Severity: 7.5 HIGH
     § CVE-2014-2734 4/24/2014 CVSS Severity: 5.8 MEDIUM ** DISPUTED **
     § CVE-2014-0139 4/15/2014 CVSS Severity: 5.8 MEDIUM
     § CVE-2010-5298 4/14/2014 CVSS Severity: 4.0 MEDIUM
     § CVE-2014-0160 4/7/2014 CVSS Severity: 5.0 MEDIUM ← HeartBleed
     § CVE-2014-0076 3/25/2014 CVSS Severity: 4.3 MEDIUM
     § CVE-2014-0016 3/24/2014 CVSS Severity: 4.3 MEDIUM
     § CVE-2014-0017 3/14/2014 CVSS Severity: 1.9 LOW
     § CVE-2014-2234 3/5/2014 CVSS Severity: 6.4 MEDIUM
     § CVE-2013-7295 1/17/2014 CVSS Severity: 4.0 MEDIUM
     § CVE-2013-4353 1/8/2014 CVSS Severity: 4.3 MEDIUM
     § CVE-2013-6450 1/1/2014 CVSS Severity: 5.8 MEDIUM
     § …
     As of today, internet scans by MassScan reveal 300,000 of original 600,000 remain unpatched or unpatchable.
  8. Heartbleed + (UnPatchable) Internet of Things == ___ ? In Our Bodies. In Our Homes. In Our Infrastructure. In Our Cars.
  9. Sarcasm: I'm shocked!
  10. (image slide)
  11. I Am The Cavalry. The Cavalry isn't coming… It falls to us.
     Problem Statement: Our society is adopting connected technology faster than we are able to secure it.
     Mission Statement: To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust.
     Collecting: existing research, researchers, and resources. Connecting: researchers with each other, industry, media, policy, and legal. Collaborating: across a broad range of backgrounds, interests, and skillsets. Catalyzing: positive action sooner than it would have happened on its own.
     Why: Trust, public safety, human life. How: Education, outreach, research. Who: Infosec research community; a global, grass roots initiative. What: Long-term vision for cyber safety. Focus areas: Medical, Automotive, Connected Home, Public Infrastructure.
  12. The Rugged Manifesto. I am rugged... and more importantly, my code is rugged. I recognize that software has become a foundation of our modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security. I recognize these things - and I choose to be rugged. I am rugged because I refuse to be a source of vulnerability or weakness. I am rugged because I assure my code will support its mission. I am rugged because my code can face these challenges and persist in spite of them. I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
  13. The Rugged Manifesto (repeat of slide 12).
  14. Our Goals
     § Play Mad Chemists
     § The Best & Brightest of DevOps
     § The Best & Brightest of Security
     § Cause High Value / High Connection
     § Merge our Tribes for Mutual Awesomeness
     § Catalyze New Patterns and Solutions
  15. #RSAC Where We've Been
  16. The Downward Spiral…
  17. (image slide)
  18. (image slide)
  19. IT Ops And Dev At War
  20. (image slide)
  21. There Is A Better Way…
  22. Google, Amazon, Netflix, Spotify, Etsy, Spotify, Twitter, Facebook…
  23. 10 deploys per day: Dev & ops cooperation at Flickr. John Allspaw & Paul Hammond, Velocity 2009. Source: John Allspaw (@allspaw) and Paul Hammond (@ph)
  24. (image slide)
  25. Little bit weird. Sits closer to the boss. Thinks too hard. Pulls levers & turns knobs. Easily excited. Yells a lot in emergencies. Source: John Allspaw (@allspaw) and Paul Hammond (@ph)
  26. (image slide)
  27. Ops who think like devs. Devs who think like ops. Source: John Allspaw (@allspaw) and Paul Hammond (@ph)
  28. Dev and Ops. Source: John Allspaw (@allspaw) and Paul Hammond (@ph)
  29. DevOps is incomplete, is interpreted wrong, and is too isolated. Source: Theo Schlossnagle (@postwait)
  30. .*Ops   Source: Theo Schlossnagle (@postwait)
  31. ^(?<dept>.+)Ops$   Source: Theo Schlossnagle (@postwait)
  32. Justin Collins, Neil Matatall & Alex Smolen from Twitter
  33. High Performers Are More Agile: 30x more frequent deployments, 8,000x faster lead times than their peers. Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic
  34. High Performers Are More Reliable: 2x the change success rate, 12x faster mean time to recover (MTTR). Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic
  35. High Performers Win In The Marketplace: 2x more likely to exceed profitability, market share & productivity goals; 50% higher market capitalization growth over 3 years*. Source: Puppet Labs 2014 State Of DevOps
  36. Deploy Smaller Changes, More Frequently. Source: http://www.facebook.com/note.php?note_id=14218138919
  37. "As a lifelong Ops practitioner, I know we need DevOps to make our work humane. In the past, I've worked every holiday, on my birthday, my spouse's birthday, and even on the day my son was born." Nathan Shimek, Engineering Manager, New Context (@nathan_shimek)
  38. The Three Ways
  39. The First Way: Outcomes
     § Creating single repository for code and environments
     § All Ops artifacts in version control
     § Determinism in the release process
     § Consistent Dev, Test and Production environments, all properly built before deployment begins
     § Developers checking in code daily, being productive
     § Automated regression testing
     § Features being deployed daily without catastrophic failures
     § Decreased lead time
     § Faster cycle time and release cadence
  40. The Second Way: Outcomes
     § Peer review of code and environment changes
     § Disciplined automated testing enabling many simultaneous small, agile teams to work productively
     § Proactive monitoring of the production environment
     § Defects and security issues getting fixed faster than ever
     § High trust culture
     § All groups communicating and coordinating better
     § Everybody is getting more work done
  41. The Third Way: Outcomes
  42. #RSAC Why It's "Go Time"
  43. Session ID: Gene Kim. 15 min: why we're here, and why it's "go time". Josh: 0m, Gene: 7m.
  44. § we've seen what true integration of infosec into the daily work of Dev and Ops; and it is good
     § key learnings of the DevOps Enterprise 2015
     § Ed Bellis example: Capital One: DevOpsSec
     § examples of practices: preventive, detective/corrective
  45. (image slide)
  46. New engineer to John Allspaw: "Is it okay for me to make this change?" John Allspaw: "I don't know. Is it?"
  47. One Of The Highest Predictors Of Performance. Source: Typology Of Organizational Culture (Westrum, 2004)
  48. One Of The Highest Predictors Of Performance (repeat of slide 47). Source: Typology Of Organizational Culture (Westrum, 2004)
  49. DevOps Enterprise: Lessons Learned
     § On Oct 21-23, we held the DevOps Enterprise Summit, a conference for horses, by horses
     § Speakers included leaders from: Macy's, Disney, GE Capital, Blackboard, Telstra, US Department of Homeland Security, CSG, Raytheon, Ticketmaster, Union Bank of California
  50. Observations
     § They were using the same technical practices and getting the same sort of metrics as the unicorns
     § Target: 10+ deploys per day, < 10 incidents per month
     § Capital One: 100s of deploys per day, lead time of minutes
     § Macy's: 1,500 manual tests every 10 days, now 100Ks automated tests run daily
     § Nationwide Insurance: Retirement Plans app (COBOL on mainframe)
  51. Observations
     § The transformation stories are among the most courageous I've ever heard
     § Often the transformation leader was putting themselves in personal jeopardy
     § Why? Absolute clarity and conviction that it was the right thing for the organization
  52. Source: Lean Enterprise (upcoming): Jez Humble, Joanne Molesky, and Barry O'Reilly
  53. Capital One: DevOpsSec. Source: Tapabrata Pal, Capital One
  54. Heather Mickman, Target, Inc.
     § Abolished the TEP-LARB process
     § As a result, she won the Lifetime Achievement Award from her grateful team
  55. What About Infosec?
     § Ed Bellis
     § Former CISO of Orbitz
     § VP Information Security at Bank of America
     § Currently CEO of Risk I/O
  56. Risk I/O DevOps By the Numbers. Small & Frequent Commits:
     • Average between 75 & 125 commits to Master/week
     • Simplicity is your friend
  57. Risk I/O DevOps By the Numbers (builds on slide 56). Security Automation at Risk I/O: Chef All the Things! Test All the Things! (including security). Static + Dynamic Throughout. Continuous Integration via CircleCI. Open-Sourced Cookbooks. ModSecurity (airbag), Nessus (air bag ctrl), Nmap (brakes), SSH, iptables (shoulder belt), encrypted volumes, Duo 2FA, openVPN. ChatOps = Slack + graphite + logstash + sensu + pagerduty
  58. Risk I/O DevOps By the Numbers (builds on slide 57). DevOps as a Compliance Enabler: Automation as Evidence & Doc. Cookbooks. Leveraging the ELK Stack (Elasticsearch, Logstash, Kibana). Github + Code Climate + Risk I/O. Compliance Automation Extra Credit: https://telekomlabs.github.io/ (@Eellis)
  59. The DevOps Audit Defense Toolkit: http://bit.ly/DevOpsAudit. James DeLuccia IV, Jeff Gallimore, Gene Kim, Byron Miller
  60. Breaking The Bottlenecks In The Flow
     § Environment creation
     § Code deployment
     § Test setup and run (mention @rohansingh)
     § Overly tight architecture
     § Development
     § Product management
  61. (image slide)
  62. "deploys / day"   "deploys / day / dev"
  63. #RSAC Where We Want To Go
  64. Session ID: Gene Kim. 15 min: where we want to go. Gene: 0m, Josh: 10m.
  65. § outline concrete tangible things that can be done together to fulfill it
     § Accelerating to transition from here to there
     § Deming -> SW Supply Chain Rigor
     § Better/Fewer suppliers.
     § Better Supply
     § Traceability/Visibility throughout for Prompt/Agile recall
     § "Congressional Bill" - now or never (Jim Routh)
     § Expanding the DevOps Enterprise community
     § we can have mutual benefit through DevOps and software supply chains
     § legislation
  66. Innovate! (chart: PRODUCTIVITY over TIME)
  67. (chart, dated 4/20/15) Product Vulnerability Disclosures Following the HeartBleed Announcement (Circle Size Indicates CVSS Severity Score). Commercial Responses to OpenSSL. X axis: Time (days) following initial HeartBleed disclosure and patch availability. Y axis: Number of products included in the vendor vulnerability disclosure. Z axis (circle size): Exposure as measured by the CVE CVSS score. Annotations: Initial 'HeartBleed' OpenSSL Disclosure (CVSS Level 5); New OpenSSL Disclosures (Both CVSS Level 10); vendors marked: F5, IBM, Cisco, McAfee.
  68. https://www.usenix.org/system/files/login/articles/15_geer_0.pdf. For the 41%: 390 days. CVSS 10s: 224 days.
  69. True Costs & Least Cost Avoiders (figure: ACME against the sectors Enterprise, Bank, Retail, Manufacturing, BioPharma, Education, High Tech)
  70. (image slide)
  71. ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK.
  72. (image slide)
  73. (image slide)
  74. ON TIME: Faster builds. Fewer interruptions. More innovation. ON BUDGET: More efficient. More profitable. More competitive. ACCEPTABLE QUALITY/RISK: Easier compliance. Higher quality. Built-in audit protection.
  75. (image slide)
  76. (slide 74, adding the layer) Agile / CI
  77. DevOps
  78. (slide 74, adding the layers) DevOps / CD; Agile / CI
  79. SW Supply Chains
  80. (slide 74, adding the layers) SW Supply Chain; DevOps / CD; Agile / CI
  81. SW Supply Chains
  82. Comparing the Prius and the Volt
                             Toyota Advantage   Toyota Prius   Chevy Volt
     Unit Cost               61%                $24,200        $39,900
     Units Sold              13x                23,294         1,788
     In-House Production     50%                27%            54%
     Plant Suppliers         16% (10x per)      125            800
     Firm-Wide Suppliers     4%                 224            5,500
  83. (image slide)
  84. H.R. 5793 "Cyber Supply Chain Management and Transparency Act of 2014"
     § Elegant Procurement Trio
     1) Ingredients: § Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions)
     2) Hygiene & Avoidable Risk: § …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)
     3) Remediation: § …and must be patchable/updateable – as new vulnerabilities will inevitably be revealed
  85. #RSAC Go Forth… …and be Rugged. @joshcorman @RealGeneKim @RuggedSoftware
  86. Want More Learn More? To receive the following:
     § A copy of this presentation
     § The 140 page excerpt of The Phoenix Project
     § Videos and slides from DevOps Enterprise 2014
     § Information on DevOps Enterprise 2015
     § Link to the DevOps Audit Defense Toolkit
     § Announcement of The Phoenix Project audiobook
     § See early drafts of our upcoming DevOps Cookbook
     Just pick up your phone, and send an email: To: realgenekim@SendYourSlides.com  Subject: devops
