SlideShare a Scribd company logo

You build it - Cyber Chicago Keynote

John Willis
John Willis

Cyber Keynote

Technology
1 of 43
Download to read offline
“You Build It, You Secure It” Introduction to DevSecOps
https://github.com/botchagalupe/my-presentations
DTO Solutions Shift Left, Accelerate Right!
Devops is about Humans 5 Devops is a set of practices and patterns that turn human capital into high performance organizational capital.
Devops Practices and Patterns • Continuous Delivery • Everything in version control • Small batch principle • Trunk based deployments • Manage flow (WIP) • Automate everything
 • Culture • Everyone is responsible • Done means released • Stop the line when it breaks • Remove silos6 itrevolution.com/devops-handbook
Fast CheapGood “Pick Two!” Conventional Wisdom
Fast CheapGood “Pick Two!” Conventional Wisdom
DevOps ResilienceSpeed “Must Have All Three!” New Triangle
Devops Automated Deployment Pipeline 10 Source: Wikipedia - Continuous Delivery
12 Devops Results Google • Over 15,000 engineers in over 40 offices • 4,000+ projects under active development • 5500+ code submissions per day (20+ p/m) • Over 75M test cases run daily • 50% of code changes monthly • Single source tree • Over 75M test cases run daily
13 Devops Results Google • Over 15,000 engineers in over 40 offices • 4,000+ projects under active development • 5500+ code submissions per day (20+ p/m) • Over 75M test cases run daily • 50% of code changes monthly • Single source tree • Over 75M test cases run daily 2016 150 Million automated tests run daily…
14 Unicorns and Horses (Enterprises) Unicorns Enterprise Shamelessly stolen and repurposed from: Pete Cheslock
15 Devops Results Enterprise Organizations • Ticketmaster - 98% reduction in MTTR • Nordstrom - 20% shorter Lead Time • Target - Full Stack Deploy 3 months to minutes • USAA - Release from 28 days to 7 days • ING - 500 applications teams doing devops • CSG - From 200 incidents per release to 18
Dev : Ops 10 : 1
Dev : Ops : Sec 100 : 10 : 1 SEC ^
20 Summary • Agile took us from months to days to deliver software • Devops took from months to days to deploy software • Now security is the bottleneck • People….
21 Bill Bryson - A Short History of Nearly Everything
22 Security Meta Points • It’s 30 time cheaper to fix a security defect in Dev vs. Prod • Average data break incident cost 5.4 million • High performing organizations include security in the software delivery process • 80% to 90% of every modern application consists of open source components • Not all vulnerabilities can be scanned
23
24
DevSecOps as Supply Chain? 27 Source: Wikipedia - Continuous Delivery
DevSecOps ResilienceSpeed “Must Have All Three!” New Triangle
DevSecOps Requirements & Design Development CI Interval Trigger Assessment Production Application Risk Classification Security Requirement Definition Secure Libraries Static Analysis/IDE SCM Open Source Governance(CI) Secure Coding Standards Perimeter Assessment Dynamic Assessments Threat-Based Pen Test Web Application Firewalls Automated Attack/ Bot Defense Container Security Management Security Mavens (Security-Trained Developers and Operations) Role Based Software Security Training Continuous Monitoring, Analytics and KPI Gathering Preventative Detective Container Security Compliance (CI) Threat modeling Static Analysis (CI) Implementing DevOps in a Regulated Environment
Software Supply Chain 30 Delivery Team Version Control Build Test Release DevOps Example Stage Prod
Software Supply Chain 31 Delivery Team Version Control Build Test Release DevOps Example Delivery Team Version Control Build Test Release DevSecOps Example Stage Prod
32 Delivery Team Version Control Build Test Release DevSecOps Example Stage Prod DevSecOps Basics Security Training Security Requirements Threat Modeling Architecture Review OWASP Top 10 IDE Plugins Code Examples TDD for Security Fail the Build Static Code Analysis Security Policy Testing Configuration Analysis Vulnerability Scanning Code and App Analysis RASP Automated Pen Testing Static Code Analysis Security Policy Testing Configuration Analysis Security Monitoring
 Configuration Monitoring
33 More Security Meta Points • Have security create templates, recipes, playbook • Create a Wiki for Security • All Issues managed in a common issue system • Create a Github Repo for OWASP code examples • Create interactive visual environments for security • Visualize all the things…. • A bug is a bug is a bug….
34 DevSecOps and Cloud Configuration • IAM and resource policies (S3 Bucket, SQS, etc.) • Permissive policies (e.g. wildcards) • Security Group ingress and egress rules • Liberal rules (e.g. 0.0.0.0/0, port range 1-65535 is open) • Encryption • Encryption that is not enabled or enforced for applicable resources • Automatic Key Rotation • KMS keys that don't have rotation enabled, • Invalid SSL configurations • ELBs with invalid SSL configurations
35 DevSecOps and Containers • Base Image Policies • Signed images • Capabilities policies • Vulnerability Image Scans • Port and Link Policies • Secrets Management
36 DevSecOps and Serverless • OWASP top 10 are still relevant • Proper Permissions • Data, Keys and Secrets • Still can have vulnerable code dependancies
Best Practices for DevSecOps • Train development teams to develop secure code • Track security issues the same as software issues • If infrastructure is now code, then security should be code. • Integrate security controls in the software pipeline • Automate security test in the build process • Detect known vulnerabilities during the pipeline • Monitor security in production for known states • Inject failure to ensure security is hardened Gene Kim, Jez Humble, Patrick Dubois, and John Willis. 
 The DevOps Handbook; It Revolution Press, LLC.;2016.
Devops Kaizen - Full Life Cycle 1.Key Outcomes 2.Countermeasures 3.Storyboard 4.Kanban Board 5.Post Retrospective 1 2 3 4 5
•Devops Kaizen
 •DevSecOps Workshops •Devops Assessments •Devops Full Retrospective •Dojo Coaching
41 Bonus Material
42 Immutable Service Delivery Fortune 500 Insurance Company • Tracks critical and high security defect rate per 10k lines of code • Started out with (10/10k) • After applying Devops practices and principles (4/10k) • After applying Toyota Supply Chain 4VL (1/10k ) • After Docker with Immutable Delivery (0.1/10k)
43 With Docker Fortune 500 Insurance Company • One Service • One Container • One Read Only File System • One Port

Recommended

Art of the Possible - Serverless Conference NYC 2017
Art of the Possible - Serverless Conference NYC 2017 Art of the Possible - Serverless Conference NYC 2017
Art of the Possible - Serverless Conference NYC 2017
John Willis
 
DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018
Michael Man
 
Devops Kaizen - DevopsDays Dallas 2017
Devops Kaizen - DevopsDays Dallas 2017 Devops Kaizen - DevopsDays Dallas 2017
Devops Kaizen - DevopsDays Dallas 2017
John Willis
 
Evolving Architecture and Organization - Lessons from Google and eBay
Evolving Architecture and Organization - Lessons from Google and eBayEvolving Architecture and Organization - Lessons from Google and eBay
Evolving Architecture and Organization - Lessons from Google and eBay
Randy Shoup
 
Scaling Your Architecture for the Long Term
Scaling Your Architecture for the Long TermScaling Your Architecture for the Long Term
Scaling Your Architecture for the Long Term
Randy Shoup
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
Sonatype
 
Shifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailShifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. Kail
DevSecCon
 
Service Architectures At Scale - QCon London 2015
Service Architectures At Scale - QCon London 2015Service Architectures At Scale - QCon London 2015
Service Architectures At Scale - QCon London 2015
Randy Shoup
 

Recommended

Art of the Possible - Serverless Conference NYC 2017
Art of the Possible - Serverless Conference NYC 2017 Art of the Possible - Serverless Conference NYC 2017
Art of the Possible - Serverless Conference NYC 2017
John Willis
 
DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018
Michael Man
 
Devops Kaizen - DevopsDays Dallas 2017
Devops Kaizen - DevopsDays Dallas 2017 Devops Kaizen - DevopsDays Dallas 2017
Devops Kaizen - DevopsDays Dallas 2017
John Willis
 
Evolving Architecture and Organization - Lessons from Google and eBay
Evolving Architecture and Organization - Lessons from Google and eBayEvolving Architecture and Organization - Lessons from Google and eBay
Evolving Architecture and Organization - Lessons from Google and eBay
Randy Shoup
 
Scaling Your Architecture for the Long Term
Scaling Your Architecture for the Long TermScaling Your Architecture for the Long Term
Scaling Your Architecture for the Long Term
Randy Shoup
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
Sonatype
 
Shifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailShifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. Kail
DevSecCon
 
Service Architectures At Scale - QCon London 2015
Service Architectures At Scale - QCon London 2015Service Architectures At Scale - QCon London 2015
Service Architectures At Scale - QCon London 2015
Randy Shoup
 
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CDDevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
DevOps_Fest
 
Managing Data in Microservices
Managing Data in MicroservicesManaging Data in Microservices
Managing Data in Microservices
Randy Shoup
 
Monoliths, Migrations, and Microservices
Monoliths, Migrations, and MicroservicesMonoliths, Migrations, and Microservices
Monoliths, Migrations, and Microservices
Randy Shoup
 
Service Architectures at Scale
Service Architectures at ScaleService Architectures at Scale
Service Architectures at Scale
Randy Shoup
 
Ast in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorAst in CI/CD by Ofer Maor
Ast in CI/CD by Ofer Maor
DevSecCon
 
Devops, Secops, Opsec, DevSec *ops *.* ?
Devops, Secops, Opsec, DevSec *ops *.* ?Devops, Secops, Opsec, DevSec *ops *.* ?
Devops, Secops, Opsec, DevSec *ops *.* ?
Kris Buytaert
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
CloudPassage
 
Why Your Next QA Job Might Be in Ops
Why Your Next QA Job Might Be in OpsWhy Your Next QA Job Might Be in Ops
Why Your Next QA Job Might Be in Ops
Edward Rousseau
 
Learning from Learnings: Anatomy of Three Incidents
Learning from Learnings: Anatomy of Three IncidentsLearning from Learnings: Anatomy of Three Incidents
Learning from Learnings: Anatomy of Three Incidents
Randy Shoup
 
DevOps for CTOs
DevOps for CTOsDevOps for CTOs
DevOps for CTOs
Burke Autrey
 
Lessons Learned Monitoring Production
Lessons Learned Monitoring ProductionLessons Learned Monitoring Production
Lessons Learned Monitoring Production
Aviran Mordo
 
Scaling Your Architecture with Services and Events
Scaling Your Architecture with Services and EventsScaling Your Architecture with Services and Events
Scaling Your Architecture with Services and Events
Randy Shoup
 
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald BelchamGetting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
.NET Conf UY
 
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOpsDOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
Gene Kim
 
Road to Continuous Delivery - Wix.com
Road to Continuous Delivery - Wix.comRoad to Continuous Delivery - Wix.com
Road to Continuous Delivery - Wix.com
Aviran Mordo
 
Best Practices for Database Deployments
Best Practices for Database DeploymentsBest Practices for Database Deployments
Best Practices for Database Deployments
Red Gate Software
 
Untangling Continuous Delivery
Untangling Continuous DeliveryUntangling Continuous Delivery
Untangling Continuous Delivery
Perforce
 
Carl shaulis agile_td2014
Carl shaulis agile_td2014Carl shaulis agile_td2014
Carl shaulis agile_td2014
Carl Shaulis
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0
Dinis Cruz
 
Demystifying DevOps
Demystifying DevOpsDemystifying DevOps
Demystifying DevOps
Tathagat Varma
 
You Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOpsYou Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOps
Sumo Logic
 
Evolve 2017 - Vegas - Devops, Docker and Security
Evolve 2017 - Vegas - Devops, Docker and Security Evolve 2017 - Vegas - Devops, Docker and Security
Evolve 2017 - Vegas - Devops, Docker and Security
John Willis
 

More Related Content

What's hot

DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CDDevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
DevOps_Fest
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
CloudPassage
 
Learning from Learnings: Anatomy of Three Incidents
Learning from Learnings: Anatomy of Three IncidentsLearning from Learnings: Anatomy of Three Incidents
Learning from Learnings: Anatomy of Three Incidents
Randy Shoup
 
Scaling Your Architecture with Services and Events
Scaling Your Architecture with Services and EventsScaling Your Architecture with Services and Events
Scaling Your Architecture with Services and Events
Randy Shoup
 

What's hot (20)

DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CDDevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
 
Managing Data in Microservices
Managing Data in MicroservicesManaging Data in Microservices
Managing Data in Microservices
 
Monoliths, Migrations, and Microservices
Monoliths, Migrations, and MicroservicesMonoliths, Migrations, and Microservices
Monoliths, Migrations, and Microservices
 
Service Architectures at Scale
Service Architectures at ScaleService Architectures at Scale
Service Architectures at Scale
 
Ast in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorAst in CI/CD by Ofer Maor
Ast in CI/CD by Ofer Maor
 
Devops, Secops, Opsec, DevSec *ops *.* ?
Devops, Secops, Opsec, DevSec *ops *.* ?Devops, Secops, Opsec, DevSec *ops *.* ?
Devops, Secops, Opsec, DevSec *ops *.* ?
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
 
Why Your Next QA Job Might Be in Ops
Why Your Next QA Job Might Be in OpsWhy Your Next QA Job Might Be in Ops
Why Your Next QA Job Might Be in Ops
 
Learning from Learnings: Anatomy of Three Incidents
Learning from Learnings: Anatomy of Three IncidentsLearning from Learnings: Anatomy of Three Incidents
Learning from Learnings: Anatomy of Three Incidents
 
DevOps for CTOs
DevOps for CTOsDevOps for CTOs
DevOps for CTOs
 
Lessons Learned Monitoring Production
Lessons Learned Monitoring ProductionLessons Learned Monitoring Production
Lessons Learned Monitoring Production
 
Scaling Your Architecture with Services and Events
Scaling Your Architecture with Services and EventsScaling Your Architecture with Services and Events
Scaling Your Architecture with Services and Events
 
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald BelchamGetting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
 
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOpsDOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
 
Road to Continuous Delivery - Wix.com
Road to Continuous Delivery - Wix.comRoad to Continuous Delivery - Wix.com
Road to Continuous Delivery - Wix.com
 
Best Practices for Database Deployments
Best Practices for Database DeploymentsBest Practices for Database Deployments
Best Practices for Database Deployments
 
Untangling Continuous Delivery
Untangling Continuous DeliveryUntangling Continuous Delivery
Untangling Continuous Delivery
 
Carl shaulis agile_td2014
Carl shaulis agile_td2014Carl shaulis agile_td2014
Carl shaulis agile_td2014
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0
 
Demystifying DevOps
Demystifying DevOpsDemystifying DevOps
Demystifying DevOps
 

Similar to You build it - Cyber Chicago Keynote

The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
Cprime
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
Divine and felonios cyber security devopsdays austin 2018
Divine and felonios cyber security devopsdays austin 2018Divine and felonios cyber security devopsdays austin 2018
Divine and felonios cyber security devopsdays austin 2018
John Willis
 
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Amazon Web Services
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
Aaron Rinehart
 

Similar to You build it - Cyber Chicago Keynote (20)

You Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOpsYou Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOps
 
Evolve 2017 - Vegas - Devops, Docker and Security
Evolve 2017 - Vegas - Devops, Docker and Security Evolve 2017 - Vegas - Devops, Docker and Security
Evolve 2017 - Vegas - Devops, Docker and Security
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
 
DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines
 
Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?
 
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
 
State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019
 
Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24 webinar - application security in a dev ops world-08-2018Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24 webinar - application security in a dev ops world-08-2018
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Divine and felonios cyber security devopsdays austin 2018
Divine and felonios cyber security devopsdays austin 2018Divine and felonios cyber security devopsdays austin 2018
Divine and felonios cyber security devopsdays austin 2018
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOps
 
State of DevSecOps - GTACS 2019
State of DevSecOps - GTACS 2019State of DevSecOps - GTACS 2019
State of DevSecOps - GTACS 2019
 
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
 

More from John Willis

swampUP - 2018 - The Divine and Felonious Nature of Cyber Security
swampUP - 2018 - The Divine and Felonious Nature of Cyber SecurityswampUP - 2018 - The Divine and Felonious Nature of Cyber Security
swampUP - 2018 - The Divine and Felonious Nature of Cyber Security
John Willis
 
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's Been
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's BeenDevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's Been
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's Been
John Willis
 

More from John Willis (20)

Automated Governance
Automated GovernanceAutomated Governance
Automated Governance
 
Devops Long Strange Trip
Devops Long Strange Trip Devops Long Strange Trip
Devops Long Strange Trip
 
I Got 99 Problems and a Bash DSL Ain't One of Them
I Got 99 Problems and a Bash DSL Ain't One of ThemI Got 99 Problems and a Bash DSL Ain't One of Them
I Got 99 Problems and a Bash DSL Ain't One of Them
 
Math is cool
Math is coolMath is cool
Math is cool
 
The 7 deadly diseases of DevOps 2019
The 7 deadly diseases of DevOps 2019The 7 deadly diseases of DevOps 2019
The 7 deadly diseases of DevOps 2019
 
Next Generation Infrastructure - Devops Enterprise Summit 2018
Next Generation Infrastructure - Devops Enterprise Summit 2018Next Generation Infrastructure - Devops Enterprise Summit 2018
Next Generation Infrastructure - Devops Enterprise Summit 2018
 
swampUP - 2018 - The Divine and Felonious Nature of Cyber Security
swampUP - 2018 - The Divine and Felonious Nature of Cyber SecurityswampUP - 2018 - The Divine and Felonious Nature of Cyber Security
swampUP - 2018 - The Divine and Felonious Nature of Cyber Security
 
Devops - A Long Strange Trip It's Been
Devops - A Long Strange Trip It's BeenDevops - A Long Strange Trip It's Been
Devops - A Long Strange Trip It's Been
 
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's Been
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's BeenDevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's Been
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's Been
 
Why Executives Can't Change
Why Executives Can't Change Why Executives Can't Change
Why Executives Can't Change
 
Alibaba Cloud Conference 2016 - Docker Open Source
Alibaba Cloud Conference 2016 - Docker Open Source Alibaba Cloud Conference 2016 - Docker Open Source
Alibaba Cloud Conference 2016 - Docker Open Source
 
Alibaba Cloud Conference 2016 - Docker Enterprise
Alibaba Cloud Conference 2016 - Docker EnterpriseAlibaba Cloud Conference 2016 - Docker Enterprise
Alibaba Cloud Conference 2016 - Docker Enterprise
 
Breaking Bad Equilibrium - Devops Connect 2017 RSAC
Breaking Bad Equilibrium - Devops Connect 2017 RSACBreaking Bad Equilibrium - Devops Connect 2017 RSAC
Breaking Bad Equilibrium - Devops Connect 2017 RSAC
 
Breaking Bad Equilibrium - Devops Connect 2016 LA
Breaking Bad Equilibrium - Devops Connect 2016 LABreaking Bad Equilibrium - Devops Connect 2016 LA
Breaking Bad Equilibrium - Devops Connect 2016 LA
 
All daydevops 2016 - Turning Human Capital into High Performance Organizati...
All daydevops 2016 - Turning Human Capital into High Performance Organizati...All daydevops 2016 - Turning Human Capital into High Performance Organizati...
All daydevops 2016 - Turning Human Capital into High Performance Organizati...
 
Turning Human Capital into High Performance Organizational Capital
Turning Human Capital into High Performance Organizational CapitalTurning Human Capital into High Performance Organizational Capital
Turning Human Capital into High Performance Organizational Capital
 
Immutable Service Delivery Shenzhen 2016
Immutable Service Delivery Shenzhen 2016Immutable Service Delivery Shenzhen 2016
Immutable Service Delivery Shenzhen 2016
 
DOES16 London - Better Faster Cheaper .. How?
DOES16 London - Better Faster Cheaper .. How? DOES16 London - Better Faster Cheaper .. How?
DOES16 London - Better Faster Cheaper .. How?
 
Dockercon USA 2016 - Immutable Awesomeness
Dockercon USA 2016 - Immutable Awesomeness Dockercon USA 2016 - Immutable Awesomeness
Dockercon USA 2016 - Immutable Awesomeness
 
Psychology and High Performance Organizations
Psychology and High Performance Organizations Psychology and High Performance Organizations
Psychology and High Performance Organizations
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 

Recently uploaded (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

You build it - Cyber Chicago Keynote

  • 1. “You Build It, You Secure It” Introduction to DevSecOps
  • 3.
  • 4. DTO Solutions Shift Left, Accelerate Right!
  • 5. Devops is about Humans 5 Devops is a set of practices and patterns that turn human capital into high performance organizational capital.
  • 6. Devops Practices and Patterns • Continuous Delivery • Everything in version control • Small batch principle • Trunk based deployments • Manage flow (WIP) • Automate everything
 • Culture • Everyone is responsible • Done means released • Stop the line when it breaks • Remove silos6 itrevolution.com/devops-handbook
  • 10. Devops Automated Deployment Pipeline 10 Source: Wikipedia - Continuous Delivery
  • 11.
  • 12. 12 Devops Results Google • Over 15,000 engineers in over 40 offices • 4,000+ projects under active development • 5500+ code submissions per day (20+ p/m) • Over 75M test cases run daily • 50% of code changes monthly • Single source tree • Over 75M test cases run daily
  • 13. 13 Devops Results Google • Over 15,000 engineers in over 40 offices • 4,000+ projects under active development • 5500+ code submissions per day (20+ p/m) • Over 75M test cases run daily • 50% of code changes monthly • Single source tree • Over 75M test cases run daily 2016 150 Million automated tests run daily…
  • 14. 14 Unicorns and Horses (Enterprises) Unicorns Enterprise Shamelessly stolen and repurposed from: Pete Cheslock
  • 15. 15 Devops Results Enterprise Organizations • Ticketmaster - 98% reduction in MTTR • Nordstrom - 20% shorter Lead Time • Target - Full Stack Deploy 3 months to minutes • USAA - Release from 28 days to 7 days • ING - 500 applications teams doing devops • CSG - From 200 incidents per release to 18
  • 16.
  • 18.
  • 19. Dev : Ops : Sec 100 : 10 : 1 SEC ^
  • 20. 20 Summary • Agile took us from months to days to deliver software • Devops took from months to days to deploy software • Now security is the bottleneck • People….
  • 21. 21 Bill Bryson - A Short History of Nearly Everything
  • 22. 22 Security Meta Points • It’s 30 time cheaper to fix a security defect in Dev vs. Prod • Average data break incident cost 5.4 million • High performing organizations include security in the software delivery process • 80% to 90% of every modern application consists of open source components • Not all vulnerabilities can be scanned
  • 23. 23
  • 24. 24
  • 25.
  • 26.
  • 27. DevSecOps as Supply Chain? 27 Source: Wikipedia - Continuous Delivery
  • 29. DevSecOps Requirements & Design Development CI Interval Trigger Assessment Production Application Risk Classification Security Requirement Definition Secure Libraries Static Analysis/IDE SCM Open Source Governance(CI) Secure Coding Standards Perimeter Assessment Dynamic Assessments Threat-Based Pen Test Web Application Firewalls Automated Attack/ Bot Defense Container Security Management Security Mavens (Security-Trained Developers and Operations) Role Based Software Security Training Continuous Monitoring, Analytics and KPI Gathering Preventative Detective Container Security Compliance (CI) Threat modeling Static Analysis (CI) Implementing DevOps in a Regulated Environment
  • 30. Software Supply Chain 30 Delivery Team Version Control Build Test Release DevOps Example Stage Prod
  • 31. Software Supply Chain 31 Delivery Team Version Control Build Test Release DevOps Example Delivery Team Version Control Build Test Release DevSecOps Example Stage Prod
  • 32. 32 Delivery Team Version Control Build Test Release DevSecOps Example Stage Prod DevSecOps Basics Security Training Security Requirements Threat Modeling Architecture Review OWASP Top 10 IDE Plugins Code Examples TDD for Security Fail the Build Static Code Analysis Security Policy Testing Configuration Analysis Vulnerability Scanning Code and App Analysis RASP Automated Pen Testing Static Code Analysis Security Policy Testing Configuration Analysis Security Monitoring
 Configuration Monitoring
  • 33. 33 More Security Meta Points • Have security create templates, recipes, playbook • Create a Wiki for Security • All Issues managed in a common issue system • Create a Github Repo for OWASP code examples • Create interactive visual environments for security • Visualize all the things…. • A bug is a bug is a bug….
  • 34. 34 DevSecOps and Cloud Configuration • IAM and resource policies (S3 Bucket, SQS, etc.) • Permissive policies (e.g. wildcards) • Security Group ingress and egress rules • Liberal rules (e.g. 0.0.0.0/0, port range 1-65535 is open) • Encryption • Encryption that is not enabled or enforced for applicable resources • Automatic Key Rotation • KMS keys that don't have rotation enabled, • Invalid SSL configurations • ELBs with invalid SSL configurations
  • 35. 35 DevSecOps and Containers • Base Image Policies • Signed images • Capabilities policies • Vulnerability Image Scans • Port and Link Policies • Secrets Management
  • 36. 36 DevSecOps and Serverless • OWASP top 10 are still relevant • Proper Permissions • Data, Keys and Secrets • Still can have vulnerable code dependancies
  • 37.
  • 38. Best Practices for DevSecOps • Train development teams to develop secure code • Track security issues the same as software issues • If infrastructure is now code, then security should be code. • Integrate security controls in the software pipeline • Automate security test in the build process • Detect known vulnerabilities during the pipeline • Monitor security in production for known states • Inject failure to ensure security is hardened Gene Kim, Jez Humble, Patrick Dubois, and John Willis. 
 The DevOps Handbook; It Revolution Press, LLC.;2016.
  • 39. Devops Kaizen - Full Life Cycle 1.Key Outcomes 2.Countermeasures 3.Storyboard 4.Kanban Board 5.Post Retrospective 1 2 3 4 5
  • 40. •Devops Kaizen
 •DevSecOps Workshops •Devops Assessments •Devops Full Retrospective •Dojo Coaching
  • 42. 42 Immutable Service Delivery Fortune 500 Insurance Company • Tracks critical and high security defect rate per 10k lines of code • Started out with (10/10k) • After applying Devops practices and principles (4/10k) • After applying Toyota Supply Chain 4VL (1/10k ) • After Docker with Immutable Delivery (0.1/10k)
  • 43. 43 With Docker Fortune 500 Insurance Company • One Service • One Container • One Read Only File System • One Port