DevOps and Security, a Match Made in Heaven
Transcript of a Briefings Direct discussion on the relationship between DevOps and security and
exploring the impact of security on compliance, risk, and auditing.
Listen to the podcast. Find it on iTunes. Get the mobile app for iOS or Android.
Sponsor: HP Enterprise
Dana Gardner: Hello, and welcome to the next edition of the HP Discover Podcast Series. I'm
Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this
ongoing sponsored discussion on IT innovation and how it’s making an impact on
people’s lives.
Our next DevOps thought leadership discussion explores the impact on security
and how those investing in DevOps models can expect to improve their security,
compliance, and risk-mitigation efforts. To help us better understand the
relationship between DevOps and security, we're joined by two panelists.
Please join me welcoming Gene Kim, DevOps researcher and author focused on
IT operations, information security and transformation. His most recent book is 'The Phoenix
Project: A Novel about IT, DevOps, and Helping Your Business Win', and his new book coming
out soon is called 'The DevOps Cookbook'. Welcome, Gene.
Learn the Four Keys
to Continuous DevOps
Gene Kim: Dana, great to be here. Thank you.
Gardner: We're also here with Ashish Kuthiala, Senior Director of Marketing and Strategy for
HP DevOps. Welcome back, Ashish.
Ashish Kuthiala: Thank you very much Dana. Glad to be here.
Gardner: Ashish, let me start with you. Coordinating and fostering increased collaboration
between development, the testers, and IT operations has a lot of benefits. We've been talking
about that in a number of these discussions, but security specifically. How is
DevOps engendering a safer code and an ability to work towards an iterative,
continuous approach to improved security?
Kuthiala: Dana, I look at security as no different than any other testing that you
do on your code. Anything that you catch early on in the process, fix it, and close
the vulnerabilities is much simpler, much easier, and much cheaper to fix than when the end
product is in the hands of the users.
At that point, it could be in the hands of thousands of users, deployed in thousands of
environments, and it's really very expensive. Even if you want to fix it there, if some trouble
happens, there is a security breach, you're not just dealing with the code vulnerability but you are
also dealing with loss of brand, loss of revenue, and loss of reputation in the marketplace.
Gene has done a lot of study on security and DevOps. I would love to hear his point of view on
that.
Promise is phenomenal
Kim: You're so right. The promise of DevOps for advancing the information security objective
is phenomenal, but unfortunately, the way most information security practitioners react to
DevOps is one of moral outrage and fear. The fear being verbalized is that Dev
and Ops are deploying more quickly than ever, and the outcomes haven't been
so great. You're doing one release a year, what will happen if they are doing 10
deploys a day.
We can understand why they might be just terrified of this. Yet, what Ashish
described is that DevOps represents the ideal integration of testing into the
daily work of Dev and Ops. We have testing happening all the time.
Developers own the responsibilities of building and running the test. It’s happening after every
code commit, and these are exactly the same sort of behaviors and cultural norms that we want in
information security. After all, security is just another aspect of quality.
We're seeing many, many examples of how organizations are creating what some people are calling
DevOps(Sec), DevOps plus security. One of my favorite examples is Capital One, which calls
DevOps in their organization DevOps(Sec). Basically, information security is being integrated
into every stage of the software development lifecycle. This is actually what every information
security practitioner has wanted for the last two decades.
Gardner: Ashish.
Kuthiala: Gene, that brings up an interesting thought. As we look at Dev and
Ops teams coming together without security, increasingly we talk about how
people need to have generally more skills across the spectrum. Developers need
to understand production systems and to be able to support their code in
production. But what you just described, does that mean that’s how the
developers and planners start to become security specialists or think like that?
What have you seen?
Kim: Let's talk about the numbers for a second. I love this ratio of 100 to 10 to 1. For every 100
developers, we have 10 operations people and you have one security person. So there's no way
you're going to get the adequate coverage, right? There are not enough security people around. If
we can't embed Ops people into these project or service teams, then we have to train developers
to care and know when to seek help from the Ops experts.
We have a similar challenge in information security -- how we train, whether it's about secure
coding, regular compliance, or how we create evidence that controls exist and are effective. It is
not going to be security doing the work. Instead, security needs to be training Dev and Ops on
how to do things securely.
Kuthiala: Are there patterns that they should be looking at in security? Are there any known
patterns out there or are there some being developed? What have you seen with the customers
that you work with?
Kim: In the deployment pipeline, instead of having just unit tests being run after every code
commit, you actually run static code analysis tools. That way you know that it's functionally
correct, and the developers are getting fast feedback and then they’re writing things that are
potentially more secure than they would have otherwise.
And then alongside that in production, there are the monitoring tools. You're running things like
the dynamic security testing. Now, you can actually see how it’s behaving in the production
environment. In my mind, that's the ideal embodiment of how information security work should
be integrated into the daily work of dev, test, and operations.
Seems contradictory
Kuthiala: It seems a little contradictory in nature. I know DevOps is all about going a little
faster, but actually, you’re adding more functionality right up front and slowing this down. Is it a
classic case of going slower to go faster? Walk before you can run, until you get to crawl? From
my point of view, it slows you down here, but towards the end, you speed up more. Are you able
to do this?
Kim: I would claim the opposite. We're getting the best of all worlds, because the security
testing is now automated. It’s being done on demand by the developers, as opposed to your
opening a ticket, "Gene, can you scan my application?" And I'll get back to you in about six
weeks.
That’s being done automatically as part of my daily work. My claim would be not only is it
faster, but we'll get better coverage than we had before. The fearful info sector person would ask
how we can do this for highly regulated environments, where there are a lot of compliance
regimes in place.
If you were to count the number of controls that are continuously operating, not only do you
have orders and managing more controls, but they are actually operating all the time as opposed
to testing once a year.
Kuthiala: From what I've observed with my customers, I have two kind of separate questions
here. First, if you look at some of the highly regulated industries, for example, the
pharmaceutical industry, it's not just internal compliances and regulations. It's part of security,
but they often have to go to the outside agencies for almost physical paperwork kind of
regulatory compliance checks.
As they're trying to go towards DevOps and speed this up, they are saying, "How do we handle
that portion of the compliance checks and the security checks, because they are manual checks.
They're not automated. How do we deal with external agencies and incorporate this in?" What
have you seen work really well?
Kim: Last year, at the DevOps Enterprise Summit, we had one bank, and it was a smaller bank.
This year, we have five including some of the most well-known banks in the industry. We had
manufacturing. I think we had coverage of almost every major industry vertical, the majority of
which are heavily regulated. They are all able to demonstrate that not only can you be compliant
with all the relevant laws, contractual obligations, and regulations, but you can significantly
decrease the amount of work.
One of my favorite examples came from Salesforce. Selling to the Federal government, they had
to apply with FedRAMP. One of the things that they got agreement on from security, compliance
groups, and change management was that all infrastructure changes made through the
automation tools could be considered a standard change.
In other words, they wouldn’t require review and approval, but all changes that were done
manually would still require approvals, which would often take weeks. This really shows that we
can create this fast path not just for the people doing the work, but also, this makes some work
significantly easier for security and compliance as well.
Human error
Kuthiala: And you're taking on the human error possibility in there. People can be on
vacation, slowing things down. People can be sick. People may not be in their jobs anymore.
Automation is a key answer to this, as you said.
Gardner: One of the things we've been grappling with in the industry is how to get DevOps
accelerated into cultures and organizations. What about the security as a point on the arrow here?
If we see and recognize that security can benefit from DevOps and we want to instantiate
DevOps models faster, wouldn’t the security people be a good place to be on the evangelistic
side of DevOps?
Kim: That’s a great observation, Dana. In fact, I think part of the method behind the madness is
that the goal of the DevOps Enterprise Summit was to prove points. We had 50 speakers all from
large, complex organizations. The goal was to get coverage of the industry verticals.
I also helped co-host a one-day DevOps Security Conference at the RSA Conference, and this
was very much from a security perspective. It was amazing to find those champions in the
security community who are driving DevOps objectives. They have to figure out how security
fits into the DevOps ecosystem, because we need them to show that the water is not only just
safe, but the water is great.
Kuthiala: This brings up a question, Gene. For any new project that kicks off, it’s a new
company. You can really define the architecture from scratch, thus enabling you a lot of practices
you need to put in place, whether it's independent deliverables and faster deliverables, all acting
independent of each other.
But for the bigger companies and enterprise software that’s being released -- we've discussed this
in our past talks -- you need to look at the architecture underneath it and see how we can
modernize this to do this.
So, when you start to address security, how do you go about approaching that, because you know
you're dealing with a large base of code that’s very monolithic? It can take thousands of people
to release something out to the customers. Now, you're trying to incorporate security into this
with any new features and functions you add.
I can see how you can start to incorporate security and the expertise into it and scan it right from
development cycle. How do you deal with that big component of the architecture that’s already
there? Any best practices?
Kim: One of the people who have best articulated the philosophy is Gary Gruver. He said
something that, for me, was very memorable. If you don’t have automated testing, and I think his
context was very much like unit testing, automated regression testing, you have a fundamentally
broken cost model, and it becomes too expensive. You get to a point where it becomes too
expensive to add features.
That’s not even counting security testing. You get to a point where not only it is too expensive,
but it becomes too risky to change code. So, just as marketing is too important to leave to the
marketing people, and quality is too important to leave to the QA people -- so too security is too
important to leave just to the security people.
We have to fully empower developers to get feedback on their work and have them fully
responsible for not just the features, but the non-functional requirements, testability,
deployability, manageability, and security.
A better way
Gardner: Assume that those listening and reading here today are completely swayed by our
view of things and they do want to have DevOps with security ingrained. Are there not also
concurrent developments around big data and analytics that give them a better way to do this,
once they've decided to do it?
It seems to me that there is an awful lot of data available within systems, whether it's log files,
configuration databases. Starting to harness that affordably, and then applying that back to those
automation capabilities is going to be a very powerful synergistic value. How does it work when
we apply big data to DevOps and security, Ashish?
Kuthiala: Good question Dana. You're absolutely right with data sources now becoming easy,
bringing together data sources into one repository and at an affordable cost. We're starting to
build analytics on top of that and this has been applied in a number of areas.
The best example I can talk about is how HP has been working on an IP creation of the area of
testing using big data analytics. So, if we have to go faster and we have to release software every
hour or every two, versus every six to eight months, you need to test it as fast as well. You can no
longer afford to go and run your 20,000 tests based on this one-line change of code.
You have to be able to figure out what modules are affected, which ones are not, and which ones
are likely to break. We're starting to do some intelligent testing inside of our labs and we're
finding that we're about 80 to 85 percent accurate in predicting what to test and not to test and
what features are reflected or not.
Similarly, using the big data analytics and the security expertise that Gene talked about, you need
to start digging through and analyzing exactly the same as we run any test. What security
vulnerabilities do you want to test, which functions of the code? And it’s just a best practice
moving forward that you start to incorporate the big data analytics into your security testing.
Gardner: Gene.
Kim: You were implying something that I just want to make explicit. One of the most
provocative notions that Ashish and I talked about was to think about all the telemetry and all the
data that the build mechanisms create. You start putting in all the results of testing, and suddenly
we have a much better basis of where we apply our testing effort.
If we actually need to deploy faster, even if we completely automate our tests, and even if we
parallelize them and run them across thousands of servers and if that takes days, we may be able
to use data to tell us where to surgically apply testing so we make an informed decision on whether
to deploy or not. That's an awesome potential.
Gardner: Speaking of awesome potentials, when we compress the feedback loops using this
data, when development and operations are collaborating and communicating very well, it seems
to me that we're also moving from a reactive stance to security issues, closer to a proactive stance
with certainly as little time as possible.
One of the notions about security is that you can’t prevent people from getting in, but you can
limit the damage they can do when they do get in. It seems to me that if you close a loop between
development operations and test, you can get the right remediation out into operations and
production much quicker. Therefore you can almost behave like we had seen with anti-malware
software, where the cycle between the inception of a problem, the creation of the patch, and then
deployment of the patch was very, very short.
Is that vision pie in the sky or is that something we could get to when DevOps and security
comes together, Gene?
Key to prevention
Kim: You're right on. The way an auditor would talk about it is that there are things that we
can do to prevent, that’s code review, that’s automated code testing and scanning.
Making libraries available so that developers are choosing things and deploying them in a
secured state are all preventive controls. If we can make sure that we have the best situational
awareness we can of the production environment, those are what allow quicker detection
recovery.
The better we are at that, the better we are at mitigating, effectively mitigating risk.
Kuthiala: Gene, as you were talking, I was thinking. We have this notion of rolling back code
when something breaks in production, and that’s a very common kind of procedure. You go back
into the lab, fix what didn’t work, and then you roll it back into production. If it works, it's fine.
Otherwise, you roll it back and do it over again.
But with the advent of DevOps and those who are doing this successfully, there are no roll backs.
They roll forward. You just go forward, because with the discipline of DevOps, if done well, you
can quickly put a patch into production within hours, versus months, days, and weeks.
And similarly like you talked about security, you know once a vulnerability is out there that you
want to go fix it, you want to issue the patch. With DevOps and security, there are a lot of
similarities.
Gardner: Before we close out, is there anything for the future? We've heard a lot about the
Internet of Things (IoT), a lot more devices, device types, networks, extended networks, and
variable networks. Is there a benefit with DevOps and security as a tag team, as we look to an
increased era of complexity around the IoT sensors and plethora of disparate networks? Ashish?
Kuthiala: The more you talk about IoT, the more holes are open for hackers to get in. I'll give
you a classic example. I've been looking forward to the day where my phone is all I carry. I don’t
have to open my car with my keys or I can pay for things with it, and we have been getting
towards that vision, but a lot of my friends who are in high-tech are actually skeptical.
What happens if you lose your phone? Somebody has access to it. You know their counter
argument against that. You can switch off your phone and wipe the data etc. But I think as IoT
grows in number, more holes open up. So, it becomes even more important to incorporate your
security planning cycles right into the planning and dev cycles.
Gardner: Particularly if you're in an industry where you expect to have an Internet of Things
ramp up getting automation in place, thinking about DevOps, thinking about security as an
integral part of DevOps certainly makes a great deal of sense to me. Gene.
Kim: Absolutely, you said it better than I ever could. Yes.
Gardner: We'll have to leave it there. We've been discussing the relationship between DevOps
and security and exploring the impact of security on things like compliance and risk and auditing
and I would like to thank our guests for a very intriguing discussion.
We've been here with Gene Kim, DevOps Researcher and Author focused on IT operations,
information security and transformation. His most recent book is 'The Phoenix Project: A Novel
about IT, DevOps, and Helping Your Business Win', and his new book coming out soon is called
'The DevOps Cookbook'. Thanks so much, Gene.
Kim: Thank you so much.
Gardner: And we have been here with Ashish Kuthiala, Senior Director of Marketing and
Strategy for HP DevOps. Thank you, Ashish.
Kuthiala: Thank you very much, Dana.
Gardner: And I'd like to extend a big thank you to our audience as well for joining for this
DevOps and security discussion.
I'm Dana Gardner, principal analyst at Interarbor Solutions, your host for this ongoing series of
HP sponsored discussions. Thanks again for listening and come back next time.
Transcript of a Briefings Direct discussion on the relationship between DevOps and security and
exploring the impact of security on compliance, risk, and auditing. Copyright Interarbor
Solutions, LLC, 2005-2015. All rights reserved.
451’s Berkholz on How DevOps, Automation and Orchestration Combine for Contin...451’s Berkholz on How DevOps, Automation and Orchestration Combine for Contin...
451’s Berkholz on How DevOps, Automation and Orchestration Combine for Contin...
 
Spirent Leverages Big Data to Keep User Experience Quality a Winning Factor f...
Spirent Leverages Big Data to Keep User Experience Quality a Winning Factor f...Spirent Leverages Big Data to Keep User Experience Quality a Winning Factor f...
Spirent Leverages Big Data to Keep User Experience Quality a Winning Factor f...
 
Manufacturer Gains Advantage by Expanding IoT Footprint from Many Machines to...
Manufacturer Gains Advantage by Expanding IoT Footprint from Many Machines to...Manufacturer Gains Advantage by Expanding IoT Footprint from Many Machines to...
Manufacturer Gains Advantage by Expanding IoT Footprint from Many Machines to...
 

En vedette

Ford Motor Company; Rise of the Brandividual by Scott Monty
Ford Motor Company; Rise of the Brandividual by Scott MontyFord Motor Company; Rise of the Brandividual by Scott Monty
Ford Motor Company; Rise of the Brandividual by Scott MontySocial Media Marketing
 
Blog Content Marketing - How to Be the Best Answer
Blog Content Marketing - How to Be the Best AnswerBlog Content Marketing - How to Be the Best Answer
Blog Content Marketing - How to Be the Best AnswerTopRank Marketing Agency
 
People's Insights Volume 1, Issue 18 : Heineken Ideas Brewery
People's Insights Volume 1, Issue 18 : Heineken Ideas BreweryPeople's Insights Volume 1, Issue 18 : Heineken Ideas Brewery
People's Insights Volume 1, Issue 18 : Heineken Ideas BreweryMSL
 
Google's Mobile Search Presentation from #MMSEM11
Google's Mobile Search Presentation from #MMSEM11Google's Mobile Search Presentation from #MMSEM11
Google's Mobile Search Presentation from #MMSEM11Marcel Media
 
Screaming Fast Wpmu
Screaming Fast WpmuScreaming Fast Wpmu
Screaming Fast Wpmudjcp
 
The state of ad blocking - September 2015
The state of ad blocking - September 2015The state of ad blocking - September 2015
The state of ad blocking - September 2015sourcepoint
 
International Lithium Presentation September 2014
International Lithium Presentation September 2014International Lithium Presentation September 2014
International Lithium Presentation September 2014Kirill Klip
 
Amelia Showalter_SearchLove London 2013
Amelia Showalter_SearchLove London 2013Amelia Showalter_SearchLove London 2013
Amelia Showalter_SearchLove London 2013Distilled
 
Close Deals: Using Content at the Bottom of the Funnel
Close Deals: Using Content at the Bottom of the FunnelClose Deals: Using Content at the Bottom of the Funnel
Close Deals: Using Content at the Bottom of the FunnelKapost
 
Souders WPO Web 2.0 Expo
Souders WPO Web 2.0 ExpoSouders WPO Web 2.0 Expo
Souders WPO Web 2.0 ExpoSteve Souders
 
U.S. Technology Funding -- What's Going On?
U.S. Technology Funding -- What's Going On? U.S. Technology Funding -- What's Going On?
U.S. Technology Funding -- What's Going On? a16z
 

En vedette (12)

Ford Motor Company; Rise of the Brandividual by Scott Monty
Ford Motor Company; Rise of the Brandividual by Scott MontyFord Motor Company; Rise of the Brandividual by Scott Monty
Ford Motor Company; Rise of the Brandividual by Scott Monty
 
Blog Content Marketing - How to Be the Best Answer
Blog Content Marketing - How to Be the Best AnswerBlog Content Marketing - How to Be the Best Answer
Blog Content Marketing - How to Be the Best Answer
 
People's Insights Volume 1, Issue 18 : Heineken Ideas Brewery
People's Insights Volume 1, Issue 18 : Heineken Ideas BreweryPeople's Insights Volume 1, Issue 18 : Heineken Ideas Brewery
People's Insights Volume 1, Issue 18 : Heineken Ideas Brewery
 
Google's Mobile Search Presentation from #MMSEM11
Google's Mobile Search Presentation from #MMSEM11Google's Mobile Search Presentation from #MMSEM11
Google's Mobile Search Presentation from #MMSEM11
 
Screaming Fast Wpmu
Screaming Fast WpmuScreaming Fast Wpmu
Screaming Fast Wpmu
 
YSlow 2.0
YSlow 2.0YSlow 2.0
YSlow 2.0
 
The state of ad blocking - September 2015
The state of ad blocking - September 2015The state of ad blocking - September 2015
The state of ad blocking - September 2015
 
International Lithium Presentation September 2014
International Lithium Presentation September 2014International Lithium Presentation September 2014
International Lithium Presentation September 2014
 
Amelia Showalter_SearchLove London 2013
Amelia Showalter_SearchLove London 2013Amelia Showalter_SearchLove London 2013
Amelia Showalter_SearchLove London 2013
 
Close Deals: Using Content at the Bottom of the Funnel
Close Deals: Using Content at the Bottom of the FunnelClose Deals: Using Content at the Bottom of the Funnel
Close Deals: Using Content at the Bottom of the Funnel
 
Souders WPO Web 2.0 Expo
Souders WPO Web 2.0 ExpoSouders WPO Web 2.0 Expo
Souders WPO Web 2.0 Expo
 
U.S. Technology Funding -- What's Going On?
U.S. Technology Funding -- What's Going On? U.S. Technology Funding -- What's Going On?
U.S. Technology Funding -- What's Going On?
 

Similaire à DevOps and Security, a Match Made in Heaven

Capgemini and HPE Team Up to Foster Behavioral Change That Brings Better Cybe...
Capgemini and HPE Team Up to Foster Behavioral Change That Brings Better Cybe...Capgemini and HPE Team Up to Foster Behavioral Change That Brings Better Cybe...
Capgemini and HPE Team Up to Foster Behavioral Change That Brings Better Cybe...Dana Gardner
 
2021-10-14 The Critical Role of Security in DevOps.pdf
2021-10-14 The Critical Role of Security in DevOps.pdf2021-10-14 The Critical Role of Security in DevOps.pdf
2021-10-14 The Critical Role of Security in DevOps.pdfSavinder Puri
 
Unum Group Architect Charts a DevOps Course to a Hybrid Cloud Future
Unum Group Architect Charts a DevOps Course to a Hybrid Cloud FutureUnum Group Architect Charts a DevOps Course to a Hybrid Cloud Future
Unum Group Architect Charts a DevOps Course to a Hybrid Cloud FutureDana Gardner
 
IT Security - TestArmy
IT Security - TestArmy IT Security - TestArmy
IT Security - TestArmy TestArmy
 
The principles of agile development
The principles of agile developmentThe principles of agile development
The principles of agile developmentRajat Samal
 
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...Dana Gardner
 
Let’s Talk With Luis Jaime Gomez Vazquez About DevOps Solutions
Let’s Talk With Luis Jaime Gomez Vazquez About DevOps SolutionsLet’s Talk With Luis Jaime Gomez Vazquez About DevOps Solutions
Let’s Talk With Luis Jaime Gomez Vazquez About DevOps SolutionsCerebrum Infotech
 
Case studies of Test Driven Development
Case studies of Test Driven DevelopmentCase studies of Test Driven Development
Case studies of Test Driven DevelopmentSimform
 
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...Dana Gardner
 
Carbon Black: Moving to a Cloud Based Next Generation Platform for Endpoint S...
Carbon Black: Moving to a Cloud Based Next Generation Platform for Endpoint S...Carbon Black: Moving to a Cloud Based Next Generation Platform for Endpoint S...
Carbon Black: Moving to a Cloud Based Next Generation Platform for Endpoint S...Mighty Guides, Inc.
 
From DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed ApidaysFrom DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed ApidaysOri Pekelman
 
Winnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOpsWinnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOpsGene Kim
 
Standards Effort Points to Automation Via Common Markup Language for Improved...
Standards Effort Points to Automation Via Common Markup Language for Improved...Standards Effort Points to Automation Via Common Markup Language for Improved...
Standards Effort Points to Automation Via Common Markup Language for Improved...Dana Gardner
 
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...Dana Gardner
 
From 🤦 to 🐿️
From 🤦 to 🐿️From 🤦 to 🐿️
From 🤦 to 🐿️Ori Pekelman
 
When Things Go Bump in the Night
When Things Go Bump in the NightWhen Things Go Bump in the Night
When Things Go Bump in the Nightahamilton55
 
HP's ALM11 Guides Companies Through Shifting Landscape of Application Develop...
HP's ALM11 Guides Companies Through Shifting Landscape of Application Develop...HP's ALM11 Guides Companies Through Shifting Landscape of Application Develop...
HP's ALM11 Guides Companies Through Shifting Landscape of Application Develop...Dana Gardner
 
Rugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps Patterns
Rugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps PatternsRugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps Patterns
Rugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps PatternsEvident.io
 
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...Dana Gardner
 

Similaire à DevOps and Security, a Match Made in Heaven (20)

Capgemini and HPE Team Up to Foster Behavioral Change That Brings Better Cybe...
Capgemini and HPE Team Up to Foster Behavioral Change That Brings Better Cybe...Capgemini and HPE Team Up to Foster Behavioral Change That Brings Better Cybe...
Capgemini and HPE Team Up to Foster Behavioral Change That Brings Better Cybe...
 
2021-10-14 The Critical Role of Security in DevOps.pdf
2021-10-14 The Critical Role of Security in DevOps.pdf2021-10-14 The Critical Role of Security in DevOps.pdf
2021-10-14 The Critical Role of Security in DevOps.pdf
 
Unum Group Architect Charts a DevOps Course to a Hybrid Cloud Future
Unum Group Architect Charts a DevOps Course to a Hybrid Cloud FutureUnum Group Architect Charts a DevOps Course to a Hybrid Cloud Future
Unum Group Architect Charts a DevOps Course to a Hybrid Cloud Future
 
IT Security - TestArmy
IT Security - TestArmy IT Security - TestArmy
IT Security - TestArmy
 
The principles of agile development
The principles of agile developmentThe principles of agile development
The principles of agile development
 
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
 
Let’s Talk With Luis Jaime Gomez Vazquez About DevOps Solutions
Let’s Talk With Luis Jaime Gomez Vazquez About DevOps SolutionsLet’s Talk With Luis Jaime Gomez Vazquez About DevOps Solutions
Let’s Talk With Luis Jaime Gomez Vazquez About DevOps Solutions
 
Case studies of Test Driven Development
Case studies of Test Driven DevelopmentCase studies of Test Driven Development
Case studies of Test Driven Development
 
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
 
Carbon Black: Moving to a Cloud Based Next Generation Platform for Endpoint S...
Carbon Black: Moving to a Cloud Based Next Generation Platform for Endpoint S...Carbon Black: Moving to a Cloud Based Next Generation Platform for Endpoint S...
Carbon Black: Moving to a Cloud Based Next Generation Platform for Endpoint S...
 
From DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed ApidaysFrom DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed Apidays
 
Winnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOpsWinnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOps
 
Standards Effort Points to Automation Via Common Markup Language for Improved...
Standards Effort Points to Automation Via Common Markup Language for Improved...Standards Effort Points to Automation Via Common Markup Language for Improved...
Standards Effort Points to Automation Via Common Markup Language for Improved...
 
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
 
From 🤦 to 🐿️
From 🤦 to 🐿️From 🤦 to 🐿️
From 🤦 to 🐿️
 
When Things Go Bump in the Night
When Things Go Bump in the NightWhen Things Go Bump in the Night
When Things Go Bump in the Night
 
HP's ALM11 Guides Companies Through Shifting Landscape of Application Develop...
HP's ALM11 Guides Companies Through Shifting Landscape of Application Develop...HP's ALM11 Guides Companies Through Shifting Landscape of Application Develop...
HP's ALM11 Guides Companies Through Shifting Landscape of Application Develop...
 
Rugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps Patterns
Rugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps PatternsRugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps Patterns
Rugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps Patterns
 
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
 
Continuous Delivery e-book
Continuous Delivery e-bookContinuous Delivery e-book
Continuous Delivery e-book
 

Dernier

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Dernier (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

DevOps and Security, a Match Made in Heaven

  • 1. DevOps and Security, a Match Made in Heaven Transcript of a Briefings Direct discussion on the relationship between DevOps and security and exploring the impact of security on compliance, risk, and auditing. Listen to the podcast. Find it on iTunes. Get the mobile app for iOS or Android. Sponsor: HP Enterprise Dana Gardner: Hello, and welcome to the next edition of the HP Discover Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing sponsored discussion on IT innovation and how it’s making an impact on people’s lives. Our next DevOps thought leadership discussion explores the impact on security and how those investing in DevOps models can expect to improve their security, compliance, and risk-mitigation efforts. To help us better understand the relationship between DevOps and security, we're joined by two panelists. Please join me welcoming Gene Kim, DevOps researcher and author focused on IT operations, information security and transformation. His most recent book is 'The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win', and his new book coming out soon is called 'The DevOps Cookbook'. Welcome, Gene. Learn the Four Keys to Continuous DevOps Gene Kim: Dana, great to be here. Thank you. Gardner: We're also here with Ashish Kuthiala, Senior Director of Marketing and Strategy for HP DevOps. Welcome back, Ashish. Ashish Kuthiala: Thank you very much Dana. Glad to be here. Gardner: Ashish, let me start with you. Coordinating and fostering increased collaboration between development, the testers, and IT operations has a lot of benefits. We've been talking about that in a number of these discussions, but security specifically. How is DevOps engendering a safer code and an ability to work towards an iterative, continuous approach to improved security? Kuthiala: Dana, I look at security as no different than any other testing that you do on your code. 
Anything that you catch early on in the process, fix it, and close the vulnerabilities is much simpler, much easier, and much cheaper to fix than when the end product is in the hands of the users. At that point, it could be in the hands of thousands of users, deployed in thousands of environments, and it's really very expensive. Even if you want to fix it there, if some trouble Page 1 Gardner
  • 2. happens, there is security breach, you're not just dealing with the code vulnerability but you are also dealing with loss of brand, loss of revenue, and loss of reputation in the marketplace. Gene has done a lot of study on security and DevOps. I would love to hear his point of view on that. Promise is phenomenal Kim: You're so right. The promise of DevOps for advancing the information security objective is phenomenal, but unfortunately, the way most information security practitioners react to DevOps is one of moral outrage and fear. The fear being verbalized is that Dev and Ops are deploying more quickly than ever, and the outcomes haven't been so great. You're doing one release a year, what will happen if they are doing 10 deploys a day. We can understand why they might be just terrified of this. Yet, what Ashish described is that DevOps represents the ideal integration of testing into the the daily work of Dev and Ops. We have testing happening all the time. Developers own the responsibilities of building and running the test. It’s happening after every code commit, and these are exactly same sort of behaviors and cultural norms that we want in information security. After all, security is just another aspect of quality. We're seeing many, many examples of how organizations are creating what some people calling DevOps(Sec), DevOps plus security. One of my favorite examples is Capital One. which calls DevOps in their organization DevOps(Sec). Basically, information security is being integrated into every stage of the software development lifecycle. This is actually what every information security practitioner has wanted for the last two decades. Gardner: Ashish. Kuthiala: Gene, that brings up an interesting thought. As we look at Dev and Ops teams coming together without security, increasingly we talk about how people need to have generally more skills across the spectrum. 
Developers need to understand production systems and to be able to support their code in production. But what you just described, does that mean that’s how the developers and planners start to become security specialist or think like that? What have you seen? Kim: Let's talk about the numbers for a second. I love this ratio of 100 to 10 to 1. For every 100 developers, we have 10 operations people and you have one security person. So there's no way you're going to get the adequate coverage, right? There are not enough security people around. If we can't embed Ops people into these project or service teams, then we have to train developers to care and know when seek help from the Ops experts. Page 2 Kim Kuthiala
We have the similar challenge in information security -- how we train, whether it's about secure coding, regular compliance, or how we create evidence that controls exist and are effective. It is not going to be security doing the work. Instead, security needs to be training Dev and Ops on how to do things securely.

Kuthiala: Are there patterns that they should be looking at in security? Are there any known patterns out there or are there some being developed? What have you seen with the customers that you work with?

Kim: In the deployment pipeline, instead of having just unit tests being run after every code commit, you actually run static code analysis tools. That way you know that it's functionally correct, and the developers are getting fast feedback and then they’re writing things that are potentially more secure than they would have otherwise.

And then alongside that in production, there are the monitoring tools. You're running things like the dynamic security testing. Now, you can actually see how it’s behaving in the production environment. In my mind, that's the ideal embodiment of how information security work should be integrated into the daily work of dev, test, and operations.

Seems contradictory

Kuthiala: It seems a little contradictory in nature. I know DevOps is all about going a little faster, but actually, you’re adding more functionality right up front and slowing this down. Is it a classic case of going slower to go faster? Walk before you can run, until you get to crawl? From my point of view, it slows you down here, but towards the end, you speed up more. Are you able to do this?

Kim: I would claim the opposite. We're getting the best of all worlds, because the security testing is now automated. It’s being done on demand by the developers, as opposed to your opening a ticket, "Gene, can you scan my application?" And I'll get back to you in about six weeks. That’s being done automatically as part of my daily work.
My claim would be not only is it faster, but we'll get better coverage than we had before. The fearful info sector person would ask how we can do this for highly regulated environments, where there are a lot of compliance regimes in place. If you were to count the number of controls that are continuously operating, not only do you have orders and managing more controls, but they are actually operating all the time as opposed to testing once a year.

Kuthiala: From what I've observed with my customers, I have two kind of separate questions here. First, if you look at some of the highly regulated industries, for example, the pharmaceutical industry, it's not just internal compliances and regulations. It's part of security, but they often have to go to the outside agencies for almost physical paperwork kind of regulatory compliance checks.

As they're trying to go towards DevOps and speed this up, they are saying, "How do we handle that portion of the compliance checks and the security checks, because they are manual checks. They're not automated. How do we deal with external agencies and incorporate this in?" What have you seen work really well?

Kim: Last year, at the DevOps Enterprise Summit, we had one bank, and it was a smaller bank. This year, we have five including some of the most well-known banks in the industry. We had manufacturing. I think we had coverage of almost every major industry vertical, the majority of which are heavily regulated. They are all able to demonstrate that not only can you be compliant with all the relevant laws, contractual obligations, and regulations, but you can significantly decrease the amount of work.

One of my favorite examples came from Salesforce. Selling to the Federal government, they had to apply with FedRAMP. One of the things that they got agreement on from security, compliance groups, and change management was that all infrastructure changes made through the automation tools could be considered a standard change.

In other words, they wouldn’t require review and approval, but all changes that were done manually would still require approvals, which would often take weeks. This really shows that we can create this fast path not just for the people doing the work, but also, this makes some work significantly easier for security and compliance as well.

Human error

Kuthiala: And you're taking on the human error possibility in there. People can be on vacation, slowing things down. People can be sick. People may not be in their jobs anymore. Automation is a key answer to this, as you said.

Gardner: One of the things we've been grappling with in the industry is how to get DevOps accelerated into cultures and organizations.
What about the security as a point on the arrow here? If we see and recognize that security can benefit from DevOps and we want to instantiate DevOps models faster, wouldn’t the security people be a good place to be on the evangelistic side of DevOps?

Kim: That’s a great observation, Dana. In fact, I think part of the method behind the madness is that the goal of the DevOps Enterprise Summit was to prove points. We had 50 speakers all from large, complex organizations. The goal was to get coverage of the industry verticals.

I also helped co-host a one-day DevOps Security Conference at the RSA Conference, and this was very much from a security perspective. It was amazing to find those champions in the security community who are driving DevOps objectives. They have to figure out how security fits into the DevOps ecosystem, because we need them to show that the water is not only just safe, but the water is great.

Kuthiala: This brings up a question, Gene. For any new project that kicks off, it’s a new company. You can really define the architecture from scratch, thus enabling you a lot of practices you need to put in place, whether it's independent deliverables and faster deliverables, all acting independent of each other.

But for the bigger companies and enterprise software that’s being released -- we've discussed this in our past talks -- you need to look at the architecture underneath it and see how we can modernize this to do this.

So, when you start to address security, how do you go about approaching that, because you know you're dealing with a large base of code that’s very monolithic? It can take thousands of people to release something out to the customers. Now, you're trying to incorporate security into this with any new features and functions you add.

I can see how you can start to incorporate security and the expertise into it and scan it right from development cycle. How do you deal with that big component of the architecture that’s already there? Any best practices?

Kim: One of the people who have best articulated the philosophy is Gary Gruver. He said something that, for me, was very memorable. If you don’t have automated testing, and I think his context was very much like unit testing, automated regression testing, you have a fundamentally broken cost model, and it becomes too expensive. You get to a point where it becomes too expensive to add features.

That’s not even counting security testing. You get to a point where not only it is too expensive, but it becomes too risky to change code.
So, just as marketing is too important to leave to the marketing people, and quality is too important to leave to the QA people -- so too security is too important to leave just to the security people. We have to fully empower developers to get feedback on their work and have them fully responsible for not just the features, but the non-functional requirements, testability, deployability, manageability, and security.

A better way

Gardner: Assume that those listening and reading here today are completely swayed by our view of things and they do want to have DevOps with security ingrained. Are there not also concurrent developments around big data and analytics that give them a better way to do this, once they've decided to do it.
It seems to me that there is an awful lot of data available within systems, whether it's log files, configuration databases. Starting to harness that affordably, and then applying that back to those automation capabilities is going to be a very powerful synergistic value. How does it work when we apply big data to DevOps and security, Ashish?

Kuthiala: Good question, Dana. You're absolutely right with data sources now becoming easy, bringing together data sources into one repository and at an affordable cost. We're starting to build analytics on top of that and this has been applied in a number of areas.

The best example I can talk about is how HP has been working on an IP creation of the area of testing using big data analytics. So, if we have to go faster and we have to release software every hour or every two, versus every six to eight months, you need to test it as fast as well. You can no longer afford to go and run your 20,000 tests based on this one-line change of code.

You have to be able to figure out what modules are affected, which ones are not, and which ones are likely to break. We're starting to do some intelligent testing inside of our labs and we're finding that we're about 80 to 85 percent accurate in predicting what to test and not to test and what features are reflected or not.

Similarly, using the big data analytics and the security expertise that Gene talked about, you need to start digging through and analyzing exactly the same as we run any test. What security vulnerabilities do you want to test, which functions of the code? And it’s just a best practice moving forward that you start to incorporate the big data analytics into your security testing.

Gardner: Gene.

Kim: You were implying something that I just want to make explicit. One of the most provocative notions that Ashish and I talked about was to think about all the telemetry and all the data that the build mechanisms create.
You start putting in all the results of testing, and suddenly we have a much better basis of where we apply our testing effort.

If we actually need to deploy faster, even if we completely automate our tests, and even if we parallelize them and run them across thousands of servers and if that takes days, we may be able to use data to tell us where to surgically apply testing so we make an informed decision on whether to deploy or not. That's an awesome potential.

Gardner: Speaking of awesome potentials, when we compress the feedback loops using this data, when development and operations are collaborating and communicating very well, it seems to me that we're also moving from a reactive stance to security issues, closer to a proactive stance with certainly as little time as possible.

One of the notions about security is that you can’t prevent people from getting in, but you can limit the damage they can do when they do get in. It seems to me that if you close a loop between development operations and test, you can get the right remediation out into operations and production much quicker. Therefore you can almost behave like we had seen with anti-malware software, where the cycle between the inception of a problem, the creation of the patch, and then deployment of the patch was very, very short.

Is that vision pie in the sky or is that something we could get to when DevOps and security come together, Gene?

Key to prevention

Kim: You're right on. The way an auditor would talk about it is that there are things that we can do to prevent, that’s code review, that’s automated code testing and scanning. Making libraries available so that developers are choosing things and deploying them in a secured state are all preventive controls.

If we can make sure that we have the best situational awareness we can of the production environment, those are what allow quicker detection recovery. The better we are at that, the better we are at mitigating, effectively mitigating risk.

Kuthiala: Gene, as you were talking, I was thinking. We have this notion of rolling back code when something breaks in production, and that’s a very common kind of procedure. You go back into the lab, fix what didn’t work, and then you roll it back into production. If it works, it's fine. Otherwise, you roll it back and do it over again.

But with the admin of DevOps and those who are doing this successfully, there are no roll backs. They roll forward. You just go forward, because with the discipline of DevOps, if done well, you can quickly put a patch into production within hours, versus months, days, and weeks.

And similarly like you talked about security, you know once a vulnerability is out there that you want to go fix it, you want to issue the patch. With DevOps and security, there are a lot of similarities.

Gardner: Before we close out, is there anything for the future? We've heard a lot about the Internet of Things (IoT), a lot more devices, device types, networks, extended networks, and variable networks.
Is there a benefit with DevOps and security as a tag team, as we look to an increased era of complexity around the IoT sensors and plethora of disparate networks? Ashish?

Kuthiala: The more you talk about IoT, the more holes are open for hackers to get in. I'll give you a classic example. I've been looking forward to the day where my phone is all I carry. I don’t have to open my car with my keys or I can pay for things with it, and we have been getting towards that vision, but a lot of my friends who are in high-tech are actually skeptical.

What happens if you lose your phone? Somebody has access to it. You know their counter argument against that. You can switch off your phone and wipe the data etc. But I think as IoT grows in number, more holes open up. So, it becomes even more important to incorporate your security planning cycles right into the planning and dev cycles.

Gardner: Particularly if you're in an industry where you expect to have an Internet of Things ramp up, getting automation in place, thinking about DevOps, thinking about security as an integral part of DevOps certainly makes a great deal of sense to me. Gene.

Kim: Absolutely, you said it better than I ever could. Yes.

Gardner: We'll have to leave it there. We've been discussing the relationship between DevOps and security and exploring the impact of security on things like compliance and risk and auditing and I would like to thank our guests for a very intriguing discussion.

We've been here with Gene Kim, DevOps Researcher and Author focused on IT operations, information security and transformation. His most recent book is 'The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win', and his new book coming out soon is called 'The DevOps Cookbook'. Thanks so much, Gene.

Kim: Thank you so much.

Gardner: And we have been here with Ashish Kuthiala, Senior Director of Marketing and Strategy for HP DevOps. Thank you, Ashish.

Kuthiala: Thank you very much, Dana.

Gardner: And I'd like to extend a big thank you to our audience as well for joining for this DevOps and security discussion. I'm Dana Gardner, principal analyst at Interarbor Solutions, your host for this ongoing series of HP sponsored discussions. Thanks again for listening and come back next time.

Copyright Interarbor Solutions, LLC, 2005-2015. All rights reserved.