DevOps and the Future of Information Security
Darin Morris
@techdevdarin
in/darinmorris
2018
What we’re going to talk about
Thoughts I’ve had around DevOps and Security
1. In general: what it really means to do DevOps
2. In particular: how “doing DevOps” affects how we secure data and computer-centric information systems
Motivation for this talk
• I want “information technology practitioners” to become more professional, more productive and happier at work.
There are many reasons, but some of the main ones are:
• Information systems need to be of higher quality and delivered faster; we need to really understand the DevOps philosophy to do that well.
• Security is often an afterthought in the IT systems lifecycle; that needs to change.
• We need a common, meaningful language, not buzzwords!
DevOps and Security are very broad domains!
So can we cover enough in only 35 minutes?!
SOMEONE ONCE TOLD ME NOT TO BITE OFF MORE THAN I COULD CHEW

I said I’d rather CHOKE ON GREATNESS THAN NIBBLE ON MEDIOCRITY.
Let’s get to know each other a little better!
Does this sound like your role?
• Sales or Relationship Management
• Marketing
• Finance
• Leadership (C-Suite)
• Human Resources
• Business Analyst / Big Data Analyst
• General Administrator
• In-house Legal
• Project Manager or Coordinator
• Product Manager/Owner
• Software Architect
• Software Engineer
• Test Engineer
• Provision and Manage IT Infrastructure (IT Ops)
• Dedicated Security or Compliance
• Something else?
OK! Less about you. More about me!
Fun facts about me
• Most used programming languages: C#, JavaScript
• “SiliconCape Native”
• First PC: Pentium 1 with Windows 95
• First programming language: Java (JDK 1.3)
Professional background
• I’m a self-taught “Technologist” and I solve problems using technology.
• I’ve been a founder, manager, team lead and software engineer, in various sectors, and in teams of different shapes and sizes.
• Microsoft Certified Professional
• Certified ScrumMaster
• In the process of completing CSSLP, ITIL and ISTQB certifications.
• Member of a number of professional IT associations and bodies, e.g. OWASP, ISACA, IITPSA
• Full-time full-stack software engineer for the past 13 years, primarily focused on web and cloud-native software.
Let’s play a game!
Question #1: True or False? DevOps is only done by technical staff.
Question #2: True or False? DevOps is a Role.
Question #3: True or False? DevOps is a way of thinking about how we do work.
What is DevOps really?
Myth #1: DevOps replaces Agile
• DevOps principles and practices are compatible with Agile
• DevOps is a logical continuation of Agile
• Agile serves as an effective enabler of DevOps
Myth #2: DevOps is incompatible with ITIL
• The two can be made compatible: many ITIL process areas simply become automated.
Myth #3: DevOps is incompatible with InfoSec and Compliance
• Controls are integrated into every stage of the daily work of the SDLC, resulting in better quality, security and compliance outcomes.
Image credit: Checkmarx Software Exposure platform (www.checkmarx.com)
Myth #4: DevOps means eliminating IT Operations
• Rarely the case. The nature of IT Operations work just changes.
• IT Ops collaborates far earlier in the SDLC with development.
• IT Ops enables developer productivity through APIs and self-service platforms that create environments, test and deploy code, monitor and display production telemetry, etc.
• IT Ops becomes more like Development, i.e. engaged in product development for developers.
Myth #5: DevOps is just Infrastructure as Code
• “DevOps isn’t about automation, just as astronomy isn’t about telescopes” - Christopher Little
What DevOps really boils down to
DevOps is about teamwork that enables the efficient creation of value.
So, how is Security affected?
Security and DevOps - DevSecOps?
• Security is fundamentally about mitigating risk (you’ll never be 100% secure).
• Mitigating risk is enabled by maintaining integrity, availability and confidentiality.
• Security principles haven’t changed; the way we implement security has.
Security Principles and Concepts
• Confidentiality, Integrity, Availability
• Fail Securely
• Minimize Attack Surface
• Least Privilege
• Auditing
• Keep Things Simple (Economy of Mechanism)
• Separation of Duties/Privilege
• Psychological Acceptability
• Single Point of Failure
• Defense in Depth
• Leverage Existing Components
• Open Design
• Complete Mediation
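The principles above are easy to list and easy to get wrong in a pipeline gate or an internal self-service API. As an added example that is not part of the original slides, the Python sketch below puts a fail-open authorization shortcut beside a gate built on three of the listed principles: fail securely (the default decision is deny, including when the policy backend errors), complete mediation (no action bypasses the check) and auditing (every decision, including error-caused denials, is recorded). The policy table, the simulated policy-store outage and all role and resource names are constructed for illustration.

```python
"""Added illustration of 'fail securely', 'complete mediation' and 'auditing'.

Not code from the original slides. The policy table, the simulated policy-store
outage and every role/resource name below are constructed for this example.
"""
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Constructed policy: (action, resource) -> roles allowed to perform it.
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("deploy", "prod-cluster"): {"release-manager"},
    ("deploy", "staging-cluster"): {"developer", "release-manager"},
    ("read", "prod-logs"): {"developer", "release-manager", "sre"},
}


class PolicyStoreError(Exception):
    """Stands in for a real backend failure (network, database, IAM outage)."""


def lookup_roles(action: str, resource: str, outage: bool = False) -> Optional[Set[str]]:
    """Return the roles permitted for (action, resource), or None if no rule exists.
    outage=True simulates the policy backend being unreachable."""
    if outage:
        raise PolicyStoreError("policy store unavailable")
    return POLICY.get((action, resource))


def fail_open_authorize(user_roles: Sequence[str], action: str, resource: str,
                        outage: bool = False) -> bool:
    """Anti-pattern. Three defects a reviewer should flag:
    - 'read' skips the check entirely (incomplete mediation);
    - a backend error is swallowed and treated like 'no rule';
    - 'no rule' is treated as permission (fail open)."""
    if action == "read":
        return True
    try:
        allowed = lookup_roles(action, resource, outage)
    except PolicyStoreError:
        allowed = None
    if allowed is None:
        return True
    return bool(set(user_roles) & allowed)


AuditRecord = Tuple[Tuple[str, ...], str, str, bool, str]


def fail_secure_authorize(user_roles: Sequence[str], action: str, resource: str,
                          outage: bool = False,
                          audit: Optional[List[AuditRecord]] = None) -> bool:
    """Reference-monitor style gate: every access goes through here (complete
    mediation), the default decision is deny and only an explicit role match
    flips it (fail securely / least privilege), and every decision, including
    denials caused by errors, is appended to the audit trail (auditing)."""
    decision = False
    try:
        allowed = lookup_roles(action, resource, outage)
        if allowed is None:
            reason = "no matching rule"
        elif set(user_roles) & allowed:
            decision, reason = True, "role match"
        else:
            reason = "role not permitted"
    except PolicyStoreError as exc:
        reason = f"policy store error: {exc}"
    if audit is not None:
        audit.append((tuple(user_roles), action, resource, decision, reason))
    return decision


def demo() -> List[AuditRecord]:
    """Run the same constructed requests through both gates; return the secure
    gate's audit trail so the decisions can be inspected programmatically."""
    trail: List[AuditRecord] = []
    requests = [
        (["developer"], "deploy", "prod-cluster", False),        # wrong role
        (["developer"], "deploy", "prod-cluster", True),         # backend outage
        (["guest"], "read", "prod-logs", False),                 # unchecked path
        (["developer"], "deploy", "unknown-box", False),         # no rule at all
        (["release-manager"], "deploy", "prod-cluster", False),  # legitimate
    ]
    for roles, action, resource, outage in requests:
        open_ = fail_open_authorize(roles, action, resource, outage)
        secure = fail_secure_authorize(roles, action, resource, outage, trail)
        print(f"{roles!r:22} {action:7} {resource:16} outage={outage!s:5} "
              f"fail-open={open_!s:5} fail-secure={secure}")
    return trail


if __name__ == "__main__":
    demo()
```

Running the block shows the fail-open gate granting three of the four requests it should refuse (the outage, the unchecked read and the unknown resource), while the fail-secure gate denies all four and records why. The point for a DevOps pipeline is that the gate's behaviour under backend failure is a design decision you make once, not something to discover during an incident.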
That’s a wrap!
Connect with me:
@techdevdarin
in/darinmorris


Editor's Notes

  • #3 Aims: 1.1. Cover key principles. 1.2. Take the audience on a journey to my “aha” moment. 2. Delve into the impact of DevOps on security. Clarify terms and concepts (Information Technology, Technology, DevOps, QA, Security). Provoke reflection on the way the audience currently does work and thought about what can be done better. Drive home the importance of security in software.
  • #4 Is a pen and paper information technology?
  • #5 Disclaimer 1: I may be biased; I’m a software developer. I’ve been thinking about this stuff a lot lately, but I’m probably ignorant of something. There is enough content to write about, never mind a short talk.
  • #6 Disclaimer 2: There is potentially a lot we could cover, but we have very little time.
  • #7 Disclaimer 2: There is potentially a lot we could cover, but we have very little time.
  • #8 I make joke. Har har.
  • #16 Answer: False. Reason: DevOps isn’t any single person’s job. It’s everyone’s job.
  • #17 Answer: False. Reason: DevOps isn’t any single person’s job. It’s everyone’s job.
  • #18 Answer: False. Reason: DevOps isn’t any single person’s job. It’s everyone’s job.
  • #20 DevOps is a lot like the Standard Model of particle physics.
  • #21 Agile 2008 conference, Toronto. Patrick Debois coined the term DevOps when he organized the first DevOpsDays conference in 2009.
  • #29 DevOps is a lot like the Standard Model of particle physics.