DevOps to DevSecOps: Two Dimensions of Security in a DevOps Enterprise
Sanjeev Sharma
CTO, DevOps Technical Sales and Adoption
IBM Distinguished Engineer
@sd_architect
#WhoAmI
• 20+ Years in Software Development and Delivery
• IBM’s Client-facing CTO for DevOps
• Author: DevOps For Dummies - http://ibm.co/devopsfordummies
• Write DevOps and Cloud Adoption Blog: http://bit.ly/sdarchitect
DevOps Overview
DevOps: Origins
DevOps approach: Apply Lean principles to accelerate feedback and improve time to value
[Diagram labels: People, Process, Line-of-business, Customer]
1. Get ideas into production fast
2. Get people to use it
3. Get feedback
Continuously Improve:
I. Application Delivered
II. Environment Deployed
III. Application and Environment Delivery Process
Delivering a Business Capability: Multi-Speed IT
[Diagram: pipelines for Application A, Application B, Application C and Application N, each with stages Development, SCM, Build, Package Repo, Deploy; further labels: Test, Stage, Production, Enterprise Release, Business Capability]
Agile/Innovation Edge: Rapid Delivery for Innovation • Agile • Antifragile • Experimentation • New and Innovative • Hybrid Cloud • PaaS
Industrialized Core: Deliver at regular cadence • Waterfall -> Agile • Stability • Predictability • Lean Delivery pipeline • Core and Legacy
Hybrid Infrastructure – Physical, Cloud • IaaS/PaaS
Security and the Application Delivery Pipeline
Three (Two) Dimensions of Security
1. Secure the Perimeter
2. Secure the Delivery Pipeline
3. Secure the Deliverable
http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/
1. Secure the Perimeter
Out of Scope for this session
2. Secure the Delivery Pipeline
• Secure Engineering
• Patch Management
• Secure Build and Deploy
• Availability and Business Continuity
• Separation of Duties
• Security Evaluation and Learning
[Diagram: delivery pipeline stages: Development, SCM, Build, Package Repo, Deploy, Testing, Staging, Production, Feedback, Planning, Manage]
3. Secure the Deliverable
[Diagram: FullStack Blueprint layers: Application, Middleware Config, Middleware, OS Config, Hardware; Policies]
Secure:
• Code
• Scripts
• Packages
• Components
• Configurations
• Content
• Policies
• Roles
[Diagram: delivery pipeline stages: Development, SCM, Build, Package Repo, Deploy, Testing, Staging, Production, Feedback, Planning, Manage]
Risks and Vulnerabilities - Delivery Pipeline and Deliverables
1. Vulnerabilities related to the supply chain
2. Insider attacks
3. Errors and mistakes in the development project
4. Weaknesses in the design, code, and integration
5. API Economy and Security
http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/
Vulnerabilities related to the supply chain
[Diagram: External Supplier A, External Supplier B, Internal Supplier A and Internal Supplier B shown with the delivery pipeline stages: Development, SCM, Build, Package Repo, Deploy, Testing, Staging, Production, Feedback, Planning, Manage]
Insider attacks
Errors and mistakes in the development project
[Diagram rates: 1 per min / 1 per min; 4 per min / 1 per min; 4 per min / 4 per min]
• Reduced Batch size
• Continuous Validation:
– Continuous Security Testing
– Testing small batches in every Sprint
• Antifragile Systems
– Servers are ‘cattle’ not ‘pets’
– MTBF vs MTTR
Weaknesses in the design, code, and integration
http://www-03.ibm.com/security/secure-engineering/
The API economy and security
https://developer.ibm.com/architecture/gallery/APImanagement
The API economy and security: Implementation
https://developer.ibm.com/architecture/gallery/APImanagement
1. API Key management
2. API provider/consumer Identity Management
3. API Access control
4. API Usage management/throttling
5. API Security Incident Monitoring
6. API Logging and audit trail
DevOps Reference Architecture
Adopting a (Secure) DevOps Architecture
https://developer.ibm.com/architecture/devOps
Solution Architecture: DevOps Multi-Speed IT
https://developer.ibm.com/architecture/gallery/devOpsMultiSpeed
Start Here: Value Stream Mapping for Identifying and Addressing bottlenecks
Mapping your Delivery Pipeline
[Diagram: delivery pipeline map from Idea/Feature/Bug Fix/Enhancement to Production. Stages: Development, Build, QA, SIT, UAT, Prod. Roles: PMO, Requirements/Analyst, Developer, Build Engineer, QA Team, Integration Tester, User/Tester, Operations, Deployment Engineer, Release Management, Line of Business, Customers, Customer or Customer Surrogate. Other labels: Code Repository, Artifact Repository, Infrastructure as Code/Cloud Patterns, Deploy, Get Feedback, Feedback, Metrics - Reporting/Dashboarding, Tasks, Artifacts]
DevOps Innovation Workshop
Review the current state
1. Business goals, IT goals, current initiatives
2. DevOps
3. Requirements
4. Environments
5. Repositories
6. Roles / Organization
7. Metrics
8. Security
Prioritize challenges to be resolved
Create a first pass at an improvement roadmap
The whiteboard
Questions?

From DevOps to DevSecOps: 2 Dimensions of Security for DevOps