Adrian Sanabria, profile picture
Uploaded byAdrian Sanabria
PPTX, PDF1,241 views

Security and DevOps Overview

This document discusses DevSecOps and the changing role of security in IT. It notes that IT is changing fast due to factors like cloud, DevOps, and agile methodologies while attackers are also adapting quickly. However, security tools and processes are often slow to change. The document explores what DevOps is and where security fits within modern IT approaches. It argues that security practitioners must adapt and change how they work, moving from standalone roles to being integrated within development and operations teams in order to keep up with the pace of change and help ensure security is built into systems from the start.

Technology
Related topics:
Information Security

Embed presentation

Downloaded 30 times
SecDevOps DevSecOps DevOps Which is it? And what is DevOps? And where does security fit?
In case you didn’t already know...
Why are we here? • IT is changing fast. Attackers are changing fast. Defenders don’t. • Security tools must change • Security processes must change • Security practitioners must change
What is DevOps? (No really – what is it? Discuss.)
What is DevOps?
What is DevOps?
SPEED 7
Words: what do they mean? • ‘Full stack’ • Automation Engineer • DevOps Engineer • Agile • Waterfall • Lean • Cloud • DevOps
‘New’ IT
There is a new IT: what is it? 11 Agile/Lean Business Cloud DevOps people and processestools and products results
Welcome to the new IT: key trends Speed 10x faster to prod Agility Integration Automation Developers Convenience Resilience Going faster requires better safety Success Project success increases by 14%-28% 12 NOTE: Success metrics from 2013 Ambysoft and 2015 Chaos Manifesto survey data, comparing projects using Waterfall vs Agile. Agile project success improvements increase with project size.
Why DevOps? 13 DevOps Cloud Agile Business Agile Business DevOps Cloud
Where does security fit?
Pete Cheslock’s analogy https://twitter.com/petecheslock/status/595617204273618944
Stefan Streichsbier’s solution https://www.slideshare.net/StefanStreichsbier/application- security-in-an-agile-world-agile-singapore-2016
The new practitioner
The New Practitioner • Influence design, architecture standards, processes • Automate tasks • Forensics • Security assessments • Identify gaps and recommend fixes • API integration • Data science • Routing, load balancing, nw protocols The Traditional Practitioner • Monitoring security alerts • Manage network security • Manage endpoint security • IR/Forensics • Pentesting • Vulnerability Scanning • Policies/Standards • Compliance/Regs • Log management • DR/BCP and SecAware The Security Practitioner: old versus new
The New Practitioner • Influence design, architecture standards, processes • Automate tasks (code) • Forensics • Security assessments • Identify gaps and recommend fixes (code) • API integration (code) • Data science (code) • Routing, load balancing, network protocols The Traditional Practitioner • Monitoring security alerts • Manage network security • Manage endpoint security • IR/Forensics • Pentesting • Vulnerability Scanning • Policies/Standards • Compliance/Regs • Log management • DR/BCP and SecAware The Security Practitioner: old versus new
Understanding security’s role by understanding IT Traditional approach to security: • Security is always a secondary or enabling layer • Security must have direct knowledge and experience with the underlying layer in order to be effective at protecting it or recommending feasible solutions • Direct experience in core technical disciplines goes a long way in earning respect and cooperation Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops
Understanding security’s role by understanding IT Issues with the traditional approach: • Few security teams can ever be ‘well-rounded’ enough • Security team isn’t qualified to advise much of IT • Adversarial/dysfunctional relationships common • IT changes often; attackers adapt quickly • Defenders and security tools adapt slowly Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops
Security Security’s changing role An example: going ‘cloud-first’ • Lower-level IT layers are outsourced • Most security practitioner knowledge lies in these layers • Infrastructure-heavy security skillsets lose value • Concept of bi-modal IT further confuses things • As IT changes, so must security Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops
Security’s changing role Cloud and DevOps – an opportunity to redesign security: • Smaller ‘well-rounded’ groups • Dev, ops, infrastructure and security roles are shared • Everyone working towards a clear, common goal • Relationship between security and developers is crucial • Security can’t impact delivery schedule Physical OS Layer Network Layer Service Desk Dev, QA, Test; Web/App Layer; Ops Security
Questions What should security’s future role be? • Security is redistributed into IT for all operational tasks • Dedicated security staff performs • high-level design, design/architectural input • monitor changes in risk/attackers/landscape • instruct/consult individual SMEs as needed Physical OS Layer Network Layer Service Desk Dev, QA, Test; Web/App Layer; Ops Security SME Internal Security Team Security SME Security SME Security SME
New rule: if you own it, own it “Whomever is responsible for an asset – be it data, infrastructure, code, or people – must secure it”
Why make asset owners responsible? • No one knows and understands the opportunities, constraints and dependencies of the asset better • Security becomes a bottleneck for performance, progress and often, even security • Little to no time wasted on remediation conflict: what to fix, how to fix it, when and at what priority level • Likely that fewer security issues will occur* • Drives the cost of securing systems down, in terms of labor, efficiency and efficacy** * I’ll explain later ** I’ll explain after that
Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson Reads like a short version of the Phoenix Project
Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson • Creating an independent testing group can encourage counterproductive culture • “Don’t do today what you can push off onto someone else’s plate” • Document and address low hanging fruit • Schedule time for developers to test and fix bugs • To improve code quality, stop the problem at the source • Everyone should understand what they’re building and why • Get testers involved earlier in the process • Bottleneck testing resources and developers are forced to ship higher quality code http://testobsessed.com/wp-content/uploads/2011/04/btwq.pdf
Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson • Could this apply to InfoSec? • Surely not. • In fact, it might be quite worse. • We’ve convinced everyone not just that security is our job, but that we’re the only ones that can do it properly. • What if they believed us?
Security and DevOps Overview

More Related Content

PPTX
DevSecOps Training Bootcamp - A Practical DevSecOps Course
byTonex
 
PDF
Introduction to DevSecOps
bySetu Parimi
 
PDF
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
PPTX
DevOps to DevSecOps Journey..
bySiddharth Joshi
 
PPTX
DEVSECOPS.pptx
byMohammadSaif904342
 
PPTX
DevOps and Tools
byMohammed Fazuluddin
 
PDF
2019 DevSecOps Reference Architectures
bySonatype
 
PPTX
Secure Software Development Life Cycle
byMaurice Dawson
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
byTonex
 
Introduction to DevSecOps
bySetu Parimi
 
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
DevOps to DevSecOps Journey..
bySiddharth Joshi
 
DEVSECOPS.pptx
byMohammadSaif904342
 
DevOps and Tools
byMohammed Fazuluddin
 
2019 DevSecOps Reference Architectures
bySonatype
 
Secure Software Development Life Cycle
byMaurice Dawson
 

What's hot

PDF
The What, Why, and How of DevSecOps
byCprime
 
PDF
DevSecOps Implementation Journey
byDevOps Indonesia
 
PDF
The State of DevSecOps
byDevOps Indonesia
 
PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PDF
DevSecOps: Taking a DevOps Approach to Security
byAlert Logic
 
PDF
Introduction to CICD
byKnoldus Inc.
 
PPTX
Introduction to CI/CD
bySteve Mactaggart
 
PPTX
Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...
bySimplilearn
 
PDF
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
byEdureka!
 
PDF
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
PPTX
Secure SDLC Framework
byRishi Kant
 
PPTX
DevOps introduction
byMettje Heegstra
 
PPTX
Introduction to penetration testing
byNezar Alazzabi
 
PDF
Security in CI/CD Pipelines: Tips for DevOps Engineers
byDevOps.com
 
PDF
CICD with Jenkins
byVietnam Open Infrastructure User Group
 
PDF
Selenium with Cucumber
byKnoldus Inc.
 
PDF
9 reasons why low code no-code platform is the best choice for increasing ado...
byEnterprise Bot
 
PDF
Demystifying DevSecOps
byArchana Joshi
 
PDF
Devops | CICD Pipeline
byBinish Siddiqui
 
PDF
Java Source Code Analysis using SonarQube
byAngelin R
 
The What, Why, and How of DevSecOps
byCprime
 
DevSecOps Implementation Journey
byDevOps Indonesia
 
The State of DevSecOps
byDevOps Indonesia
 
Introduction to DevSecOps
byabhimanyubhogwan
 
DevSecOps: Taking a DevOps Approach to Security
byAlert Logic
 
Introduction to CICD
byKnoldus Inc.
 
Introduction to CI/CD
bySteve Mactaggart
 
Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...
bySimplilearn
 
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
byEdureka!
 
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
Secure SDLC Framework
byRishi Kant
 
DevOps introduction
byMettje Heegstra
 
Introduction to penetration testing
byNezar Alazzabi
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
byDevOps.com
 
CICD with Jenkins
byVietnam Open Infrastructure User Group
 
Selenium with Cucumber
byKnoldus Inc.
 
9 reasons why low code no-code platform is the best choice for increasing ado...
byEnterprise Bot
 
Demystifying DevSecOps
byArchana Joshi
 
Devops | CICD Pipeline
byBinish Siddiqui
 
Java Source Code Analysis using SonarQube
byAngelin R
 

Similar to Security and DevOps Overview

PPTX
Fortify-Application_Security_Foundation_Training.pptx
byVictoriaChavesta
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
PDF
Introduction to Cybersecurity
byKrutarth Vasavada
 
PPTX
Fortify-Application_Security_Foundation_Training.pptx
byYoisRoberthTapiadeLa
 
PPTX
DevOps and the Future of Information Security
byDarin Morris
 
PDF
AppSec in an Agile World
byDavid Lindner
 
PDF
Pivotal Role of HR in Cybersecurity
byMatthew Rosenquist
 
PDF
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
PPTX
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 
PDF
The Future of DevSecOps
byStefan Streichsbier
 
ODP
CISSP Week 12
byjemtallon
 
PDF
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...
byMatthew Rosenquist
 
PPTX
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 
PDF
Outpost24 webinar: Turning DevOps and security into DevSecOps
byOutpost24
 
PPTX
The New Security Practitioner
byAdrian Sanabria
 
PPTX
Cloud, DevOps and the New Security Practitioner
byAdrian Sanabria
 
PPTX
NZISF Talk: Six essential security services
byHinne Hettema
 
PPTX
Solnet dev secops meetup
bypbink
 
PDF
Security of the future - Adapting Approaches to What We Need
bysimplyme12345
 
PDF
Cyber Risk Management in 2017: Challenges & Recommendations
byUlf Mattsson
 
Fortify-Application_Security_Foundation_Training.pptx
byVictoriaChavesta
 
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
Introduction to Cybersecurity
byKrutarth Vasavada
 
Fortify-Application_Security_Foundation_Training.pptx
byYoisRoberthTapiadeLa
 
DevOps and the Future of Information Security
byDarin Morris
 
AppSec in an Agile World
byDavid Lindner
 
Pivotal Role of HR in Cybersecurity
byMatthew Rosenquist
 
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 
The Future of DevSecOps
byStefan Streichsbier
 
CISSP Week 12
byjemtallon
 
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...
byMatthew Rosenquist
 
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
byOutpost24
 
The New Security Practitioner
byAdrian Sanabria
 
Cloud, DevOps and the New Security Practitioner
byAdrian Sanabria
 
NZISF Talk: Six essential security services
byHinne Hettema
 
Solnet dev secops meetup
bypbink
 
Security of the future - Adapting Approaches to What We Need
bysimplyme12345
 
Cyber Risk Management in 2017: Challenges & Recommendations
byUlf Mattsson
 

More from Adrian Sanabria

PPTX
Red Team Framework
byAdrian Sanabria
 
PPTX
451 and Cylance - The Roadmap To Better Endpoint Security
byAdrian Sanabria
 
PPTX
Open Source Defense for Edge 2017
byAdrian Sanabria
 
PPTX
Equifax Breach Postmortem
byAdrian Sanabria
 
PPTX
451 AppSense Webinar - Why blame the user?
byAdrian Sanabria
 
PPTX
2016 virus bulletin
byAdrian Sanabria
 
PPTX
The state of endpoint defense in 2021
byAdrian Sanabria
 
PPTX
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
byAdrian Sanabria
 
PDF
The Products We Deserve
byAdrian Sanabria
 
PPTX
Securing Systems - Still Crazy After All These Years
byAdrian Sanabria
 
PPTX
Ten security product categories you've (probably) never heard of
byAdrian Sanabria
 
PPTX
RSAC 2016: CISO's guide to Startups
byAdrian Sanabria
 
PPTX
Ten Security Product Categories You've Probably Never Heard Of
byAdrian Sanabria
 
PDF
2019 InfoSec Buyer's Guide
byAdrian Sanabria
 
PPTX
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
byAdrian Sanabria
 
PPTX
Lies and Myths in InfoSec - 2023 Usenix Enigma
byAdrian Sanabria
 
PPTX
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
byAdrian Sanabria
 
PPTX
From due diligence to IoT disaster
byAdrian Sanabria
 
PPTX
Indistinguishable from Magic: How the Cybersecurity Market Reached a Trillion...
byAdrian Sanabria
 
PPTX
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
byAdrian Sanabria
 
Red Team Framework
byAdrian Sanabria
 
451 and Cylance - The Roadmap To Better Endpoint Security
byAdrian Sanabria
 
Open Source Defense for Edge 2017
byAdrian Sanabria
 
Equifax Breach Postmortem
byAdrian Sanabria
 
451 AppSense Webinar - Why blame the user?
byAdrian Sanabria
 
2016 virus bulletin
byAdrian Sanabria
 
The state of endpoint defense in 2021
byAdrian Sanabria
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
byAdrian Sanabria
 
The Products We Deserve
byAdrian Sanabria
 
Securing Systems - Still Crazy After All These Years
byAdrian Sanabria
 
Ten security product categories you've (probably) never heard of
byAdrian Sanabria
 
RSAC 2016: CISO's guide to Startups
byAdrian Sanabria
 
Ten Security Product Categories You've Probably Never Heard Of
byAdrian Sanabria
 
2019 InfoSec Buyer's Guide
byAdrian Sanabria
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
byAdrian Sanabria
 
Lies and Myths in InfoSec - 2023 Usenix Enigma
byAdrian Sanabria
 
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
byAdrian Sanabria
 
From due diligence to IoT disaster
byAdrian Sanabria
 
Indistinguishable from Magic: How the Cybersecurity Market Reached a Trillion...
byAdrian Sanabria
 
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
byAdrian Sanabria
 

Recently uploaded

PDF
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
PPTX
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
PPTX
Odoo_by_Infinys_All_in_One_Business_Solution_for_Small_Companies.pptx
byAgusto Sipahutar
 
PDF
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
PPTX
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
PDF
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
PDF
Getting started with Agent Framework.pdf
byNilesh Gule
 
PDF
UiPath Veterans Day Acknowledgement and Benefits
byDianaGray10
 
PDF
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
PDF
The Accel 2025 Globalscape: Race for compute
byPhilippe Botteri
 
PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PDF
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
PDF
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
PDF
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PDF
Catalog Data - Keys to the Kingdom.pdf‎ ‎
byPrecisely
 
PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
Odoo_by_Infinys_All_in_One_Business_Solution_for_Small_Companies.pptx
byAgusto Sipahutar
 
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
Getting started with Agent Framework.pdf
byNilesh Gule
 
UiPath Veterans Day Acknowledgement and Benefits
byDianaGray10
 
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
The Accel 2025 Globalscape: Race for compute
byPhilippe Botteri
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
Catalog Data - Keys to the Kingdom.pdf‎ ‎
byPrecisely
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
In this document
Powered by AI

Explores DevOps and its relation to security, emphasizing the fast changes in IT and the need for adaptability.

Introduces new IT trends: Agile frameworks, Cloud adoption, and the importance of speed and resilience.

Discussion on security's essential integration within IT frameworks as technology evolves.

Contrasts traditional and new security roles, highlighting the shift towards proactive security practices.

Analyzes traditional security's limitations and the necessity for security to adapt as IT evolves.

Proposes a model where asset owners handle security responsibilities, improving efficiency and ownership.

Examines the impact of testing roles on quality in both development and security, emphasizing shared responsibility.

Security and DevOps Overview

  • 1.
    SecDevOps DevSecOps DevOps Which is it? Andwhat is DevOps? And where does security fit?
  • 2.
    In case youdidn’t already know...
  • 3.
    Why are wehere? • IT is changing fast. Attackers are changing fast. Defenders don’t. • Security tools must change • Security processes must change • Security practitioners must change
  • 4.
    What is DevOps? (Noreally – what is it? Discuss.)
  • 5.
  • 6.
  • 7.
  • 8.
    Words: what dothey mean? • ‘Full stack’ • Automation Engineer • DevOps Engineer • Agile • Waterfall • Lean • Cloud • DevOps
  • 10.
  • 11.
    There is anew IT: what is it? 11 Agile/Lean Business Cloud DevOps people and processestools and products results
  • 12.
    Welcome to thenew IT: key trends Speed 10x faster to prod Agility Integration Automation Developers Convenience Resilience Going faster requires better safety Success Project success increases by 14%-28% 12 NOTE: Success metrics from 2013 Ambysoft and 2015 Chaos Manifesto survey data, comparing projects using Waterfall vs Agile. Agile project success improvements increase with project size.
  • 13.
  • 14.
  • 16.
  • 17.
  • 18.
  • 19.
    The New Practitioner •Influence design, architecture standards, processes • Automate tasks • Forensics • Security assessments • Identify gaps and recommend fixes • API integration • Data science • Routing, load balancing, nw protocols The Traditional Practitioner • Monitoring security alerts • Manage network security • Manage endpoint security • IR/Forensics • Pentesting • Vulnerability Scanning • Policies/Standards • Compliance/Regs • Log management • DR/BCP and SecAware The Security Practitioner: old versus new
  • 20.
    The New Practitioner •Influence design, architecture standards, processes • Automate tasks (code) • Forensics • Security assessments • Identify gaps and recommend fixes (code) • API integration (code) • Data science (code) • Routing, load balancing, network protocols The Traditional Practitioner • Monitoring security alerts • Manage network security • Manage endpoint security • IR/Forensics • Pentesting • Vulnerability Scanning • Policies/Standards • Compliance/Regs • Log management • DR/BCP and SecAware The Security Practitioner: old versus new
  • 22.
    Understanding security’s roleby understanding IT Traditional approach to security: • Security is always a secondary or enabling layer • Security must have direct knowledge and experience with the underlying layer in order to be effective at protecting it or recommending feasible solutions • Direct experience in core technical disciplines goes a long way in earning respect and cooperation Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops
  • 23.
    Understanding security’s roleby understanding IT Issues with the traditional approach: • Few security teams can ever be ‘well-rounded’ enough • Security team isn’t qualified to advise much of IT • Adversarial/dysfunctional relationships common • IT changes often; attackers adapt quickly • Defenders and security tools adapt slowly Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops
  • 24.
    Security Security’s changing role Anexample: going ‘cloud-first’ • Lower-level IT layers are outsourced • Most security practitioner knowledge lies in these layers • Infrastructure-heavy security skillsets lose value • Concept of bi-modal IT further confuses things • As IT changes, so must security Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops
  • 25.
    Security’s changing role Cloudand DevOps – an opportunity to redesign security: • Smaller ‘well-rounded’ groups • Dev, ops, infrastructure and security roles are shared • Everyone working towards a clear, common goal • Relationship between security and developers is crucial • Security can’t impact delivery schedule Physical OS Layer Network Layer Service Desk Dev, QA, Test; Web/App Layer; Ops Security
  • 26.
    Questions What should security’sfuture role be? • Security is redistributed into IT for all operational tasks • Dedicated security staff performs • high-level design, design/architectural input • monitor changes in risk/attackers/landscape • instruct/consult individual SMEs as needed Physical OS Layer Network Layer Service Desk Dev, QA, Test; Web/App Layer; Ops Security SME Internal Security Team Security SME Security SME Security SME
  • 27.
    New rule: ifyou own it, own it “Whomever is responsible for an asset – be it data, infrastructure, code, or people – must secure it”
  • 28.
    Why make assetowners responsible? • No one knows and understands the opportunities, constraints and dependencies of the asset better • Security becomes a bottleneck for performance, progress and often, even security • Little to no time wasted on remediation conflict: what to fix, how to fix it, when and at what priority level • Likely that fewer security issues will occur* • Drives the cost of securing systems down, in terms of labor, efficiency and efficacy** * I’ll explain later ** I’ll explain after that
  • 29.
    Better Testing, WorseQuality? Study done in 2000 by Elizabeth Hendrickson Reads like a short version of the Phoenix Project
  • 30.
    Better Testing, WorseQuality? Study done in 2000 by Elizabeth Hendrickson • Creating an independent testing group can encourage counterproductive culture • “Don’t do today what you can push off onto someone else’s plate” • Document and address low hanging fruit • Schedule time for developers to test and fix bugs • To improve code quality, stop the problem at the source • Everyone should understand what they’re building and why • Get testers involved earlier in the process • Bottleneck testing resources and developers are forced to ship higher quality code http://testobsessed.com/wp-content/uploads/2011/04/btwq.pdf
  • 31.
    Better Testing, WorseQuality? Study done in 2000 by Elizabeth Hendrickson • Could this apply to InfoSec? • Surely not. • In fact, it might be quite worse. • We’ve convinced everyone not just that security is our job, but that we’re the only ones that can do it properly. • What if they believed us?

Editor's Notes

  • #8 Just read the tweet.
  • #12 DevOps is a combination of culture, processes and principles. This is the most challenging aspect of what we’re talking about today, because it fundamentally transforms how IT works And ultimately the combination of DevOps and new technologies like cloud are having a permanent impact on how businesses operate.
  • #13 Speed: First production release going out in the time it took hardware to ship to our doorsteps Agility: The ability to add/remove/change infrastructure at will without significant capital expense Resilience: Could also be thought of as “survivability”. With this much automation, the application must be resilient, and IT must plan for a range of contingencies. Bonus: you’ve planned for DR/BCP simultaneously! Success
  • #14 Why DevOps? It isn't a fad, it is simply the most efficient, reliable and successful way we've found so far to build and run software. In the beginning, IT led the charge as an experiment and a way to fix/alleviate issues. Now that the business has seen the value in it, it has gone from fad/trend to requirement and permanent change. There’s no going back.
  • #20 I'm talking about people, but this is all text, it's a list Focus on the message - again, try to use icons Right now, the slide doesn't show the differences very well Don't necessarily need to use the lists Could ask the audience what differences they see, and then reveal the actual differences - look at how diff tools show the difference visually
  • #21 I'm talking about people, but this is all text, it's a list Focus on the message - again, try to use icons Right now, the slide doesn't show the differences very well Don't necessarily need to use the lists Could ask the audience what differences they see, and then reveal the actual differences - look at how diff tools show the difference visually
  • #23 We could also throw some other things in here as well. People (security awareness training) HR Data Supply Chain/Third party partners Compliance/regulation Design/Architecture Identity
  • #24 We could also throw some other things in here as well. People (security awareness training) HR Data Supply Chain/Third party partners Compliance/regulation Design/Architecture Identity
  • #25 We could also throw some other things in here as well. People (security awareness training) HR Data Supply Chain/Third party partners Compliance/regulation Design/Architecture Identity
  • #26 We could also throw some other things in here as well. People (security awareness training) HR Data Supply Chain/Third party partners Compliance/regulation Design/Architecture Identity
  • #27 Just an idea – doesn’t have to be precisely like this. Depends on the business, the culture, trial/error and a hundred other factors. The general idea though, is to get security responsibility and expertise closer to where the work is done.
  • #30 Introduced an independent test unit, which made the number of bugs go up and software quality go down.
  • #31 Findings More QA = more bugs and longer cycles Created the psychological impact of telling developers that quality is someone else’s problem Insulting; percieved lack of empathy and respect for the developer Solution Tight relationships necessary between QA and Dev QA remains, but with an artificial bottleneck Developers still responsible for deadlines and therefore have to ‘budget’ time for QA Devs write better code to ensure it goes through QA quickly Devs need to be given 10% extra time to ensure better quality code.
  • #32 Also, remember – the two are inseparably linked. When we talk about code quality, we’re also often talking about security - issues with quality is where vulnerabilities come from, right?