DevSecCon, profile picture
Uploaded byDevSecCon
PDF, PPTX429 views

Why does security matter for devops by Caroline Wong

This document discusses why security matters for DevOps. It begins by introducing the speaker and intended audience. It then explains how the role of security is changing from protecting the perimeter to addressing risks from vendors and mobile endpoints. Security matters for DevOps because major companies have experienced high-profile data breaches, which hurt sales, acquisition, press, and compliance. The document outlines the NIST Cybersecurity Framework approach of identifying, preventing, detecting, responding to, and recovering from incidents. It emphasizes that security for DevOps must be business-driven, on-demand to fit the DevOps toolchain, and built on a culture of trust.

Embed presentation

Download as PDF, PPTX
Why does Security matter for DevOps? Caroline Wong, CISSP Vice President of Security Strategy, Cobalt www.cobalt.io
About Me B.S. in Electrical Engineering and Computer Sciences (U.C. Berkeley) 12 years in Information Security ● Security practitioner at eBay, Zynga ● Product manager at Symantec ● Consultant at Cigital (acquired by Synopsys) Joined Cobalt.io in 2016
About Me / About You In the room, ● Engineers ● Security ● Doing DevOps today ○ Born DevOps ○ Became DevOps ● Thinking about doing DevOps
Agenda ● Why does DevOps matter? ● The changing role of Security ● Why Security matters ● What to do about it ● Key Takeaways
First things first -- Why does DevOps matter?
Businesses do what they need to do to survive and succeed. If their customers need agility then they will evolve to accommodate that.
27% Percentage of organizations that have made the switch to DevOps, according to the 2017 State of DevOps Report
How is the role of Security changing?
Then ● Protect the Perimeter ● SDLC Gates ● On-premise Data Center and Workforce
Now ● Vendor Risk (goes both ways) ● Apps and APIs ● Mobile Workforce Endpoints
Why do you think Security matters for DevOps?
Adobe
Facebook
Amazon
Fidelity
Walmart
Etsy
Netflix
Target
Sony
Nordstrom
Why does Security matter for DevOps? Sales / Acquisition
Why does Security matter for DevOps? Sales / Acquisition Press
Why does Security matter for DevOps? Sales / Acquisition Press Compliance
It’s all about the $$$
So… what to do?
112 control elements
121 control elements
133 control elements
Security for DevOps It’s about preventing unplanned work and rework. It’s also about trust. “Super Tribe”
NIST Cybersecurity Framework 1. Identify 2. Prevent 3. Detect 4. Respond 5. Recover
Identify Prevent Respond RecoverDetect
1. Identify ● Learn the business ○ Learn the DevOps tool chain ○ Understand what functions are critical ● Eliminate scope where you can ● Supply chain management Identify Prevent Re spo nd Re cov er Det ect
2. Prevent ● Attack-driven awareness ○ Learn from the past ● Policy and procedures ○ E.g. change management and secret management ● Reduce technical debt ○ Vendor patches and updates ● On-demand security testing Identify Prevent Re spo nd Re cov er Det ect
3. Detect, Respond, Recover Detect ● Logging, monitoring, alerting Respond ● Incident response planning ○ Supply chain considerations Recover ● Post mortem ● Lessons learned Identify Prevent Re spo nd Re cov er Det ect
Key Takeaways Security for DevOps must be: ● Business driven ○ Understand business risks and tradeoffs ○ Supply chain (both ways) ○ Scoping matters ● On-demand ○ DevOps toolchain (Slack, GitHub, JIRA, etc.) ○ But manual still matters ● Built to fit a culture of trust ○ Real not theoretical ○ Valid not false positive ○ Trust but verify Resources and References ● The Phoenix Project (novel) ● Enabling DevOps: A Security Imperative (podcast) ● 2017 State of DevOps ● DZone’s Guide to Automated Testing ● NIST Cybersecurity Framework ● Special thanks to Mike Shema, Esben Friis-Jensen, Christian Hansen, and Cameron Clifford

More Related Content

PPTX
Security and DevOps Overview
byAdrian Sanabria
 
PDF
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
PPTX
The Journey to DevSecOps
bySeniorStoryteller
 
PDF
Secure Software Development Lifecycle - Devoxx MA 2018
byImola Informatica
 
PPTX
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
PPTX
The road goes ever on and on by Ciaran Conliffe
byDevSecCon
 
PDF
Building Security Controls around Attack Models
bySeniorStoryteller
 
PPTX
The path of secure software by Katy Anton
byDevSecCon
 
Security and DevOps Overview
byAdrian Sanabria
 
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
The Journey to DevSecOps
bySeniorStoryteller
 
Secure Software Development Lifecycle - Devoxx MA 2018
byImola Informatica
 
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
The road goes ever on and on by Ciaran Conliffe
byDevSecCon
 
Building Security Controls around Attack Models
bySeniorStoryteller
 
The path of secure software by Katy Anton
byDevSecCon
 

What's hot

PPTX
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
byOutpost24
 
PPTX
Open Source Defense for Edge 2017
byAdrian Sanabria
 
PDF
The Future of DevSecOps
byStefan Streichsbier
 
PPTX
2016 virus bulletin
byAdrian Sanabria
 
PPTX
451 AppSense Webinar - Why blame the user?
byAdrian Sanabria
 
PPTX
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
byAdrian Sanabria
 
PPTX
Amy DeMartine - 7 Habits of Rugged DevOps
bySeniorStoryteller
 
PDF
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
byTom Stiehm
 
PPTX
Practical Secure Coding Workshop - {DECIPHER} Hackathon
byStefan Streichsbier
 
PPTX
The R.O.A.D to DevOps
bySeniorStoryteller
 
PPTX
A journey from dev ops to devsecops
byVeritis Group, Inc
 
PPTX
Securing a great DX - DevSecOps Days Singapore 2018
byStefan Streichsbier
 
PDF
DevSecOps in 2031: How robots and humans will secure apps together Log
byStefan Streichsbier
 
PPTX
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
byDevOps.com
 
PDF
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
byDevSecCon
 
PDF
Getting to Know Security and Devs: Keys to Successful DevSecOps
byFranklin Mosley
 
PDF
Chaos engineering for cloud native security
byKennedy
 
PDF
Silver Lining for Miles: DevOps for Building Security Solutions
bySeniorStoryteller
 
PDF
Nick Drage & Fraser Scott - Epic battle devops vs security
byDevSecCon
 
PPTX
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
byBlack Duck by Synopsys
 
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
byOutpost24
 
Open Source Defense for Edge 2017
byAdrian Sanabria
 
The Future of DevSecOps
byStefan Streichsbier
 
2016 virus bulletin
byAdrian Sanabria
 
451 AppSense Webinar - Why blame the user?
byAdrian Sanabria
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
byAdrian Sanabria
 
Amy DeMartine - 7 Habits of Rugged DevOps
bySeniorStoryteller
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
byTom Stiehm
 
Practical Secure Coding Workshop - {DECIPHER} Hackathon
byStefan Streichsbier
 
The R.O.A.D to DevOps
bySeniorStoryteller
 
A journey from dev ops to devsecops
byVeritis Group, Inc
 
Securing a great DX - DevSecOps Days Singapore 2018
byStefan Streichsbier
 
DevSecOps in 2031: How robots and humans will secure apps together Log
byStefan Streichsbier
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
byDevOps.com
 
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
byDevSecCon
 
Getting to Know Security and Devs: Keys to Successful DevSecOps
byFranklin Mosley
 
Chaos engineering for cloud native security
byKennedy
 
Silver Lining for Miles: DevOps for Building Security Solutions
bySeniorStoryteller
 
Nick Drage & Fraser Scott - Epic battle devops vs security
byDevSecCon
 
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
byBlack Duck by Synopsys
 

Similar to Why does security matter for devops by Caroline Wong

PDF
The What, Why, and How of DevSecOps
byCprime
 
PPTX
DevSecCon KeyNote London 2015
byShannon Lietz
 
PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PPTX
Is DevOps Braking Your Company?
byconjur_inc
 
PDF
Protecting Agile Transformation through Secure DevOps (DevSecOps)
byEryk Budi Pratama
 
PPTX
Secure DevOPS Implementation Guidance
byTej Luthra
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
PDF
DevOps vs DevSecOps_ What CTOs Must Know Before Scaling Securely.pdf
byDevseccops.ai
 
PDF
2021-10-14 The Critical Role of Security in DevOps.pdf
bySavinder Puri
 
PPTX
ISACA Ireland Keynote 2015
byShannon Lietz
 
PPTX
DevSecCon Keynote
byShannon Lietz
 
PPTX
S360 2015 dev_secops_program
byShannon Lietz
 
PDF
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
PPT
Bio IT World 2015 - DevOps Security and Transparency
byKevin Gilpin
 
DOCX
The Importance of DevOps Security in 2023.docx
byXavor Corporation - Redefining Health Technology
 
PPTX
Introduction to DevSecOps OWASP Ahmedabad
bykunwaratul hax0r
 
DOCX
DevSecOps – The Importance of DevOps Security in 2023.docx
byXavor Corporation - Redefining Health Technology
 
PPTX
The Journey to DevSecOps
byShannon Lietz
 
PDF
Devops is a Security Requirement
byKris Buytaert
 
PPTX
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...
byTroy Marshall
 
The What, Why, and How of DevSecOps
byCprime
 
DevSecCon KeyNote London 2015
byShannon Lietz
 
Introduction to DevSecOps
byabhimanyubhogwan
 
Is DevOps Braking Your Company?
byconjur_inc
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
byEryk Budi Pratama
 
Secure DevOPS Implementation Guidance
byTej Luthra
 
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
DevOps vs DevSecOps_ What CTOs Must Know Before Scaling Securely.pdf
byDevseccops.ai
 
2021-10-14 The Critical Role of Security in DevOps.pdf
bySavinder Puri
 
ISACA Ireland Keynote 2015
byShannon Lietz
 
DevSecCon Keynote
byShannon Lietz
 
S360 2015 dev_secops_program
byShannon Lietz
 
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
Bio IT World 2015 - DevOps Security and Transparency
byKevin Gilpin
 
The Importance of DevOps Security in 2023.docx
byXavor Corporation - Redefining Health Technology
 
Introduction to DevSecOps OWASP Ahmedabad
bykunwaratul hax0r
 
DevSecOps – The Importance of DevOps Security in 2023.docx
byXavor Corporation - Redefining Health Technology
 
The Journey to DevSecOps
byShannon Lietz
 
Devops is a Security Requirement
byKris Buytaert
 
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...
byTroy Marshall
 

More from DevSecCon

PPTX
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Preventative Security for Kubernetes
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
byDevSecCon
 
PDF
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
byDevSecCon
 
PDF
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
byDevSecCon
 
PDF
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
byDevSecCon
 
PPTX
DevSecCon London 2018: Is your supply chain your achille's heel
byDevSecCon
 
PDF
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
byDevSecCon
 
PDF
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
byDevSecCon
 
PPTX
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
byDevSecCon
 
PPTX
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
byDevSecCon
 
PPTX
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
byDevSecCon
 
PDF
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
byDevSecCon
 
PDF
DevSecCon London 2018: Open DevSecOps
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
byDevSecCon
 
PPTX
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
byDevSecCon
 
PPTX
DevSecCon London 2018: Get rid of these TLS certificates
byDevSecCon
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
byDevSecCon
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
byDevSecCon
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
byDevSecCon
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
byDevSecCon
 
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
byDevSecCon
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
byDevSecCon
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
byDevSecCon
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
byDevSecCon
 
DevSecCon London 2018: Is your supply chain your achille's heel
byDevSecCon
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
byDevSecCon
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
byDevSecCon
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
byDevSecCon
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
byDevSecCon
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
byDevSecCon
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
byDevSecCon
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
byDevSecCon
 
DevSecCon London 2018: Open DevSecOps
byDevSecCon
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
byDevSecCon
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
byDevSecCon
 
DevSecCon London 2018: Get rid of these TLS certificates
byDevSecCon
 

Recently uploaded

PPSX
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
PPTX
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
PDF
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
PPTX
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
PDF
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
PPTX
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
PDF
The Accel 2025 Globalscape: Race for compute
byPhilippe Botteri
 
PDF
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PDF
UiPath Veterans Day Acknowledgement and Benefits
byDianaGray10
 
PDF
MathML Core in WebKit
byIgalia
 
PDF
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PDF
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
The Accel 2025 Globalscape: Race for compute
byPhilippe Botteri
 
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
UiPath Veterans Day Acknowledgement and Benefits
byDianaGray10
 
MathML Core in WebKit
byIgalia
 
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 

Why does security matter for devops by Caroline Wong

  • 1.
    Why does Security matterfor DevOps? Caroline Wong, CISSP Vice President of Security Strategy, Cobalt www.cobalt.io
  • 2.
    About Me B.S. inElectrical Engineering and Computer Sciences (U.C. Berkeley) 12 years in Information Security ● Security practitioner at eBay, Zynga ● Product manager at Symantec ● Consultant at Cigital (acquired by Synopsys) Joined Cobalt.io in 2016
  • 3.
    About Me /About You In the room, ● Engineers ● Security ● Doing DevOps today ○ Born DevOps ○ Became DevOps ● Thinking about doing DevOps
  • 4.
    Agenda ● Why doesDevOps matter? ● The changing role of Security ● Why Security matters ● What to do about it ● Key Takeaways
  • 5.
    First things first-- Why does DevOps matter?
  • 6.
    Businesses do whatthey need to do to survive and succeed. If their customers need agility then they will evolve to accommodate that.
  • 7.
    27% Percentage of organizationsthat have made the switch to DevOps, according to the 2017 State of DevOps Report
  • 8.
    How is therole of Security changing?
  • 9.
    Then ● Protect thePerimeter ● SDLC Gates ● On-premise Data Center and Workforce
  • 10.
    Now ● Vendor Risk(goes both ways) ● Apps and APIs ● Mobile Workforce Endpoints
  • 11.
    Why do youthink Security matters for DevOps?
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
    Why does Securitymatter for DevOps? Sales / Acquisition
  • 24.
    Why does Securitymatter for DevOps? Sales / Acquisition Press
  • 25.
    Why does Securitymatter for DevOps? Sales / Acquisition Press Compliance
  • 28.
  • 29.
  • 32.
  • 35.
  • 37.
  • 39.
    Security for DevOps It’sabout preventing unplanned work and rework. It’s also about trust. “Super Tribe”
  • 40.
    NIST Cybersecurity Framework 1.Identify 2. Prevent 3. Detect 4. Respond 5. Recover
  • 41.
  • 42.
    1. Identify ● Learnthe business ○ Learn the DevOps tool chain ○ Understand what functions are critical ● Eliminate scope where you can ● Supply chain management Identify Prevent Re spo nd Re cov er Det ect
  • 43.
    2. Prevent ● Attack-drivenawareness ○ Learn from the past ● Policy and procedures ○ E.g. change management and secret management ● Reduce technical debt ○ Vendor patches and updates ● On-demand security testing Identify Prevent Re spo nd Re cov er Det ect
  • 44.
    3. Detect, Respond,Recover Detect ● Logging, monitoring, alerting Respond ● Incident response planning ○ Supply chain considerations Recover ● Post mortem ● Lessons learned Identify Prevent Re spo nd Re cov er Det ect
  • 45.
    Key Takeaways Security forDevOps must be: ● Business driven ○ Understand business risks and tradeoffs ○ Supply chain (both ways) ○ Scoping matters ● On-demand ○ DevOps toolchain (Slack, GitHub, JIRA, etc.) ○ But manual still matters ● Built to fit a culture of trust ○ Real not theoretical ○ Valid not false positive ○ Trust but verify Resources and References ● The Phoenix Project (novel) ● Enabling DevOps: A Security Imperative (podcast) ● 2017 State of DevOps ● DZone’s Guide to Automated Testing ● NIST Cybersecurity Framework ● Special thanks to Mike Shema, Esben Friis-Jensen, Christian Hansen, and Cameron Clifford