Zero to Ninety in Securing DevOps
J Wolfgang Goerlich
VP Strategic Programs, CBI
CIO / CISO
Dev / AppSec / DevOps
Developers / Security
It takes two years for technology to go from builders to breakers.
Zero to Ninety in Securing DevOps
• Relationships
• Perception
• Competency
• Deliver Wins
Zero to Ninety in Securing DevOps
DevSecOps: Learn, Assess, Plan
Are we really doing DevOps? Really?
Maturity levels: Ad Hoc, Defined, Optimized
DevOps: What are our levels of maturity?
What is the CI/CD pipeline?
Wait … pipelines?
Who’s who?
Establish relationships.
Wins
• Directory of people
• Inventory of DevOps’d apps
• Inventory of CI/CD pipelines
• Stay alive (task and stress management)
DevSecOps: Learn, Assess, Plan
Code Review, SCA
Don’t go too fast.
Assess. Don’t audit. (No one likes auditors)
Build a Checklist.
Hug a Checklist
• NIST SP 800-64 Development Lifecycle
• NIST SP 800-190 Container Security
• ISO 27002 (Yeah, I know)
• ISO 27034 Application Security
• CSA Guidance 4.0 Application Security
• BSIMM, SAMM Maturity
And the most important checklist of them all … the one from the Customers.
Follow the money.
Assess and? Build relationships.
Wins
• Find a champion
• Find a pilot pipeline
• Define a maturity model
• Still alive (task and stress management)
Deliverables
• Advisory council
• Business case
• Security backlog
DevSecOps: Learn, Assess, Plan
Threat Model, Vuln
Measure success.
Define metrics.
Create a culture of quality and security one line of code at a time.
30 / 60 / 90
Security as a Product
• Features: Security Requirements
• Process: Borrow from DevOps
• Experience: Borrow from UXD
Apply industrial design principles and DevOps methods to build our product.
Wins
• Innovators and adopters
• Pipeline security feature
• Communicate roadmap
• Alive! So alive. And kicking!
Deliverables
• Advisory council
• Business case
• Security backlog
DevSecOps: Learn, Assess, Plan
• Relationships
• Perception
• Competency
• Deliver Wins
Follow the Money
Build a Backlog
Define Success
Implement, Iterate
J Wolfgang Goerlich
VP Strategic Programs, CBI
@jwgoerlich
https://jwgoerlich.com
Thank you.