Just when you thought DevOps was the new black, along comes SecDevOps. In this webinar, Andrew Storms, Sr. Director of DevOps at CloudPassage, and Alan Shimel, Co-Founder of DevOps.com, discuss the emerging hybrid role of DevOps and Security. Tune in to hear them cover the following topics and why DevOps should want to play a bigger part in security:
Go beyond the traditional: use DevOps tools, practices and methods to create a force multiplier for SecDevOps
Orchestrate and Automate - Deputize everyone to incorporate security into their day to day responsibilities
Examples of security automation, case situations minimizing risk and driving flexibility for DevOps
See how SaaS provider CloudPassage integrates security into its own development and operations workflows
6. DevOps & Security Division
This is NOT how we do DevOps at CloudPassage.
(Diagram: "Collaboration" vs. "Division": DevOps and Security shown as separate silos around the Plan, Code, Test, Release, Deploy, Operate pipeline)
7. SecDevOps
• Less division
– More collaboration
• Less silos
– More sharing
• Less pipeline
– More chains & links
• Less manual
– More automation
(Diagram: Security at the centre of the Plan, Code, Test, Release, Deploy, Operate cycle)
8. Plan
• Release Sherpa
– Ops, Dev, QA
– See a release through from start to finish
• Change risk management
– What infrastructure changes?
– Unexpected or large code changes?
– Security risk assessment
– Threat vector analysis
9. Code
• Standards enforcement
– Rubocop, Food Critic, Knife-Spork
• Review Process
– Peer & code review
– Continuous application & infrastructure testing
• Git feature branching
– Change control & isolation
10. Test
• Automated code testing
– Over 10k tests run automatically at check-in
– Over 10k QA assertions
– Over 130 smoke test suites
• All the modules & third party integrations
• Deploy verifications
• External automated testing
• External code review
11. Release & Deploy
• Stakeholder approval
• Standardized tools
– Capistrano, Chef
• Deploy testing
– 2-man rule
• System segregation
– Only Ops has production access
12. Operate
• Continuous compliance monitoring
– All systems (prod & non-prod)
– Hourly & daily
– Halo
• Infrastructure security orchestration
– Thousands of control/change points enforced hourly (Chef)
– Validated by Halo
• Continuous risk assessment
– Third-party vulnerability testing of all systems
14. Practical SecDevOps Examples
• Security automation potential
– Cloud APIs have exploded
• Latch on to DevOps momentum
– Take advantage of change
– Make Dev and Ops security stakeholders
• Use IFTTT thinking
– Channels, Triggers, Actions, Ingredients → Recipes
19. SecDevOps in Summary
• Old is new
– Still solving the same problems, but in new ways
• SecDevOps automation
– DevOps is here; SecDevOps is required
– Security automation is here, and is required in the cloud
• Apply IFTTT thinking (If This Then That)
– Channels, Triggers, Actions, Ingredients → Recipes
(need a graphic here. Something like a funnel or other where Channels, Triggers, Actions, Ingredients converge to make a recipe)
Examples
(The same graphic from previous slide, but small)
• If code gets checked in, then run static analysis
• If firewall policy changes, then initiate remote scanner
• If breach, then quarantine
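The three recipes above, expressed as an added illustration (not CloudPassage's tooling) of the IFTTT model: channels emit events, a recipe's trigger matches an event, and its action runs only when the ingredients it needs are present. The channel names, event fields and action bodies are constructed for the example; real actions would call a SAST tool, scanner or cloud API.

```python
"""Tiny IFTTT-style security automation engine (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, str]           # e.g. {"channel": "git", "type": "push", ...}
Action = Callable[[Event], str]  # returns a line for the audit log


@dataclass
class Recipe:
    name: str
    channel: str                      # which feed the event must come from
    trigger: Callable[[Event], bool]  # "If this ..."
    action: Action                    # "... then that"
    ingredients: List[str] = field(default_factory=list)  # fields the action needs

    def matches(self, event: Event) -> bool:
        return event.get("channel") == self.channel and self.trigger(event)

    def run(self, event: Event) -> str:
        missing = [k for k in self.ingredients if k not in event]
        if missing:  # never act on an incomplete event; record why instead
            return f"{self.name}: skipped, missing ingredients {missing}"
        return f"{self.name}: " + self.action(event)


# Actions: hypothetical stand-ins that only describe what they would do.
def run_static_analysis(e: Event) -> str:
    return f"static analysis queued for {e['repo']}@{e['commit']}"

def start_remote_scan(e: Event) -> str:
    return f"external scan started against {e['host']}"

def quarantine_host(e: Event) -> str:
    return f"{e['host']} moved to quarantine security group"


RECIPES = [
    Recipe("sast-on-checkin", "git", lambda e: e.get("type") == "push",
           run_static_analysis, ["repo", "commit"]),
    Recipe("rescan-on-fw-change", "config",
           lambda e: e.get("type") == "firewall_policy_changed",
           start_remote_scan, ["host"]),
    Recipe("quarantine-on-breach", "ids", lambda e: e.get("severity") == "critical",
           quarantine_host, ["host"]),
]


def dispatch(event: Event, recipes: List[Recipe] = RECIPES) -> List[str]:
    """Run every recipe whose channel and trigger match; return the audit log."""
    return [r.run(event) for r in recipes if r.matches(event)]
```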
Feel free to change these points to your sales next steps.