#RSAC
SESSION ID: ASD-T07R

Continuous Security: 5 Ways DevOps Improves Security

Joshua Corman
CTO, Sonatype
@joshcorman

David Mortman
Chief Security Architect & Distinguished Engineer, Dell Software
@mortman
@mortman @joshcorman #RSAC #DevOps
10/23/2013

"It's not enough to do your best; you must know what to do, and then do your best." (Deming)
ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK.

Dev's core motivations are to be OnTime, OnBudget, w/ Acceptable Quality/Risk.
"Don't Go Chasin' Waterfalls"

Dev started w/ Waterfall, but modern demands require us to go faster.
ON TIME.                  Faster builds. Fewer interruptions. More innovation.
ON BUDGET.                More efficient. More profitable. More competitive.
ACCEPTABLE QUALITY/RISK.  Easier compliance. Higher quality. Built-in audit protection.

Waterfall's Design -> Dev -> Test -> Deploy may go 1.5-3 yrs b/w releases.
Agile goats; not goat rodeo. "We need to be agile, but not fragile." (@RuggedSoftware)
ON TIME.                  Faster builds. Fewer interruptions. More innovation.
ON BUDGET.                More efficient. More profitable. More competitive.
ACCEPTABLE QUALITY/RISK.  Easier compliance. Higher quality. Built-in audit protection.

Agile / CI

Agile & Lean tightened the Design -> Build -> Test cycle, releasing 6-12+ smaller batches/yr.
DevOps

It may feel like DevOps is Pandora's Box, but it's open… and hope remains. ;)
ON TIME.                  Faster builds. Fewer interruptions. More innovation.
ON BUDGET.                More efficient. More profitable. More competitive.
ACCEPTABLE QUALITY/RISK.  Easier compliance. Higher quality. Built-in audit protection.

DevOps / CD
Agile / CI

Agile made dev faster but wasn't enough. DevOps extends the patterns to Ops 4 mutual gains.
SW Supply Chains

Deming drove Toyota Supply Chains. We can EXTEND DevOps w/ his quality/safety patterns.
ON TIME.                  Faster builds. Fewer interruptions. More innovation.
ON BUDGET.                More efficient. More profitable. More competitive.
ACCEPTABLE QUALITY/RISK.  Easier compliance. Higher quality. Built-in audit protection.

SW Supply Chain
DevOps / CD
Agile / CI

SW SupplyChains enable faster, more efficient dev by reducing elective complexity/risk++.
SW Supply Chains

Our SW Supply Chain is only as strong as its weakest link. Can you say #OpenSSL?

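The "weakest link" point above, worked through as an added example (this is not code from the deck or its authors): a pinned dependency manifest is checked against an advisory feed and the highest-severity affected component is reported, with a release gate that blocks on high or critical findings. The manifest, the component names and versions, and the advisory identifiers (EXAMPLE-ADV-*) are all constructed placeholders for the example, not real advisories.

```python
"""Added example: find the weakest link in an application's software supply chain.

Parses a constructed pip-style manifest ("name==version" per line) and checks each
component against a constructed advisory list. Every identifier below is a placeholder
made up for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real CVE
    component: str
    fixed_in: str      # first version that is no longer affected
    severity: str


# Constructed advisory feed (placeholders).
ADVISORIES = [
    Advisory("EXAMPLE-ADV-1", "tlslib", "1.0.2", "critical"),
    Advisory("EXAMPLE-ADV-2", "yamlparse", "5.4.0", "high"),
    Advisory("EXAMPLE-ADV-3", "imgtool", "8.3.1", "medium"),
]

# Constructed manifest for a hypothetical application.
MANIFEST = """
# direct dependencies
webframework==2.2.0
tlslib==1.0.1
yamlparse==5.4.0
imgtool==8.2.0
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn "1.10.0" into (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text: str) -> Dict[str, str]:
    """Map component name -> pinned version; an unpinned line is an error, since an
    unpinned dependency cannot be checked against any advisory."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def affected(version: str, adv: Advisory) -> bool:
    return parse_version(version) < parse_version(adv.fixed_in)


def find_weak_links(manifest_text: str, advisories=ADVISORIES) -> List[Tuple[str, str, Advisory]]:
    """All (name, version, advisory) hits, most severe first."""
    deps = parse_manifest(manifest_text)
    hits = [(name, ver, adv)
            for adv in advisories
            for name, ver in deps.items()
            if name == adv.component and affected(ver, adv)]
    hits.sort(key=lambda h: SEVERITY_RANK[h[2].severity], reverse=True)
    return hits


def weakest_link(manifest_text: str, advisories=ADVISORIES) -> Optional[str]:
    """Name of the most severely affected component, or None if the chain is clean."""
    hits = find_weak_links(manifest_text, advisories)
    return hits[0][0] if hits else None


def release_gate(manifest_text: str, block_at: str = "high", advisories=ADVISORIES) -> bool:
    """True if the build may ship: no finding at or above the blocking severity."""
    threshold = SEVERITY_RANK[block_at]
    return all(SEVERITY_RANK[adv.severity] < threshold
               for _, _, adv in find_weak_links(manifest_text, advisories))


if __name__ == "__main__":
    for name, ver, adv in find_weak_links(MANIFEST):
        print(f"{adv.severity:9} {name}=={ver} affected, fixed in {adv.fixed_in} ({adv.advisory_id})")
    print("release allowed:", release_gate(MANIFEST))
```

The gate reads the severity threshold as a policy knob: a team that is just starting can block only on critical and tighten the threshold as the backlog of affected components shrinks.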
Comparing the Prius and the Volt

                      Toyota Advantage   Toyota Prius   Chevy Volt
Unit Cost             61%                $24,200        $39,900
Units Sold            13x                23,294         1,788
In-House Production   50%                27%            54%
Plant Suppliers       16% (10x per)      125            800
Firm-Wide Suppliers   4%                 224            5,500

Toyota Prius (v Volt) used 1/6th the suppliers, better leveraged, for 60% of the price & 12x the sales.
DevOps Defined

Is #DevOps a Culture? A Process? A Toolchain? YES; but the greatest of these is Culture/Empathy.
Myths abound RE: Security & #DevOps. We FUD-Haters should deal w/ facts.
RE: #DevOps & Security: You're entitled to your own opinions, but not to your own facts.
MythBusted: "ITIL & ChangeMngt can't be done w/ #DevOps" <- It can even make it easier/better.
True #DevOps + Security isn't all rainbows & unicorns. Unicorn p00p has to be worked thru.
SW Status Quo: Most attacked; least spend

Security spending vs. attack risk (source: normalized CObIT spending across IDC, Gartner, The 451 Group; since groupings vary):

  Host Security      ~$10B
  Data Security      ~$5B
  People Security    ~$4B
  Network Security   ~$20B
  Software Security  ~$0.5B

Within Software Security:
  Written Code Scanning: where the existing dollars go
  Assembled 3rd Party & Open Source Components (~90% of most applications): almost no spending

Worse, w/in Software, existing dollars go to the <= 10% written.

StatusQuo: SW is MOST attacked & gets LEAST SecSpend; most on the 10% of code we write.
Insanity

Einstein's Insanity: We could do the same thing over & over expecting different results.
WRT Security & #DevOps we lose things AND we gain things. We'll look at 5 things we gain.
This was added b/c the Red Hat in the "Lost & Found" made @mortman giggle & he forced it upon @joshcorman.
1) Instrumentation

1) Instrumentation! #DevOps instruments EVERYTHING & Security can use it in MANY ways.
2) Be Mean To Your Code!

2) Be Mean To Your Code! To avoid failure, fail all the time. #ChaosMonkey #Gauntlt #BrakeMan

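"Fail all the time" at unit-test scale, as an added example (not code from the deck, and not how Chaos Monkey, Gauntlt or Brakeman are implemented): a hypothetical authorization check whose token store is wrapped so that calls fail at a chosen rate, plus a harness that runs the check under that injected failure and counts outcomes. The security property under test is that the check fails closed (backend error means "deny"); a fail-open variant is included only so the harness can show what it catches. All names and the token data are made up for the example.

```python
"""Added example: inject dependency failures and check that authorization fails closed.

The deck's "be mean to your code" idea, applied to one security decision: a token store
that is deliberately broken during the test, and a check that must answer "deny", never
"allow", whenever the store is down. Everything here is constructed for the example.
"""
import random
from typing import Callable, Dict, Optional


class TokenStoreDown(Exception):
    """Raised by the chaos wrapper in place of a real backend failure."""


class TokenStore:
    """Constructed in-memory token store standing in for a real backend."""

    def __init__(self, tokens: Dict[str, str]):
        self._tokens = tokens

    def owner_of(self, token: str) -> Optional[str]:
        return self._tokens.get(token)


class Chaos:
    """Wrap a dependency so each method call fails with probability failure_rate.

    The RNG is seeded so a failing run can be reproduced exactly."""

    def __init__(self, target, failure_rate: float, seed: int = 0):
        self._target = target
        self._rate = failure_rate
        self._rng = random.Random(seed)
        self.failures = 0

    def __getattr__(self, name):
        attr = getattr(self._target, name)
        if not callable(attr):
            return attr

        def flaky(*args, **kwargs):
            if self._rng.random() < self._rate:
                self.failures += 1
                raise TokenStoreDown(f"injected failure in {name}")
            return attr(*args, **kwargs)
        return flaky


def authorize(store, token: str, resource_owner: str) -> str:
    """Fail-closed check: any backend error is a 'deny'."""
    try:
        owner = store.owner_of(token)
    except TokenStoreDown:
        return "deny"
    return "allow" if owner == resource_owner else "deny"


def authorize_fail_open(store, token: str, resource_owner: str) -> str:
    """The anti-pattern the harness is meant to catch: the error path assumes the
    caller is the owner, so an outage becomes an authorization bypass."""
    try:
        owner = store.owner_of(token)
    except TokenStoreDown:
        owner = resource_owner
    return "allow" if owner == resource_owner else "deny"


def sanity_allow() -> str:
    """Without chaos, a legitimate request is allowed (the check is not simply 'deny')."""
    return authorize(TokenStore({"tok-alice": "alice"}), "tok-alice", "alice")


def chaos_run(check: Callable, failure_rate: float, trials: int = 1000) -> Dict[str, int]:
    """Run `check` for a request that must never be allowed (alice's token, bob's
    resource) while the store fails at `failure_rate`; return outcome counts."""
    store = Chaos(TokenStore({"tok-alice": "alice"}), failure_rate)
    counts = {"allow": 0, "deny": 0}
    for _ in range(trials):
        counts[check(store, "tok-alice", "bob")] += 1
    counts["failures"] = store.failures
    return counts


if __name__ == "__main__":
    print("fail-closed:", chaos_run(authorize, 0.5))
    print("fail-open:  ", chaos_run(authorize_fail_open, 0.5))
```

Run as a CI test, the assertion that `allow` stays at zero under injected failure is the "fail all the time" version of a security requirement: the outage is rehearsed on every build instead of discovered in production.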
3) Complexity Is the Enemy of "All The Things"! All #DevOps parties benefit from reducing complexity.
Decomposition lowers complexity, adds security and reliability.
Simple > Complex. Simple != Easy though. There is no easy button, but there is an easiER one.
4) Implicit and Explicit Change Management. Change is good and leads to stability and fights stagnation.

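Points 1) and 4) together, as an added example (not code from the deck or its authors): the deploy and configuration-change events that a DevOps pipeline already emits are read back to check change management. A change is implicitly approved when it came out of a known pipeline run, explicitly approved when it cites a change record and lands inside that record's window, and flagged otherwise. The event lines, field names, change identifiers and pipeline run identifiers are constructed for the example and do not follow any particular tool's schema.

```python
"""Added example: audit change management from instrumentation events.

Implicit approval: the change was produced by a known CI/CD pipeline run.
Explicit approval: the change cites an approved change record and happened in its window.
Anything else (a hand edit on a host, a deploy with no pipeline run or an unknown change
id) is returned for review. All data below is constructed for the example.
"""
import json
from datetime import datetime, timezone
from typing import Dict, Iterator, List

# Constructed instrumentation stream: one JSON object per line.
EVENTS = """\
{"ts":"2015-04-21T09:00:00Z","host":"web-01","kind":"deploy","actor":"ci-runner","pipeline_run":"run-1041","change_id":null,"artifact":"app-2.2.0"}
{"ts":"2015-04-21T09:05:00Z","host":"db-01","kind":"config","actor":"dba-jane","pipeline_run":null,"change_id":"CHG-2071","path":"/etc/postgresql/pg_hba.conf"}
{"ts":"2015-04-21T23:40:00Z","host":"web-02","kind":"config","actor":"root","pipeline_run":null,"change_id":null,"path":"/etc/ssh/sshd_config"}
{"ts":"2015-04-21T23:41:00Z","host":"web-02","kind":"deploy","actor":"ops-bob","pipeline_run":null,"change_id":"CHG-9999","artifact":"app-2.2.1-hotfix"}
"""

# Constructed approved change records: id -> (window start, window end), UTC.
APPROVED = {
    "CHG-2071": ("2015-04-21T08:00:00Z", "2015-04-21T12:00:00Z"),
}

# Constructed pipeline runs that passed tests on a reviewed commit.
PIPELINE_RUNS = {"run-1041"}


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _events(events_text: str) -> Iterator[Dict]:
    for line in events_text.splitlines():
        if line.strip():
            yield json.loads(line)


def classify(event: Dict) -> str:
    """Return 'implicit', 'explicit' or 'unapproved' for one change event."""
    run = event.get("pipeline_run")
    if run and run in PIPELINE_RUNS:
        return "implicit"
    chg = event.get("change_id")
    if chg in APPROVED:
        start, end = (_parse_ts(x) for x in APPROVED[chg])
        if start <= _parse_ts(event["ts"]) <= end:
            return "explicit"
    return "unapproved"


def audit(events_text: str) -> List[Dict]:
    """Events that are neither pipeline-produced nor covered by an approved change."""
    findings = []
    for ev in _events(events_text):
        ev["status"] = classify(ev)
        if ev["status"] == "unapproved":
            findings.append(ev)
    return findings


def summary(events_text: str) -> Dict[str, int]:
    """How many changes fell into each approval class."""
    counts = {"implicit": 0, "explicit": 0, "unapproved": 0}
    for ev in _events(events_text):
        counts[classify(ev)] += 1
    return counts


if __name__ == "__main__":
    print(summary(EVENTS))
    for f in audit(EVENTS):
        print(f"{f['ts']} {f['host']} {f['kind']} by {f['actor']}: "
              f"{f.get('path') or f.get('artifact')} (change_id={f['change_id']})")
```

The two flagged events are the ones a change advisory board would never see in a paper process: a root edit to a host config and an out-of-hours deploy citing a change record nobody approved. Because the pipeline run is itself the approval record for everything it produces, the pipeline's own changes cost no review time.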
All of Chuck Norris's Change Controls are Full Cycle and they're always approved!
5) Empathy is the killer app! Silos prohibit sharing and empathy….
Madame CISO, Tear Down This Wall!
Defensible Infrastructure | Operational Excellence | Situational Awareness | Countermeasures

Defensible Infrastructure: the software & hardware we build, buy, and deploy. 90% of software is assembled from 3rd party & Open Source; 10% is written.

MOST IMPACT: BUY/BUILD DEFENSIBLE SOFTWARE

DefensibleIT & OpsExcellence have the MOST Security impact, but elude CISO influence. BUT...
Defensible Infrastructure | Operational Excellence | Situational Awareness | Countermeasures
DevOps                    | DevOps                 | DevOps                |

[cont] #DevOps smashes silos & finally enables the MUCH LARGER Security gains in both.
Apply!

- Stop resisting… "Survival isn't mandatory" – Deming
- Josh's RSAC EU Keynote http://youtu.be/m4Y_K7MXQxQ
- Read "The Phoenix Project" by Gene Kim
  - http://itrevolution.com/books/phoenix-project-devops-book/
- Watch videos from RSAC "DevOps Connect" Rugged DevOps Day
  - http://www.sonatype.org/nexus/2015/04/13/devops-connect-secops-editon-at-rsac-2015-speakers-and-schedule/
- Grab tooling:
  - Gauntlt, BrakeMan, Chaos Monkey, and the Simian Army
- Start small, start anywhere, start TODAY!

Get on the train before the train gets on you! Don't delay, start today!
Conclusion/Wrap-Up

Follow Us & Rugged #DevOps at:
@mortman @joshcorman @RuggedSoftware @RuggedDevOps @iamthecavalry
Agile Relevance in the age of Continuous Everything ....
 
Security for AWS : Journey to Least Privilege (update)
Security for AWS : Journey to Least Privilege (update)Security for AWS : Journey to Least Privilege (update)
Security for AWS : Journey to Least Privilege (update)
 

Más de Sonatype

DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019Sonatype
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxSonatype
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018Sonatype
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOpsSonatype
 
2017 DevSecOps Survey
2017 DevSecOps Survey2017 DevSecOps Survey
2017 DevSecOps SurveySonatype
 
Starting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseStarting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseSonatype
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesSonatype
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandThe Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandSonatype
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealSonatype
 
Serverless and the Way Forward
Serverless and the Way ForwardServerless and the Way Forward
Serverless and the Way ForwardSonatype
 
A Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizA Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizSonatype
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanSonatype
 
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsCharacterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsSonatype
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsStatic Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsSonatype
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSSonatype
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using AnsibleSonatype
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureSonatype
 
Getting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsGetting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsSonatype
 
Modern Infrastructure Automation
Modern Infrastructure AutomationModern Infrastructure Automation
Modern Infrastructure AutomationSonatype
 

Más de Sonatype (20)

DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all Equifax
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps
 
2017 DevSecOps Survey
2017 DevSecOps Survey2017 DevSecOps Survey
2017 DevSecOps Survey
 
Starting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseStarting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the Enterprise
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & Microservices
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandThe Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen Beal
 
Serverless and the Way Forward
Serverless and the Way ForwardServerless and the Way Forward
Serverless and the Way Forward
 
A Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizA Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward Ruiz
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris Swan
 
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsCharacterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsStatic Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin Collins
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
 
Getting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsGetting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with Jenkins
 
Modern Infrastructure Automation
Modern Infrastructure AutomationModern Infrastructure Automation
Modern Infrastructure Automation
 

Último

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Último (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

Continuous Security: 5 Ways DevOps Improves Security

  • 1. #RSAC SESSION ID: ASD-T07R. Continuous Security: 5 Ways DevOps Improves Security. David Mortman, Chief Security Architect & Distinguished Engineer, Dell Software, @mortman. Joshua Corman, CTO, Sonatype, @joshcorman.
  • 2. #RSAC @mortman @joshcorman 10/23/2013 @joshcorman “It’s not enough to do your best; you must know what to do, and then do your best” Deming @joshcorman @mortman #RSAC #DevOps
  • 3. ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK. Dev’s core motivations are to be OnTime, OnBudget, w/ Acceptable Quality/Risk @joshcorman @mortman #RSAC #DevOps
  • 5. “Don’t Go Chasin’ Waterfalls” Dev started w/ Waterfall, but modern demands require us to go faster @joshcorman @mortman #RSAC #DevOps
  • 6. ON TIME: faster builds, fewer interruptions, more innovation. ON BUDGET: more efficient, more profitable, more competitive. ACCEPTABLE QUALITY/RISK: easier compliance, higher quality, built-in audit protection. Waterfall’s Design -> Dev -> Test -> Deploy may go 1.5-3yrs b/w releases. @joshcorman @mortman #RSAC #DevOps
  • 7. Agile goats; not goat rodeo. “We need to be agile, but not fragile.” @RuggedSoftware @joshcorman @mortman #RSAC #DevOps
  • 8. ON TIME: faster builds, fewer interruptions, more innovation. ON BUDGET: more efficient, more profitable, more competitive. ACCEPTABLE QUALITY/RISK: easier compliance, higher quality, built-in audit protection. Agile / CI. Agile & Lean tightened Design -> Build -> Test cycle releasing 6-12+ smaller batches/yr @joshcorman @mortman #RSAC #DevOps
  • 9. DevOps. It may feel like DevOps is Pandora’s Box, but it’s open… and hope remains. ;) @joshcorman @mortman #RSAC #DevOps
  • 10. ON TIME: faster builds, fewer interruptions, more innovation. ON BUDGET: more efficient, more profitable, more competitive. ACCEPTABLE QUALITY/RISK: easier compliance, higher quality, built-in audit protection. DevOps / CD. Agile / CI. Agile made dev faster but wasn’t enough. DevOps extends patterns to Ops 4 mutual gains @joshcorman @mortman #RSAC #DevOps
  • 11. SW Supply Chains. Deming drove Toyota Supply Chains. We can EXTEND DevOps w/ his quality/safety patterns @joshcorman @mortman #RSAC #DevOps
  • 12. ON TIME: faster builds, fewer interruptions, more innovation. ON BUDGET: more efficient, more profitable, more competitive. ACCEPTABLE QUALITY/RISK: easier compliance, higher quality, built-in audit protection. SW Supply Chain. DevOps / CD. Agile / CI. SW SupplyChains enable faster, more efficient dev by reducing elective complexity/risk++ @joshcorman @mortman #RSAC #DevOps
  • 13. SW Supply Chains. Our SW Supply Chain is only as strong as its weakest link. Can you say #OpenSSL? @joshcorman @mortman #RSAC #DevOps
  • 14. Comparing the Prius and the Volt:
                              Toyota Advantage   Toyota Prius   Chevy Volt
        Unit Cost             61%                $24,200        $39,900
        Units Sold            13x                23,294         1,788
        In-House Production   50%                27%            54%
        Plant Suppliers       16% (10x per)      125            800
        Firm-Wide Suppliers   4%                 224            5,500
    Toyota Prius (v Volt) used 1/6th suppliers, better leveraged, for 60% price & 12x sales @joshcorman @mortman #RSAC #DevOps
  • 15. DevOps Defined. Is #DevOps a Culture? A Process? A Toolchain? YES; but the greatest of these is Culture/Empathy @joshcorman @mortman #RSAC
  • 16. Myths abound RE: Security & #DevOps. We FUD-Haters should deal w/ facts @joshcorman @mortman #RSAC
  • 17. RE: #DevOps & Security: You’re entitled to your own opinions, but not to your own facts. @joshcorman @mortman #RSAC
  • 18. MythBusted: “ITIL & ChangeMngt can’t be done w/ #DevOps” <- It can even make it easier/better @joshcorman @mortman #RSAC
  • 19. True #DevOps + Security isn’t all rainbows & unicorns. Unicorn p00p has to be worked thru @joshcorman @mortman #RSAC
  • 20. SW Status Quo: Most attacked; least spend. Spending vs. attack risk (Source: Normalized CObIT spending across IDC, Gartner, The 451 Group; since groupings vary): Network Security ~$20B; Host Security ~$10B; Data Security ~$5B; People Security ~$4B; Software Security ~$0.5B. Within Software Security: Written Code Scanning (where the spend goes) vs. Assembled 3rd Party & OpenSource Components (~90% of most applications; almost no spending). Worse, w/in Software, existing dollars go to the <= 10% written. StatusQuo: SW is MOST attacked & gets LEAST SecSpend; most on 10% of code we write @joshcorman @mortman #RSAC #DevOps
  • 21. Insanity. Einstein's Insanity: We could do the same thing over & over expecting different results @joshcorman @mortman #RSAC #DevOps
  • 22. WRT Security & #DevOps We lose things AND we gain things. We’ll look at 5 things we gain @joshcorman @mortman #RSAC #DevOps
  • 23. This was added b/c the Red Hat in the “Lost & Found” made @mortman giggle & he forced it upon @joshcorman #RSAC #DevOps
  • 24. 1) Instrumentation. 1) Instrumentation! #DevOps instruments EVERYTHING & Security can use it in MANY ways @joshcorman @mortman #RSAC #DevOps
  • 25. 2) Be Mean To Your Code! 2) Be Mean To Your Code! To avoid failure; fail all the time #ChaosMonkey #Gauntlt #BrakeMan @joshcorman @mortman #RSAC #DevOps
  • 26. 3) Complexity Is Enemy of “All The Things”! All #DevOps parties benefit from reducing complexity @joshcorman @mortman #RSAC
  • 27. Decomposition lowers complexity, adds security and reliability @mortman @joshcorman #RSAC #DevOps
  • 28. Simple > Complex. Simple != Easy though. There is no easy button, but there is an easiER one. @joshcorman @mortman #RSAC #DevOps
  • 29. 4) Implicit and Explicit Change Management. Change is good and leads to stability and fights stagnation. @joshcorman @mortman #rsac #devops
  • 30. All of Chuck Norris’s Change Controls are Full Cycle and they’re always approved! @joshcorman @mortman #RSAC #DevOps
  • 31. 5) Empathy is the killer app! Silos prohibit sharing and empathy…. #RSAC #DevOps @mortman @joshcorman
  • 32. Madame CISO, Tear Down This Wall! #RSAC #DevOps @mortman @joshcorman
  • 33. Defensible Infrastructure. Operational Excellence. Situational Awareness. Countermeasures. The software & hardware we build, buy, and deploy: 90% of software is assembled from 3rd party & Open Source, 10% written. MOST IMPACT: BUY/BUILD DEFENSIBLE SOFTWARE. DefensibleIT & OpsExcellence have MOST Security impact, but elude CISO influence BUT... @joshcorman @mortman #RSAC #DevOps
  • 34. 10/23/2013 @joshcorman Defensible Infrastructure. Operational Excellence. Situational Awareness. Countermeasures. DevOps. DevOps. DevOps. [cont] #DevOps smashes silos & finally enables the MUCH LARGER Security gains in both @joshcorman @mortman #RSAC #DevOps
  • 35. Apply!
        - Stop resisting… “Survival isn’t mandatory” – Deming
        - Josh’s RSAC EU Keynote http://youtu.be/m4Y_K7MXQxQ
        - Read “The Phoenix Project” by Gene Kim: http://itrevolution.com/books/phoenix-project-devops-book/
        - Watch videos from RSAC “DevOps Connect” Rugged DevOps Day: http://www.sonatype.org/nexus/2015/04/13/devops-connect-secops-editon-at-rsac-2015-speakers-and-schedule/
        - Grab tooling: Gauntlt, BrakeMan, Chaos Monkey, and the Simian Army
        - Start small, start anywhere, start TODAY!
    Get on the train before the train gets on you! Don’t delay, start today! @joshcorman @mortman #RSAC #DevOps
  • 36. #RSAC Conclusion/Wrap-Up. Follow Us & Rugged #DevOps at: @mortman @joshcorman @RuggedSoftware @RuggedDevOps @iamthecavalry