
Working on DevSecOps culture - a team centric view

A presentation to help you better understand the context in which DevSecOps transformations happen, with a focus on how teams are empowered to really care about security.

Presented at The Devops Conference - organized by Eficode


  1. Back to the roots
     Patrick Debois | patrick.debois@snyk.io
     Dev, Sec, Ops & More of the Same
  2. A team centric view
     Patrick Debois | patrick.debois@snyk.io
     Working on DevSecOps Culture
  3. Dev(Sec)Ops Friction Points - Know your pains
     Understand the bottlenecks introduced by the silos you need to overcome.
       • Technical: stack, environment, tools
       • Management: prioritisation, budget, authority, hiring, incentives
       • Personal: education, knowledge, motivation
     Diagram labels: Command & Control; Customer, Ops, Devs, Security
  4. Pressure / Shifts - Forces at work
     Different forces at work will cause movement.
       • Shift Down - Agile
       • Shift Right - DevOps
       • Shift Left - DevSecOps
       • Shift Up - Cloud
     Diagram labels: DevOps, Agile, Cloud, DevSecOps around Ops, Customer, Devs, Security, Team
     https://itrevolution.com/devops-books/
  5. Power to the Team - Focus on team
     Empower the people doing the work to make the right decisions. Delegation of authority does not happen magically overnight. Management becomes supportive instead of controlling.
     Diagram labels: DevOps, Agile, Cloud, DevSecOps around Ops, Customer, Devs, Security, Autonomous Team
     https://davidmarquet.com/books/
  6. Company Collaboration Culture - Your CEO will set the tone
     Organisations have different cultures. Depending on your context you will focus more on automation, metrics, empowerment or command and control. You need to work on ALL layers to embed it in the organization.
     Diagram labels: Automation - Order & Stability; Measure - Scientific & KPIs; Command & Control; Empower - Customer Centric; Evolutionary; Collaborative; Meritocracy; Hierarchy; Power Centric; Autonomy - Meaning
     https://www.reinventingorganizations.com/
  7. Dev(Sec)Ops Team Patterns - How will security interact?
     Different topologies exist; some are more efficient than others, but it depends on your organization's culture.
     Diagram labels: Dev and Ops Collaboration; Fully Shared Ops Responsibilities; DevOps with Expiry Date; Container-Driven Collaboration; DevOps Evangelist Team
     https://web.devopstopologies.com/
  8. Team Interaction Modes - How will your security team collaborate?
     Interaction will happen through automation, abstraction AND collaboration.
     https://teamtopologies.com/
  9. Building & Gaining Trust
       • Trust is a choice
       • Trust is bi-directional
       • Asking for trust vs being trustworthy
     Diagram labels: Sincerity, Competence, Reliability, Care -> Choice to Trust -> Outcome
     https://www.thinbook.com
  10. 4 DevSecOps Areas - Areas influence each other
       • What ~ Dev: Is what we are delivering secure? (Secure Stack)
       • How ~ DevOps: Is how we are delivering it secure? (Secure Delivery)
       • Why ~ Sec: Do we understand why we are securing it? (Security Governance)
       • Who ~ DevSecOps: Do we trust who is delivering it? (Security Empowerment)
     Diagram label: Team
  11. Secure Stack
     As a developer we want to make sure that the application is secure and can be operated securely.
     Diagram labels: Code; Dependencies; Container; Container Mgmt; Cloud & Infra; External Services; API Management; User Mgmt & Authentication; Authorisation; Secret & Key Mgmt; Monitoring & Metrics; Error & Exception Handling; Logging; Data Privacy; Data Licenses (axes: Security, Development, Operational, Business)
     https://www.manning.com/books/secure-by-design
  12. Secure Delivery
     As a developer we want to make sure we can build, deliver & operate the service in a secure way.
     Diagram labels: Secure Code; Secure Code Environment; Secure Toolchain; Secure Repositories; Secure Build Environment; Secure Testing; Secure Deployment; Secure Inventory / Asset Mgmt; Secure Logging & Monitoring; Security Controls; Secure Execution; Debugging; Secure Patch Mgmt; Secure Artifacts (stages: Development, CI/Test, Production, Operations)
     https://itrevolution.com/devops-books/
  13. Secure Governance
     As a developer we want to participate in the processes for managing security better.
     Diagram labels: Vulnerability Management; Threat Management; Risk Management; Backlog Prioritisation; Supplier Management; Compliance & Legal Requirements; Security Incident Management; Security Service Level Management (Security Team <-> Team)
     https://threatmodelingbook.com/
  14. Secure Empowerment
     As a developer we want to take ownership of the security of our application.
       • Learning Culture: we want the team to acquire security knowledge and keep learning
       • Collaboration: we want the team to interact with the security team to share worries, insights and feedback
       • Accountability: we want the team to be accountable for security in their stack
       • Authority: we want the team to be able to take security decisions autonomously
     https://itrevolution.com/agile-conversations/
  15. DevSecOps Maturity
     Level up each of the aspects gradually; they all influence the progress of the ownership handover.
     Diagram axes: Stack, Delivery, Governance, Empowerment; scale from Sec Owned to Team Embedded
  16. Tools & Culture
     Patrick Debois - #thinktogether
     "Dev(sec)Ops: everything you do to overcome the friction created by silos ... All the rest is plain engineering"
  17. Paradoxes - You are never done
     Each of these improvements will be countered by a paradox. You will need to keep investing.
     Diagram labels: Automation - Order & Stability; Measure - Scientific & KPIs; Command & Control; Empower - Customer Centric; Evolutionary; Collaborative; Meritocracy; Hierarchy; Power Centric; Autonomy - Meaning
     https://www.amazon.com/Tyranny-Metrics-Jerry-Z-Muller/dp/0691174954
  18. Love to hear your feedback!
     patrick.debois@snyk.io | @patrickdebois | #ThinkingTogether
