A presentation to help you better understand the context in which DevSecOps transformations happen, with a focus on how teams are empowered to really care about security.
Presented at The Devops Conference - organized by Eficode
Working on DevSecOps culture - a team centric view
1. Back to the roots
Dev, Sec, Ops & More of the Same
Patrick Debois | patrick.debois@snyk.io
2. A team centric view
Working on DevSecOps Culture
Patrick Debois | patrick.debois@snyk.io
3. Dev(Sec)Ops Friction Points
Know your pains. Understand the bottlenecks introduced by the silos you need to overcome.
Technical: stack, environment, tools
Management: prioritisation, budget, authority, hiring, incentives
Personal: education, knowledge, motivation
[Diagram labels: Command & Control; Customer; Ops; Devs; Security]
4. Pressure / Shifts
Forces At Work. Different forces at work will cause movement:
Shift Down - Agile
Shift Right - DevOps
Shift Left - DevSecOps
Shift Up - Cloud
[Diagram labels: Agile, DevOps, DevSecOps, Cloud; Ops, Customer, Devs, Security; Team]
https://itrevolution.com/devops-books/
5. Power to the Team
Focus on the team. Empower the people doing the work to make the right decisions. Delegation of authority does not happen magically overnight. Management becomes supportive instead of controlling.
[Diagram labels: Agile, DevOps, DevSecOps, Cloud; Ops, Customer, Devs, Security; Autonomous Team]
https://davidmarquet.com/books/
6. Company Collaboration Culture
Your CEO will set the tone. Organisations have different cultures. Depending on your context you will focus more on automation, metrics, empowerment or command and control. You need to work on ALL layers to embed it in the organization.
https://www.reinventingorganizations.com/
[Diagram labels, organisational models: Power Centric, Hierarchy, Meritocracy, Collaborative, Evolutionary; emphases: Command & Control, Automation - Order & Stability, Measure - Scientific & KPIs, Empower - Customer Centric, Autonomy - Meaning]
7. Dev(Sec)Ops Team Patterns
How will security interact? Different topologies exist; some are more efficient than others, but it depends on your organization's culture.
https://web.devopstopologies.com/
[Diagram, topologies shown: Dev and Ops Collaboration; Fully Shared Ops Responsibilities; DevOps with Expiry Date; Container-Driven Collaboration; DevOps Evangelist Team]
8. Team Interaction Modes
How will your security team collaborate? Interaction will happen through automation, abstraction AND collaboration.
https://teamtopologies.com/
9. Building & Gaining Trust
Trust is a Choice. Trust is Bi-Directional. Asking for Trust vs being Trustworthy.
https://www.thinbook.com
[Diagram labels: Sincerity, Competence, Reliability, Care; Choice to Trust; Outcome]
10. 4 DevSecOps Areas
Areas influence each other.
Is what we are delivering secure? (What ~ Dev)
Is how we are delivering it secure? (How ~ DevOps)
Do we understand why we are securing it? (Why ~ Sec)
Do we trust who is delivering it? (Who ~ DevSecOps)
[Diagram labels: Secure Stack; Secure Delivery; Security Governance; Security Empowerment; Team]
11. Secure Stack
As a developer we want to make sure that the application is secure and can be operated securely.
[Diagram, stack layers across Development, Operational, Security and Business concerns: Code; Dependencies; Container; Container Mgmt; Cloud & Infra; External Services; API Management; User Mgmt & Authentication; Authorisation; Secret & Key Mgmt; Monitoring & Metrics; Error & Exception Handling; Logging; Data; Privacy Data; Licenses]
https://www.manning.com/books/secure-by-design
12. Secure Delivery
As a developer we want to make sure we can build, deliver & operate the service in a secure way.
[Diagram, delivery stages Development, CI/Test, Production and Operations: Secure Code; Secure Code Environment; Secure Toolchain; Secure Repositories; Secure Build Environment; Secure Testing; Secure Artifacts; Secure Deployment; Secure Inventory / Asset Mgmt; Secure Logging & Monitoring; Security Controls; Secure Execution; Debugging; Secure Patch Mgmt]
https://itrevolution.com/devops-books/
13. Secure Governance
As a developer we want to participate in the processes for managing security better.
https://threatmodelingbook.com/
Vulnerability Management
Threat Management
Risk Management
Backlog Prioritisation
Supplier Management
Compliance & Legal Requirements
Security Incident Management
Security Service Level Management
[Diagram labels: Security Team; Team]
14. Secure Empowerment
As a developer we want to take ownership of the security of our application.
Aspects: Learning, Culture, Collaboration, Accountability, Authority
https://itrevolution.com/agile-conversations/
We want the team to interact with the security team to share worries, insights and feedback.
We want the team to acquire security knowledge and keep learning.
We want the team to be accountable for security in their stack.
We want the team to be able to take security decisions autonomously.
15. DevSecOps Maturity
Level up each of the aspects gradually; they all influence the progress of the ownership handover.
[Diagram: Stack, Delivery, Governance and Empowerment, each on a scale from Sec Owned to Team Embedded]
16. Tools & Culture
Patrick Debois - #thinktogether
Dev(sec)Ops: everything you do to overcome the friction created by silos ... All the rest is plain engineering.
17. Paradoxes
You are never done. Each of these improvements will be countered by a paradox. You will need to keep investing.
[Diagram labels, organisational models: Power Centric, Hierarchy, Meritocracy, Collaborative, Evolutionary; emphases: Command & Control, Automation - Order & Stability, Measure - Scientific & KPIs, Empower - Customer Centric, Autonomy - Meaning]
https://www.amazon.com/Tyranny-Metrics-Jerry-Z-Muller/dp/0691174954
18. Love to hear your feedback!
patrick.debois@snyk.io
@patrickdebois
#ThinkingTogether