Working on DevSecOps culture - a team centric view
1. Back to the roots
Dev, Sec, Ops & More of the Same
Patrick Debois | patrick.debois@snyk.io
2. A team centric view
Working on DevSecOps Culture
Patrick Debois | patrick.debois@snyk.io
3. Dev(Sec)Ops Friction Points
Know your pains
Understand the bottlenecks introduced by silos that you need to overcome.
Technical: stack, environment, tools
Management: prioritisation, budget, authority, hiring, incentives
Personal: education, knowledge, motivation
(diagram: Command & Control; Customer; Ops; Devs; Security)
4. Forces At Work
Pressure / Shifts
Different forces at work will cause movement.
Shift Down - Agile
Shift Right - DevOps
Shift Left - DevSecOps
Shift Up - Cloud
(diagram: DevOps; Agile; CLOUD; DevSecOps; Ops; Customer; Devs; Security; Team)
https://itrevolution.com/devops-books/
5. Power to the Team
Focus on team
Empower the people doing the work to make the right decisions. Delegation of authority does not happen magically overnight. Management becomes supportive rather than controlling.
(diagram: DevOps; Agile; CLOUD; DevSecOps; Ops; Customer; Devs; Security; Autonomous Team)
https://davidmarquet.com/books/
6. Company Collaboration Culture
Your CEO will set the tone
Organisations have different cultures. Depending on your context you will focus more on automation, metrics, empowerment or command and control. You need to work on ALL layers to embed it in the organization.
https://www.reinventingorganizations.com/
(diagram: Automation - Order & Stability; Measure - Scientific & KPIs; Command & Control; Empower - Customer Centric; Autonomy - Meaning; culture stages: Power Centric; Hierarchy; Meritocracy; Collaborative; Evolutionary)
7. Dev(Sec)Ops Team Patterns
How will security interact?
Different topologies exist; some are more efficient than others, but it depends on your organization's culture.
https://web.devopstopologies.com/
(diagram: Dev and Ops Collaboration; Fully Shared Ops Responsibilities; DevOps with Expiry Date; Container-Driven Collaboration; DevOps Evangelist Team)
8. Team Interaction Modes
How will your security team collaborate?
Interaction will happen through automation, abstraction AND collaboration.
https://teamtopologies.com/
9. Building & Gaining Trust
Trust is a Choice
Trust is Bi-Directional
Asking for Trust vs being Trustworthy
https://www.thinbook.com
(diagram: Sincerity; Competence; Reliability; Care -> Choice to Trust -> Outcome)
10. 4 DevSecOps Areas
Areas influence each other
Is what we are delivering secure?
Is how we are delivering it secure?
Do we understand why we are securing it?
Do we trust who is delivering it?
What ~ Dev
How ~ DevOps
Why ~ Sec
Who ~ DevSecOps
(diagram: Secure Stack; Secure Delivery; Security Governance; Security Empowerment; Team)
11. Secure Stack
As a developer we want to make sure that the application is secure and can be operated securely.
(diagram, axes Development / Operational; labels: Code; Dependencies; Code; Container; Container Mgmt; Cloud & Infra; External Services; API Management; User Mgmt & Authentication; Authorisation; Secret & Key Mgmt; Security; Monitoring & Metrics; Error & Exception Handling; Logging; Data; Privacy Data; Licenses; Business)
https://www.manning.com/books/secure-by-design
12. Secure Delivery
As a developer we want to make sure we can build, deliver & operate the service in a secure way.
(diagram, stages Development / CI/Test / Production / Operations; labels: Secure Code; Secure Code Environment; Secure Toolchain; Secure Repositories; Secure Build Environment; Secure Testing; Secure Deployment; Secure Inventory; Asset Mgmt; Secure Logging & Monitoring; Security Controls; Secure Execution; Debugging; Secure Patch Mgmt; Secure Artifacts)
https://itrevolution.com/devops-books/
13. Secure Governance
As a developer we want to participate in the processes for managing security better.
https://threatmodelingbook.com/
(diagram, Security Team <-> Team; processes: Vulnerability Management; Threat Management; Risk Management; Backlog Prioritisation; Supplier Management; Compliance & Legal Requirements; Security Incident Management; Security Service Level Management)
14. Secure Empowerment
As a developer we want to take ownership of the security of our application.
(diagram: Learning; Culture; Collaboration; Accountability; Authority)
https://itrevolution.com/agile-conversations/
We want the team to interact with the security team to share worries, insights and feedback.
We want the team to acquire security knowledge and keep learning.
We want the team to be accountable for security in their stack.
We want the team to be able to take security decisions autonomously.
15. DevSecOps Maturity
Level up each of the aspects gradually; they all influence the progress of the ownership handover.
(diagram, aspects: Stack; Delivery; Governance; Empowerment; scale from Sec Owned to Team Embedded)
16. Tools & Culture
Patrick Debois - #thinktogether
Dev(sec)Ops: everything you do to overcome the friction created by silos ... All the rest is plain engineering
17. Paradoxes
You are never done
Each of these improvements will be countered by a paradox. You will need to keep investing.
(diagram: Automation - Order & Stability; Measure - Scientific & KPIs; Command & Control; Empower - Customer Centric; Autonomy - Meaning; culture stages: Power Centric; Hierarchy; Meritocracy; Collaborative; Evolutionary)
https://www.amazon.com/Tyranny-Metrics-Jerry-Z-Muller/dp/0691174954
18. Love to hear your feedback!
patrick.debois@snyk.io
@patrickdebois
#ThinkingTogether