Beruflich Dokumente
Kultur Dokumente
-- FOUNDER --
⭒
http://www.geekwire.com/2016/study-aws-45-share-public-cloud-infrastructure-market-microsoft-google-ibm-combined/
⭒
⭒
DevOps hiring is up ~2000% in last 5 years!
• Imagine solving the world’s
problems faster by collaborating
and taking responsibility.
• In connection with Cloud
Computing, DevOps is the cultural
enabler needed to scale creativity
and innovation.
• With the goal of solving customer
problems faster, no wonder DevOps
is taking over. ~1500% increase
In 2 years
⭒
@petecheslock
⭒
⭒
BANG
HEAD
HERE
✥
What’s Happening?
value
customer
visible
rugged software
customer-driven
innovation
domain names commodity bound
search engine
mobile
web app
informational website
growth
transparent
security emerging
fewer better
suppliers
devsecops
agile
devops
continuous deployment traditional
security traditional
SDLC
Catching up takes
red team
continuous integration commitment
penetration
testing
security as code
compliance cloud
evolution
genesis custom- product commodity
built (+rental) (+utility)
⭒
What is DevSecOps?
DevSecOps is the practice of developing safer software sooner by involving all
needed parties in the creative process and practicing continuous improvement
from high fidelity actionable feedback with context.
• IS IS NOT
• A Mindset and Holistic Approach • A One-Size-Fits-All Approach
• A Collection of Processes & Tools • A Single Tool or Method
• A Means of Building Security and Compliance into • Just a means of adding Security into
Software Continuous Delivery
• A Community Driven Effort • Invented by Vendors
• A Strategy Driven by Learning and Experiments • A Strategy Driven by Perfection and
Compliance
Shares concepts with Rugged Software, Rugged DevOps, SecDevOps, DevOpsSec, DevOps
✥
Measurable
Proactive
Reactive
Insanity
4 5
2 3
1
Burp Crawl Walk Run Fly
Culture Surprising with lots of Full Awareness but Integrated & Talked Measured by Execs Context driven
Push Back Feeling Helpless about by Execs; decisions
Feedback loop
integrated
Skills Skills developed Skills lining up with job Skill development Proactive skill Knowledge evolves
outside of job function functions paired with job development to meet inline / Lessons savored
roadmap demands
Program / Outcomes Just getting by Orderly Processes & Reduced number of Measurable difference Predictive & Proactive
Faster Reactions Incidents in attacks
Security Priorities P0/Critical P0 and P1s P0 and P1s Attack Surface driven Stay ahead of Bad guys
Waiting for Attackers Some Hygiene Compliance & measured
1 ⭒
Security Hierarchy of Needs at RSA
https://published-prd.lanyonevents.com/published/rsaus17/sessionsFiles/4864/CSV-R10F-Securely-Moving-Data-to-the-Cloud-with-Confidence-and-Customer-Focus.pdf
• Prove it!
• Attack Maps provide the basics faster than API KEY EXPOSURE ->
other methods.
8 HRS
DEFAULT CONFIGS ->
24 HRS
• Measure and learn in order to stay ahead. SECURITY GROUPS ->
24 HRS
ESCALATION OF PRIVS -> 5 D
KNOWN VULN ->
8 HRS
5 ✥
What’s the best way to organize around it?
5 ✥
How will I know when I am doing it well?
CAPEC ATT&CK
% Adjusted for Related Attack Methods % Adjusted for Attack Surface & Environment
PREDICT
Target: 80%
PREVENTION DETECTION
PATTERNS & CONTROLS RULES & PROCESSES
✥
With your help, Software Safer Sooner can be a reality...
value
customer
visible
rugged software
customer-driven
innovation
domain names commodity bound
search engine
mobile
web app
informational website
growth
transparent
security emerging
fewer better
suppliers
devsecops
agile
devops
continuous deployment traditional
security traditional
SDLC
Catching up takes
red team
continuous integration commitment
penetration
testing
security as code
compliance cloud
evolution
genesis custom- product commodity
built (+rental) (+utility)
⭒
Get Involved and Join the Community
• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity