“DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality.” - Bass, Len; Weber, Ingo; Zhu, Liming, DevOps: A Software Architect's Perspective.
[Diagram: Development, QA and Operations shown as overlapping Dev and Ops circles]
“The purpose and intent of DevSecOps is to build on the mindset that ‘everyone is responsible for security’ with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.” - Shannon Lietz, What is DevSecOps?, devsecops.org
[Diagram: Development, QA, Security and Operations shown as overlapping DevSec and Ops circles]
BUILT A ZERO TRUST NETWORK!
- The network is always assumed to be hostile
- External and internal threats exist on the network at all times
- Network locality is not sufficient for deciding trust in a network
- Every device, user, and workflow is authenticated and authorized
- Policies must be dynamic and calculated from as many sources of data as possible
MICROSERVICES
[Diagram: the same four services deployed in two regions, each workload labelled by role and geo]
- geo: us - productpage, details, reviews, ratings
- geo: eu - productpage, details, reviews, ratings
- Service flows: productpage → reviews, reviews → ratings, productpage → details
- Region affinity: eu ↔ eu, us ↔ us
POLICY CONCERNS
Tier evaluation order: InfoSec Tier, then Platform Tier, then App Tier. Within a tier, policies are evaluated top to bottom.

InfoSec Tier (Security):
- allow cluster ingress to FE workloads
- deny cluster ingress & egress for known bad actors
- deny cluster ingress & egress for embargoed countries
- deny cluster ingress & egress for PCI workloads
- allow compliance audit log collector to all workloads
- pass all other connections to platform tier

Platform Tier (Ops):
- pass prod workloads connecting to prod workloads
- pass cluster ingress to FE prod workloads
- pass dev workloads connecting to dev workloads
- pass test workloads connecting to test workloads
- deny all other connections

App Tier (Devs):
- allow front end workloads to app logic workloads
- allow app logic workloads to database workloads
- allow DB workloads to connect to DB workloads
- deny all other connections
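The tiered model above is easiest to understand by running connections through it. The evaluator below is an added example, not code from the deck or from CNX: tier order and rule wording follow the slide, while the endpoint labels (role, env) and flags (external, pci, bad_actor, embargoed) are constructed for the demo.

```python
# Added example, not from the slides: a first-match evaluator for the tiered policy
# model on the "Policy concerns" slide. Tier order and rule wording follow the
# slide; endpoint labels and flags are constructed for the demo.
ALLOW, DENY, PASS = "Allow", "Deny", "Pass"

def ep(role, env="prod", **flags):
    """Constructed endpoint: a role and environment plus boolean flags."""
    return {"role": role, "env": env, **flags}

def either(c, flag):
    """True if the flag is set on either side of the connection."""
    return bool(c["src"].get(flag) or c["dst"].get(flag))

# Security-owned tier, evaluated first.
INFOSEC_TIER = [
    (lambda c: c["src"].get("external") and c["dst"]["role"] == "frontend", ALLOW),
    (lambda c: either(c, "bad_actor"), DENY),
    (lambda c: either(c, "embargoed"), DENY),
    (lambda c: either(c, "external") and either(c, "pci"), DENY),  # PCI stays inside
    (lambda c: c["src"]["role"] == "audit-collector", ALLOW),
    (lambda c: True, PASS),                          # everything else -> platform tier
]
# Ops-owned tier: only same-environment traffic is handed on to the app tier.
PLATFORM_TIER = [
    (lambda c: c["src"]["env"] == c["dst"]["env"] == "prod", PASS),
    (lambda c: c["src"].get("external") and c["dst"]["role"] == "frontend"
               and c["dst"]["env"] == "prod", PASS),
    (lambda c: c["src"]["env"] == c["dst"]["env"] == "dev", PASS),
    (lambda c: c["src"]["env"] == c["dst"]["env"] == "test", PASS),
    (lambda c: True, DENY),
]
# Dev-owned tier: the application's own flow graph.
APP_TIER = [
    (lambda c: (c["src"]["role"], c["dst"]["role"]) == ("frontend", "applogic"), ALLOW),
    (lambda c: (c["src"]["role"], c["dst"]["role"]) == ("applogic", "database"), ALLOW),
    (lambda c: (c["src"]["role"], c["dst"]["role"]) == ("database", "database"), ALLOW),
    (lambda c: True, DENY),
]
TIERS = [("infosec", INFOSEC_TIER), ("platform", PLATFORM_TIER), ("app", APP_TIER)]

def evaluate(src, dst):
    """(verdict, tier) for src -> dst: first match wins; Allow/Deny is final, Pass moves on."""
    conn = {"src": src, "dst": dst}
    for name, rules in TIERS:
        for match, action in rules:
            if match(conn):
                if action != PASS:
                    return action, name
                break                    # Pass: leave this tier, try the next one
    return DENY, "default"               # assumption: nothing sits below the last tier
```

Because evaluation is first-match, rule order inside a tier matters: as listed on the slide, the ingress-to-frontend allow precedes the bad-actor and embargo denies, so an external source carrying those flags still reaches the frontend; place the denies first if that is not the intent.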
AND LOGGING
“DevSecOps always requires logging. Every resource is logged, no exceptions. Because without logs, it is like flying blind.” - Fabian Lim, DevSecOps is the Krav Maga of Security (devsecops.org)
CNX: Zero Trust Network Security and Continuous Compliance for Modern Applications
- Visualize, correlate, remediate
- Cloud native and legacy
- Enterprise control and compliance