Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security, don't fear the DevOps - presented at DevOpsDays Chicago 2017

Bill Weiss
September 12, 2017
Technology
0
57

Security, don't fear the DevOps - presented at DevOpsDays Chicago 2017

A high-level view of how security teams can better work with DevOps practices and the rest of the company as a whole.

Bill Weiss

September 12, 2017
Tweet

More Decks by Bill Weiss

See All by Bill Weiss
Moving to the left - presented at DevOpsDays Vancouver 2017
billweiss
0
28
Puppet as security tooling - presented at PuppetConf 2016
billweiss
0
31

Other Decks in Technology

See All in Technology
DevOpsDays History and my DevOps story
kawaguti
PRO
9
2.5k
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
350
Tellus の衛星データを見てみよう #mf_fukuoka
kongmingstrap
0
180
リテール金融(キャッシュレス・ネット銀行・ネット証券)の競争環境と経済圏
8maki
0
720
Google Cloud Next '24でブログを10本書いた方法と勉強会を沸かせた方法
yasumuusan
0
290
テストプロセスで大事にしていること #jasstnano
makky_tyuyan
0
170
家族アルバム みてねにおけるGrafana活用術 / Grafana Meetup Japan Vol.1 LT
isaoshimizu
1
550
推しは推せるときに推せ! プロダクトにフィードバックしていこう
nakasho
0
300
web-application-security
matsuihidetoshi
0
160
Java EE/Jakarta EEの現状と将来 ―クラウドネイティブ時代にJava EEは対応できるのか?―
takakiyo
1
150
継続的な改善 x ⾮連続的な進化
sansantech
PRO
3
150
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
2
460

Featured

See All Featured
Fireside Chat
paigeccino
21
2.6k
Build The Right Thing And Hit Your Dates
maggiecrowley
24
2k
What's new in Ruby 2.0
geeforr
337
31k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
A better future with KSS
kneath
231
16k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k
Done Done
chrislema
178
15k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
2
1.3k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
221
21k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
Making Projects Easy
brettharned
108
5.5k

Transcript

  1. Security, don't fear the DevOps

  2. Hi, I’m Bill @BillWeiss almost everywhere [email protected] Principal Security Architect

  3. DevFinSecBizPeopleQualityOps?

  4. DevOps (for everyone)

  5. None
  6. None

  7. Continuous delivery is your friend What does that mean?

  8. Test automation

  9. Deployment automation

  10. Integrating security into delivery

  11. CI and trunk-based development

  12. Version control

  13. That sounds like a lot of work. What’s in it

    for me?

  14. 50% less time remediating

  15. 21% less time on unplanned work

  16. 44% more time on new work!

  17. DevOps (for everyone)

  18. CA(L)MS Thank you, John Willis, Damon Edwards, Jez Humble

  19. Culture Only sometimes like a petri dish

  20. Security, get out of your caves

  21. Security shouldn’t be the only ones thinking about security

  22. Tell people what’s going well, what’s not (when you can)

  23. Admit things go wrong

  24. Automation

  25. Automated is repeatable and auditable

  26. Automated is hands-off

  27. Automated is reliable

  28. Appsec considerations

  29. Get using static analysis, seriously https://github.com/mre/awesome-static-analysis

  30. Advise instead of failing if you have to False positives

    are super annoying

  31. Security failures are bugs You check for regressions, right?

  32. Get checking deps ASAP

  33. SecOps, I didn’t forget about you

  34. Hook all that automated workflow

  35. New server? Check the security profile Open ports, SSL, whatever

    you want

  36. Check before it’s live!

  37. Reproducible provisioning is good You know what’s running where

  38. Reliable provisioning is good You can replace machines!

  39. You can automatically reason about these machines

  40. Lean

  41. Continuous improvement

  42. Kill process if it isn’t valuable

  43. Something something “cyber killchain” something

  44. Metrics!

  45. Disasters get people interested Wins do too, when they come

  46. Figure out what’s important, track it

  47. Charts speak volumes Image courtesy Chris Messina, https://www.flickr.com/photos/factoryjoe/4684029657 CC BY-NC-SA

    2.0

  48. Sharing

  49. Talk about when things go wrong That thing about disasters

    from a few slides ago

  50. Lunch and learns

  51. Make sure you seem human Less “lol, lusers” and more

    “wow, bummer. Let’s do something about that”

  52. Tabletop all the things @badthingsdaily will give you nightmares

  53. None

  54. Appsec folks, would you like… Fewer security bugs making it

    to production?

  55. Appsec folks, would you like… Fewer security regressions?

  56. Appsec folks, would you like… Faster remediation?

  57. SecOps folks, would you like… Faster remediation?

  58. SecOps folks, would you like… Fewer failures?

  59. SecOps folks, would you like… More confident changes (like patching)?

  60. SecOps folks, would you like… More confidence in what’s running

    where?

  61. DevOps (for everyone)

  62. Thank you