Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security, don't fear the DevOps - presented at ...

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for Bill Weiss Bill Weiss
September 12, 2017
Technology
0
65

Security, don't fear the DevOps - presented at DevOpsDays Chicago 2017

A high-level view of how security teams can better work with DevOps practices and the rest of the company as a whole.

Avatar for Bill Weiss

Bill Weiss

September 12, 2017
Tweet

More Decks by Bill Weiss

See All by Bill Weiss
Moving to the left - presented at DevOpsDays Vancouver 2017
Avatar for Bill Weiss billweiss
0
32
Puppet as security tooling - presented at PuppetConf 2016
Avatar for Bill Weiss billweiss
0
38

Other Decks in Technology

See All in Technology
~Everything as Codeを諦めない~ 後からCDK
Avatar for mu7889yoon / Yuta Nakamura mu7889yoon
3
450
CDKで始めるTypeScript開発のススメ
Avatar for つくぼし tsukuboshi
1
500
マーケットプレイス版Oracle WebCenter Content For OCI
Avatar for oracle4engineer oracle4engineer
PRO
5
1.6k
量子クラウドサービスの裏側 〜Deep Dive into OQTOPUS〜
Avatar for OQTOPUS oqtopus
0
140
コミュニティが変えるキャリアの地平線:コロナ禍新卒入社のエンジニアがAWSコミュニティで見つけた成長の羅針盤
Avatar for Kento Suzuki kentosuzuki
0
130
データの整合性を保ちたいだけなんだ
Avatar for ShoheiMitani shoheimitani
8
3.2k
クレジットカード決済基盤を支えるSRE - 厳格な監査とSRE運用の両立 (SRE Kaigi 2026)
Avatar for capytan capytan
6
2.8k
Contract One Engineering Unit 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
13k
Frontier Agents (Kiro autonomous agent / AWS Security Agent / AWS DevOps Agent) の紹介
Avatar for msysh msysh
3
180
Webhook best practices for rock solid and resilient deployments
Avatar for Guillaume Laforge glaforge
2
300
AzureでのIaC - Bicep? Terraform? それ早く言ってよ会議
Avatar for Toru Makabe torumakabe
1
590
制約が導く迷わない設計 〜 信頼性と運用性を両立するマイナンバー管理システムの実践 〜
Avatar for ないとー bwkw
3
980

Featured

See All Featured
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
Avatar for Helen Beal helenjbeal
1
130
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
141
34k
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
12
1.4k
Organizational Design Perspectives: An Ontology of Organizational Design Elements
Avatar for Dr. Kim W Petersen kimpetersen
PRO
1
210
brightonSEO & MeasureFest 2025 - Christian Goodrich - Winning strategies for Black Friday CRO & PPC
Avatar for Christian Goodrich cargoodrich
3
100
The Spectacular Lies of Maps
Avatar for Per Axbom axbom
PRO
1
520
What’s in a name? Adding method to the madness
Avatar for The Alliance productmarketing
PRO
24
3.9k
Design in an AI World
Avatar for tapps tapps
0
140
Pawsitive SEO: Lessons from My Dog (and Many Mistakes) on Thriving as a Consultant in the Age of AI
Avatar for David Carrasco davidcarrasco
0
67
A designer walks into a library…
Avatar for Paul Jervis Heath pauljervisheath
210
24k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
333
22k
How to Grow Your eCommerce with AI & Automation
Avatar for Katarina Dahlin katarinadahlin
PRO
1
110

Transcript

  1. Security, don't fear the DevOps

  2. Hi, I’m Bill @BillWeiss almost everywhere [email protected] Principal Security Architect

  3. DevFinSecBizPeopleQualityOps?

  4. DevOps (for everyone)

  5. None
  6. None

  7. Continuous delivery is your friend What does that mean?

  8. Test automation

  9. Deployment automation

  10. Integrating security into delivery

  11. CI and trunk-based development

  12. Version control

  13. That sounds like a lot of work. What’s in it

    for me?

  14. 50% less time remediating

  15. 21% less time on unplanned work

  16. 44% more time on new work!

  17. DevOps (for everyone)

  18. CA(L)MS Thank you, John Willis, Damon Edwards, Jez Humble

  19. Culture Only sometimes like a petri dish

  20. Security, get out of your caves

  21. Security shouldn’t be the only ones thinking about security

  22. Tell people what’s going well, what’s not (when you can)

  23. Admit things go wrong

  24. Automation

  25. Automated is repeatable and auditable

  26. Automated is hands-off

  27. Automated is reliable

  28. Appsec considerations

  29. Get using static analysis, seriously https://github.com/mre/awesome-static-analysis

  30. Advise instead of failing if you have to False positives

    are super annoying

  31. Security failures are bugs You check for regressions, right?

  32. Get checking deps ASAP

  33. SecOps, I didn’t forget about you

  34. Hook all that automated workflow

  35. New server? Check the security profile Open ports, SSL, whatever

    you want

  36. Check before it’s live!

  37. Reproducible provisioning is good You know what’s running where

  38. Reliable provisioning is good You can replace machines!

  39. You can automatically reason about these machines

  40. Lean

  41. Continuous improvement

  42. Kill process if it isn’t valuable

  43. Something something “cyber killchain” something

  44. Metrics!

  45. Disasters get people interested Wins do too, when they come

  46. Figure out what’s important, track it

  47. Charts speak volumes Image courtesy Chris Messina, https://www.flickr.com/photos/factoryjoe/4684029657 CC BY-NC-SA

    2.0

  48. Sharing

  49. Talk about when things go wrong That thing about disasters

    from a few slides ago

  50. Lunch and learns

  51. Make sure you seem human Less “lol, lusers” and more

    “wow, bummer. Let’s do something about that”

  52. Tabletop all the things @badthingsdaily will give you nightmares

  53. None

  54. Appsec folks, would you like… Fewer security bugs making it

    to production?

  55. Appsec folks, would you like… Fewer security regressions?

  56. Appsec folks, would you like… Faster remediation?

  57. SecOps folks, would you like… Faster remediation?

  58. SecOps folks, would you like… Fewer failures?

  59. SecOps folks, would you like… More confident changes (like patching)?

  60. SecOps folks, would you like… More confidence in what’s running

    where?

  61. DevOps (for everyone)

  62. Thank you