Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevSecOps: Build It, Secure It, Run It

j.hand
May 01, 2018
Technology
0
180

DevSecOps: Build It, Secure It, Run It

Where Does Security Belong in DevOps?

Modern architectures and design patterns challenge developers, security, and operations in a whole new way. Instead of developers building and handing to security for testing, today’s developers are a key part of the security team - and vice versa.

In this Modern Security Series episode, we look at how security:

Shifts left - earlier into the development cycle
Shifts right - integrating with operations
Adapts to enable app and service owners to respond faster to threats

j.hand

May 01, 2018
Tweet

More Decks by j.hand

See All by j.hand
Suffer Better
jasonhand
0
200
IGNITE - Scrutinizing the Scrutiny
jasonhand
0
310
Beyond The Mean Time To Recover (MTTR)
jasonhand
1
410
Cognitive Bias & Its Impact on Continuous Improvement
jasonhand
0
100
The Unrealized Role of Monitoring & Alerting ( All Day DevOps edition)
jasonhand
2
310
The Benefit of a Systems Lens: Viewing Feedback from a "Systems Thinking" model
jasonhand
0
420
DevOps Organizational Journey
jasonhand
1
500
ChatOps: Infrastructure As Conversation
jasonhand
1
930
Understanding Cognitive Bias Found in Judgement & Choice
jasonhand
0
540

Other Decks in Technology

See All in Technology
Automatically generating types by running tests
sinsoku
1
490
“パスワードレス認証への道" ユーザー認証の変遷とパスキーの関係
ritou
1
460
改めて学ぶ Trait の使い方 / phpcon odawara 2025
meihei3
1
590
”知のインストール”戦略:テキスト資産をAIの文脈理解に活かす
kworkdev
PRO
9
4.2k
20250413_湘南kaggler会_音声認識で使うのってメルス・・・なんだっけ?
sugupoko
1
410
Lightdashの利活用状況 ー導入から2年経った現在地_20250409
hirokiigeta
2
270
LangfuseでAIエージェントの 可観測性を高めよう!/Enhancing AI Agent Observability with Langfuse!
jnymyk
0
180
さくらの夕べ Debianナイト - さくらのVPS編
dictoss
0
180
2025年春に見直したい、リソース最適化の基本
sogaoh
PRO
0
470
はてなの開発20年史と DevOpsの歩み / DevOpsDays Tokyo 2025 Keynote
daiksy
5
1.4k
試験は暗記より理解 〜効果的な試験勉強とその後への活かし方〜
fukazawashun
0
350
Ops-JAWS_Organizations小ネタ3選.pdf
chunkof
2
120

Featured

See All Featured
What's in a price? How to price your products and services
michaelherold
245
12k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
Statistics for Hackers
jakevdp
798
220k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
650
Embracing the Ebb and Flow
colly
85
4.6k
Visualization
eitanlees
146
16k
Agile that works and the tools we love
rasmusluckow
328
21k
Measuring & Analyzing Core Web Vitals
bluesmoon
7
390
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
9
740
Building a Scalable Design System with Sketch
lauravandoore
462
33k

Transcript

  1. Where Does Security fit in DevOps? @jasonhand | @wicke0

  2. The DevSecOps View: Build It, Secure It, Run It, @jasonhand

    | @wicke0

  3. Agenda @jasonhand | @wicke0

  4. Where Have We Been? @jasonhand | @wicke0

  5. How Are We Doing Things Today? @jasonhand | @wicke0

  6. Industry Movement That DevOps thing you keep hearing about @jasonhand

    | @wicke0

  7. Two Shi(s + Adapta&on @jasonhand | @wicke0

  8. Security Shi$s Le$ ! ... earlier into the development cycle

    @jasonhand | @wicke0

  9. Security Shi$s Right ! ... integra*ng with opera*ons @jasonhand |

    @wicke0

  10. Security Adapts ! ... to enable app and service owners

    to respond faster to threats @jasonhand | @wicke0

  11. (Adaptation == Continuous Improvement) @jasonhand | @wicke0

  12. Con$nuous Improvement @jasonhand | @wicke0

  13. DevOps @jasonhand | @wicke0

  14. DevOps An approach to our work where we con.nuously look

    for methods to evaluate and improve the technology, process, and people as they relate to building, deploying, opera.ng, securing, and suppor.ng the value our organiza.on provides. @jasonhand | @wicke0

  15. Jason Hand @jasonhand VictorOps @jasonhand | @wicke0

  16. @jasonhand | @wicke0

  17. James Wicke& @wicke' Signal Sciences @jasonhand | @wicke0

  18. "Many security teams work with a worldview where their goal

    is to inhibit change as much as possible." @jasonhand | @wicke0

  19. Companies are spending a great deal on security, but we

    read of massive computer-related a9acks... @jasonhand | @wicke0

  20. Clearly something is wrong. The root of the problem is

    twofold: we’re protec'ng the wrong things, and we’re hur'ng produc'vity in the process. — Steven M. Bellovin @jasonhand | @wicke0

  21. The Past Embrace Secrecy Build a Wall Test when Done

    Certainty Tes:ng @jasonhand | @wicke0

  22. The best way to predict the future is to invent

    it @jasonhand | @wicke0

  23. The Future Embrace Feedback Loops Zero Trust Networks Shi9 Le9

    Adversity Tes=ng @jasonhand | @wicke0

  24. @jasonhand | @wicke0

  25. New Challenges @jasonhand | @wicke0

  26. What is Security’s new place in the delivery pipeline? @jasonhand

    | @wicke0

  27. How? @jasonhand | @wicke0

  28. Integrated & Collabora've @jasonhand | @wicke0

  29. Conversa)ons About Security Earlier @jasonhand | @wicke0

  30. Build It @jasonhand | @wicke0

  31. SDLC Shi$s @jasonhand | @wicke0

  32. Something New @jasonhand | @wicke0

  33. Instrumenta*on @jasonhand | @wicke0

  34. Monitoring & Aler%ng @jasonhand | @wicke0

  35. Does security affect the reliability of a service? @jasonhand |

    @wicke0

  36. Site Reliability Engineering @jasonhand | @wicke0

  37. GDPR General Data Protec-on Regula-on Enforcement Begins: May 25th, 2018

    @jasonhand | @wicke0

  38. Secure It @jasonhand | @wicke0

  39. Shi$s le$ ... earlier into the development cycle @jasonhand |

    @wicke0

  40. 3 Shi&s le& Design Inheritance Tes.ng @jasonhand | @wicke0

  41. Design for the Bad Guys Use Evil User Stories and

    have security tests being wri7en with other unit tests or whatever tes8ng pa7erns you use: TDD, BDD, ATDD, … @jasonhand | @wicke0

  42. New School Security Design Mozilla Rapid Risk Assessment link OWASP

    App Threat Modeling Cheat Sheet link @jasonhand | @wicke0

  43. We Inherit our Problems Heartbleed, shellshock, ... We forget our

    real LOC @jasonhand | @wicke0

  44. Toolchain for Inheritance tes0ng OWASP Dependency Checker Re3re.js link Publish

    a BOM Git-secrets from awslabs link @jasonhand | @wicke0

  45. Security Tes,ng for Developers Code Standards and security tooling runs

    on developer laptops and systems, but also verified by CI system. @jasonhand | @wicke0

  46. The goal should be to come up with a set

    of automated tests that probe and check security configura9ons and run9me system behavior for security features that will execute every 9me the system is built and every 9me it is deployed. @jasonhand | @wicke0

  47. @jasonhand | @wicke0

  48. Gauntlt Framework with Security tes2ng wri5en in a natural language

    that developers, security and opera2ons can understand. @jasonhand | @wicke0

  49. @jasonhand | @wicke0

  50. Gauntlt Gauntlt wraps security tes0ng tools to be part of

    the CI/CD pipeline Open source, MIT License, gauntlt.org @jasonhand | @wicke0

  51. We have saved millions of dollars using Gauntlt for the

    largest healthcare industry project. — Aaron Rinehart, UnitedHealthCare @jasonhand | @wicke0

  52. Lynda.com Security Tes,ng Course link @jasonhand | @wicke0

  53. Shi$s right ... integra*ng with opera*ons @jasonhand | @wicke0

  54. Run It @jasonhand | @wicke0

  55. What Keeps You Up At Night? @jasonhand | @wicke0

  56. Reducing Unknown Unknown @jasonhand | @wicke0

  57. Observability Asking Ques+ons @jasonhand | @wicke0

  58. Can you answer the following ques/on: @jasonhand | @wicke0

  59. Am I under ac#ve a'ack right now? @jasonhand | @wicke0

  60. @jasonhand | @wicke0

  61. Much less, are a%ackers having success? @jasonhand | @wicke0

  62. Detect What Ma*ers Account takeover a-empts Areas of the site

    under a-ack Most likely vectors of a-ack Business logic flows Abuse and Misuse @jasonhand | @wicke0

  63. Threat @jasonhand | @wicke0

  64. Proac&ve & Inten&onal about Learning @jasonhand | @wicke0

  65. Post-Incident Reviews @jasonhand | @wicke0

  66. Cross-Func*onal & Highly Collabora-ve Teams @jasonhand | @wicke0

  67. ChatOps @jasonhand | @wicke0

  68. Audit Trail @jasonhand | @wicke0

  69. SRE Culture of Reliability @jasonhand | @wicke0

  70. Chaos Engineering & Game Days @jasonhand | @wicke0

  71. Value Stream Maps @jasonhand | @wicke0

  72. How Does Security Affect Outcomes? @jasonhand | @wicke0

  73. IT Performance Metrics Deployment Frequency Lead Time For Changes MTTR

    Change Failure Rate Cycle Time @jasonhand | @wicke0

  74. Compliance vs Governance @jasonhand | @wicke0

  75. Done @jasonhand | @wicke0

  76. @jasonhand | @wicke0

  77. Where Does Security fit in DevOps? @jasonhand | @wicke0

  78. Takeaways Shi$s & Adapta-ons Proac-ve Observability Collabora-ve @jasonhand | @wicke0

  79. Takeaways Learning Performance Metrics Governance Con4nuous @jasonhand | @wicke0

  80. Thank You @jasonhand | @wicke0

  81. jhand.co/SREBook jhand.co/PIRBook jhand.co/ChatOpsBook @jasonhand | @wicke0

  82. info.signalsciences.com/appsec- defense-needs-top-five @jasonhand | @wicke0

  83. Lynda.com h"ps:/ /www.lynda.com/So2ware-Development- tutorials/Security-Tes<ng/667367-2.html @jasonhand | @wicke0