Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Tony Rice

Tony Rice
October 08, 2015
Technology
0
15

Tony Rice

Security at the Speed of DevOps

DevOps techniques offer significant opportunities to increase delivery efficiency while improving software quality. Dont miss out on opportunities to improve application security, finding defects and vulnerabilities early and often when they are least complex (and expensive) to resolve.

Originally delivered at the 2015 ISSA Triangle InfoSecCon in Raleigh, NC

Tony Rice

October 08, 2015
Tweet

More Decks by Tony Rice

See All by Tony Rice
Solar Eclipses across North Carolina
tonyrice
0
11
Astronomy for Broadcast Meteorologists
tonyrice
0
22
Crowded Space
tonyrice
0
69
Apollo Navigation
tonyrice
0
140
Are Agile Development Methodologies Eroding your Application's Security?
tonyrice
0
30
Effective Test Automation Scripting
tonyrice
0
30
DevSecOps Lessons Learned
tonyrice
0
85
Mars Exploration - NCSU OLLI week 1
tonyrice
0
150
Preventing ID Theft
tonyrice
0
16

Other Decks in Technology

See All in Technology
Babylon.js JAPAN活動紹介 (2024/4)
limes2018
1
120
生産性向上チームの紹介
cybozuinsideout
PRO
1
930
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
2.1k
IaCジェネレーターとBedrockで詳細設計書を生成してみた
tsukasa_ishimaru
4
890
uvを使ってストレスフリーな Python開発をしよう!
r74tech
0
140
開発パフォーマンスを最大化するための開発体制
ham0215
7
1.1k
Cypress or Playwright?
rainerhahnekamp
0
170
チームでロジカルシンキングに改めて向き合っている話 〜学習環境と実践⽅法〜
sansantech
PRO
3
3.3k
Building a RAG-powered AI chat app with Python and VS Code
pamelafox
0
160
「スニダン」開発組織の構造に込めた意図 ~組織作りはパッションや政治ではない!~
rinchsan
4
620
個人のAWSアカウントをマルチ運用してみた
miura55
2
160
プロンプトエンジニアリングでがんばらない-Agentic Workflow へ-近藤憲児
kenjikondobai
6
1.2k

Featured

See All Featured
XXLCSS - How to scale CSS and keep your sanity
sugarenia
242
1.2M
How to Ace a Technical Interview
jacobian
273
22k
Robots, Beer and Maslow
schacon
PRO
155
7.9k
Being A Developer After 40
akosma
67
580k
Testing 201, or: Great Expectations
jmmastey
30
6.4k
BBQ
matthewcrist
80
8.8k
Build your cross-platform service in a week with App Engine
jlugia
226
17k
Side Projects
sachag
451
41k
What’s in a name? Adding method to the madness
productmarketing
PRO
17
2.7k
Gamification - CAS2011
davidbonilla
77
4.6k
Code Reviewing Like a Champion
maltzj
515
39k
Faster Mobile Websites
deanohume
300
30k

Transcript

  1. Tony Rice Senior'Applica-on'Security'Engineer,'Cisco'Systems' Security'at'the'Speed'of'DevOps' 2015 ''

  2. 2' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' TL;DR:'Agile'development'moves'too'fast,'hire'robots' Richard Sargent

  3. 3' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' Agile'vs.'Waterfall' Sprint'2' Waterfall' Sprint'1' Sprint'3' “The Homer” courtesy

    of Fox Backlog' Backlog' Backlog'

  4. 5' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' Requirements' Design' Coding' Test' Deploy' Software Delivery Life

    Cycle

  5. 6' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' Requirements' Design' Coding' Test' Deploy' Cost to Fix

    $1' $100V1000' $15' $30' Source: Software Engineering Economics, Barry W. Boehm

  6. 7' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' Requirements' Design' Coding' Test' Deploy' Defect Introduction 30%'

    18%' Source: Error Cost Escalation Through the Project Life Cycle, Stecklein, NASA/JSC

  7. 8' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' Requirements' Design' Coding' Test' Deploy' Defect Discovery 86%'

    Source: Software Engineering Economics, Barry W. Boehm

  8. 9' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' The'Solu-on' 1.  Introduce'fewer'bugs' 2.  Discover'them'earlier' xkcd#327'

  9. 10' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' Requirements' Design' Coding' Test' Deploy' Defect Discovery Yesterday'

    Tomorrow'

  10. 11' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' Requirements' &'Design' Coding' Integra-on' Test' Deploy' Source NASA

    JSC Send the Robots

  11. 13' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' Requirements' &'Design' Coding' Integra-on' Test' Deploy' Manual Everything

    ✗ Code'merged'by'hand'(senior'developer)' ✗ Ad'hoc'manual'builds,'manual'tests' ✗ Measurement:'customer'complaints'

  12. 14' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' Requirements' &'Design' Coding' Integra-on' Test' Deploy' Source NASA

    JSC Hire a Chief Robot

  13. 15' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' Requirements' &'Design' Coding' Integra-on' Test' Deploy' Continuous Integration

    ✔ Automated'builds' ✔ Automated'integra-on'tes-ng' Measurement:'build'quality'

  14. 16' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' Requirements' &'Design' Coding' Integra-on' Test' Deploy' Secure by

    Design ✔ Security'included'in'requirements' ✔ Common'security'libraries' Measurement:'adop-on'

  15. 17' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' Requirements' &'Design' Coding' Integra-on' Test' Deploy' Vulnerability Scanning

    ✔ Automated'Vulnerability'Scanning' ✔ Code'quality'tests' Measurement:'vulnerability'counts'

  16. The'shortest'feedback'loop'I' can'think'of'is'in'front'of'an' audience.' 'V'Demetri'Mar-n,'writer,'Late'Night'with'Conan'O’Brien'

  17. 19' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' Requirements' &'Design' Coding' Integra-on' Test' Deploy' Developer Culture

    Shift ✔ Test'driven'development,'unit'test'reuse ✔ Dynamic'&'Sta-c'Automated'Vulnerability'Scanning' ✔ Code'Review'/'Pair'Programming' Measurement:'vulnerability'counts,'code'review'records'

  18. 20' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' TESTING TESTING!! xkcd#303'

  19. 21' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' Requirements' &'Design' Coding' Integra-on' Test' Deploy' Continuous Deployment

    ✔ Version'control'for'all'ar-facts ✔ Proac-ve'Monitoring' ✔ Stable,'reproducible'development'environment' Measurement:'deployments'per'day'

  20. 22' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' Continuous Security ✔ Zero'manual'interven-on'from'checkVin'to'deployment' ✔ Only'inputs:'code,'configs'and'tests ✔ Development'priority'on'refactoring'legacy'code,'tests

    Measurement:'code'coverage

  21. 23' ©'2015''Cisco'and/or'its'affiliates.'All'rights'reserved.'''Cisco'Public' •  Haskins,'Bill,'Joneje'Stecklein,'Brandon'Dick,'Gregory'Moroney,'Randy'Lovell,'and'James'Dabney.'" 8.4.2'Error'Cost'Escala-on'Through'the'Project'Life'Cycle."'INCOSE)Interna.onal)Symposium'14.1'(2004):'1723V737.'NASA) Technical)Reports)Server.'NASA'Johnson'Space'Center.'' •  Boehm,'Barry'W.'So<ware)Engineering)Economics.'Englewood'Cliffs,'NJ:'Pren-ceVHall,'1981.'ISBN'0138221227' •  Puppet'Labs.'State)of)DevOps)Report'(2014):.'

    •  'Mar-n,'James.'An)Informa.on)Systems)Manifesto.'Englewood'Cliffs,'NJ:'Pren-ceVHall,'1984.'ISBN'0134647696.' ' Addi-onal'Reading'