DevOps and the Future of Information Security
- 1. DevOps and the Future of Information Security Darin Morris @techdevdari n in/darinmorris 2018
- 2. In General: What we’re going talk about 2. How “doing DevOps” affects how we secure Data and Computer-centric Information Systems In Particular: 1. What it really means to do DevOps Thoughts I’ve had around DevOps and Security
- 3. Motivation for this talk • I want “information technology practitioners” to become more professional, more productive and happier at work. Many reasons, but some of the more major reasons are: • Information systems need to be of higher quality and delivered faster – we need to really understand the DevOps philosophy to do that well. • Security is often an afterthought in the IT systems lifecycle – that needs to change. • We need a common, meaningful language – not buzzwords!
- 5. DevOps and Security are very broad domains!
- 6. So can we cover enough in only 35 minutes?!
- 7. SOMEONE ONCE TOLD ME NOT TO BITE OFF MORE THAN I COULD CHEW… I said I’d rather CHOKE ON GREATNESS THAN NIBBLE ON MEDIOCRITY.
- 8. Let’s get to know each other a little better!
- 9. Sales or Relationship Management Does this sound like your role? Marketing Finance Leadership (C-Suite) Human Resources Business Analyst / Big Data Analyst General Administrator In-house Legal
- 10. Project Manager or Coordinator Product Manager/Owner Software Architect Software Engineer Test Engineer Provision and Manage IT Infrastructure (IT Ops) Does this sound like your role? Dedicated Security or Compliance Something else? ?
- 11. OK! Less about you. More about me!
- 12. Fun facts about me Most used programming languages: C#, JavaScript “SiliconCape Native” First PC: Pentium 1 with Windows 95 First programming language: Java (JDK 1.3)
- 13. Professional background • I’m a self-taught “Technologist” and I solve problems using technology. • I've been a founder, manager, team lead and software engineer, in various sectors, and in teams of different shapes and sizes. • Microsoft Certified Professional • Certified ScrumMaster • In the process of completing CSSLP, ITIL and ISTQB certifications. • Member of a number of professional IT associations and bodies i.e. OWASP, ISACA, IITPSA • Fulltime full stack software engineer for the past 13 years, primarily focussed on web and cloud-native software.
- 14. Let’s play a game!
- 15. True or False? DevOps is only done by technical staff. Question #1
- 16. True or False? DevOps is a Role. Question #2
- 17. True or False? DevOps is a way of thinking about how we do work. Question #3
- 18. What is DevOps really?
- 20. • DevOps Principles and Practices are compatible with Agile • DevOps is a logical continuation of Agile • Agile serves as an effective enabler of DevOps Myth #1: DevOps replaces Agile
- 21. • Can be made compatible - many areas just become automated. Myth #2: DevOps is incompatible with ITIL
- 22. • Controls are integrated into every stage of daily work of the SDLC resulting in better quality and security and compliance outcomes. Myth #3: DevOps is incompatible with InfoSec and Compliance Image credit: Checkmarx Software Exposure platform (www.checkmarx.com)
- 23. • Rarely the case. Nature of IT Operations work just changes. • Collaborates far earlier in SDLC with development. • Enables developer productivity through APIs and self-service platforms that create environments, test and deploy code, monitor and display production telemetry, etc. • IT Ops become more like Development • i.e. engaged in product development for developers. Myth #4: DevOps means eliminating IT Operations
- 24. • “DevOps isn’t about automation, just as astronomy isn’t about telescopes” - Christopher Little Myth #5: DevOps is just Infrastructure as Code
- 25. DevOps is about Team Work that enables efficient creation of value What DevOp really boils down to
- 26. So, how is Security affected?
- 27. Security and DevOps - DevSecOps? • Security is fundamentally about mitigating risk (you’ll never be 100% secure). • Mitigating risk is enabled by maintaining integrity, availability and confidentially. • Security principles haven’t changed, the way we implement security has.
- 28. Security Fail Securely Minimize attack surface Least Privilege Integrity Auditing Keep Things Simple (Economy of mechanism) Separation of duties/privilege Confidentiality Psychological Acceptability Availability Single Point of Failure Defense in Depth Leverage Existing Components Open Design Complete Mediation Security Principles and Concepts
- 29. That’s a wrap! @techdevdarin in/darinmorris Connect with me:
Editor's Notes
- #3: Aims: 1.1. Cover key principles. 1.2. Take audience on a journey to my AHA moment. 2. Delve into the impact of DevOps on security Clarify Terms and Concepts (Information Technology, Technology, DevOps, QA, Security) Provoke reflection on the way the audience currently does work and thought about what can be done better. Drive home the importance of security in software
- #4: Is a pen and paper information technology?
- #5: Disclaimer 1: I may be biased – I’m a software developer I’ve been thinking about this stuff a lot lately, but I’m probably ignorant to something. There is enough content to write about, never mind a short talk.
- #6: Disclaimer 2: There is potentially a lot we could cover, but we have very little time.
- #7: Disclaimer 2: There is potentially a lot we could cover, but we have very little time.
- #8: I make joke. Har har.
- #16: Answer: False Reason: DevOps isn't any single person's job. It's everyone's job.
- #17: Answer: False Reason: DevOps isn't any single person's job. It's everyone's job.
- #18: Answer: False Reason: DevOps isn't any single person's job. It's everyone's job.
- #20: DevOps is a lot like the Standard Model of particle physics.
- #21: Agile Toronto Conference 2008 Patrick Debois coined to the term DevOps when he organized the first DevOpsDays conference in 2009.
- #29: DevOps is a lot like the Standard Model of particle physics