DevSecOps - Agile Get-Together 2022.pdf
0 likes53 views
The document discusses DevSecOps and its implications for Agile teams, highlighting the importance of shared ownership, workflow automation, and rapid feedback in DevOps. It emphasizes the need for integrating security concerns into development practices, and how the naming and structure of teams can impact effectiveness. Key metrics for success in transformations, such as lead time and deployment frequency, are also mentioned.
![@sebrose seb.rose@smartbear.com
Who owns security?
Survey
2020
https://devops.com/whos-responsible-for-security-apparently-it-depends/
The [dev] team is
trusted to do its own
security research and
implementation
I regularly put security
suggestions in the
box of suggestions,
only to be ignored
There’s a security team, but it
doesn’t involve face to face
with us, the dev team. So we
just run the dev process
without counting on them
I am the only one
who actually cares
about security in
my organization](https://image.slidesharecdn.com/devsecops-agileget-together2022-221005123305-e3821caf/85/DevSecOps-Agile-Get-Together-2022-pdf-16-320.jpg)
DevSecOps - Agile Get-Together 2022.pdf
- 1. DevSecOps - what does it mean and how will it impact agile teams? Seb Rose Twitter: @sebrose Blog: https://cucumber.io/blog/ E-mail: seb.rose@smartbear.com
- 4. @sebrose seb.rose@smartbear.com DevOps Characterized by key principles: shared ownership, workflow automation, and rapid feedback. At its most successful, DevOps is a combination of specific practices, culture change, and tools. “A set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality” - Bass, Weber, Zhu There is no universally agreed definition of the term. https://en.wikipedia.org/wiki/DevOps
- 5. @sebrose seb.rose@smartbear.com Idealised transformation (US) With the help of a prospective board member and his mysterious philosophy of The Three Ways, Bill starts to see that IT work has more in common with manufacturing plant work than he ever imagined. With the clock ticking, Bill must organize work flow streamline interdepartmental communications, and effectively serve the other business functions at Parts Unlimited.
- 6. @sebrose seb.rose@smartbear.com Idealised transformation (UK) Watch a large software-intensive project, called FPP, that has been running late since day 1, but now, suddenly, needs to launch on an impossibly early date, or else. You feel their pain, and their joy, as they battle problem after problem until, slowly, torturously, they rediscover the few - but fundamental - principles underlying successful commercial software development.
- 7. @sebrose seb.rose@smartbear.com Ideal outcomes DORA metrics - Lead/cycle time (shorter) - Deployment frequency (higher) - Mean time to restore (shorter) - Change fail percentage (lower)
- 8. @sebrose seb.rose@smartbear.com Typical transformation Dev Ops Dev Dev Ops Before After Excessively cynical
- 9. @sebrose seb.rose@smartbear.com Living the dream DevOps
- 10. @sebrose seb.rose@smartbear.com Scaling the dream DevOps DevOps DevOps DevOps DevOps DevOps DevOps DevOps
- 11. @sebrose seb.rose@smartbear.com Ops as platform team Platform tools Ops Dev (use platform tools) platform team Dev (use platform tools) Dev (use platform tools) Dev (use platform tools) Dev (use platform tools)
- 14. @sebrose seb.rose@smartbear.com Agile dream Dev Sec Ops
- 15. @sebrose seb.rose@smartbear.com Orthogonal concerns Dev practices and tools Architecture and design Build pipelines Cloud providers Source control OWASP scans Code vulnerabilities DEVELOPMENT S E C U R I T Y OPERATIONS
- 16. @sebrose seb.rose@smartbear.com Who owns security? Survey 2020 https://devops.com/whos-responsible-for-security-apparently-it-depends/ The [dev] team is trusted to do its own security research and implementation I regularly put security suggestions in the box of suggestions, only to be ignored There’s a security team, but it doesn’t involve face to face with us, the dev team. So we just run the dev process without counting on them I am the only one who actually cares about security in my organization
- 18. @sebrose seb.rose@smartbear.com Building on DevOps Platform tools Ops Dev (use tools provided) Security tools Sec
- 19. @sebrose seb.rose@smartbear.com Platform tools Dev enablement Ops Dev (specify & use tools) Sec Security tools
- 21. @sebrose seb.rose@smartbear.com What’s in a name? O, be some other name! What’s in a name? That which we call a rose By any other name would smell as sweet William Shakespeare, Romeo and Juliet
- 22. @sebrose seb.rose@smartbear.com The name is not the thing
- 23. @sebrose seb.rose@smartbear.com Names are important https://www.digdeeproots.com/articles/on/naming-process/
- 26. @sebrose seb.rose@smartbear.com The name is not the thing Platform teams facilitate delivery AND scaling consistency Takeaways Burnout is a thing
- 27. Seb Rose Twitter: @sebrose Blog: https://cucumber.io/blog/ E-mail: seb.rose@smartbear.com http://bddbooks.com