SlideShare a Scribd company logo

DevSecOps - The big picture

D
DevSecOpsSg

This document discusses the concepts of DevSecOps at a high level. It begins with a brief history of development methodologies, from Waterfall to Agile, and how Ops became a bottleneck. This led to trends in Agile Operations and collaboration between Dev and Ops, known as DevOps. DevSecOps expands this to incorporate security. It discusses DevSecOps in terms of culture, processes, and technologies, with a focus on secure software development lifecycles, security pipelines, requirements management, and automated testing and monitoring. The goal of DevSecOps is to enable organizations to deliver inherently secure software at DevOps speed.

Technology
1 of 31
Downloaded 102 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
The big picture Culture, Processes and Technologies on a high level
Stefan Streichsbier Company: Vantage Point Twitter: @s_streichsbier Why?
DevSecOps - The big picture
A Brief History of DevOps
In the beginning there was… Source: https://www.flickr.com/photos/37186408@N05/12162302775
Waterfall • Long release cycles • A lot of “WIP” • Functional silos • Incredibly rigid
…then there was Agile Source: https://i.ytimg.com/vi/8Hedq2d1H44/maxresdefault.jpg
Agile • Shorter release cycles • Smaller batch sizes • Cross-functional teams • “Incredibly” agile
Suddenly Ops was the bottleneck
Agile Ops Anyone? 2 major related trends: 1. Agile Operations/Infrastructure 2. Collaboration between dev and ops Ultimately led to the first DevOpsDays in 2009…
So, what is DevOps? • Set of principles and practices for efficient communication and collaboration. (Culture) • Automated deployment pipeline. (Processes) • Supporting tool chain (Technologies)
”[…]it seems as though the problems are just between dev and ops, but test is in there, and you have security objectives. These are top-level concerns of Management […] and have become part of the DevOps picture. In other words, when you hear "DevOps" today, you should probably be thinking DevOpsQATestInfoSec." - Gene Kim
DevSecOps
Target State DevSecOps enables organisations to deliver inherently secure software at DevOps speed.
Security challenges in DevOps • It is clear why companies are moving to DevOps …but how can security keep up with this? Source: https://xebialabs.com/assets/files/whitepapers/ITRev_DevOps_Guide_5_2015.pdf
3 key categories of DevSecOps 1. Culture 2. Processes 3. Technologies
Culture
Culture • Communication and transparency • High-trust environment “blameless postmortem” • Continuous improvement • Everyone is responsible for security • Automate as much as possible • Everything as code
Culture: Open Space Ideas • How did your org switch to Dev(Sec)Ops? • Continuous Improvement (Kaizen) • What are you automating at the moment?
Processes
Processes 1. Secure SDLC 2. Security Pipelines
Processes: Secure SDLC 1. Training 2. Requirements 3. Architecture & Design 4. Coding 5. Testing 6. Deployment 7. Post Deployment
Processes: Sec Pipelines • Opt. critical resource • Reduce friction • Increase visibility • Each step repeatable • Drive up consistency
Security Pipelines
Processes: Open Space Ideas • How are you managing security requirements? • How are you building security into the SDLC? • AppSec Pipelines in the wild • ChatSecOps
TechnologiesDevOps is not supposed to be about “tools”
DevSecOps Technologies 1. Requirements 2. Code: IDE Plugins, SAST 3. Test: Gauntlt, *AST 4. Configure: Sec as Code 5. Maintenance: Patch Management 6. Monitor: Auditing, Attack visibility, RASP Warning about *AST
Technologies: Open Space Ideas • Scaling security requirements • TDD and security in testing • Which *AST technologies have you been using? • Experience with IDE Plugins • Environment management (Dev/Prod parity) • Configuration management (configuration drift) • Patch Management and deployment strategies (e.g. Phoenix)
Summary • DevSecOps enable organisations to deliver inherently secure software at DevOps speed.
Questions?
Inspirations • http://itrevolution.com/heres-how-the-amazing-twitter-infosec-team-helps-devops/ • http://techbeacon.com/devsecops-9-ways-devops-automation-bolster-security-compliance • https://www.checkmarx.com/2015/11/13/devsecops-4-best-practices-the-pros-teach-us-about- security-and-devops/ • http://www.slideshare.net/zanelackey/effective-approaches-to-web-application-security • http://searchdatacenter.techtarget.com/feature/How-to-adopt-a-successful-DevOps-enterprise • https://opensource.com/business/14/7/devops-red-hat • http://www.infoq.com/news/2014/03/etsy-deploy-50-times-a-day • http://www.slideshare.net/mtesauro/taking-appsec-to-11-appsec-pipeline-devops-and-making- things-better • https://www.owasp.org/index.php/OWASP_AppSec_Pipeline

More Related Content

PDF
devops
Somkiat Puisungnoen
 
PDF
DevSecOps Implementation Journey
DevOps Indonesia
 
PPTX
DevOps Introduction
Robert Sell
 
PDF
DevSecOps in Baby Steps
Priyanka Aash
 
PDF
The State of DevSecOps
DevOps Indonesia
 
PDF
Introduction to DevSecOps
Setu Parimi
 
PDF
DevSecOps
Tomas Honzak
 
PPTX
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
devops
Somkiat Puisungnoen
 
DevSecOps Implementation Journey
DevOps Indonesia
 
DevOps Introduction
Robert Sell
 
DevSecOps in Baby Steps
Priyanka Aash
 
The State of DevSecOps
DevOps Indonesia
 
Introduction to DevSecOps
Setu Parimi
 
DevSecOps
Tomas Honzak
 
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 

What's hot (20)

PPTX
Introduction to DevOps
Hawkman Academy
 
PDF
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
PPTX
DevSecOps
Cheah Eng Soon
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
PPTX
DevOps Overview
Sagar Mody
 
PDF
DevSecOps What Why and How
NotSoSecure Global Services
 
PDF
Slide DevSecOps Microservices
Hendri Karisma
 
PDF
How to implement DevOps in your Organization
Dalibor Blazevic
 
PDF
DevOps Powerpoint Presentation Slides
SlideTeam
 
PPTX
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
Mohamed Nizzad
 
PPTX
DevOps to DevSecOps Journey..
Siddharth Joshi
 
PPTX
DEVSECOPS.pptx
MohammadSaif904342
 
PPSX
DevOps
Matthew Jones
 
PPTX
DevOps & Security: Here & Now
Checkmarx
 
PPTX
Devops online training ppt
KhalidQureshi31
 
PPTX
CICD Pipeline - AWS Azure
Ratan Das
 
PDF
Demystifying DevSecOps
Archana Joshi
 
PPTX
How to Get Started with DevSecOps
CYBRIC
 
PDF
The What, Why, and How of DevSecOps
Cprime
 
PDF
DevOps
Hakan Yüksel
 
Introduction to DevOps
Hawkman Academy
 
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
DevSecOps
Cheah Eng Soon
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
DevOps Overview
Sagar Mody
 
DevSecOps What Why and How
NotSoSecure Global Services
 
Slide DevSecOps Microservices
Hendri Karisma
 
How to implement DevOps in your Organization
Dalibor Blazevic
 
DevOps Powerpoint Presentation Slides
SlideTeam
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
Mohamed Nizzad
 
DevOps to DevSecOps Journey..
Siddharth Joshi
 
DEVSECOPS.pptx
MohammadSaif904342
 
DevOps
Matthew Jones
 
DevOps & Security: Here & Now
Checkmarx
 
Devops online training ppt
KhalidQureshi31
 
CICD Pipeline - AWS Azure
Ratan Das
 
Demystifying DevSecOps
Archana Joshi
 
How to Get Started with DevSecOps
CYBRIC
 
The What, Why, and How of DevSecOps
Cprime
 
DevOps
Hakan Yüksel
 
Ad

Viewers also liked (19)

PDF
DevSecOps - Building Rugged Software
SeniorStoryteller
 
PDF
Programming Language Selection
Dhananjay Nene
 
PDF
Building A Great API - Evan Cooke, Cloudstock, December 2010
Twilio Inc
 
KEY
2012: Putting your robots to work: security automation at Twitter
Neil Matatall
 
PDF
Introduction to devops 2016
gjdevos
 
PPTX
Introduction to DevOps
Omid Vahdaty
 
PDF
DevSecOps in Baby Steps
Priyanka Aash
 
PDF
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Stefan Streichsbier
 
PDF
DevOps - A Gentle Introduction
Ganesh Samarthyam
 
PDF
Integrating DevOps and Security
Stijn Muylle
 
PDF
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon
 
PPTX
Cloud Native Application Framework
VMware Tanzu
 
PPTX
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology Orgs
Gene Kim
 
PDF
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
PPT
Devops at Netflix (re:Invent)
Jeremy Edberg
 
PPTX
DevOps and Continuous Delivery Reference Architectures (including Nexus and o...
Sonatype
 
PDF
DevOps: A Culture Transformation, More than Technology
CA Technologies
 
PPTX
Introducing DevOps
Nishanth K Hydru
 
PPTX
DevOps 101
Ernest Mueller
 
DevSecOps - Building Rugged Software
SeniorStoryteller
 
Programming Language Selection
Dhananjay Nene
 
Building A Great API - Evan Cooke, Cloudstock, December 2010
Twilio Inc
 
2012: Putting your robots to work: security automation at Twitter
Neil Matatall
 
Introduction to devops 2016
gjdevos
 
Introduction to DevOps
Omid Vahdaty
 
DevSecOps in Baby Steps
Priyanka Aash
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Stefan Streichsbier
 
DevOps - A Gentle Introduction
Ganesh Samarthyam
 
Integrating DevOps and Security
Stijn Muylle
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon
 
Cloud Native Application Framework
VMware Tanzu
 
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology Orgs
Gene Kim
 
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
Devops at Netflix (re:Invent)
Jeremy Edberg
 
DevOps and Continuous Delivery Reference Architectures (including Nexus and o...
Sonatype
 
DevOps: A Culture Transformation, More than Technology
CA Technologies
 
Introducing DevOps
Nishanth K Hydru
 
DevOps 101
Ernest Mueller
 
Ad

Similar to DevSecOps - The big picture (20)

PPTX
Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24
 
PPTX
Introduction to DevSecOps
abhimanyubhogwan
 
PPTX
State of DevSecOps - GTACS 2019
Stefan Streichsbier
 
PPTX
State of DevSecOps - DevSecOpsDays 2019
Stefan Streichsbier
 
PPTX
DevSecOps Best Practices-Safeguarding Your Digital Landscape
stevecooper930744
 
PPTX
ISACA Ireland Keynote 2015
Shannon Lietz
 
PDF
Scale security for a dollar or less
Mohammed A. Imran
 
PPTX
DevOps DevSecOps Based on Training Materials
RifqiMultazamOfficia
 
PPTX
State of DevSecOps - DevOpsDays Jakarta 2019
Stefan Streichsbier
 
PDF
Security's DevOps Transformation
Michele Chubirka
 
PDF
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24
 
PDF
Why Security Engineer Need Shift-Left to DevSecOps?
Najib Radzuan
 
PPTX
DevSecOps OWASP
Priyanka Raghavan
 
PPTX
DevSecOps Story with added security controls
HareeshNani5
 
PDF
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
PDF
To boldly go where no one has gone before: life after the DevSecOps transform...
Jakub "Kuba" Sendor
 
PDF
Strengthen and Scale Security for a dollar or less
Mohammed A. Imran
 
PDF
From DevOps to DevSecOps: Evolution of Secure Software Development
ScalaCode
 
PDF
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Eryk Budi Pratama
 
PDF
Complete DevSecOps handbook_ Key differences, tools, benefits & best practice...
mohitd6
 
Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24
 
Introduction to DevSecOps
abhimanyubhogwan
 
State of DevSecOps - GTACS 2019
Stefan Streichsbier
 
State of DevSecOps - DevSecOpsDays 2019
Stefan Streichsbier
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
stevecooper930744
 
ISACA Ireland Keynote 2015
Shannon Lietz
 
Scale security for a dollar or less
Mohammed A. Imran
 
DevOps DevSecOps Based on Training Materials
RifqiMultazamOfficia
 
State of DevSecOps - DevOpsDays Jakarta 2019
Stefan Streichsbier
 
Security's DevOps Transformation
Michele Chubirka
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24
 
Why Security Engineer Need Shift-Left to DevSecOps?
Najib Radzuan
 
DevSecOps OWASP
Priyanka Raghavan
 
DevSecOps Story with added security controls
HareeshNani5
 
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
To boldly go where no one has gone before: life after the DevSecOps transform...
Jakub "Kuba" Sendor
 
Strengthen and Scale Security for a dollar or less
Mohammed A. Imran
 
From DevOps to DevSecOps: Evolution of Secure Software Development
ScalaCode
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Eryk Budi Pratama
 
Complete DevSecOps handbook_ Key differences, tools, benefits & best practice...
mohitd6
 

Recently uploaded (20)

PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Cloud computing and distributed systems.
kkkkkhan
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Teaching material agriculture food technology
LiaRayya
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
KodekX | Application Modernization Development
KodekX
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 

DevSecOps - The big picture