SlideShare a Scribd company logo

SecDevOps: The New Black of IT

Download as PPTX, PDF
CloudPassage, profile picture
CloudPassage

The document discusses the integration of security within DevOps, termed 'SecDevOps,' emphasizing collaboration and automation to enhance security measures across the development cycle. It outlines practices such as continuous compliance monitoring, automated testing, and stakeholder involvement to reduce silos and improve overall security posture. Practical examples illustrate how organizations can leverage DevOps momentum to incorporate security more effectively into their processes.

Technology
Related topics:
Cloud Security Insights
1 of 21
Downloaded 117 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
SecDevOps: The New Black of IT Andrew Storms CloudPassage Director of DevOps Alan Shimmel DevOps.com CEO & Co-founder
1994 1995 2009
Cloud or Not – Still the Same • Infrastructure • Data & Storage • Identity & Access Controls • Privacy • Governance • Audit & Compliance 3
Infrastructure as code Instrumentation What about DevOps? Orchestration Continuous everything
about security DevOps? What with
DevOps & Security Division 6 This is NOT how we do DevOps at CloudPassage. Collaboration Division DevOps Security Plan Code Test Release Deploy Operate
SecDevOps • Less division – More collaboration • Less silos – More sharing • Less pipeline – More chains & links • Less manual – More automation 7 Security Plan Release Code Test Operate Deploy
Plan • Release Sherpa – Ops, Dev, QA – See a release thru from start to finish • Change risk management – What infrastructure changes? – Unexpected or large code changes? – Security risk assessment – Threat vector analysis Security Plan Release Code Test Operate Deploy
Code • Standards enforcement – Rubocop, Food Critic, Knife-Spork • Review Process – Peer & code review – Continuous application & infrastructure testing • Git feature branching – Change control & isolation Security Plan Release Code Test Operate Deploy
Test • Automated code testing – Over 10k tests run automatically at check in – Over 10k QA assertions – Over 130 smoke test suites • All the modules & third party integrations • Deploy verifications • External automated testing • External code review Security Plan Release Code Test Operate Deploy
Release & Deploy • Stakeholders approval • Standardized tools – Capistrano, Chef • Deploy testing – 2-man rule • System segregation – Only Ops has production access Security Plan Release Code Test Operate Deploy
• Continuous compliance monitoring – All systems (prod & non-prod) – Hourly & daily – Halo • Infrastructure security orchestration – Thousands of control/change points enforced hourly (Chef) – Validated by Halo • Continuous risk assessment – Third-party vulnerability testing of all systems Operate Security Plan Release Code Test Operate Deploy
JIRAgitChefCapistranoHalo Initiate Approve Implement Audit Records Deploy (Infrastructure) Audit Records Deploy (App Code) Audit Records Audit Records Update Baselines Continuous Monitoring Audit Records End to end audit trail, built into the agile process… “AGILE ASSURANCE”
Practical SecDevOps Examples • Security automation potential – Cloud APIs have exploded • Latch on to DevOps momentum – Take advantage of change – Make Dev and Ops security stakeholders • Use IFTTT thinking – Channels, Triggers, Actions, Ingredients  Recipes 14
Practical SecDevOps Automation 15
Practical SecDevOps Automation 16 git-push
Practical SecDevOps Automation 17
Practical SecDevOps Automation 18
SecDevOps in Summary 19 Old is new Still solving the same problems, but in new ways SecDevOps Automation DevOps is here SecDevOps is required Security automation is here And is required in the cloud
More Resources 20 Explore: www.DevOps.com Learn: blog.cloudpassage.com Start: www.cloudpassage.com/halo
Thank you! 21 Q&A

More Related Content

PDF
Embracing the Rise of SecDevOps
Tom Cappetta
 
PPTX
we45 SecDevOps Presentation - ISACA Chennai
Abhay Bhargav
 
PDF
we45 - SecDevOps Concept Presentation
Abhay Bhargav
 
KEY
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
Nick Galbreath
 
PDF
Integrating DevOps and Security
Stijn Muylle
 
PDF
Continuous Security Testing - DevSecCon
Stephen de Vries
 
PPTX
Automating security tests for Continuous Integration
Stephen de Vries
 
PDF
A Secure DevOps Journey
Sonatype
 
Embracing the Rise of SecDevOps
Tom Cappetta
 
we45 SecDevOps Presentation - ISACA Chennai
Abhay Bhargav
 
we45 - SecDevOps Concept Presentation
Abhay Bhargav
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
Nick Galbreath
 
Integrating DevOps and Security
Stijn Muylle
 
Continuous Security Testing - DevSecCon
Stephen de Vries
 
Automating security tests for Continuous Integration
Stephen de Vries
 
A Secure DevOps Journey
Sonatype
 

What's hot (20)

PPTX
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
Abhay Bhargav
 
PDF
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Christian Schneider
 
PPTX
Integrating Security into DevOps
CloudPassage
 
PDF
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon
 
PDF
we45 DEFCON Workshop - Building AppSec Automation with Python
Abhay Bhargav
 
PDF
Proactive Security AppSec Case Study
Andy Hoernecke
 
PDF
T23 HTML5 Security Testing at Spotify
TechWell
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon
 
PDF
Devops, Secops, Opsec, DevSec *ops *.* ?
Kris Buytaert
 
PDF
we45 - Infrastructure Penetration Testing with LeanBeast Case Study
Abhay Bhargav
 
PDF
SecDevOps Risk Workflow - v0.6
Dinis Cruz
 
PPTX
DevOps & Security: Here & Now
Checkmarx
 
PDF
Ast in CI/CD by Ofer Maor
DevSecCon
 
PPTX
Continuous Security Testing with Devops - OWASP EU 2014
Stephen de Vries
 
PPTX
Continuous Security Testing in a Devops World #OWASPHelsinki
Stephen de Vries
 
PDF
Security in a Continuous Delivery World
Dinis Cruz
 
PPTX
DevSecOps
Cheah Eng Soon
 
PDF
SecDevOps
Peter Lamar
 
PPTX
Integrating security into Continuous Delivery
Tom Stiehm
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
Abhay Bhargav
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Christian Schneider
 
Integrating Security into DevOps
CloudPassage
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon
 
we45 DEFCON Workshop - Building AppSec Automation with Python
Abhay Bhargav
 
Proactive Security AppSec Case Study
Andy Hoernecke
 
T23 HTML5 Security Testing at Spotify
TechWell
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon
 
Devops, Secops, Opsec, DevSec *ops *.* ?
Kris Buytaert
 
we45 - Infrastructure Penetration Testing with LeanBeast Case Study
Abhay Bhargav
 
SecDevOps Risk Workflow - v0.6
Dinis Cruz
 
DevOps & Security: Here & Now
Checkmarx
 
Ast in CI/CD by Ofer Maor
DevSecCon
 
Continuous Security Testing with Devops - OWASP EU 2014
Stephen de Vries
 
Continuous Security Testing in a Devops World #OWASPHelsinki
Stephen de Vries
 
Security in a Continuous Delivery World
Dinis Cruz
 
DevSecOps
Cheah Eng Soon
 
SecDevOps
Peter Lamar
 
Integrating security into Continuous Delivery
Tom Stiehm
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
Ad

Similar to SecDevOps: The New Black of IT (20)

PPTX
Secure DevOPS Implementation Guidance
Tej Luthra
 
PPTX
DevOps to DevSecOps Journey..
Siddharth Joshi
 
PPTX
Are your DevOps and Security teams friends or foes?
Reuven Harrison
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
your techdigest
 
PPTX
You Build It, You Secure It: Introduction to DevSecOps
Sumo Logic
 
PDF
From DevOps to DevSecOps: Evolution of Secure Software Development
ScalaCode
 
PDF
Strengthen and Scale Security for a dollar or less
Mohammed A. Imran
 
PPTX
DevSecOps Best Practices-Safeguarding Your Digital Landscape
stevecooper930744
 
PDF
Dev secops opsec, devsec, devops ?
Kris Buytaert
 
PPTX
What_is_DevOps_how_it's_very_useful_in_daily_Life.
anilpmuvvala
 
PPTX
What is DevOps And How It Is Useful In Real life.
anilpmuvvala
 
PPTX
How to get the best out of DevSecOps - an operations perspective
Colin Domoney
 
PDF
Scale security for a dollar or less
Mohammed A. Imran
 
PPTX
What_is_DevOps.pptx
mridulsharma774687
 
PDF
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
DevOps.com
 
PDF
How DevOps Development Companies Streamline Operations.pdf
Agile Infoways LLC
 
PDF
DevOps Automation: Boosting Efficiency and Productivity
FredReynolds2
 
PDF
You build it - Cyber Chicago Keynote
John Willis
 
PDF
Divine and felonios cyber security devopsdays austin 2018
John Willis
 
PDF
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
Secure DevOPS Implementation Guidance
Tej Luthra
 
DevOps to DevSecOps Journey..
Siddharth Joshi
 
Are your DevOps and Security teams friends or foes?
Reuven Harrison
 
The Rise of DevSecOps in CI_CD Workflows.pdf
your techdigest
 
You Build It, You Secure It: Introduction to DevSecOps
Sumo Logic
 
From DevOps to DevSecOps: Evolution of Secure Software Development
ScalaCode
 
Strengthen and Scale Security for a dollar or less
Mohammed A. Imran
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
stevecooper930744
 
Dev secops opsec, devsec, devops ?
Kris Buytaert
 
What_is_DevOps_how_it's_very_useful_in_daily_Life.
anilpmuvvala
 
What is DevOps And How It Is Useful In Real life.
anilpmuvvala
 
How to get the best out of DevSecOps - an operations perspective
Colin Domoney
 
Scale security for a dollar or less
Mohammed A. Imran
 
What_is_DevOps.pptx
mridulsharma774687
 
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
DevOps.com
 
How DevOps Development Companies Streamline Operations.pdf
Agile Infoways LLC
 
DevOps Automation: Boosting Efficiency and Productivity
FredReynolds2
 
You build it - Cyber Chicago Keynote
John Willis
 
Divine and felonios cyber security devopsdays austin 2018
John Willis
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
Ad

More from CloudPassage (20)

PDF
Best Practices for Workload Security: Securing Servers in Modern Data Center ...
CloudPassage
 
PPTX
CloudPassage Careers
CloudPassage
 
PPTX
Transforming the CSO Role to Business Enabler
CloudPassage
 
PPTX
Rethinking Security: The Cloud Infrastructure Effect
CloudPassage
 
PPTX
Webinar compiled powerpoint
CloudPassage
 
PPTX
Security and Compliance for Enterprise Cloud Infrastructure
CloudPassage
 
PPTX
Technologies You Need to Safely Use the Cloud
CloudPassage
 
PPT
Cloud Security: Make Your CISO Successful
CloudPassage
 
PDF
Secure Cloud Development Resources with DevOps
CloudPassage
 
PPTX
45 Minutes to PCI Compliance in the Cloud
CloudPassage
 
PPTX
Comprehensive Cloud Security Requires an Automated Approach
CloudPassage
 
PPTX
Security that works with, not against, your SaaS business
CloudPassage
 
PDF
What You Need To Know About The New PCI Cloud Guidelines
CloudPassage
 
PPTX
What You Haven't Heard (Yet) About Cloud Security
CloudPassage
 
PPTX
Meeting PCI DSS Requirements with AWS and CloudPassage
CloudPassage
 
PPTX
Delivering Secure OpenStack IaaS for SaaS Products
CloudPassage
 
PPTX
CloudPassage Overview
CloudPassage
 
PPTX
PCI and the Cloud
CloudPassage
 
PDF
Halo Installfest Slides
CloudPassage
 
PPTX
Automating Security for the Cloud - Make it Easy, Make it Safe
CloudPassage
 
Best Practices for Workload Security: Securing Servers in Modern Data Center ...
CloudPassage
 
CloudPassage Careers
CloudPassage
 
Transforming the CSO Role to Business Enabler
CloudPassage
 
Rethinking Security: The Cloud Infrastructure Effect
CloudPassage
 
Webinar compiled powerpoint
CloudPassage
 
Security and Compliance for Enterprise Cloud Infrastructure
CloudPassage
 
Technologies You Need to Safely Use the Cloud
CloudPassage
 
Cloud Security: Make Your CISO Successful
CloudPassage
 
Secure Cloud Development Resources with DevOps
CloudPassage
 
45 Minutes to PCI Compliance in the Cloud
CloudPassage
 
Comprehensive Cloud Security Requires an Automated Approach
CloudPassage
 
Security that works with, not against, your SaaS business
CloudPassage
 
What You Need To Know About The New PCI Cloud Guidelines
CloudPassage
 
What You Haven't Heard (Yet) About Cloud Security
CloudPassage
 
Meeting PCI DSS Requirements with AWS and CloudPassage
CloudPassage
 
Delivering Secure OpenStack IaaS for SaaS Products
CloudPassage
 
CloudPassage Overview
CloudPassage
 
PCI and the Cloud
CloudPassage
 
Halo Installfest Slides
CloudPassage
 
Automating Security for the Cloud - Make it Easy, Make it Safe
CloudPassage
 

Recently uploaded (20)

PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
KodekX | Application Modernization Development
KodekX
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
KodekX | Application Modernization Development
KodekX
 

SecDevOps: The New Black of IT

Editor's Notes

  • #16: Apply IFTTT thinking If This Then That Channels, Triggers, Actions, Ingredients Recipes (need a graphic here. Something like a funnel or other where Channels, Triggers, Actions, Ingredients converge to make a recipe)
  • #17: Examples (The same graphic from previous slide, but small) If code gets checked in, then run static analysis
  • #18: Examples If firewall policy changes, then initiate remote scanner
  • #19: Examples If breach, then quarantine
  • #21: Feel free to change these points to you sales next steps.
  • #22: Feel free to change these points to you sales next steps.