SlideShare a Scribd company logo

Silver Lining for Miles: DevOps for Building Security Solutions

S
SeniorStoryteller

This document summarizes a presentation about how security teams can adapt to DevOps and continuous deployment models. It discusses how code deployment has shifted to near-instantaneous changes, security is no longer a gatekeeper, and workarounds will happen if security causes delays. To embrace agility, security must decentralize and provide visibility into the development process for all teams, not just security, by surfacing security data. The key lessons are that embracing DevOps actually helps rather than harms security when done with visibility across rapid iterative changes.

Technology
1 of 38
Downloaded 52 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Silver Linings for Miles: DevOps for Building Secure Solutions zane@signalsciences.com @zanelackey apb@datadoghq.com @andrewbecherer
Who are these guys anyway? • Zane built and led the Etsy Security Team (spoiler alert: much of what this presentation is about) and co-founded Signal Sciences • Andrew ran a large application security consulting practice for iSEC/NCC Group and is now leading the Datadog Security Team (spoiler alert: also much of what this presentation is about)
This talk is about lessons learned being at the forefront of the shift to agile/continuous deployment/DevOps
For security teams, the world has changed in three fundamental ways: – Agility means code deployment is trending to near-instantaneous – Security is no longer the gatekeeper to deployment – If security is a blocker, it will be routed around
Near-instantaneous deployment?
A simulation of deploying code in the waterfall model
What is this shifting to?
An agility example: Etsy pushes to production 50 times a day on average
Constant iteration in production via feature flags, ramp ups, A/B testing
But doesn’t the rapid rate of change mean things are less secure?!
Actually, the opposite is true
They key to realize is vulnerabilities occur in all development methodologies …But there’s no such thing as an out-of- band patch in continuous deployment
They key to realize is vulnerabilities occur in all development methodologies …But there’s no such thing as an out-of- band patch in continuous deployment
Compared to: “We’ll rush that security fix. It will go out … in about 6 weeks.” - Former vendor at Etsy
What makes continuous deployment safe?
What makes continuous deployment safe? Visibility
Silver Lining for Miles: DevOps for Building Security Solutions
Source: http://www.slideshare.net/mikebrittain/advanced-topics-in-continuous-deployment
The same hard lessons are slowly shifting to security
Ex: Which of these is a quicker way to spot an attack?
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security Solutions
Increase agility by surfacing security visibility for everyone, not just the security team
Having to talk to security to get security awareness causes delays
Having to talk to security to get security awareness causes delays Delays get routed around
To embrace agility, security has to decentralize
Without strong gating we never get security eyes on code
Did you ever really, I mean really, have security eyes on code?
Let’s do better. …But there’s no such thing as an out-of- band patch in continuous deployment
“Communities of practice are groups of people who share a concern, a set of problems, or a passion about a topic, and who deepen their knowledge and expertise in this area by interacting on an ongoing basis.“ …But there’s no such thing as an out-of-band patch in continuous deployment
Design for “aliveness.”
Challenge: Maintain informality while building trust across time-zones.
Can we measure it? …But there’s no such thing as an out-of- band patch in continuous deployment
Pro-move: Link your local practices to global practices to build Extended Knowledge Systems.
In closing, remember…
Silver Lining for Miles: DevOps for Building Security Solutions
Lessons Learned: – Embracing DevOps/Agile/Continuous Deployment helps not harms security – Visibility is the key to moving quickly and safely – You (in the general case) are never going to be able to hire enough staff, so steal everyone else’s
Thank you! zane@signalsciences.com @zanelackey apb@datadoghq.com @andrewbecherer

More Related Content

PDF
Ops Happen: Improve Security Without Getting in the Way
SeniorStoryteller
 
PPTX
Amy DeMartine - 7 Habits of Rugged DevOps
SeniorStoryteller
 
PPTX
The Journey to DevSecOps
SeniorStoryteller
 
PPTX
The R.O.A.D to DevOps
SeniorStoryteller
 
PDF
What we learned from three years sciencing the crap out of devops
Nicole Forsgren
 
PPTX
Open Source Defense for Edge 2017
Adrian Sanabria
 
PPTX
Security and DevOps Overview
Adrian Sanabria
 
PDF
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Tom Stiehm
 
Ops Happen: Improve Security Without Getting in the Way
SeniorStoryteller
 
Amy DeMartine - 7 Habits of Rugged DevOps
SeniorStoryteller
 
The Journey to DevSecOps
SeniorStoryteller
 
The R.O.A.D to DevOps
SeniorStoryteller
 
What we learned from three years sciencing the crap out of devops
Nicole Forsgren
 
Open Source Defense for Edge 2017
Adrian Sanabria
 
Security and DevOps Overview
Adrian Sanabria
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Tom Stiehm
 

What's hot (17)

PPTX
2016 virus bulletin
Adrian Sanabria
 
PDF
Building Security Controls around Attack Models
SeniorStoryteller
 
PPTX
451 AppSense Webinar - Why blame the user?
Adrian Sanabria
 
PDF
New Barriers of Transformation
DevOps Indonesia
 
PDF
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
DevSecOpsSg
 
PPTX
Cloud, DevOps and the New Security Practitioner
Adrian Sanabria
 
PPTX
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
Adrian Sanabria
 
PDF
DevSecOps - The big picture
DevSecOpsSg
 
PDF
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
DevOps Indonesia
 
PPTX
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
PPTX
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24
 
PDF
Building a Modern Security Engineering Organization
Zane Lackey
 
PPTX
Turning security into code by Jeff Williams
DevSecCon
 
PPTX
State of DevSecOps - DevOpsDays Jakarta 2019
Stefan Streichsbier
 
PDF
Chaos engineering for cloud native security
Kennedy
 
PPTX
State of DevSecOps - DevSecOpsDays 2019
Stefan Streichsbier
 
PDF
Why does security matter for devops by Caroline Wong
DevSecCon
 
2016 virus bulletin
Adrian Sanabria
 
Building Security Controls around Attack Models
SeniorStoryteller
 
451 AppSense Webinar - Why blame the user?
Adrian Sanabria
 
New Barriers of Transformation
DevOps Indonesia
 
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
DevSecOpsSg
 
Cloud, DevOps and the New Security Practitioner
Adrian Sanabria
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
Adrian Sanabria
 
DevSecOps - The big picture
DevSecOpsSg
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
DevOps Indonesia
 
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24
 
Building a Modern Security Engineering Organization
Zane Lackey
 
Turning security into code by Jeff Williams
DevSecCon
 
State of DevSecOps - DevOpsDays Jakarta 2019
Stefan Streichsbier
 
Chaos engineering for cloud native security
Kennedy
 
State of DevSecOps - DevSecOpsDays 2019
Stefan Streichsbier
 
Why does security matter for devops by Caroline Wong
DevSecCon
 
Ad

Viewers also liked (15)

PDF
Guns, Germs and Microservices w/ John Willis and Josh Corman
SeniorStoryteller
 
PDF
Release Engineering and Rugged DevOps: An Intersection?
SeniorStoryteller
 
PPTX
Applying DevOps Principles to Address Dynamic Changes in Cyber Security
SeniorStoryteller
 
PPTX
Rugged DevOps at Scale with Rich Mogull
SeniorStoryteller
 
PPTX
Lean Security
SeniorStoryteller
 
PDF
2016 - IGNITE - No Assholes
devopsdaysaustin
 
PPTX
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries
 
PDF
Rugged DevOps: Bridging Security and DevOps
James Wickett
 
PPTX
DevOps & Security: Here & Now
Checkmarx
 
PDF
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
PDF
DevSecOps - Building Rugged Software
SeniorStoryteller
 
PDF
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
PPTX
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
PPTX
Continuous Security Testing with Devops - OWASP EU 2014
Stephen de Vries
 
KEY
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
Nick Galbreath
 
Guns, Germs and Microservices w/ John Willis and Josh Corman
SeniorStoryteller
 
Release Engineering and Rugged DevOps: An Intersection?
SeniorStoryteller
 
Applying DevOps Principles to Address Dynamic Changes in Cyber Security
SeniorStoryteller
 
Rugged DevOps at Scale with Rich Mogull
SeniorStoryteller
 
Lean Security
SeniorStoryteller
 
2016 - IGNITE - No Assholes
devopsdaysaustin
 
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries
 
Rugged DevOps: Bridging Security and DevOps
James Wickett
 
DevOps & Security: Here & Now
Checkmarx
 
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
DevSecOps - Building Rugged Software
SeniorStoryteller
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
Continuous Security Testing with Devops - OWASP EU 2014
Stephen de Vries
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
Nick Galbreath
 
Ad

Similar to Silver Lining for Miles: DevOps for Building Security Solutions (20)

PDF
The State of DevSecOps
DevOps Indonesia
 
PPTX
State of DevSecOps - GTACS 2019
Stefan Streichsbier
 
PDF
The New Security Playbook: DevSecOps
James Wickett
 
PPTX
Safely Removing the Last Roadblock to Continuous Delivery
SeniorStoryteller
 
PPTX
2016 - Safely Removing the Last Roadblock to Continuous Delivery
devopsdaysaustin
 
PPTX
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
Turja Narayan Chaudhuri
 
PPTX
DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...
Turja Narayan Chaudhuri
 
PDF
dotSecurity2017
Zane Lackey
 
PPTX
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon
 
PDF
A journey into Application Security
Christian Martorella
 
PDF
Agile Relevance in the age of Continuous Everything ....
Eturnti Consulting Pvt Ltd
 
PDF
Security Chaos Engineering: Sustaining Resilience in Software and Systems 1st...
enkeljahija
 
PPTX
O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?
Izar Tarandach
 
PDF
The Future of DevSecOps
Stefan Streichsbier
 
PPTX
ROOTS2011 Continuous Delivery
Ole Christian Rynning
 
PPTX
Continuous Delivery
Stein Inge Morisbak
 
PDF
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Yazad Khandhadia
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
PDF
Building Security Into Your Cloud IT Practices
Mighty Guides, Inc.
 
PDF
DevOps: Lead, Follow or Get Out of the Way - A CISO Perspective
Texas.gov
 
The State of DevSecOps
DevOps Indonesia
 
State of DevSecOps - GTACS 2019
Stefan Streichsbier
 
The New Security Playbook: DevSecOps
James Wickett
 
Safely Removing the Last Roadblock to Continuous Delivery
SeniorStoryteller
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
devopsdaysaustin
 
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
Turja Narayan Chaudhuri
 
DOIS22 Why you need Cloud-agnostic practices to fuel your DevSecOps adoption ...
Turja Narayan Chaudhuri
 
dotSecurity2017
Zane Lackey
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon
 
A journey into Application Security
Christian Martorella
 
Agile Relevance in the age of Continuous Everything ....
Eturnti Consulting Pvt Ltd
 
Security Chaos Engineering: Sustaining Resilience in Software and Systems 1st...
enkeljahija
 
O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?
Izar Tarandach
 
The Future of DevSecOps
Stefan Streichsbier
 
ROOTS2011 Continuous Delivery
Ole Christian Rynning
 
Continuous Delivery
Stein Inge Morisbak
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Yazad Khandhadia
 
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
Building Security Into Your Cloud IT Practices
Mighty Guides, Inc.
 
DevOps: Lead, Follow or Get Out of the Way - A CISO Perspective
Texas.gov
 

More from SeniorStoryteller (20)

PPTX
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
SeniorStoryteller
 
PPTX
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
SeniorStoryteller
 
PDF
Implementing DevOps in a Regulated Environment - DJ Schleen
SeniorStoryteller
 
PPTX
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
SeniorStoryteller
 
PPTX
Making Security Agile - Oleg Gryb
SeniorStoryteller
 
PDF
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
SeniorStoryteller
 
PDF
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
SeniorStoryteller
 
PDF
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
SeniorStoryteller
 
PDF
Ops Happens: DevOps Beyond Deployment - Damon Edwards
SeniorStoryteller
 
PDF
Building Security In - A Tale of Two Stories - Laksh Raghavan
SeniorStoryteller
 
PDF
Breaking Bad Equilibruim - John Willis
SeniorStoryteller
 
PPTX
NuGet Package Management Done Right
SeniorStoryteller
 
PPTX
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
SeniorStoryteller
 
PPTX
The End of Security as We Know It - Shannon Lietz
SeniorStoryteller
 
PPTX
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
SeniorStoryteller
 
PDF
Heroes’ Journey: Learning from Successful DevOps Transformations
SeniorStoryteller
 
PPTX
Rugged DevOps: Aligning Your Team and Your Powers for Success
SeniorStoryteller
 
PPTX
Create Rugged Applications: Managing Your Software Supply Chain
SeniorStoryteller
 
PPTX
Aligning Your Team and Your Powers for Success
SeniorStoryteller
 
PPTX
Leveraging Nexus Repository Manager at the Heart of DevOps
SeniorStoryteller
 
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
SeniorStoryteller
 
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
SeniorStoryteller
 
Implementing DevOps in a Regulated Environment - DJ Schleen
SeniorStoryteller
 
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
SeniorStoryteller
 
Making Security Agile - Oleg Gryb
SeniorStoryteller
 
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
SeniorStoryteller
 
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
SeniorStoryteller
 
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
SeniorStoryteller
 
Ops Happens: DevOps Beyond Deployment - Damon Edwards
SeniorStoryteller
 
Building Security In - A Tale of Two Stories - Laksh Raghavan
SeniorStoryteller
 
Breaking Bad Equilibruim - John Willis
SeniorStoryteller
 
NuGet Package Management Done Right
SeniorStoryteller
 
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
SeniorStoryteller
 
The End of Security as We Know It - Shannon Lietz
SeniorStoryteller
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
SeniorStoryteller
 
Heroes’ Journey: Learning from Successful DevOps Transformations
SeniorStoryteller
 
Rugged DevOps: Aligning Your Team and Your Powers for Success
SeniorStoryteller
 
Create Rugged Applications: Managing Your Software Supply Chain
SeniorStoryteller
 
Aligning Your Team and Your Powers for Success
SeniorStoryteller
 
Leveraging Nexus Repository Manager at the Heart of DevOps
SeniorStoryteller
 

Recently uploaded (20)

PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
KodekX | Application Modernization Development
KodekX
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
A Presentation on Artificial Intelligence
memembruh336
 

Silver Lining for Miles: DevOps for Building Security Solutions