SlideShare a Scribd company logo

The Case For Continuous Security

Threat Stack, profile picture
Threat Stack

DevOps aims to shorten feedback loops and allow teams to quickly iterate on changes and ship features. However, continuously deploying changes also introduces security risks that must be monitored. SecDevOps seeks to address this by continually monitoring the security implications of operational changes, improving security response times while still allowing for continuous deployment. Implementing continuous security through a SecDevOps methodology is an important challenge that companies need to solve in order to fully benefit from DevOps practices.

Technology
Related topics:
Cloud Security InsightsContinuous Integration
1 of 28
Downloaded 19 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
THE CASE FOR CONTINUOUS SECURITY By Pete Cheslock Senior Director of Ops and Support at Threat Stack @petecheslock
DevOps is a term that has absolutely blown up in the last 5 years.
However, many had an immediate adverse reaction towards Yet Another Buzzword
…especially when the core concepts of “DevOps” were things people had been doing for YEARS!
The Case For Continuous Security
To shorten the feedback loop in development cycles, allowing teams to iterate quickly on changes and ship features to customer sooner. The Core Tenant of DevOps
Mainstream DevOps = Easily accessible cloud infrastructure + Maturity of operational tooling
For companies starting new product development initiatives, using Configuration Management is table stakes to iterate quickly!
IaaS providers today make it as easy as possible to provision systems to meet infrastructure needs — and quickly.
Physical Data Center Public Compute Resources for flexibility and accessibility provided by Amazon, Google, Microsoft
Companies leverage Infrastructure as Code for major speed to market benefits The Competitive Advantage
Companies can now provision hundreds (or thousands) of compute instances in mere minutes. ! This is an every day activity!
Continuous Integration Continuous Deployment But who (or what) is continually monitoring the state of your operational security?!
The Case For Continuous Security
Junior sysadmins can now make changes to: ! • a Chef Recipe • a Puppet Manifest • an Ansible Playbook ! ! …and deploy it to production — in minutes… Today…
What is the scope of that change?
to be slowed down by the security team ! or ! configuration management changes to be passed through a Change Control Board Sysadmins DON’T Want:
to change a variable, open a pull request, and once merged, their operational tooling to do the rest! ! They want their change to hit production servers ASAP. Sysadmins Want:
This is where SecDevOps (or SecOps) comes in. (ignore the fact that it’s a silly buzzword just like DevOps…)
If DevOps seeks to value empathy between these two teams that traditionally had different incentives for their positions… Developers Operations value constant change value stability
…then SecDevOps seeks to evoke the SAME outcome with Security teams (and the rest of the business)
If you’re continually deploying changes, you must be continually monitoring security implications for operational changes.
Often times there is no single person that is able to say with absolute certainty which changes to infrastructure have additional risks towards your security posture.
And, if you have a traditional network security organization that manually reviews and approves changes to production… ! ! You’ve introduced the newest bottleneck in your organization. ! ! ! ! ! !
A SecDevOps methodology allows you to improve your security monitoring and response times, while maintaining your ability to continually deploy changes SecDevOps is the answer to this discussion.
This is the most important (and exciting!) problem to solve in many organizations!
But it is also one of the hardest problems to solve. ! This is why at Threat Stack, we’re all excited to be in a unique position to actively help companies solve this.
Start Implementing Continuous Security Today! ! threatstack.com

More Related Content

PDF
3 Reasons Why The Host Rules Intrusion Detection in The Cloud
Threat Stack
 
PDF
4 Steps to Effectively Integrate DevOps Workflows With Cloud Security Practices
Threat Stack
 
PPTX
Should You Use Security Point Solutions?
Threat Stack
 
PDF
SHOWDOWN: Threat Stack vs. Red Hat AuditD
Threat Stack
 
PPTX
It All Started With a Wager About System Upgrades
Threat Stack
 
PDF
Using security to drive chaos engineering
Dinis Cruz
 
PPTX
#ATAGTR2021 Presentation : "Chaos engineering: Break it to make it" by Anupa...
Agile Testing Alliance
 
PDF
Chaos engineering intro
Shantanu Deshpande
 
3 Reasons Why The Host Rules Intrusion Detection in The Cloud
Threat Stack
 
4 Steps to Effectively Integrate DevOps Workflows With Cloud Security Practices
Threat Stack
 
Should You Use Security Point Solutions?
Threat Stack
 
SHOWDOWN: Threat Stack vs. Red Hat AuditD
Threat Stack
 
It All Started With a Wager About System Upgrades
Threat Stack
 
Using security to drive chaos engineering
Dinis Cruz
 
#ATAGTR2021 Presentation : "Chaos engineering: Break it to make it" by Anupa...
Agile Testing Alliance
 
Chaos engineering intro
Shantanu Deshpande
 

What's hot (20)

PPTX
Introduction to DevSecOps
abhimanyubhogwan
 
PPTX
The R.O.A.D to DevOps
SeniorStoryteller
 
PPTX
The Journey to DevSecOps
SeniorStoryteller
 
PPTX
The Next Wave of Reliability Engineering
Michael Kehoe
 
PPTX
Overcoming Security Challenges in DevOps
Alert Logic
 
PDF
DevSecOps - The big picture
DevSecOpsSg
 
PDF
Chaos engineering for cloud native security
Kennedy
 
PPTX
Introduction to Chaos Engineering
Raymond Adrian (Rad) Butalid
 
PDF
Chaos Engineering and Systems Reliability
Sylvain Hellegouarch
 
PDF
DevSecOps in Baby Steps
Priyanka Aash
 
PPTX
DevSecCon KeyNote London 2015
Shannon Lietz
 
PDF
Integrating DevOps and Security
Stijn Muylle
 
PPTX
Introduction to Puppet Enterprise 2016.5
Puppet
 
PDF
Chaos Engineering - The Art of Breaking Things in Production
Keet Sugathadasa
 
PDF
Nick Drage & Fraser Scott - Epic battle devops vs security
DevSecCon
 
PDF
SRE in Startup
Ladislav Prskavec
 
PDF
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
PDF
An Introduction to Chaos Engineering
Gremlin
 
PDF
Silver Lining for Miles: DevOps for Building Security Solutions
SeniorStoryteller
 
PPTX
Getting Started with Splunk Enterprise Hands-On Breakout Session
Splunk
 
Introduction to DevSecOps
abhimanyubhogwan
 
The R.O.A.D to DevOps
SeniorStoryteller
 
The Journey to DevSecOps
SeniorStoryteller
 
The Next Wave of Reliability Engineering
Michael Kehoe
 
Overcoming Security Challenges in DevOps
Alert Logic
 
DevSecOps - The big picture
DevSecOpsSg
 
Chaos engineering for cloud native security
Kennedy
 
Introduction to Chaos Engineering
Raymond Adrian (Rad) Butalid
 
Chaos Engineering and Systems Reliability
Sylvain Hellegouarch
 
DevSecOps in Baby Steps
Priyanka Aash
 
DevSecCon KeyNote London 2015
Shannon Lietz
 
Integrating DevOps and Security
Stijn Muylle
 
Introduction to Puppet Enterprise 2016.5
Puppet
 
Chaos Engineering - The Art of Breaking Things in Production
Keet Sugathadasa
 
Nick Drage & Fraser Scott - Epic battle devops vs security
DevSecCon
 
SRE in Startup
Ladislav Prskavec
 
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
An Introduction to Chaos Engineering
Gremlin
 
Silver Lining for Miles: DevOps for Building Security Solutions
SeniorStoryteller
 
Getting Started with Splunk Enterprise Hands-On Breakout Session
Splunk
 
Ad

Viewers also liked (12)

PDF
Cylance Protect-Next-Generation Antivirus-Overview
Innovation Network Technologies: InNet
 
PDF
Robots are among us, but who takes responsibility?
Cyber Security Alliance
 
PPTX
Exploring the Capabilities and Economics of Cybercrime
Cylance
 
PDF
Cylance Information Security: Compromise Assessment Datasheet
Innovation Network Technologies: InNet
 
PDF
You're Off the Hook: Blinding Security Software
Cylance
 
PDF
Embracing Threat Intelligence and Finding ROI in Your Decision
Cylance
 
PPTX
How to Close the SecOps Gap
BMC Software
 
PPTX
10 Hot Digital UK Start-ups To Watch In 2017
Kaitlin McAndrews
 
PDF
Corporations - the new victims of targeted ransomware
Cyber Security Alliance
 
PDF
end-to-end service management with ServiceNow (English)
Orange Business Services
 
PPT
Applying eTOM (enhanced Telecom Operations Map) Framework to Non-Telecommunic...
Alan McSweeney
 
PDF
Hype vs. Reality: The AI Explainer
Luminary Labs
 
Cylance Protect-Next-Generation Antivirus-Overview
Innovation Network Technologies: InNet
 
Robots are among us, but who takes responsibility?
Cyber Security Alliance
 
Exploring the Capabilities and Economics of Cybercrime
Cylance
 
Cylance Information Security: Compromise Assessment Datasheet
Innovation Network Technologies: InNet
 
You're Off the Hook: Blinding Security Software
Cylance
 
Embracing Threat Intelligence and Finding ROI in Your Decision
Cylance
 
How to Close the SecOps Gap
BMC Software
 
10 Hot Digital UK Start-ups To Watch In 2017
Kaitlin McAndrews
 
Corporations - the new victims of targeted ransomware
Cyber Security Alliance
 
end-to-end service management with ServiceNow (English)
Orange Business Services
 
Applying eTOM (enhanced Telecom Operations Map) Framework to Non-Telecommunic...
Alan McSweeney
 
Hype vs. Reality: The AI Explainer
Luminary Labs
 
Ad

Similar to The Case For Continuous Security (20)

PDF
The What, Why, and How of DevSecOps
Cprime
 
PPTX
Secure DevOPS Implementation Guidance
Tej Luthra
 
ODP
Dev ops
Eslam El Husseiny
 
PDF
Dev secops opsec, devsec, devops ?
Kris Buytaert
 
PDF
5 principles-securing-devops-veracode-whitepaper
wardell henley
 
PPTX
Is DevOps Braking Your Company?
conjur_inc
 
PPTX
DevOps to DevSecOps Journey..
Siddharth Joshi
 
PPTX
DevOps and the Future of Information Security
Darin Morris
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
your techdigest
 
PPTX
DevSecCon Keynote
Shannon Lietz
 
PDF
Devops, Secops, Opsec, DevSec *ops *.* ?
Kris Buytaert
 
PPTX
ISACA Ireland Keynote 2015
Shannon Lietz
 
PDF
Why DevSecOps Is Necessary For Your SDLC Pipeline?
Enov8
 
PDF
DevOps: Lead, Follow or Get Out of the Way - A CISO Perspective
Texas.gov
 
PDF
Strengthen and Scale Security for a dollar or less
Mohammed A. Imran
 
PDF
DevSecOps and the CI/CD Pipeline
James Wickett
 
PDF
Devops (start walking in the same direction) by ops
Demis Rizzotto
 
PPTX
Shift Left for More Secure Apps with F5 NGINX
NGINX, Inc.
 
PDF
Continuous Security / DevSecOps- Why How and What
Marc Hornbeek
 
PDF
Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete Cheslock
Threat Stack
 
The What, Why, and How of DevSecOps
Cprime
 
Secure DevOPS Implementation Guidance
Tej Luthra
 
Dev ops
Eslam El Husseiny
 
Dev secops opsec, devsec, devops ?
Kris Buytaert
 
5 principles-securing-devops-veracode-whitepaper
wardell henley
 
Is DevOps Braking Your Company?
conjur_inc
 
DevOps to DevSecOps Journey..
Siddharth Joshi
 
DevOps and the Future of Information Security
Darin Morris
 
The Rise of DevSecOps in CI_CD Workflows.pdf
your techdigest
 
DevSecCon Keynote
Shannon Lietz
 
Devops, Secops, Opsec, DevSec *ops *.* ?
Kris Buytaert
 
ISACA Ireland Keynote 2015
Shannon Lietz
 
Why DevSecOps Is Necessary For Your SDLC Pipeline?
Enov8
 
DevOps: Lead, Follow or Get Out of the Way - A CISO Perspective
Texas.gov
 
Strengthen and Scale Security for a dollar or less
Mohammed A. Imran
 
DevSecOps and the CI/CD Pipeline
James Wickett
 
Devops (start walking in the same direction) by ops
Demis Rizzotto
 
Shift Left for More Secure Apps with F5 NGINX
NGINX, Inc.
 
Continuous Security / DevSecOps- Why How and What
Marc Hornbeek
 
Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete Cheslock
Threat Stack
 

Recently uploaded (20)

PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
KodekX | Application Modernization Development
KodekX
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Cloud computing and distributed systems.
kkkkkhan
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 

The Case For Continuous Security

  • 1. THE CASE FOR CONTINUOUS SECURITY By Pete Cheslock Senior Director of Ops and Support at Threat Stack @petecheslock
  • 2. DevOps is a term that has absolutely blown up in the last 5 years.
  • 3. However, many had an immediate adverse reaction towards Yet Another Buzzword
  • 4. …especially when the core concepts of “DevOps” were things people had been doing for YEARS!
  • 6. To shorten the feedback loop in development cycles, allowing teams to iterate quickly on changes and ship features to customer sooner. The Core Tenant of DevOps
  • 7. Mainstream DevOps = Easily accessible cloud infrastructure + Maturity of operational tooling
  • 8. For companies starting new product development initiatives, using Configuration Management is table stakes to iterate quickly!
  • 9. IaaS providers today make it as easy as possible to provision systems to meet infrastructure needs — and quickly.
  • 10. Physical Data Center Public Compute Resources for flexibility and accessibility provided by Amazon, Google, Microsoft
  • 11. Companies leverage Infrastructure as Code for major speed to market benefits The Competitive Advantage
  • 12. Companies can now provision hundreds (or thousands) of compute instances in mere minutes. ! This is an every day activity!
  • 13. Continuous Integration Continuous Deployment But who (or what) is continually monitoring the state of your operational security?!
  • 15. Junior sysadmins can now make changes to: ! • a Chef Recipe • a Puppet Manifest • an Ansible Playbook ! ! …and deploy it to production — in minutes… Today…
  • 16. What is the scope of that change?
  • 17. to be slowed down by the security team ! or ! configuration management changes to be passed through a Change Control Board Sysadmins DON’T Want:
  • 18. to change a variable, open a pull request, and once merged, their operational tooling to do the rest! ! They want their change to hit production servers ASAP. Sysadmins Want:
  • 19. This is where SecDevOps (or SecOps) comes in. (ignore the fact that it’s a silly buzzword just like DevOps…)
  • 20. If DevOps seeks to value empathy between these two teams that traditionally had different incentives for their positions… Developers Operations value constant change value stability
  • 21. …then SecDevOps seeks to evoke the SAME outcome with Security teams (and the rest of the business)
  • 22. If you’re continually deploying changes, you must be continually monitoring security implications for operational changes.
  • 23. Often times there is no single person that is able to say with absolute certainty which changes to infrastructure have additional risks towards your security posture.
  • 24. And, if you have a traditional network security organization that manually reviews and approves changes to production… ! ! You’ve introduced the newest bottleneck in your organization. ! ! ! ! ! !
  • 25. A SecDevOps methodology allows you to improve your security monitoring and response times, while maintaining your ability to continually deploy changes SecDevOps is the answer to this discussion.
  • 26. This is the most important (and exciting!) problem to solve in many organizations!
  • 27. But it is also one of the hardest problems to solve. ! This is why at Threat Stack, we’re all excited to be in a unique position to actively help companies solve this.
  • 28. Start Implementing Continuous Security Today! ! threatstack.com