Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA Conference 2015
4 likes822 views
The document discusses the importance of integrating DevOps with security practices to improve overall system efficiency and security. It highlights the challenges and misunderstandings between development, operations, and security teams and suggests solutions such as continuous integration, social coding, and blameless postmortems. Emphasizing collaboration and shared responsibilities, it argues that a cohesive approach can mitigate risks and enhance performance in software development and deployment.
Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA Conference 2015
- 1. Why DevOps != the Wild West and How Embracing it Can Improve Security Dan Cundiff (@pmotch) Target Corporation
- 2. A true story about saying NO to DevOps
- 3. Empathizing with the wild west POV
- 4. Us vs them & The Local Optima problem
- 5. Dev incentive: speed of shipping Ops incentive: availability
- 6. Ops thinks actions by Dev to ↑ speed of shipping means availability ↓
- 7. Dev thinks actions by Ops to ↑ availability means speed of shipping ↓
- 8. Security thinks actions by Dev to ↑ speed of shipping means security ↓
- 9. Dev thinks actions by Security to ↑ security means speed of shipping ↓
- 10. “A system of local optimums is not an optimum system at all; it is a very inefficient system.”
- 11. So how can we have both?
- 12. DevOps!
- 13. Dev + Ops + SecOps = DevOpsSec
- 14. Examples across CALMS spectrum: Culture Automation Lean Measurement Sharing
- 17. CI encourages smaller changes, making it easier to spot security issues
- 18. Social coding = Who changed what, when, and why; git blame + pull request commentary
- 19. Social coding = A pull request is a code review
- 20. Social coding = PRs seeking +1s from security partners
- 21. Social coding = Ability to ask questions on any line of code
- 22. Security documentation as code
- 23. Security team’s processes and tools need to be responsive to CI/CD (e.g. FIM configurable continuously vs quarterly)
- 24. Give security access to your backlogs; tag commits with issue IDs
- 25. ChatOps, conversation-driven development, stitching in security events, security teams listening and talking, etc.
- 26. Dev and Ops sharing metrics/logs Better coverage; melds silos of responsibility
- 27. Blameless post mortems, even for security https://codeascraft.com/2012/05/22/blameless-postmortems/
- 28. Infrastructure-as-code = fast testable mass patches
- 29. Infrastructure-as-code = knowing if a security change broke the app
- 30. Infrastructure-as-code = clear state of security config
- 31. We need APIs to security vendor products http://devops.com/blogs/devops-a-wake-up-call-to-security-vendors/
- 32. Auditors like it.* Reduced human involvement.
- 33. Share what you’re learning and doing inside and outside of the company.
- 34. Leaders, think Kaisen. Value all employee’s ideas across Dev and Sec/Ops.
- 35. Leaders, find the risk takers pioneering this, and protect them.
- 36. Pioneers, find your forward-thinking security partners and bring them along with you.
- 37. We are hiring!
- 38. Thanks! Dan Cundiff (@pmotch) Target Corporation