developing a rugged dev ops approach to cloud security (updated)

Uploaded 12-Apr-2017 by sebastian-taphanel-cissp-issep

Page 1: Developing a Rugged Dev Ops Approach to Cloud Security (Updated)

Copyright © 2015 evident.io

THE MARRIAGE OF SECOPS AND DEVOPS

Adapted from material presented by DevOps.com and Evident.io

Sebastian Taphanel, CISSP-ISSEP, Principal Solutions Architect

September 29th, 2016

Page 2

Alan Shimel, Founder and Editor-In-Chief at DevOps.com, is an often-cited personality in the security and technology community and a sought-after speaker at industry and government events. Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology.

CEO Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in AWS, he set out to make security approachable and repeatable for companies of all sizes. Tim led technology teams at Adobe, Ingenuity, Ticketmaster, and McAfee.

Original Contributors:

Gene Kim is a multiple award-winning CTO, researcher and author. He was founder and CTO of Tripwire for 13 years. He has written three books, including The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win, and the upcoming DevOps Handbook. He has worked with some of the top Internet companies on improving deployment flow and increasing the rigor around IT operational processes.

Shannon Lietz has over two decades of experience pursuing advanced security defenses and next generation security solutions. Ms. Lietz is currently the DevSecOps Leader for Intuit, where she is responsible for setting and driving the company’s cloud security strategy, roadmap and implementation in support of corporate innovation. Prior to joining Intuit, Ms. Lietz worked for ServiceNow and Sony, and consulted for many Fortune 500 organizations.

Page 3

…DevSecOps is an Evolving Story

Page 4

CLOUD SECURITY THEN AND NOW

(diagram: From / To)

Page 5

DEVSECOPS: INNOVATIVE SOLUTIONS

Issues:

• DevOps Requires Continuous Deployments

• Fast Decision Making is Critical to Success

• Traditional Security Doesn’t Scale or Move Fast Enough

DevSecOps Solutions:

• Security Automation

• Security to Scale

• Objective Criteria

• Proactive Security Monitoring

• Continuous Detection & Response

Page 6

THE DEVSECOPS MANIFESTO

• Leaning in vs. Saying “No”

• Data & Security Science vs. FUD

• Open Collaboration vs. Security-Only Requirements

• Security Services with APIs vs. Mandated Controls

• Business Driven Security vs. Rubber Stamp Security

• Red & Blue Team Exploit Testing vs. Theoretical Vulnerabilities

• 24x7 Proactive Security vs. Reacting

• Shared Threat Intelligence vs. Silos

• Compliance Operations vs. Checklists

Via: http://www.devsecops.org

Page 7

SECURITY AS CODE

The code that describes the infrastructure should inherit the same values applied to application code:

• Not JUST Revision Control

• Make Use of Bug Tracking/Ticketing Systems

• Peer Reviews of Changes Before They Happen

• Establish Infrastructure Code Patterns/Designs

• Test Infrastructure Changes Like Code Changes

(diagram: Security as Code vs.)

Page 12

SECURITY VIA APIs

• Programmatically Test Environments

• Determine State at a Specific Point in Time

• Repeatable Processes

• Scalable Operations

• Easy Automation

• Repeatable

• Auditable

• Easy to Iterate

• Environmental Consistency
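A worked illustration of the "Security as Code" and "Security via APIs" slides above, added here and not part of the original deck: rule functions that run in CI against a point-in-time snapshot of cloud state, producing an auditable report and a pass/fail gate. The snapshot, resource names, bucket attributes and the allowed-port policy are constructed assumptions standing in for what a provider's API would return.

```python
"""Policy-as-code checks run against a point-in-time snapshot of cloud state."""
from dataclasses import dataclass

# Constructed snapshot standing in for a provider API response; the fixed capture time keeps each run repeatable and auditable.
SNAPSHOT = {
    "captured_at": "2016-09-29T12:00:00Z",
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]},
    ],
    "buckets": [
        {"name": "public-site", "public_read": True, "intended_public": True, "encrypted": True},
        {"name": "customer-data", "public_read": True, "intended_public": False, "encrypted": False},
    ],
}
ALLOWED_PUBLIC_PORTS = {80, 443}  # assumed policy: only web ports may face the internet

@dataclass(frozen=True)
class Finding:
    rule: str      # the objective criterion that failed
    resource: str  # the resource that failed it
    detail: str

def check_open_ingress(snapshot):
    """Flag security-group rules open to the whole internet on non-web ports."""
    findings = []
    for sg in snapshot["security_groups"]:
        for rule in sg["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] not in ALLOWED_PUBLIC_PORTS:
                findings.append(Finding("open-ingress", sg["id"], f"port {rule['port']} open to 0.0.0.0/0"))
    return findings

def check_buckets(snapshot):
    """Flag buckets that are world-readable without being marked public, or that are unencrypted."""
    findings = []
    for b in snapshot["buckets"]:
        if b["public_read"] and not b["intended_public"]:
            findings.append(Finding("unintended-public", b["name"], "public read without public tag"))
        if not b["encrypted"]:
            findings.append(Finding("unencrypted", b["name"], "encryption at rest disabled"))
    return findings

def evaluate(snapshot):
    """Run every rule; the report is the audit record and 'passed' is the CI gate."""
    findings = check_open_ingress(snapshot) + check_buckets(snapshot)
    return {"captured_at": snapshot["captured_at"], "findings": findings, "passed": not findings}

if __name__ == "__main__":  # CI entry point: a non-zero exit fails the change under review
    raise SystemExit(0 if evaluate(SNAPSHOT)["passed"] else 1)
```

Against the constructed snapshot the gate fails with three findings, one on sg-db and two on customer-data; re-running against a later snapshot shows whether a proposed change resolved them.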

Page 13

DEVSECOPS IS A TEAM SPORT

Operations

Red Team

Blue Team

Developers

Security

Page 14

BE READY TO MAKE DECISIONS

Page 15

DEVSECOPS SUCCESS

Keys to Success:

• Detecting and Resolving Security Issues Quickly

• Using Native Security Capabilities When Possible

• Enlisting and Enabling the Organization

• Educating Inline with Bite-Size Chunks

Page 16

DEVSECOPS PRINCIPLES

• DevSecOps is a Journey, not a Destination

• Small Security Teams Can Have a Profound Impact

• Organize Around Self-Service and Enablement

• Translate Security for the Layperson

• Perfection is the Enemy… get Rugged

Page 19

Alan Shimel: DevOps.com, [email protected], @ashimmy

Gene Kim: [email protected], @RealGeneKim

Tim Prendergast: Evident.io, [email protected], @auxome

Original Contributors:

Shannon Lietz: Intuit.com, [email protected]

Page 20

Q & A - ANY QUESTIONS?

Page 21

THANKS FOR PARTICIPATING!

[email protected]

HTTPS://WWW.LINKEDIN.COM/IN/SEBASTIANTAPHANEL