Why SecDevOps Will Save the Cloud
DESCRIPTION
DevOps unite: Infrastructure as code took the community by storm. Various Configuration Management solutions started making themselves available, code was written, and progress was made. But something was still missing. The cloud has left us questioning our surroundings. Who has access, what are the controls, what services are publicly available and which are safely kept behind “locked” doors? What is our risk, and how efficiently was it assessed?
TRANSCRIPT
WHY SECDEVOPS WILL SAVE THE CLOUD
By Bill Young, Sr. Infrastructure Engineer for Threat Stack
THE WORLD HAS CHANGED
It’s in the Earth. It’s in the packet loss.
This is the age of the cloud.
We were not without our skeptics,
but we knew what was happening.
A revolution was on our doorstep.
We wanted it all!
We wanted it yesterday.
Configuration Management
Automation Orchestration
Continuous Integration Delivery
New concepts were born…
Titles were given…
and philosophies of win floated around the web like confetti.
…we weren’t sure where we were going, but we knew where we didn’t want to be…
Configuration drift!
Tedious provisioning of systems!
Lack of acceptance!
Unit tests!
Our fears were real, so we sought answers.
DevOps is born.
“This is the solution we’ve been
searching for!”
So, what is a “DevOp”?
We’ve all heard the jargon, the marketing pitches,
but what is it really?
def·i·ni·tion
DevOps is not a team, nor an organizational role.
It is a philosophy of collaboration.
“In the long history of humankind (and animal kind, too) those who learned to collaborate and improvise most
effectively have prevailed.” - Charles Darwin
For years, we’ve sectioned off teams
Developers to the left, Operations to the right
Security teams…where did they go? Who knows, really…
Applications and services were developed and passed over the wall to Operations
where they pieced things together to create a working environment.
It was how we “got shit done.”
Yet, something had always been missing.
Where was the bottleneck? How do we optimize our development and deployment pipelines?
Things need to be faster! Mush! Mush! Fellow Engineers!
DevOps, unite!
Configuration Management solutions became available!
Code was written!
Progress was made!
Infrastructure as Code Took the Community By STORM!
…but something was still missing.
Something of incredible value!
SECURITY!
Were we really foolish enough to believe that these progressive methodologies would save us from something
so integral to our success?
Security, why have we forsaken you?
Who has access? What are the controls? What services are publicly available? Which are safely kept behind “locked” doors? What is our risk? How efficiently was it assessed?
The cloud has left us questioning our surroundings
If you have yet to ask yourself those questions,
it will only be a matter of time before you are
one of the Lost.
What is it?!
Where did it come from?!
Is it just another silly buzzword?
Suddenly, the SecDevOps Methodology appeared
It is a natural progression.
Without complete ownership of our systems and their supporting environments,
we need to protect ourselves.
That’s why SecDevOps, or SecOps, is a natural extension of DevOps
The rate of change leaves little room for Security teams to properly assess risk in applications and infrastructure code.
Without bringing Security into the fold, we will continue to be at risk of ever-looming threats.
By integrating our Security tool-chains into our DevOps pipeline,
we can effectively mitigate our risks and continue our journey
towards a secure, automated infrastructure.
The Solution.