Crossing the DevOps Infosec Divide
Transcript of Crossing the DevOps Infosec Divide
Crossing the DevOps & InfoSec Divide
Gene Kim, DevOps Researcher, Co-author of “The DevOps Handbook” and “The Phoenix Project”
Derek Weeks, VP and DevOps Advocate, Sonatype
Tim Buntel, VP of Products, XebiaLabs
Housekeeping
▪ This webinar is being recorded
▪ Links to the slides and the recording will be made available after the presentation
▪ You can post questions via the GoToWebinar Control Panel
Meet your presenters
Gene Kim, DevOps Researcher, Co-author of “The DevOps Handbook” and “The Phoenix Project”
Derek Weeks, VP and DevOps Advocate, Sonatype
Tim Buntel, VP of Products, XebiaLabs
The Hard Truth: State of DevOps & InfoSec Today
100:1 – Developers outnumber application security staff
Source: Sonatype DevSecOps Community Survey, 2017
Waterfall-native teams introduce security late, extending feedback loops
Are InfoSec teams/policies slowing IT down?
Source: Sonatype DevSecOps Community Survey, 2017
Keeping security in its place
100:1 – developers outnumber application security staff
Misaligned metrics create a culture of blame
KPIs and Metrics in Opposition
Development:
• Releasing software
• Cycle time reduction
• Story points
Security:
• Preventing (bad) software from being released
• Returning it to the development stage
• Application coverage
The Good News: Patterns that Work
High performers are more agile
200x more frequent deployments
2,555x faster lead times than their peers
Source: Puppet/DORA: 2016 State Of DevOps Report: https://puppet.com/resources/white-paper/2016-state-of-devops-report
High performers are more reliable
3x lower change failure rate
24x faster mean time to recover (MTTR)
Source: Puppet/DORA: 2016 State Of DevOps Report: https://puppet.com/resources/white-paper/2016-state-of-devops-report
High performers are more secure and controlled
2x less time spent remediating security issues
29% more time spent on new work
Source: Puppet/DORA: 2016 State Of DevOps Report: https://puppet.com/resources/white-paper/2016-state-of-devops-report
Capital One: DevSecOps
Source: Tapabrata Pal, Capital One
DevSecOps
Keeping security in its place
Where is security being automated?
Source: Sonatype DevSecOps Community Survey, 2017
Saving 56,000 hours
Build security in
Make security ... / For example ...
Part of the Team (not another team) / Security Champions in Dev
Part of the Product (not something done to the product) / Abuser Stories right along with User Stories
Part of the Mission (not something to get past) / Career Development, Security Bug Bounty,
“Ask a programmer to review ten lines of code, they’ll find ten issues. Ask them to review five hundred lines of code, they’ll say: ‘looks good.’”
– Giray Özil, on code reviews
DevSecOps Patterns
• Integrate Security into Development Iteration Demonstrations
• Integrate Security into Defect Tracking and Post-Mortems
• Integrate Preventive Security Controls into Shared Source Code Repositories and Shared Services
• Integrate Security into Our Deployment Pipeline
• Ensure Security of the Application
• Ensure Security of Our Software Supply Chain
• Ensure Security of the Environment
• Integrate Information Security into Production Telemetry
• Creating Security Telemetry in Our Applications
• Creating Security Telemetry in Our Environment
• Protect Our Deployment Pipeline
Source: DevOps Handbook
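The pattern “Creating Security Telemetry in Our Applications” names the goal but the slide does not show a mechanism. The following is an added example, not code from the deck, the DevOps Handbook, Sonatype or XebiaLabs: an application emits structured, queryable security events for every login attempt (success and failure alike), and a detection routine consumes those events and flags a burst of failures from one source. The `login` handler, the in-memory user table, the JSON-lines event format, the threshold of 5 failures in 60 seconds and the traffic in `demo()` are all assumptions constructed for illustration.

```python
import json
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List

# Constructed user table for the example only (not real credentials).
# A real service would verify a salted password hash; the telemetry is the same.
USERS = {"alice": "correct-horse", "bob": "battery-staple"}


def security_event(kind: str, **fields) -> str:
    """Serialize one security-relevant event as a JSON line.

    Structured events (rather than free-text log lines) are what let operations
    and security teams query application security data like any other telemetry.
    """
    event = {"ts": fields.pop("ts", time.time()), "event": kind}
    event.update(fields)
    return json.dumps(event, sort_keys=True)


def login(username: str, password: str, src_ip: str, ts: float, sink: List[str]) -> bool:
    """Hypothetical login handler that records the outcome of every attempt.

    Successes are recorded too: a run of failures followed by a success from the
    same source is the shape of a password-guessing or credential-stuffing event.
    """
    ok = USERS.get(username) == password
    sink.append(security_event("login", user=username, src_ip=src_ip, success=ok, ts=ts))
    return ok


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window_s: float = 60.0) -> Dict[str, List[float]]:
    """Return {src_ip: [alert_ts, ...]} for every source whose failed logins reach
    `threshold` inside a sliding window of `window_s` seconds (example values)."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    alerts: Dict[str, List[float]] = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev.get("event") != "login" or ev.get("success"):
            continue
        ip, ts = ev["src_ip"], float(ev["ts"])
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ip].append(ts)
            q.clear()                       # one burst yields one alert, not many
    return dict(alerts)


def demo() -> Dict[str, List[float]]:
    """Constructed traffic: one source guessing alice's password, one normal user."""
    log: List[str] = []
    t0 = 1_000_000.0
    for i in range(6):                                              # six wrong guesses, 10 s apart
        login("alice", f"guess{i}", "203.0.113.7", t0 + 10 * i, log)
    login("alice", "correct-horse", "203.0.113.7", t0 + 65, log)  # then a hit
    login("bob", "battery-staple", "198.51.100.2", t0 + 5, log)   # legitimate user
    login("bob", "typo", "198.51.100.2", t0 + 70, log)            # a single mistake, no alert
    return detect_bruteforce(log)


if __name__ == "__main__":
    print(demo())
```

The detector is deliberately simple; in production the same JSON events would be shipped to the team's log or metrics platform and the rule would live there, alongside the operational dashboards, which is the point of the pattern: security signal sits in the telemetry everyone already watches.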
Register for Part 2 in this webinar series!
Thursday, April 27th, 8am PT | 11am ET | 5pm CET
A DevSecOps Demo: Early, Everywhere, At Scale
http://bit.ly/XL-Sonatype
Rob Vanstone, XebiaLabs
Ilkka Turunen, Sonatype
Questions?
Thank You!