continuous opportunity: devops &...
TRANSCRIPT
![Page 1: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/1.jpg)
August 2017
Continuous Opportunity:DevOps & Security
August 15, 2017
© 2016-2017 SANS Institute | All Rights Reserved
![Page 2: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/2.jpg)
![Page 3: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/3.jpg)
Ben Allen
@mr_secure Continuous Opportunity: DevOps & Security 3
• Security Engineer at SANS Institute• Operations Engineer, Developer at SANS prior to Security• Network Security Analyst … Architect at UMN• GCIA, GPEN, GWEB, GWAPT, GMON
• Contact [email protected] @mr_secure
Introduction
![Page 4: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/4.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 4
Agenda• Continuous Opportunity:
DevOps & Security
C O N T I N U O U S O P P O R T U N I T Y
1. The DevOps Movement2. Shifting Security Left3. Examples
![Page 5: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/5.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 5
A LONG TIME AGO IN A GALAXY FAR, FAR AWAY
• Waterfall developmentPhased delivery in large projects
• Slow, gated deployment cyclesSeveral months between releases
• Numerous handoffs between teamsDev -> QA -> Users -> Ops -> Sec
![Page 6: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/6.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 6
HOW’S THAT WORKING FOR YOU?
• Customers provide feedback too late in the process
• Delays between handoffs• Security is left until the very end• High risk / failed deployments• Slow deployment cycles cause:
Projects are delayed and over budgetLong zero-day vulnerability windows
![Page 7: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/7.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 7
HOW’S THAT WORKING FOR YOU?
![Page 8: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/8.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 8
• AgileBreak down walls between development and the business / customer
• DevOpsBreak down walls between development and operations
• SecDevOpsBreak down walls between security and development, operations, business
BREAKING DOWN THE WALLS
![Page 9: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/9.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 9
Much of the Security DNA in DevOps comes from a few leaders aka “unicorns”:• Etsy
Security in continuous delivery, “a Just Culture”• Netflix
Security in AWS, Simian Army• Facebook
Security at scale, OSQuery• Twitter
Self-service security for developers
DEVOPS UNICORNS
![Page 10: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/10.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 10
Online crafts market place (PCI regulated), established in 2005. Over 1 million sellers, 21 million buyers.
In the beginning (2008):• Difficulty scaling up engineering, ops teams• Reliability, downtime problems during deployments• Production releases 2 times per week• Each release takes 4 hours• Deployment process of a large enterprise
CASE STUDY | ETSY BEFORE
![Page 11: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/11.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 11
Fast forward to 2012:• Continuous Deployment (CD)
50 changes to production per day• Dark launching (aka feature flags)• A Just Culture
Blameless post-mortems (and Morgue)It is safe to make mistakes – as long as you participate in solving themRecord what happened and learn from it
• Dev and Ops all take on-call rotations• Measure and track everything
CASE STUDY | ETSY AFTER
![Page 12: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/12.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 12
DEVOPS PRINCIPLES
DevOps is about CAMS:
• Culture - People and process first. If you don’t have culture, all automation attempts will be fruitless.
• Automation - This is where you start once you understand your culture. At this point, the tools can start to stitch together an automation fabric for DevOps.
• Measurement - If you can’t measure, you can’t improve.• Sharing - Sharing is the feedback loop in the CAMS cycle.
John WillisWhat Devops Means to Me, July 2010
![Page 13: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/13.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 13
WHY? - DEVOPS RESULTS
This faster delivery cycle lets teams experiment, creating a feedback loop with customers. The result? The entire organization benefits, as measured by profitability, productivity, and market share.
2017 State of DevOps Report
![Page 14: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/14.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 14
Puppet / DORA 2017 State of DevOps Report for high-performing organizations:• Deploy changes 46 times more often• Lead times are >440 times shorter• Change failure rate is 5 times lower• Failure recovery is 96 times faster• Spend 50% less time remediating security issues
• https://puppet.com/2017-devops-report
2017 STATE OF DEVOPS
![Page 15: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/15.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 15
Agenda• Continuous Opportunity:
DevOps & Security
C O N T I N U O U S O P P O R T U N I T Y
1. The DevOps Movement2. Shifting Security Left3. Examples
![Page 16: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/16.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 16
50 DEPLOYMENTS A DAY!
How does security keep up?
No pen testing?
No security sprints?
No control gates?
No time for source code assessments?
![Page 17: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/17.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 17
• Configuration Managementaka Infrastructure as CodePuppet, Chef, Ansible, Salt, CFEngine
• Continuous IntegrationJenkins, Travis, Bamboo, TeamCity
• Continuous DeliveryJenkins, Chef Delivery, Atlassian Bamboo, Amazon AWS Code Pipeline
• Continuous Deployment• Continuous Monitoring
CAMS - AUTOMATION
![Page 18: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/18.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 18
Keep up with the pace of continuous delivery by:• Identify risks using threat modeling during planning• Automate unit testing for security stories• Iterative, incremental scans during code, test, and release
SHIFTING SECURITY LEFT
SecDevOps
![Page 19: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/19.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 19
CAST STUDY | ETSY’S SECURITY PROGRAM | STEP 1 - 3
1 Don’t be an InfoSec jerk. Build security into the frameworks.
2 If it moves, graph it! Real-time monitoring for building attack-driven security defenses
3 Just ship it! Every engineer can push to prod at any time, including security
![Page 20: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/20.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 20
CAST STUDY | ETSY’S SECURITY PROGRAM | STEP 4 - 7
4 Security cannot be a blocker. Don’t cry wolf. Practical, realistic trade-offs.
5 Designated hackers assigned to a handful (~ 5) projects.
6 Engineering / Security job rotations
7 Bug bounties, both internal and external
![Page 21: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/21.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 21
Make security a first class citizen during development workflow:• Static Application Security Testing (SAST) is built into the IDE• Commits trigger automated security scans (out of band)• Light-weight, accurate static analysis scans (in the pipeline)• Alerts when high-risk code is changed• Automated unit testing for security features• Fast accurate feedback which returns pass / fail results
SHIFTING SECURITY LEFT – CONTINUOUS INTEGRATION
![Page 22: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/22.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 22
Security tools for static analysis:• Free / open source:
Find security bugs, Phan, CAT.NET, Brakeman, Bandit, Flawfinder, QARK• Commercial:
HP Fortify, Checkmarx, Coverity, IBM AppScan Source, Klocwork, Veracode, Brakeman Pro
Security tools for vulnerable dependencies:• Free / open source:
OWASP Dependency Check, SafeNuGet, Retire.js• Commercial:
Sonatype, Black Duck, Palamida, Source Clear
STATIC ANALYSIS TOOLS
![Page 23: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/23.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 23
Automate various dynamic tests throughout the delivery pipeline:• Functional security testing
Automate tests against authentication, authorization, password management using Selenium or similar tool
• Dynamic Application Security Testing (DAST)Black box scanners looking for known classes of weaknessLibrary of past flaws to scan for
SHIFTING SECURITY LEFT – CONTINUOUS DELIVERY
![Page 24: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/24.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 24
Security tools for dynamic analysis• Free / open source:
ZAP, Arachni, w3af, Skipfish, Nikto• Commercial:
Burp Suite, HP WebInspect, IMB AppScan, Nessus, Veracode, WhiteHat Sentinel
• CI Scanning frameworks:Gauntlt, F-Secure, BDD-Security, Mozilla Minion, Yahoo Gryffin
DYNAMIC ANALYSIS TOOLS
![Page 25: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/25.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 25
Leverage monitoring tools and approaches for security monitoring:• Look for attack signatures
Authentication failures, 4XX/5XX errors, database syntax errors, login failures, access control exceptions
• Correlate with traffic information (source, type)• Feed trends and anomalies back to monitoring tools
Must watch: Christopher Rimondi “Using DevOps Monitoring Tools to Increase Security Visibility”• https://www.youtube.com/watch?v=TNCVv9itQf4
SHIFTING SECURITY LEFT – CONTINUOUS MONITORING
![Page 26: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/26.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 26
CONTINUOUS MONITORING – DASHBOARD - Etsy
![Page 27: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/27.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 27
• Hygieia – Capitol One (https://github.com/capitalone/Hygieia)
CONTINUOUS MONITORING - DASHBOARD
![Page 28: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/28.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 28
Agenda• Continuous Opportunity:
DevOps & Security
C O N T I N U O U S O P P O R T U N I T Y
1. The DevOps Movement2. Shifting Security Left3. Examples
![Page 29: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/29.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 29
• AWS CodePipeline used to build Java App• AWS CodeBuild ”Build” phase creates docker container• AWS CodeBuild “Test” phase runs SAST, Dependency checks• Data published into Jenkins
• Integrate security testing into the build process
SHIFTING SECURITY LEFT
![Page 30: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/30.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 30
![Page 31: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/31.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 31
![Page 32: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/32.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 32
![Page 33: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/33.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 33
![Page 34: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/34.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 34
![Page 35: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/35.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 35
• Backstory: Basic OS-level monitoring on hostsUsing collectd to gather disk/cpu/network stats & ship to graphite
• What can we identify?
• Note: These data sets are based on simulations, not actual incidents
MONITORING FOR SECURITY
![Page 36: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/36.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 36
Data Exfiltration?
![Page 37: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/37.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 37
Ransomware?
![Page 38: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/38.jpg)
@mr_secure Continuous Opportunity: DevOps & Security 38
Opportunities that SecDevOps presents:• Trade inefficient, ineffective point-in-time compliance snapshots
for continuous, real-time verification• Build security testing, scanning, and reviews into the pipeline to
find low hanging fruit & prevent regressions• Reduce time spent on security remediation• Ensure the entire project team understands the hostile
environment their applications face via continuous feedback from production
PARTING THOUGHTS
![Page 39: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/39.jpg)
Questions ?
@mr_secure Continuous Opportunity: DevOps & Security 39
![Page 40: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/40.jpg)
![Page 41: Continuous Opportunity: DevOps & Securityblogs.sans.org/appsecstreetfighter/files/2017/08/... · @mr_secure Continuous Opportunity: DevOps & Security 14 Puppet / DORA 2017 State of](https://reader031.vdocuments.us/reader031/viewer/2022040409/5ec7e7989b761d7a4112ae1c/html5/thumbnails/41.jpg)
CREDITS
SPEAKERBen [email protected]@mr_secure
AUTHORSJim Bird@jimrbird
Ben Allen@mr_secure
SANS EMAILGENERAL INQUIRIES: [email protected]: [email protected]: [email protected]/PR: [email protected]
DEVELOPER RESOURCESsoftware-security.sans.orgTwitter: @sansappsec
@mr_secure Continuous Opportunity: DevOps & Security 41