Developing a Rugged Dev Ops Approach to Cloud Security (Updated)
Copyright © 2015 evident.io
THE MARRIAGE OF SECOPS AND DEVOPS
Adapted from material presented by DevOps.com and Evident.io
Sebastian Taphanel, CISSP-ISSEP
Principal Solutions Architect
September 29th, 2016
Alan Shimel, Founder and Editor-In-Chief at DevOps.com, is an often-cited personality in the security and technology community and a sought-after speaker at industry and government events. Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology.
CEO Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in AWS, he set out to make security approachable and repeatable for companies of all sizes. Tim led technology teams at Adobe, Ingenuity, Ticketmaster, and McAfee.
Original Contributors:
Gene Kim is a multiple award-winning CTO, researcher and author. He was founder and CTO of Tripwire for 13 years. He has written three books, including The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win and the upcoming DevOps Handbook. He has worked with some of the top Internet companies on improving deployment flow and increasing the rigor around IT operational processes.
Shannon Lietz has over two decades of experience pursuing advanced security defenses and next-generation security solutions. Ms. Lietz is currently the DevSecOps Leader for Intuit, where she is responsible for setting and driving the company’s cloud security strategy, roadmap and implementation in support of corporate innovation. Prior to joining Intuit, Ms. Lietz worked for ServiceNow and Sony, and consulted for many Fortune 500 organizations.
…DevSecOps is an Evolving Story
CLOUD SECURITY THEN AND NOW
From:
To:
DEVSECOPS: INNOVATIVE SOLUTIONS
Issues:
• DevOps Requires Continuous Deployments
• Fast Decision Making is Critical to Success
• Traditional Security Doesn’t Scale or Move Fast Enough
DevSecOps Solutions:
• Security Automation
• Security to Scale
• Objective Criteria
• Proactive Security Monitoring
• Continuous Detection & Response
THE DEVSECOPS MANIFESTO
• Leaning in vs. Saying “No”
• Data & Security Science vs. FUD
• Open Collaboration vs. Security-Only Requirements
• Security Services with APIs vs. Mandated Controls
• Business Driven Security vs. Rubber Stamp Security
• Red & Blue Team Exploit Testing vs. Theoretical Vulnerabilities
• 24x7 Proactive Security vs. Reacting
• Shared Threat Intelligence vs. Silos
• Compliance Operations vs. Checklists
Via: http://www.devsecops.org
SECURITY AS CODE
The code that describes the infrastructure should inherit the same values applied to application code:
• Not JUST Revision Control
• Make Use of Bug Tracking/Ticketing Systems
• Peer Reviews of Changes Before They Happen
• Establish Infrastructure Code Patterns/Designs
• Test Infrastructure Changes Like Code Changes
SECURITY VIA API’S
• Programmatically Test Environments
• Determine State at a Specific Point in Time
• Repeatable Processes
• Scalable Operations
• Easy Automation
• Repeatable
• Auditable
• Easy to Iterate
• Environmental Consistency
DEVSECOPS IS A TEAM SPORT
• Operations
• Red Team
• Blue Team
• Developers
• Security
BE READY TO MAKE DECISIONS
DEVSECOPS SUCCESS
Keys to Success:
• Detecting and Resolving Security Issues Quickly
• Using Native Security Capabilities When Possible
• Enlisting and Enabling the Organization
• Educating Inline with Bite-Size Chunks
DEVSECOPS PRINCIPLES
• DevSecOps is a Journey, not a Destination
• Small Security Teams Can Have a Profound Impact
• Organize Around Self-Service and Enablement
• Translate Security for the Layperson
• Perfection is the Enemy… get Rugged
Alan Shimel
• DevOps.com
• [email protected]
• @ashimmy
Gene Kim
• [email protected]
• @RealGeneKim
Tim Prendergast
• Evident.io
• [email protected]
• @auxome
Original Contributors:
Shannon Lietz
• Intuit.com
• [email protected]
Q & A - ANY QUESTIONS?