Leveraging Your Company's DevOps Transformation (AppSec USA 2014)

Where the Security Rubber Meets the DevOps Road: Understanding Your Company's DevOps Transformation (so you can leverage it for your own goals)

Upload: dev2ops

Post on 13-Jun-2015


DESCRIPTION

Damon Edwards presentation at AppSec USA 2014 (Denver, CO on 9/19/14)

TRANSCRIPT

Page 2: Leveraging Your Company's DevOps Transformation (AppSec USA 2014)

@damonedwards

Page 3: devopscafe.org

Page 4: DevOps Consulting / Automation Design / Operations Tools

Page 5: Security Expert

Page 7: Giving the customer...
• What they want
• When they want it
• At the lowest cost possible

Page 8: Dev | Ops

Page 9: Dev | Ops, separated by the "Wall of Confusion". DevOps Problems!

Pages 10-11: Ah-ha!
Dev | Ops: Remove the Wall of Confusion
Shorten: Time to Market, Feedback

Pages 12-16: Signals the org is getting better
• Lead Times (and more predictable)
• MTTD (Mean Time To Detect)
• MTTR (Mean Time To Repair)
• Quality at the Source (less scrap, caught faster)

Pages 17-18: Why DevOps? Why Now?
(If we ignore DevOps, won't it just blow over?)

Page 19: We need the capability to learn faster than our competitors

Page 20: The Rise of a New IT Operations Support Model

By 2015, DevOps will evolve from a niche strategy employed by large cloud providers into a mainstream strategy employed by 20% of Global 2000 organizations.

Why DevOps will emerge:
• DevOps is not usually driven from the top down and, thus, may be more easily accepted by IT operations teams.
• ITIL and other best practices frameworks are acknowledged to have not delivered on their goals, enabling IT organizations to look for new models.
• The growing interest in tools such as Chef, Puppet, etc., will help stimulate demand for OSS-based management.

Why DevOps will not emerge:
• Cultural changes are the hardest to implement, and DevOps requires a significant rethinking of IT operations conventional wisdom.
• There is a large body of work with respect to ITIL and other best practices frameworks that is already accepted within the industry.
• Open source (OSS) management tools, which are more aligned with this approach, have not seen significant enterprise market share traction.

Pages 21-23: 2014 State of DevOps Survey

9,200+ respondents from 110 countries, across all industries

Page 24: DevOps gives us the capability to learn faster than our competitors

Pages 25-26: DevOps is here to stay. (Opportunity? Risk?)

Page 27: Opportunity for InfoSec: Reset the relationship (Dev | Ops)

Pages 28-34: Silos are the #1 enemy of throughput and quality

Dev Team -> Handoff! -> Release Team -> Handoff! -> Ops Team -> Handoff! -> Business Team

What gets lost at each handoff:
• Application Knowledge
• Operational Knowledge
• Business Intent

Result: one side has ownership but limited accountability, the other has accountability but no ownership.

Pages 35-38: Redraw the organization to eliminate silos

Instead of Dev Team / Release Team / Ops Team / Business Team: Cross Functional Delivery Teams, aligned by value streams or customer identifiable services.

Freedom & Responsibility. Culture is key to enabling.

Google: "Cloud Operations at Netflix", "Actionable Metrics Netflix" (Roy Rapoport). Different talk.

Page 39: Leveraging Your Company's DevOps Transformation (AppSec USA 2014)

How?

Dev

Ops

Pages 40-41: Turn information flow into artifact flow

Current state value stream map, starting from the Customer. Swim lanes: Product Management, Engineering, Cloud Services, Technical Support.

Legend: L/T Lead time; P/T Process time; H/C Head count; S/R Scrap rate; D Defects; EP Extra processes; M Motion; PD Partially done; TS Task switching; W Waiting

Process step                   L/T    P/T    H/C   S/R    Owner
Customer communication         28d    7d     1     -      Stephen / Xi
Product Program Planning       105d   46d    15    100%   John Robert
Release Program Management     -      -      -     -      Erica Smith
Engineering Planning Process   45d    18d    23    -      Bob Smith
Preliminary Development        45d    21d    140   -      Bob Smith
Full Development               75d    43d    130   -      Bob Smith
Build                          1d     0.3d   2     33%    John Doe
Selective Promotion            90d    15d    5     -      Steve Young
QA Test                        105d   11d    42    -      Sam Young
Engineering Release            60d    1d     1     >5%    Victoria Doe
Release Promotion              60d    0.2d   1     >5%    Victoria Doe
Cloud Services Release         60d    16d    3     3%     Reggie / Carlos
Change Control                 42d    -      -     -      Peter Lee
Deploy Release                 90d    8d     8     2%     Lewis S. / Peter Y.
Server Provisioning            24d    4d     3     50%    Jen Garza
Server Acceptance              14d    1d     4.5   15%    Lynn A. etc.
Service pack review            56d    7d     6     100%   Suresh Wu

("-" marks a value left blank on the slide.)

Information artifacts passed between steps (manual information flow): Shared Drive Test, Shared Drive Prod, Commits, Rollout Schedule, README, MOP, Release Schedule, PRD, Release Memos, Tasks, QA Forum Ticket, Remedy Ticket, Estimates, Patch Calendar, QA forum, ERR, MOP/SOP, Design Specs, crit bugs, email, Lockdown control, checklist, New Targets, Single Image Server, XML, BRD, BTS, QA Environment, Documentum, Production, Packages, derived reqs.

Waste markers plotted on the map (their positions against individual steps are not recoverable from the extracted text): M, PD(3), PD(3), EPM, EP(2), PD, M(3), W(2)M, TS, M(3), M(2), W(2), M(2), EP, EP, EP(3), W, W, EP, W, PD, TS(2), M, M, M(2), M W(2) EP, M, D, EPM(3), D, W, EP, PD D(3)

Pages 42-47: Drive all changes through a SDLC

Development side (SOURCE): Code, Tests, Config, Env Spec, Run-book, Automation -> Source Repo -> CI Server -> Package Repo (Packages, Versioned Release)

Operations side (SERVICE): Operations Console (Shell / PowerShell) -> Pre-Production Environments -> Production Environment

Dev + Ops *: Collaboration (on the source side)
Dev + Ops *: Execute Operations Procedures (on the operations side)

Same People!!

Page 48: Leveraging Your Company's DevOps Transformation (AppSec USA 2014)

How?

Dev

Ops

Pages 49-51: What about cross-cutting concerns?

Cross Functional Delivery Team (PO • Dev • Test • SRE) owns the SOURCE pipeline: Code, Tests, Config, Env Spec, Run-book, Automation -> Source Repo -> CI Server -> Package Repo -> Operations Console (Shell / PowerShell) -> Pre-Production Environments, Packages

Cross-cutting concerns: QA, Security, Environments, Monitoring / Metrics

Each becomes a service the delivery team pulls from (pull, pull, pull, pull): QA as a Service, Security as a Service, Metrics as a Service, Env. as a Service

Page 52: Leveraging Your Company's DevOps Transformation (AppSec USA 2014)

Be a service provider

pull

Cross-Cutting Concern X

✓ Standardized offerings

✓ Pulled by users (not pushed)

✓ On-demand and self-service

✓ Implementation knowledge not necessary for normal use

✓ Provider spends their time building service and coaching users

X as a Service

Pages 53-63: How to start being a service provider (Cross-Cutting Concern X -> pull -> X as a Service)

1. Define your offerings
2. Tame the tool sprawl
3. Set up self-service interfaces
4. Set up secure access

Plug: Give Rundeck a try --> rundeck.org

Page 64: Leveraging Your Company's DevOps Transformation (AppSec USA 2014)

What about things that can’t be automated?

Dev

Ops

Pages 65-66: Good rule of thumb: Tickets are for exceptions, not the daily work

(Diagram: a Ticket System with work marked X and "??" flowing through it)

Manual request queues lead to...
• Bottlenecks
• Increased lead times
• Reinforced organizational silos
• Misinterpretation or omissions

Page 67: Leveraging Your Company's DevOps Transformation (AppSec USA 2014)

How do we mitigate the negative impact of manual request queues?

Dev

Ops

Pages 68-72: Use a work management system like Kanban

Board columns: Backlog prioritized by stakeholders | Up Next | Doing (Plan it -> Do it -> Review it) | Post Mortem
Swim lanes (your standardized offerings), each holding its own Tasks: Service A, Service B, Service C, Service D, Service E, Emergency - Type 1, Emergency - Type 2

Only works if you set and enforce:
• Service catalog and backlog rules
• WIP and SLA per service type
• WIP per person

SLA per service type. Enforce WIP to protect capacity and hit commitments!

Page 73: Leveraging Your Company's DevOps Transformation (AppSec USA 2014)

...But Security! ...But Compliance!

Dev

Ops

Pages 74-86: Security and Compliance Opportunity

Pipeline (as on Page 42). Development side (SOURCE): Code, Tests, Config, Env Spec, Run-book, Automation -> Source Repo -> CI Server -> Package Repo (Packages). Operations side: Operations Console (Shell / PowerShell) -> Pre-Production Environments -> Production Environment.

Where security and compliance plug into the pipeline:
• Design and Code Reviews
• Code and Binary Scanning
• "Bake" security tests into your "immune system"
• Component vulnerability and governance
• Access policy and operational security checks

Questions the pipeline must be able to answer:
• What's the change?
• Where did the change go?
• How did you validate the change?
• Who has access to what environment?
• Who did what, when and where?
• What was executed on the box to make the change?

Diagram labels: "Change things here" (the source side) and "Run / control things here" (the operations side).
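The questions on Pages 81-86 are only answerable if the source repo, CI server, package repo and operations console leave records that can be joined per deployment. The following is an added example (not from the talk, and not Rundeck's or any other project's code) that performs that join over constructed records: for each deploy it recovers the commit, build, environment, executor, host, command and time, and flags gaps in the trail such as a package CI never built, an unreviewed commit, a failed scan, an executor outside the environment's access policy, or a change run from an ad-hoc shell instead of the operations console. The record shapes, field names, the `allowed_deployers` policy and all sample data are assumptions made for the illustration.

```python
"""Change-provenance audit over pipeline events.

Added example (not from Damon Edwards' talk or any project it mentions): for
each deployment it answers the "Security and Compliance Opportunity" questions
by joining constructed commit, build and deploy records. Record shapes, field
names, the access policy and all sample data are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Commit:
    sha: str
    author: str
    reviewed_by: Optional[str]   # None: no design/code review was recorded


@dataclass
class Build:
    build_id: str
    commit_sha: str
    tests_passed: bool
    scans_passed: bool           # code/binary scanning gate in CI
    package_id: str              # artifact the build published to the package repo


@dataclass
class Deploy:
    deploy_id: str
    package_id: str
    environment: str
    executed_by: str
    host: str
    channel: str                 # "ops-console" (audited) or "direct-shell"
    command: str
    timestamp: str


@dataclass
class Finding:
    deploy_id: str
    chain: Dict[str, str] = field(default_factory=dict)   # the recovered answers
    problems: List[str] = field(default_factory=list)     # gaps in the audit trail


def audit(commits: List[Commit], builds: List[Build], deploys: List[Deploy],
          allowed_deployers: Dict[str, Set[str]]) -> List[Finding]:
    """Return one Finding per deploy: the provenance chain plus any gaps."""
    by_sha = {c.sha: c for c in commits}
    by_package = {b.package_id: b for b in builds}
    findings = []
    for d in deploys:
        f = Finding(d.deploy_id)
        # Where did the change go? Who did what, when and where? What was run?
        f.chain.update(environment=d.environment, executed_by=d.executed_by,
                       host=d.host, command=d.command, when=d.timestamp)
        build = by_package.get(d.package_id)
        if build is None:
            f.problems.append("package not produced by CI (unknown provenance)")
        else:
            # What's the change? The commit behind the deployed package.
            f.chain["build"] = build.build_id
            f.chain["commit"] = build.commit_sha
            # How did you validate the change?
            if not build.tests_passed:
                f.problems.append("deployed build failed tests")
            if not build.scans_passed:
                f.problems.append("deployed build failed code/binary scan")
            commit = by_sha.get(build.commit_sha)
            if commit is None:
                f.problems.append("build references a commit missing from the source repo")
            elif commit.reviewed_by is None:
                f.problems.append("commit has no recorded review")
            elif commit.reviewed_by == commit.author:
                f.problems.append("commit was reviewed by its own author")
        # Who has access to what environment? Compare against the access policy.
        if d.executed_by not in allowed_deployers.get(d.environment, set()):
            f.problems.append(f"{d.executed_by} is not permitted to deploy to {d.environment}")
        # Changes should run through the operations console, not an ad-hoc shell.
        if d.channel != "ops-console":
            f.problems.append(f"executed via {d.channel}, bypassing the operations console")
        findings.append(f)
    return findings


def run_sample_audit() -> List[Finding]:
    """Run the audit over a constructed (not real) set of pipeline records."""
    commits = [Commit("c1", "alice", "bob"), Commit("c2", "carol", None)]
    builds = [Build("b1", "c1", True, True, "web-1.0"),
              Build("b2", "c2", True, False, "web-1.1")]
    deploys = [
        Deploy("d1", "web-1.0", "production", "bob", "prod-web-01",
               "ops-console", "job deploy-web --version 1.0", "2014-09-19T10:00Z"),
        Deploy("d2", "web-1.1", "production", "carol", "prod-web-02",
               "direct-shell", "./deploy.sh 1.1", "2014-09-19T11:30Z"),
        Deploy("d3", "web-9.9", "staging", "bob", "stage-web-01",
               "ops-console", "job deploy-web --version 9.9", "2014-09-19T12:00Z"),
    ]
    policy = {"production": {"bob", "dave"}, "staging": {"alice", "bob", "carol"}}
    return audit(commits, builds, deploys, policy)
```

In the sample, `d1` has a complete chain (reviewed commit, passing build, permitted executor, operations console), `d2` accumulates four gaps, and `d3` deploys a package no CI build ever produced, which is the case where none of the "what's the change" questions can be answered at all. The design point is that each answer comes from a different tool's records, so the join only works when every tool emits a key (commit sha, package id, deploy id) the next one carries forward.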

Pages 87-92: Are you helping your company to...
• Reduce cycle time AND improve quality?
• Eliminate handoffs or reduce the friction of those handoffs that can't be eliminated?
• Improve tool-to-tool artifact flow and eliminate manual information flow?
• Eliminate manually-fulfilled request queues and other sources of waiting?
• Improve awareness and understanding of the current state and desired state of the end-to-end system?