Go Fast AND Be Secure?
DevOps and Security from an Enterprise Toolsmith’s Perspective
Alex Honor (@alexhonor) and Damon Edwards (@damonedwards)
DevOps Consulting
Automation Design
Operations
Tools
Business Demands
Our #1 priority is moving faster than our competitors!
IT Responds
… but what about security and compliance?
Business Demands
Our #1 priority is moving faster than our competitors!
… and our #1 priority is security and compliance!
IT Under Pressure
Can we go faster and be more secure?
What gets in the way?
Everything is different
● Many servers hand built
● Custom is the rule
● Inconsistent access control policy and rules
● Network spaghetti topology reflects snowflakes
● … it’s always a network problem ;-)
Multiplied by Datacenter
● Geographically spread
● Generations of hardware & software
● WAN latencies and bandwidths
● Sometimes outsourced
Culture clashes between silos
● “Too much change breaks stuff” - Ops
● “Let me do it myself” - Dev
● “This is dangerous!” - Sec
● “It’s not ready” - QA
● Finger pointing - everyone
Bureaucracy to get anything delivered
“Have you got 27B-6?” - said a guy, in a downstream silo
“I’m a bit of a stickler for paperwork”
“All I need is an ACL/VIP/etc”
It always ends up an escalation
● Who yells loudest
● Cube driveby and who you know
● Crisis at deadline or outage
● Sometimes still a rubber stamp
Hard to see how delivery work gets done across the organization
Process Islands
Multiple development teams out here somewhere
“I know there are problems delivering, not sure where, but I know they are outside my island of control”
“We all have the best intentions from our perspective”
I really wish to deploy multiple times daily
Friday evening
Monday morning
Everybody on bridge call with the boss
Complicated and self-inflicted
● Left hand doesn’t know what the right hand is doing
● “Bandaids” and “exception is the rule”
● Telephone and tribal knowledge
● Low MTTD/MTTR
How do we know when things are getting any better?
You’ll know you are better when...
● Security policy is applied reliably and consistently
● Security isn’t the bottleneck
● An audit trail is easy to pull together
● Security engineers aren’t left out until the end of the party (or never consulted)
● Everyone has the control they need (without root)
● Nobody feels like they are having the rug pulled out from underneath them
Shift left: Host OS SDLC
Collaborate with source code
Artifacts move through the “supply chain”
Bastion host
● centralized access point for authorized access
● disallow home run connections
● dispatcher interfaces remote execution layer
● hides network complexity like jump boxes per DC
User traceability: Delegate account
● User logs in as himself to bastion host
● Remote commands and processes run under a service account
● E.g., SSH keys used for delegate account identity
User traceability: End to end
● User logs in as himself to bastion host
● Remote commands executed using same user account
● E.g., user may raise privilege via sudo
White List and Wrapper
● No ad-hoc interactive logins.
● Use wrapper script and a white list
● Escalate privilege with sudo
● Not foolproof!
SELinux still considered too hard for most
e.g.: ssh forced command (~/.ssh/authorized_keys: command=wrapper.sh and $SSH_ORIGINAL_COMMAND)
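The forced-command wrapper sketched on this slide, written out as an added example rather than the presenters' own script: sshd runs wrapper.sh instead of the client's request, the request arrives in $SSH_ORIGINAL_COMMAND, and only an exact white-list match is executed, while every request (allowed or denied) is written to a who/what/when/where record of the kind the audit slides ask for. The file paths, the white-listed commands and the myapp service are assumptions made for the example.

```shell
#!/bin/sh
# wrapper.sh: ssh forced-command wrapper for a bastion or target host.
# Added example, not the presenters' script. Assumed deployment, one line in
# ~/.ssh/authorized_keys for the delegate or user key:
#   command="/usr/local/bin/wrapper.sh",no-port-forwarding,no-pty ssh-ed25519 AAAA... alice@laptop
# sshd runs this script instead of what the client asked for and exposes the
# client's request in $SSH_ORIGINAL_COMMAND. Nothing runs unless the request is
# byte-for-byte equal to a white-list entry; every request is logged.

WRAPPER_LOG="${WRAPPER_LOG:-/var/log/ssh-wrapper.log}"   # assumed log location

# White list (constructed for the example): one exact command line per entry.
# Privilege is raised only where the sudo form is listed explicitly, so the
# sudoers rule can be narrowed to exactly these commands.
allowed_commands() {
    cat <<'EOF'
uptime
df -h
systemctl status myapp
sudo systemctl restart myapp
EOF
}

# is_allowed CMD -> 0 if CMD is exactly one white-list line, 1 otherwise.
# -F: no regex, -x: whole line must match, -e: CMD may start with "-".
is_allowed() {
    [ -n "$1" ] || return 1
    allowed_commands | grep -Fxq -e "$1"
}

# audit_line TS HOST USER CLIENT DECISION CMD -> one key=value record.
# CMD is untrusted text from the client: control characters (newline, escape)
# are stripped so a request cannot forge extra records in the log.
audit_line() {
    _cmd=$(printf '%s' "$6" | tr -d '[:cntrl:]')
    printf 'ts=%s host=%s user=%s client=%s decision=%s cmd=%s\n' \
        "$1" "$2" "$3" "$4" "$5" "$_cmd"
}

# log_decision DECISION CMD: fill in who/when/where from the session and append.
log_decision() {
    _client=${SSH_CONNECTION%% *}        # first field is the client address
    audit_line "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hostname)" \
        "$(id -un)" "${_client:-unknown}" "$1" "$2" >> "$WRAPPER_LOG"
}

main() {
    cmd=${SSH_ORIGINAL_COMMAND:-}
    if [ -z "$cmd" ]; then
        # No command means an interactive session was requested: refuse it.
        log_decision deny "<interactive>"
        echo "interactive logins are not permitted" >&2
        exit 1
    fi
    if ! is_allowed "$cmd"; then
        log_decision deny "$cmd"
        echo "command not in white list" >&2
        exit 1
    fi
    log_decision allow "$cmd"
    set -f          # no globbing while splitting the matched entry
    set -- $cmd     # word-split the white-listed string, which equals the request
    exec "$@"
}

# Dispatch only inside an ssh session (sshd sets SSH_CONNECTION) and only when
# installed under the expected name, so the functions can be sourced or tested
# without executing anything.
if [ -n "${SSH_CONNECTION:-}" ] && [ "${0##*/}" = wrapper.sh ]; then
    main
fi
```

Keep the `no-pty` and forwarding restrictions on the authorized_keys line as well: the wrapper controls what command runs, not whether the key can open a tunnel.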
Leverage the toolchain to enforce policy
Design and code reviews
Code and binary scans
“Bake” security tests into your “immune system”
Component vulnerability and governance
Access policy and operational security checks
Automate Evidence Collection for Audits
What’s the change?
How did you validate the change?
How was the change distributed?
Who did what when and where?
What executed on the node?
Summary
● Shift left
● Bastion host
● User traceability
● White lists and wrappers
● Leverage the toolchain to enforce policy
● Automate evidence collection for audits
DevOps Kaizen: Find and Fix What is Really Behind Your Problems
 
Rundeck's History and Future
Rundeck's History and FutureRundeck's History and Future
Rundeck's History and Future
 
Adobe Presents Internal Service Delivery Platform at Velocity 13 Santa Clara
Adobe Presents Internal Service Delivery Platform at Velocity 13 Santa ClaraAdobe Presents Internal Service Delivery Platform at Velocity 13 Santa Clara
Adobe Presents Internal Service Delivery Platform at Velocity 13 Santa Clara
 
You Can't Change Culture, But You Can Change Behavior (DevOpsDays Rome 2012)
You Can't Change Culture, But You Can Change Behavior (DevOpsDays Rome 2012)You Can't Change Culture, But You Can Change Behavior (DevOpsDays Rome 2012)
You Can't Change Culture, But You Can Change Behavior (DevOpsDays Rome 2012)
 
Operations is a Strategic Weapon (PuppetConf)
Operations is a Strategic Weapon (PuppetConf)Operations is a Strategic Weapon (PuppetConf)
Operations is a Strategic Weapon (PuppetConf)
 
DevOps: IT Operations as a Strategic Weapon
DevOps: IT Operations as a Strategic WeaponDevOps: IT Operations as a Strategic Weapon
DevOps: IT Operations as a Strategic Weapon
 
Velocity 2011: Production Begins in Development
Velocity 2011: Production Begins in DevelopmentVelocity 2011: Production Begins in Development
Velocity 2011: Production Begins in Development
 
Will DevOps Jump the Shark?
Will DevOps Jump the Shark?Will DevOps Jump the Shark?
Will DevOps Jump the Shark?
 
Closing the DevOps gaps
Closing the DevOps gapsClosing the DevOps gaps
Closing the DevOps gaps
 
Lloyd Taylor: "Hacking Your Organization"
Lloyd Taylor: "Hacking Your Organization" Lloyd Taylor: "Hacking Your Organization"
Lloyd Taylor: "Hacking Your Organization"
 
Process Matters (Cloud2Days / Java2Days conference))
Process Matters (Cloud2Days / Java2Days conference))Process Matters (Cloud2Days / Java2Days conference))
Process Matters (Cloud2Days / Java2Days conference))
 
Midnight Cowboy
Midnight CowboyMidnight Cowboy
Midnight Cowboy
 
Orchestration Panel at Cloud Connect 2010
Orchestration Panel at Cloud Connect 2010Orchestration Panel at Cloud Connect 2010
Orchestration Panel at Cloud Connect 2010
 
Provisioning Toolchain Introduction for Velocity Online Conference (March 2010)
Provisioning Toolchain Introduction for Velocity Online Conference (March 2010)Provisioning Toolchain Introduction for Velocity Online Conference (March 2010)
Provisioning Toolchain Introduction for Velocity Online Conference (March 2010)
 

Recently uploaded

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 

Recently uploaded (20)

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 

DevOps & Security from an Enterprise Toolsmith's Perspective

  • 1. Go Fast AND Be Secure? DevOps and Security from an Enterprise Toolsmith’s Perspective. Alex Honor, Damon Edwards
  • 4. Business Demands: “Our #1 priority is moving faster than our competitors!”
  • 8. … but what about security and compliance?
  • 9. Business Demands: “Our #1 priority is moving faster than our competitors!” and “Our #1 priority is security and compliance!”
  • 11. Can we go faster and be more secure?
  • 13. What gets in the way?
  • 19. Everything is different ● Many servers hand built ● Custom is the rule ● Inconsistent access control policy and rules ● Network spaghetti topology reflects snowflakes ● … it’s always a network problem ;-)
  • 20. Multiplied by Datacenter ● Geographically spread ● Generations of hardware & software ● WAN latencies and bandwidths ● Sometimes outsourced
  • 26. Culture clashes between silos ● “Too much change breaks stuff” - Ops ● “Let me do it myself” - Dev ● “This is dangerous!” - Sec ● “It’s not ready” - QA ● Finger pointing - everyone
  • 27. Bureaucracy to get anything delivered ● “Have you got 27B-6?” - said a guy in a downstream silo ● “I’m a bit of a stickler for paperwork” ● “All I need is an ACL/VIP/etc.”
  • 28. It always ends up an escalation ● Who yells loudest ● Cube drive-by and who you know ● Crisis at deadline or outage ● Sometimes still a rubber stamp
  • 29. Hard to see how delivery work gets done across the organization
  • 31. Process Islands ● “I know there are problems delivering, not sure where, but I know they are outside my island of control” ● “We all have the best intentions from our perspective”
  • 35. Process Islands ● “I really wish to deploy multiple times daily” ● “Friday evening”
  • 39. Complicated and self-inflicted ● Left hand doesn’t know what the right hand is doing ● “Band-aids” and “exception is the rule” ● Telephone and tribal knowledge ● Low MTTD/MTTR
  • 40. How do we know when things are getting any better?
  • 47. You’ll know you are better when... ● Security policy is applied reliably and consistently ● Security isn’t the bottleneck ● An audit trail is easy to pull together ● Security engineers aren’t left out until the end of the party (or never consulted) ● Everyone has the control they need (without root) ● Nobody feels like they are having the rug pulled out from underneath them
  • 48. Shift left ● Host OS ● SDLC ● Collaborate with source code ● Artifacts move through the “supply chain”
  • 54. Bastion host ● Centralized access point for authorized access ● Disallow home-run connections ● Dispatcher interfaces with the remote execution layer ● Hides network complexity like jump boxes per DC
  • 55. User traceability: Delegate account ● User logs in as himself to the bastion host ● Remote commands and processes run under a service account ● E.g., SSH keys used for delegate account identity
  • 56. User traceability: End to end ● User logs in as himself to the bastion host ● Remote commands executed using the same user account ● E.g., user may raise privilege via sudo
  • 57. White List and Wrapper ● No ad-hoc interactive logins ● Use a wrapper script and a white list ● Escalate privilege with sudo ● Not foolproof! SELinux still considered too hard for most ● E.g.: ssh forced command (~/.ssh/authorized_keys: command=wrapper.sh and $SSH_ORIGINAL_COMMAND)
  • 63. Leverage the toolchain to enforce policy ● Design and code reviews ● Code and binary scans ● “Bake” security tests into your “immune system” ● Component vulnerability and governance ● Access policy and operational security checks
  • 69. Automate Evidence Collection for Audits ● What’s the change? ● How did you validate the change? ● How was the change distributed? ● Who did what, when and where? ● What executed on the node?
  • 71. Summary ● Shift left ● Bastion host ● User traceability ● White lists and wrappers ● Leverage the toolchain to enforce policy ● Automate evidence collection for audits ● ?
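The slides on user traceability (delegate account), the white list and wrapper (ssh forced command with $SSH_ORIGINAL_COMMAND) and automated evidence collection (who did what, when, where, and what executed on the node) describe one mechanism from three angles. The script below is an added example, written for this page and not part of the talk or of any dev2ops/Rundeck code, that puts them together in POSIX sh. Everything specific to it is assumed: the `authorized_keys` line that invokes it with `--forced-command <user>` so the human's name travels with the key, the request keys `host:info`, `host:disk` and `app:restart` and the commands behind them, the `app.service` unit and its sudoers rule, and the `AUDIT_LOG` path. The client never gets a shell: the string sshd hands over in `SSH_ORIGINAL_COMMAND` is compared against the white list exactly and mapped to a fixed command line, an empty string (an interactive login attempt) is refused, and every decision, allowed or denied, is written as one audit line.

```shell
#!/bin/sh
# Added example (not from the slides): an SSH forced-command wrapper for a
# delegate/service account, combining a command white list with an audit record
# that answers "who did what, when, where, and what executed on the node".
#
# Assumed (constructed) deployment in the service account's ~/.ssh/authorized_keys,
# one line per human, with that person's name baked into the command= option:
#   command="/usr/local/bin/wrapper.sh --forced-command alice",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... alice@laptop
# sshd then runs this script and puts whatever the client asked for in
# SSH_ORIGINAL_COMMAND; the client's string is only ever compared, never executed.

AUDIT_LOG="${AUDIT_LOG:-/var/log/wrapper-audit.log}"   # assumed path

# White list of request keys (constructed names). Clients send a key, not a shell
# command; each key maps to a fixed argv in dispatch() below.
WHITELIST="
host:info
host:disk
app:restart
"

is_allowed() {
    # $1 = requested key; succeed only on an exact match (no globbing, no substrings)
    for entry in $WHITELIST; do
        [ "$entry" = "$1" ] && return 0
    done
    return 1
}

dispatch() {
    # $1 = allowed key. Fixed command lines; nothing from the client is interpolated.
    case "$1" in
        host:info)   uname -a ;;
        host:disk)   df -P / ;;
        # Privilege raised only for this exact command; assumes a matching sudoers
        # rule for the service account (hypothetical unit name).
        app:restart) sudo -n /usr/bin/systemctl restart app.service ;;
        *)           return 1 ;;
    esac
}

audit_record() {
    # $1 = delegating user (from the key's command= line), $2 = ALLOW|DENY, $3 = request
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    from="${SSH_CONNECTION%% *}"            # first field of SSH_CONNECTION is the client IP
    req=$(printf '%s' "$3" | tr -c '[:print:]' '?')   # one line per event: no log injection
    printf '%s host=%s delegate=%s account=%s from=%s decision=%s cmd=%s\n' \
        "$ts" "$(uname -n)" "$1" "$(id -un)" "${from:-local}" "$2" "$req" >> "$AUDIT_LOG"
}

handle_request() {
    # $1 = delegating user, $2 = requested key (normally "$SSH_ORIGINAL_COMMAND").
    # Exit status: 0 = ran and succeeded, 2 = interactive login refused,
    # 3 = not white-listed, otherwise the dispatched command's own status.
    if [ -z "$2" ]; then
        audit_record "$1" DENY "<interactive-login>"
        echo "interactive logins are not permitted" >&2
        return 2
    fi
    if is_allowed "$2"; then
        audit_record "$1" ALLOW "$2"
        dispatch "$2"
    else
        audit_record "$1" DENY "$2"
        echo "request not in whitelist: $2" >&2
        return 3
    fi
}

# Entry point when sshd invokes us through the command= option above.
if [ "${1:-}" = "--forced-command" ]; then
    handle_request "${2:-unknown}" "${SSH_ORIGINAL_COMMAND:-}"
    exit $?
fi
```

From a workstation the delegate then runs `ssh svc@bastion host:info` and gets the fixed command's output, while `ssh svc@bastion` with no command, or any string that is not a key, is refused and still leaves an audit line. The audit line records both the service account the process ran as and the human behind the key, which is the traceability the delegate-account slide asks for; shipping `AUDIT_LOG` to a central collector is what makes the audit trail "easy to pull together". As the slide warns, this is not foolproof: the wrapper only constrains what sshd starts, so the dispatched commands themselves must be safe to hand to that user.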