This document discusses democratizing security as the next frontier for DevSecOps adoption in enterprises. It covers evolving delivery practices like Agile, DevOps, and SRE. Democratizing involves making capabilities self-service, granting permission to act with guardrails, and building trust. This includes democratizing infrastructure, software delivery, data, and security by making them technology agnostic, self-service, and including them in the DevSecOps toolchain to improve applications, platforms, processes, and culture. Security chaos engineering and value stream mapping are also discussed as ways to identify vulnerabilities and inefficiencies to continuously improve operational readiness and adoption.
2. All about me - Sanjeev Sharma
• 20+ years of experience in Software Development and Delivery, Cloud Adoption and Data Modernization
• Led the Data Modernization Practice at Delphix
• Driving the definition of ‘DataOps’ for Application Delivery, and AI and Machine Learning
• IBM Distinguished Engineer, and IBM’s 1st CTO for DevOps Adoption, owning the DevOps practice
• Chair of the Architecture Review Board for IBM’s response to the DoD’s JEDI RFP
• Conference Keynote speaker, Blogger, Podcaster and Vlogger
• Author of two bestseller books:
  • DevOps For Dummies: https://ibm.biz/BdsPMX
  • The DevOps Adoption Playbook: http://amzn.to/2hH7rt2
3. Agenda
1. Evolution of Delivery Practices
2. Democratization of Application Delivery
3. Security Chaos Engineering
4. Value Stream Mapping
6. DevOps
[Pipeline diagram: Planning, Development, SCM, Build, Package, Repo, Deploy, Testing, Staging, Production, Feedback, Manage, with Continuous Integration, Continuous Delivery, Shift Left Test, Shift Left Ops and Culture shown as overlays on the pipeline]
DevOps in a Nutshell:
1. Improve the Application/System being delivered
2. Improve the platform on which it is delivered
3. Improve the processes by which it is being delivered
4. Improve the culture of the organization delivering it
7. Why DevSecOps?
Security concerns and challenges are growing:
• $57M Google GDPR Fine
• 4700 Breaches in 2018
• 11 Bn Records exposed in 2018
Becoming a custodian of user data is becoming a differentiator:
“You are not our product. Our products are iPhones and iPads. We treasure your data. We wanna help you keep it private and keep it safe.”
- Tim Cook, CEO, Apple
11. DevOps: Democratizing the Application Delivery Pipeline
[Diagram: Application Delivery Practitioners and the four areas to democratize]
• Democratize Infrastructure
• Democratize Software Delivery
• Democratize Data
• Democratize Security
12. Democratizing Infrastructure with Cloud
Democratize Infrastructure:
• Become Technology Stack Agnostic
• Self-service Provisioning and Configuration
• Infrastructure as Code (IaaC)
• Elastic Services for on-demand scale
• Role Based Access Control
1. Improve the platform
2. Improve the processes
3. Improve the culture
13. Democratizing Software Delivery with DevSecOps
Democratize Software Delivery:
• Become Technology Stack Agnostic
• Make DevSecOps capabilities Self Service
• Integrated end-to-end toolchain
• Automated Testing and Validation
• Include Security in the DevSecOps toolchain
1. Improve the Application/System
2. Improve the processes
3. Improve the culture
14. Democratizing Data
Democratize Data:
• Become Data Source Agnostic
• Make Data Available Self Service
• Manage Data Like Code
• Mitigate Data Privacy & Compliance Risks
• Include Data Management in the DevSecOps toolchain
1. Improve the Application/System
2. Improve the platform
3. Improve the processes
4. Improve the culture
15. Democratizing Security
Democratize Security:
• Become Technology Stack Agnostic
• Make Security* Self Service
• Manage Security* Like Code
• Automate Mitigation of Security & Compliance Risks
• Include Security* in the DevOps toolchain
* Security Implementation, Validation and Enforcement
1. Secure the Application/System
2. Secure the platform
3. Secure the processes
4. Secure the culture
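One way to put “Manage Security Like Code” and “Automate Mitigation” into practice is a policy-as-code guardrail that runs in the delivery pipeline: declarative policies, an automatic fix where a safe one exists, and a gate for everything else. This is an added illustration, not material from the presentation; the manifest schema, policy names and the sample service are assumptions:

```python
"""Security-as-code guardrail (added example, not from the deck): check a
service manifest against declarative policies, auto-fix violations with a safe
known-good fix, and gate the pipeline on what is left. Schema is assumed."""
import copy

def _privileged(m):
    return bool(m.get("container", {}).get("privileged"))
def _fix_privileged(m):
    m["container"]["privileged"] = False
def _world_open(rule):  # ingress from anywhere on a non-HTTPS port
    return rule.get("source") == "0.0.0.0/0" and rule.get("port") != 443
def _open_ingress(m):
    return any(_world_open(r) for r in m.get("ingress", []))
def _fix_open_ingress(m):
    m["ingress"] = [r for r in m["ingress"] if not _world_open(r)]
def _no_owner(m):
    return not m.get("labels", {}).get("owner")

# (policy name, violation check, automatic fix or None when a human must act)
POLICIES = [
    ("no-privileged-containers", _privileged, _fix_privileged),
    ("no-world-open-ingress-except-https", _open_ingress, _fix_open_ingress),
    ("owner-label-required", _no_owner, None),
]

def evaluate(manifest, auto_fix=True):
    """Return (hardened copy, [(policy, remediated?), ...]); input is untouched."""
    m, findings = copy.deepcopy(manifest), []
    for name, check, fix in POLICIES:
        if check(m):
            fixed = bool(auto_fix and fix)
            if fixed:
                fix(m)
            findings.append((name, fixed))
    return m, findings

def gate_passes(findings):
    """Pipeline gate: pass only when no finding still needs a human."""
    return all(fixed for _, fixed in findings)

# Constructed sample: a privileged container with SSH open to the world
SAMPLE = {"service": "payments-api", "labels": {},
          "container": {"image": "payments:1.4", "privileged": True},
          "ingress": [{"port": 443, "source": "0.0.0.0/0"},
                      {"port": 22, "source": "0.0.0.0/0"}]}
if __name__ == "__main__":
    hardened, findings = evaluate(SAMPLE)
    for name, fixed in findings:
        print("FIXED " if fixed else "BLOCK ", name)
    print("gate:", "pass" if gate_passes(findings) else "fail")
```

The self-service part is that a developer gets the hardened manifest and the list of what was changed without waiting for a security ticket, while the one policy with no safe auto-fix still blocks the pipeline.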
16. Business Initiatives:
• Create New Revenue Streams
• Improve Quality
• Accelerate Time to Market
• Comply with Regulations
The Challenge: High Complexity, High Cost, Multiple Demands
High Complexity
- Multiple Technology stacks
- On Premises and Cloud
- Departmental Silos
- Legacy, Cloud-native, SaaS applications and services
- Open-source sprawl
High Cost
- Compliance & Governance Policies
- Regulatory overhead
- Audit and Compliance overhead
- Cybersecurity threat preparedness
Multiple Demands
- Business: Innovation and Monetization
- Developers: Continuous Delivery
- Analytics Teams: Massive, diverse data sets
- Security Teams: Lack of talent and technology expertise
18. Chaos Engineering
One way to make sure you can deal with a flat tire on the freeway, in the rain, in the middle of the night is to poke a hole in your tire once a week in your driveway on a Sunday afternoon and go through the drill of replacing it.
19. Achieving Antifragility
Antifragile: Things that are neither fragile nor robust, but rather thrive in chaos.
20. The Chaos is Real
https://www.sophos.com/en-us/medialibrary/PDFs/Whitepaper/sophos-exposed-cyberattacks-on-cloud-honeypots-wp.pdf
21. Security Chaos Engineering
Security Chaos Engineering is the discipline of instrumentation, identification, and remediation of failure within security controls through proactive experimentation to build confidence in the system's ability to defend against malicious conditions in production.
22. Security Chaos Engineering implementation
1. End-to-end Continuous Instrumentation
2. Continuous Readiness Assessment
3. Continuous Security Gap Analysis
4. Automation to identify, detect, and remediate security failures
5. Focus on vulnerability and failure identification
6. Continuous improvement of Operational Readiness
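The implementation steps above, as an added example that is not part of the presentation: a small experiment harness in which a simulated fleet and a drift-detection control stand in for real infrastructure. The experiment states a hypothesis, injects a failure into the control's domain, and measures whether the control detected and remediated it; a second control with a coverage gap shows what the readiness assessment is meant to surface. Host names, ports and the control logic are constructed:

```python
"""Security chaos experiment harness (added example, not from the deck). A
simulated fleet stands in for real hosts; the control under test is a drift
detector that compares live firewall state to a baseline and remediates."""
from dataclasses import dataclass, field

BASELINE = {"web-1": {80, 443}, "db-1": {5432}}  # constructed steady state

@dataclass
class Host:
    name: str
    open_ports: set
    alerts: list = field(default_factory=list)

def build_fleet():
    return {n: Host(n, set(p)) for n, p in BASELINE.items()}

def drift_control(host):
    """Control under test: alert on ports not in baseline and close them.
    Returns the set of ports it remediated."""
    extra = host.open_ports - BASELINE[host.name]
    for p in sorted(extra):
        host.alerts.append(f"DRIFT {host.name} port {p} not in baseline")
        host.open_ports.discard(p)
    return extra

def broken_control(host):
    """Same control with a coverage gap (only the web tier is instrumented);
    this is the kind of silent failure an experiment should surface."""
    return drift_control(host) if host.name.startswith("web") else set()

@dataclass
class Result:
    hypothesis: str
    detected: bool
    remediated: bool
    steady_state_restored: bool

def run_experiment(fleet, target, port, control=drift_control):
    """Hypothesis: an unexpected open port on `target` is detected and closed
    in one control cycle, and the whole fleet returns to baseline."""
    hyp = f"control detects and closes port {port} on {target}"
    fleet[target].open_ports.add(port)              # inject the failure
    fixed = control(fleet[target])                  # run the control once
    detected = any(f"port {port} " in a for a in fleet[target].alerts)
    restored = all(h.open_ports == BASELINE[n] for n, h in fleet.items())
    return Result(hyp, detected, port in fixed, restored)

if __name__ == "__main__":
    for ctl in (drift_control, broken_control):
        r = run_experiment(build_fleet(), "db-1", 2222, control=ctl)
        print(ctl.__name__, "PASS" if r.steady_state_restored else "GAP", r)
```

Running the same experiment on a schedule, against each control and each tier, is the "continuous readiness assessment" of step 2; a result that fails to restore steady state is a gap for step 3.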
24. Value Stream Mapping to Develop an Adoption Roadmap
[Value stream map diagram: flow from Idea/Feature/Bug Fix/Enhancement through Development, Build, QA, SIT, UAT and Prod to Production; roles include PMO, Requirements/Analyst, Developer, Build Engineer, QA Team, Integration Tester, User/Tester, Operations, Deployment Engineer, Release Management, Line of Business and Customers or a Customer Surrogate; artifacts include the Code Repository, Artifact Repository and Infrastructure as Code/Cloud Patterns; Deploy and Get Feedback loops close the stream; Data, Tasks and Artifacts are recorded at each stage]
Value Stream Mapping to Identify:
• Waste
• Wait-States
• Rework
25. Next Step: DevOps Value Stream Mapping Workshop
• Review the current state
  o Business goals, IT goals, current initiatives
  o Requirements
  o Environments
  o Repositories
  o Data Sources/Architecture
  o Roles / Organization
  o Metrics
  o Other
• Prioritize Waste, Wait states and Rework
• Create a first pass at a roadmap to address inefficiencies