cultural change for it’s not all tech: devsecops

CONFIDENTIAL Designator

1

Red Hat Security SymposiumVictoria, BC

It’s not all tech: cultural change for DevSecOps

Mike Bursellchief security architect, Red Hat

OPTIO

NAL SECTION

MARKER O

R TITLE

CONFIDENTIAL DesignatorAGENDA

2 Source:Insert source data hereInsert source data hereInsert source data here

Part I:

What is DevOps? And DevSecOps?

Part II:

Tools, process or culture? Which is most

important?

Summary

DevOps - more than just technology

CONFIDENTIAL Designator

Part I:

What is DevOps?

3

4

What is DevOps? And DevSecOps?“DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.”[1]

DESIGNBUILD

RUN

MANAGE

ADAPT

[1] https://theagileadmin.com/what-is-devops/

5

What is DevOps? And DevSecOps?

[1] https://theagileadmin.com/what-is-devops/[2] http://www.devsecops.org/blog/2015/2/15/what-is-devsecops

“DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.”[1]

“The purpose and intent of DevSecOps is to build on the mindset that ‘everyone is responsible for security’...”[2]

DESIGNBUILD

RUN

MANAGE

ADAPT

6

DevOps and DevSecOps

“For 20 years, people have been leaving security till last” - colleague

7

DevOps and DevSecOps

“For 20 years, people have been leaving security till last” - colleague

“…you could have missed the last two words out.” - me

8

DevOps and DevSecOps

“For 20 years, people have been leaving security till last” - colleague

“…you could have missed the last two words out.” - me

Classic waterfall project

DesignDevelop

TestStage

Deploy

9

DevOps and DevSecOps

“For 20 years, people have been leaving security till last” - colleague

“…you could have missed the last two words out.” - me

Classic waterfall project

DesignDevelop

TestStage

Deploy

Security!

10

DevOps and DevSecOps

“For 20 years, people have been leaving security till last” - colleague

“…you could have missed the last two words out.” - me

Classic waterfall project - project manager’s hope

DesignDevelop

TestStage

Deploy

Security!

11

DevOps and DevSecOps

“For 20 years, people have been leaving security till last” - colleague

“…you could have missed the last two words out.” - me

Classic waterfall project - security architect’s guesstimate

DesignDevelop

TestStage

DeploySecurity!

12

DevOps and DevSecOps

“For 20 years, people have been leaving security till last” - colleague

“…you could have missed the last two words out.” - me

Classic waterfall project - actual

DesignDevelop

TestStage

DeSecurity!

13

DevOps and DevSecOps

“For 20 years, people have been leaving security till last” - colleague

“…you could have missed the last two words out.” - meDESIGN

BUILD

RUN

MANAGE

ADAPT

14

DevOps and DevSecOps

“For 20 years, people have been leaving security till last” - colleague

“…you could have missed the last two words out.” - me

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

CONFIDENTIAL Designator

Example 1:

where the expertise lies

15

16

“Devs and shinies”

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

(the Smaug problem)

17

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

Steps in the process

18

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

Steps in the process

19

Steps in the process

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

Process management points● Semi-permeable membranes● Automated!● Apply policies ● Exercise governance● Log, audit

CONFIDENTIAL Designator

Example 2:

loving your inner auditor

20

21

Steps in the process

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

Identify security requirements & governance models

22

Steps in the process

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

Identify security requirements & governance models

Built-in from the start; not bolted on

23

Steps in the process

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

Identify security requirements & governance models

Built-in from the start; not bolted on

Deploy to trusted platforms with enhanced security capabilities

24

Steps in the process

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

Identify security requirements & governance models

Built-in from the start; not bolted on

Deploy to trusted platforms with enhanced security capabilities

Automate systems with security & compliance

25

Steps in the process

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

Identify security requirements & governance models

Built-in from the start; not bolted on

Deploy to trusted platforms with enhanced security capabilities

Automate systems with security & compliance

Revise, update, remediate as the landscape changes

26

Steps in the process

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

Identify security requirements & governance models

Built-in from the start; not bolted on

Deploy to trusted platforms with enhanced security capabilities

Automate systems with security & compliance

Revise, update, remediate as the landscape changes

27

Steps in the process

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

Identify security requirements & governance models

Built-in from the start; not bolted on

Deploy to trusted platforms with enhanced security capabilities

Automate systems with security & compliance

Revise, update, remediate as the landscape changes

These steps are the “most obviously” Dev and Ops

28

Steps in the process

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

Identify security requirements & governance models

Built-in from the start; not bolted on

Deploy to trusted platforms with enhanced security capabilities

Automate systems with security & compliance

Revise, update, remediate as the landscape changes

These steps are the “most obviously” Dev and Ops

But without these steps you’re not “doing” DevOps

29

Steps in the process

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

Identify security requirements & governance models

Revise, update, remediate as the landscape changes

Governance

30

Steps in the process

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

Identify security requirements & governance models

Revise, update, remediate as the landscape changes

Governance

Policy

31

Steps in the process

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

Identify security requirements & governance models

Revise, update, remediate as the landscape changes

Governance

Policy

Process

32

Steps in the process

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

Identify security requirements & governance models

Revise, update, remediate as the landscape changes

Governance

Policy

Process

Artefacts

33

Steps in the process

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

Identify security requirements & governance models

Revise, update, remediate as the landscape changes

Governance

Policy

Process

Artefacts

Audit

34

Steps in the process

Security policy, process &

procedures

DESIGNBUILD

RUN

MANAGE

ADAPT

Identify security requirements & governance models

Revise, update, remediate as the landscape changes

Governance

Policy

Process

Artefacts

Audit

CONFIDENTIAL Designator

Part II: process or culture?

Which is most important?

35

36

It’s the culture (obviously)

37

1. Get executive buy-in

It’s the culture (obviously)

38

1. Get executive buy-in

2. Choose enthusiasts

It’s the culture (obviously)

39

1. Get executive buy-in

2. Choose enthusiasts

3. Choose cross- functional team

○ (Security folks are people too!)

It’s the culture (obviously)

40

1. Get executive buy-in

2. Choose enthusiasts

3. Choose cross- functional team

○ (Security folks are people too!)

4. Consider who might put obstacles in your way

It’s the culture (obviously)

CONFIDENTIAL Designator

Digression!

41

42

Not invented here● Fear of the unknown

Digression - obstacles

43

Not invented here● Fear of the unknown

My domain● Fear of loss of control

Digression - obstacles

44

Not invented here● Fear of the unknown

My domain● Fear of loss of control

Stuck in my ways● Fear of the new

Digression - obstacles

45

Not invented here● Fear of the unknown

My domain● Fear of loss of control

Stuck in my ways● Fear of the new

People managers● Fear of loss of power

Digression - obstacles

46

Not invented here● Fear of the unknown

My domain● Fear of loss of control

Stuck in my ways● Fear of the new

People managers● Fear of loss of power

Commissioning managers● Fear of loss of deadline

Digression - obstacles

47

Not invented here● Fear of the unknown

My domain● Fear of loss of control

Stuck in my ways● Fear of the new

People managers● Fear of loss of power

Commissioning managers● Fear of loss of deadline

Unions● Fear of lack of certainty

Digression - obstacles

48

Not invented here● Fear of the unknown

My domain● Fear of loss of control

Stuck in my ways● Fear of the new

People managers● Fear of loss of power

Commissioning managers● Fear of loss of deadline

Unions● Fear of lack of certainty

Digression - obstacles

CONFIDENTIAL Designator

Back on track...

49

50

1. Get executive buy-in

2. Choose enthusiasts

3. Choose cross- functional team

○ (Security folks are people too!)

4. Consider who might put obstacles in your way

5. Small feature sets per cycle

It’s the culture (obviously)

51

1. Get executive buy-in

2. Choose enthusiasts

3. Choose cross- functional team

○ (Security folks are people too!)

4. Consider who might put obstacles in your way

5. Small feature sets per cycle

6. Expect to fail … and then succeed

It’s the culture (obviously)

52

1. Get executive buy-in

2. Choose enthusiasts

3. Choose cross- functional team

○ (Security folks are people too!)

4. Consider who might put obstacles in your way

5. Small feature sets per cycle

6. Expect to fail … and then succeed

It’s the culture (obviously)

CONFIDENTIAL Designator

Summary

53

54

Summary

● DevOps allows and forces you to integrate security○ It has to part of the story, because you can’t bolt it on later

● Get the experts in○ Allow responsibilities to live in the right places

● Plan for cultural change○ Tools and processes are important too

55

Summary

● DevOps allows and forces you to integrate security○ It has to part of the story, because you can’t bolt it on later

● Get the experts in○ Allow responsibilities to live in the right places

● Plan for cultural change○ Tools and processes are important too

Q. But where’s the definition of DevSecOps?

56

Summary

● DevOps allows and forces you to integrate security○ It has to part of the story, because you can’t bolt it on later

● Get the experts in○ Allow responsibilities to live in the right places

● Plan for cultural change○ Tools and processes are important too

Q. But where’s the definition of DevSecOps?

A. There isn’t one: it’s a change in mindset.

CONFIDENTIAL Designator

linkedin.com/company/red-hat

youtube.com/user/RedHatVideos

facebook.com/redhatinc

twitter.com/RedHat

57

Blog: https://aliceevebob.com/LinkedIn: https://www.linkedin.com/in/mikebursell/Twitter: @MikeCamel

Thank you

OPTIO

NAL SECTION

MARKER O

R TITLE