cultural change for it’s not all tech: devsecops
TRANSCRIPT
CONFIDENTIAL Designator
1
Red Hat Security SymposiumVictoria, BC
It’s not all tech: cultural change for DevSecOps
Mike Bursellchief security architect, Red Hat
OPTIO
NAL SECTION
MARKER O
R TITLE
CONFIDENTIAL DesignatorAGENDA
2 Source:Insert source data hereInsert source data hereInsert source data here
Part I:
What is DevOps? And DevSecOps?
Part II:
Tools, process or culture? Which is most
important?
Summary
DevOps - more than just technology
CONFIDENTIAL Designator
Part I:
What is DevOps?
3
4
What is DevOps? And DevSecOps?“DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.”[1]
DESIGNBUILD
RUN
MANAGE
ADAPT
[1] https://theagileadmin.com/what-is-devops/
5
What is DevOps? And DevSecOps?
[1] https://theagileadmin.com/what-is-devops/[2] http://www.devsecops.org/blog/2015/2/15/what-is-devsecops
“DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.”[1]
“The purpose and intent of DevSecOps is to build on the mindset that ‘everyone is responsible for security’...”[2]
DESIGNBUILD
RUN
MANAGE
ADAPT
6
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
7
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
“…you could have missed the last two words out.” - me
8
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
“…you could have missed the last two words out.” - me
Classic waterfall project
DesignDevelop
TestStage
Deploy
9
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
“…you could have missed the last two words out.” - me
Classic waterfall project
DesignDevelop
TestStage
Deploy
Security!
10
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
“…you could have missed the last two words out.” - me
Classic waterfall project - project manager’s hope
DesignDevelop
TestStage
Deploy
Security!
11
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
“…you could have missed the last two words out.” - me
Classic waterfall project - security architect’s guesstimate
DesignDevelop
TestStage
DeploySecurity!
12
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
“…you could have missed the last two words out.” - me
Classic waterfall project - actual
DesignDevelop
TestStage
DeSecurity!
13
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
“…you could have missed the last two words out.” - meDESIGN
BUILD
RUN
MANAGE
ADAPT
14
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
“…you could have missed the last two words out.” - me
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
CONFIDENTIAL Designator
Example 1:
where the expertise lies
15
16
“Devs and shinies”
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
(the Smaug problem)
17
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Steps in the process
18
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Steps in the process
19
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Process management points● Semi-permeable membranes● Automated!● Apply policies ● Exercise governance● Log, audit
CONFIDENTIAL Designator
Example 2:
loving your inner auditor
20
21
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
22
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Built-in from the start; not bolted on
23
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Built-in from the start; not bolted on
Deploy to trusted platforms with enhanced security capabilities
24
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Built-in from the start; not bolted on
Deploy to trusted platforms with enhanced security capabilities
Automate systems with security & compliance
25
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Built-in from the start; not bolted on
Deploy to trusted platforms with enhanced security capabilities
Automate systems with security & compliance
Revise, update, remediate as the landscape changes
26
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Built-in from the start; not bolted on
Deploy to trusted platforms with enhanced security capabilities
Automate systems with security & compliance
Revise, update, remediate as the landscape changes
27
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Built-in from the start; not bolted on
Deploy to trusted platforms with enhanced security capabilities
Automate systems with security & compliance
Revise, update, remediate as the landscape changes
These steps are the “most obviously” Dev and Ops
28
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Built-in from the start; not bolted on
Deploy to trusted platforms with enhanced security capabilities
Automate systems with security & compliance
Revise, update, remediate as the landscape changes
These steps are the “most obviously” Dev and Ops
But without these steps you’re not “doing” DevOps
29
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Revise, update, remediate as the landscape changes
Governance
30
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Revise, update, remediate as the landscape changes
Governance
Policy
31
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Revise, update, remediate as the landscape changes
Governance
Policy
Process
32
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Revise, update, remediate as the landscape changes
Governance
Policy
Process
Artefacts
33
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Revise, update, remediate as the landscape changes
Governance
Policy
Process
Artefacts
Audit
34
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Revise, update, remediate as the landscape changes
Governance
Policy
Process
Artefacts
Audit
CONFIDENTIAL Designator
Part II: process or culture?
Which is most important?
35
36
It’s the culture (obviously)
37
1. Get executive buy-in
It’s the culture (obviously)
38
1. Get executive buy-in
2. Choose enthusiasts
It’s the culture (obviously)
39
1. Get executive buy-in
2. Choose enthusiasts
3. Choose cross- functional team
○ (Security folks are people too!)
It’s the culture (obviously)
40
1. Get executive buy-in
2. Choose enthusiasts
3. Choose cross- functional team
○ (Security folks are people too!)
4. Consider who might put obstacles in your way
It’s the culture (obviously)
CONFIDENTIAL Designator
Digression!
41
42
Not invented here● Fear of the unknown
Digression - obstacles
43
Not invented here● Fear of the unknown
My domain● Fear of loss of control
Digression - obstacles
44
Not invented here● Fear of the unknown
My domain● Fear of loss of control
Stuck in my ways● Fear of the new
Digression - obstacles
45
Not invented here● Fear of the unknown
My domain● Fear of loss of control
Stuck in my ways● Fear of the new
People managers● Fear of loss of power
Digression - obstacles
46
Not invented here● Fear of the unknown
My domain● Fear of loss of control
Stuck in my ways● Fear of the new
People managers● Fear of loss of power
Commissioning managers● Fear of loss of deadline
Digression - obstacles
47
Not invented here● Fear of the unknown
My domain● Fear of loss of control
Stuck in my ways● Fear of the new
People managers● Fear of loss of power
Commissioning managers● Fear of loss of deadline
Unions● Fear of lack of certainty
Digression - obstacles
48
Not invented here● Fear of the unknown
My domain● Fear of loss of control
Stuck in my ways● Fear of the new
People managers● Fear of loss of power
Commissioning managers● Fear of loss of deadline
Unions● Fear of lack of certainty
Digression - obstacles
CONFIDENTIAL Designator
Back on track...
49
50
1. Get executive buy-in
2. Choose enthusiasts
3. Choose cross- functional team
○ (Security folks are people too!)
4. Consider who might put obstacles in your way
5. Small feature sets per cycle
It’s the culture (obviously)
51
1. Get executive buy-in
2. Choose enthusiasts
3. Choose cross- functional team
○ (Security folks are people too!)
4. Consider who might put obstacles in your way
5. Small feature sets per cycle
6. Expect to fail … and then succeed
It’s the culture (obviously)
52
1. Get executive buy-in
2. Choose enthusiasts
3. Choose cross- functional team
○ (Security folks are people too!)
4. Consider who might put obstacles in your way
5. Small feature sets per cycle
6. Expect to fail … and then succeed
It’s the culture (obviously)
CONFIDENTIAL Designator
Summary
53
54
Summary
● DevOps allows and forces you to integrate security○ It has to part of the story, because you can’t bolt it on later
● Get the experts in○ Allow responsibilities to live in the right places
● Plan for cultural change○ Tools and processes are important too
55
Summary
● DevOps allows and forces you to integrate security○ It has to part of the story, because you can’t bolt it on later
● Get the experts in○ Allow responsibilities to live in the right places
● Plan for cultural change○ Tools and processes are important too
Q. But where’s the definition of DevSecOps?
56
Summary
● DevOps allows and forces you to integrate security○ It has to part of the story, because you can’t bolt it on later
● Get the experts in○ Allow responsibilities to live in the right places
● Plan for cultural change○ Tools and processes are important too
Q. But where’s the definition of DevSecOps?
A. There isn’t one: it’s a change in mindset.
CONFIDENTIAL Designator
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHat
57
Blog: https://aliceevebob.com/LinkedIn: https://www.linkedin.com/in/mikebursell/Twitter: @MikeCamel
Thank you
OPTIO
NAL SECTION
MARKER O
R TITLE