How DevOps becomes DevOpsSec Chris Raethke

Upload: bugcrowd

Post on 14-Aug-2015


TRANSCRIPT

How DevOps becomes DevOpsSec

Chris Raethke

@codesoda Software Engineering + Microelectronics

Enterprise engineering teams < Startup Guy

Bridging development and security practices

Things we’ll cover

• DevOps as double edged sword
• How to introduce DevOpsSec
• Decreasing friction between Teams
• Accelerating your ROI

why are we here?

Old School Thinking (1995)

Build the Biggest Fence Ever!

Fast forward to 2015

• CLOUD / SAAS
• MOBILE / BYOD
• DISTRIBUTED / SOA
• AGILE / LEAN

we’re not just building the internet…

Our businesses are part of it

The New Normal

Move security as close as possible to the code

and the data

DevOps as a double edged sword

Dev, Ops and Sec teams have different goals

• Devs: Build all the things
• Ops: Don’t break anything
• Sec: Break everything

DevOps > rapid changes > moar bugs/vulns faster


Feedback Loops are essential

Move fast and break things

start simple, take small steps,

easy wins

The secret..

How to introduce DevOpsSec

“developers have to care about their code”

Feel the Love

Code is the team’s baby

At least Peer Review Code

Even better TDD / CI

Continue to automate: code style/quality reviews

static security analysis

Abuse cases (malicious user stories)
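One way to make an abuse case executable, as an added example that is not part of the talk: the “malicious user story” is written as a test beside the ordinary happy-path tests, so TDD/CI runs it on every change. The `User` type, the `INVOICES` sample data and the `get_invoice` function are constructed for illustration and stand in for an application’s real access-control code.

```python
"""Abuse cases as automated tests: a malicious user story checked in CI.
Added example, not from the talk; User, INVOICES and get_invoice are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"; in a real app this comes from the session


# Constructed sample data standing in for an application database.
INVOICES = {
    101: {"owner": 1, "total": 250},
    102: {"owner": 2, "total": 900},
}


class AccessDenied(Exception):
    """Raised when a caller is not allowed to see a resource."""


def get_invoice(current: User, invoice_id: int) -> dict:
    """Return an invoice only to its owner or to an admin.

    The ownership check is the control the abuse case below exercises;
    a refactor that drops it makes that test fail in CI.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise KeyError(invoice_id)
    if current.role != "admin" and invoice["owner"] != current.id:
        raise AccessDenied(f"user {current.id} may not read invoice {invoice_id}")
    return invoice


def abuse_case_other_users_invoice() -> bool:
    """Story: 'As a logged-in user, I change the id in the request to read
    someone else's invoice.'  Expected outcome: refused."""
    outsider = User(id=1, role="user")
    try:
        get_invoice(outsider, 102)
    except AccessDenied:
        return True
    return False  # the control is missing: the story succeeded


def happy_path_owner_reads_own_invoice() -> bool:
    """The legitimate story still works, so the control is not over-restrictive."""
    return get_invoice(User(id=2, role="user"), 102)["total"] == 900


def admin_reads_any_invoice() -> bool:
    """Admins are allowed through; documents the intended exception."""
    return get_invoice(User(id=9, role="admin"), 101)["total"] == 250


def run_abuse_cases() -> dict:
    """Run every story and report pass/fail by name; wire this into CI."""
    cases = [abuse_case_other_users_invoice,
             happy_path_owner_reads_own_invoice,
             admin_reads_any_invoice]
    return {case.__name__: case() for case in cases}


if __name__ == "__main__":
    for name, passed in run_abuse_cases().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

The point of keeping the abuse case next to the happy-path tests is that the build fails as soon as someone weakens the ownership check, which is exactly the feedback loop the earlier slides ask for.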

“everyone has to care about process”

Decreasing friction between Dev and Sec (and Ops)

500 devs != 5 security engs

Security Responsibilities

• protect sales/marketing and admin staff from phishing
• monitor/scan server infrastructure
• review 500*dev code for the …day!

crowd sourcing to the rescue!

because.. people are the new automation

Lotsa bugs, best dev training ever

make better decisions..

aggregate vuln data: which types of issues, in which parts, of which applications

Less chest poking, more mentoring + learning

Accelerate Security ROI

moar automation

reproduceable & testable production server configurations

app log monitoring

security config monitoring
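Two of the automation items above, carried into working code as an added example that is not from the talk: `detect_config_drift` compares a config snapshot pulled from a server against the baseline a reproducible build is expected to produce, and `find_auth_bursts` scans application log lines for bursts of failed logins from one address. The sshd_config-style keys, the log line format and all sample data are constructed for the example.

```python
"""Security config monitoring and app log monitoring.
Added example, not from the talk; baseline, config format and log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Baseline: the settings a reproducible server build is expected to produce.
# Constructed sshd_config-style keys; replace with your own baseline.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

# Constructed snapshot of the same file as pulled from a running server.
OBSERVED_CONFIG = """\
# sshd_config snapshot (constructed sample)
PermitRootLogin no
PasswordAuthentication yes   # someone turned this back on by hand
X11Forwarding no
"""

# Constructed application log lines: "<date> <time> <host> login <ok|failed> user=<u> ip=<ip>"
SAMPLE_LOG = """\
2015-08-14 10:00:01 web1 login failed user=alice ip=203.0.113.7
2015-08-14 10:00:05 web1 login failed user=alice ip=203.0.113.7
2015-08-14 10:00:09 web1 login failed user=bob ip=203.0.113.7
2015-08-14 10:00:14 web1 login failed user=carol ip=203.0.113.7
2015-08-14 10:00:20 web1 login failed user=dave ip=203.0.113.7
2015-08-14 10:00:31 web1 login failed user=erin ip=203.0.113.7
2015-08-14 10:01:02 web1 login ok user=alice ip=198.51.100.9
2015-08-14 10:05:00 web1 login failed user=alice ip=198.51.100.9
2015-08-14 10:09:00 web1 login failed user=alice ip=198.51.100.9
"""


def parse_kv_config(text: str) -> dict:
    """Parse 'Key value' lines, ignoring blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg


def detect_config_drift(baseline: dict, observed: dict) -> list:
    """Return (key, expected, actual) for every baseline setting that is missing or changed.
    A missing key is reported with actual=None: absence is drift too."""
    drift = []
    for key, expected in baseline.items():
        actual = observed.get(key)
        if actual != expected:
            drift.append((key, expected, actual))
    return drift


LOG_RE = re.compile(r"^(\S+ \S+) (\S+) login (\w+) user=(\S+) ip=(\S+)$")


def find_auth_bursts(lines, threshold=5, window=timedelta(minutes=1)) -> dict:
    """Return {ip: max_count} for IPs with >= threshold failed logins inside any
    sliding window; lines that do not match the expected format are skipped."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, _host, outcome, _user, ip = m.groups()
        if outcome == "failed":
            failures[ip].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for key, expected, actual in detect_config_drift(BASELINE, parse_kv_config(OBSERVED_CONFIG)):
        print(f"DRIFT {key}: expected {expected!r}, found {actual!r}")
    for ip, count in find_auth_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"BURST {ip}: {count} failed logins within one minute")
```

Run on a schedule against configs pulled from production and against shipped app logs, both functions turn the slide’s “monitoring” into a check that either stays quiet or produces a concrete, reviewable finding; the config check in particular is what makes a configuration “testable” rather than merely reproducible.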

build it like it’s broken (assume it’s broken)

deliberate small “simulated” fires

“The best indicator of the next bug is the last bug.” (@alsmola)

Summary

• Small steps mean easy wins
• Developers have to care about code
• Security is a process, not a product
• Don’t wait for a fire to hire fire fighters
• Crowd sourcing can augment your team

Want to help protect the web?

We’re Hiring :-)

[email protected]