SecDevOps: A Discussion Primer. Andy Willingham, March 28, 2017, OWASP Cincinnati

1 SecDevOps: A Discussion Primer
Andy Willingham, March 28, 2017, OWASP Cincinnati

2 Overview
What is DevOps?
What is SecDevOps?
Different views
Why it matters to you

3 What Is DevOps?
Collaboration and cooperation between Dev, QA, and IT Ops.
Involves the build, test, and delivery aspects of an SDLC.
Impacts both software delivery and infrastructure changes.
Often involves embedding members of one function into the other functions.
The goal is to improve the speed of delivery and the quality of the delivered product.
The term "Continuous Delivery" is often used in conjunction with it.
One problem (depending on your viewpoint) is that it can and does increase the number of defects released into production. This is considered acceptable because in most cases the fix is coming in a release or two (and for high-performing teams that may be later today).

4 DevOps Venn Diagram
Or a better way to look at it: the intersection of 3 key domains (Dev, QA, and IT Ops). (Diagram not included in the transcript.)

6 What Is SecDevOps?
SecDevOps is about using the wonders of automation to tackle security-related problems including composition analysis, configuration management, selecting approved images/containers, use of immutable servers, and other techniques to address security challenges facing operations teams. It also helps to eliminate certain classes of attacks. For instance, immutable servers in a security zone which blocks port 22 can prevent both hackers and administrators from logging in. (Securosis)
What about Rugged DevOps?
Rugged is about bashing your code prior to production, to ensure it holds up to external threats once it gets into production, and using runtime code to help applications protect themselves. Be as mean to your code as attackers will, and make it resilient against attacks. (Securosis)
In simplest terms, Rugged DevOps is more developer-focused, while SecDevOps is more operations-focused. (Securosis)
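The "composition analysis" automation mentioned above is easiest to see as a pipeline gate. The following is an added example written for this transcript, not code from the talk or from Securosis: a minimal software-composition-analysis check that parses a pinned dependency manifest, compares each pin against an advisory table with half-open vulnerable version ranges, and fails the build on any hit or on any unpinned dependency. The package names, advisory identifiers and version ranges are all constructed placeholders; a real pipeline would load advisories from a feed such as OSV or the NVD and parse the project's actual lockfile.

```python
"""Added example: a minimal software-composition-analysis (SCA) gate of the
kind a SecDevOps pipeline runs on every build.  Illustrative code for this
transcript, not a tool from the talk.  The advisory table, the manifest and
the version comparison are constructed here so the script runs offline."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed advisory table: package -> list of (advisory id, introduced, fixed).
# Ranges are half-open [introduced, fixed).  IDs are placeholders, not real CVEs.
ADVISORIES = {
    "libfoo": [("ADV-0001", "1.0.0", "1.4.2")],
    "libbar": [("ADV-0002", "2.0.0", "2.3.0"), ("ADV-0003", "2.5.0", "2.5.1")],
}

# Constructed pinned manifest in requirements.txt style.
SAMPLE_MANIFEST = """\
# comment lines and blank lines are ignored
libfoo==1.3.9
libbar==2.5.0
libbaz==0.9.0
libqux>=1.0     # not pinned: the gate reports this as a finding too
"""

_PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")
_NAME = re.compile(r"^\s*([A-Za-z0-9_.-]+)")


@dataclass(frozen=True)
class Finding:
    package: str
    version: Optional[str]   # None when the dependency is not pinned
    advisory: str            # advisory id, or "UNPINNED"
    detail: str


def version_key(v):
    """'1.4.2' -> (1, 4, 2).  Simplification: non-numeric suffixes such as
    'rc1' are ignored, so a pre-release compares equal to its final release.
    Use the `packaging` library for full PEP 440 semantics in production."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def in_range(v, introduced, fixed):
    """True when introduced <= v < fixed under version_key ordering."""
    return version_key(introduced) <= version_key(v) < version_key(fixed)


def parse_manifest(text):
    """Yield (package, version-or-None) for each requirement line."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _PIN.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)
            continue
        m = _NAME.match(line)
        if m:                      # a requirement without an exact pin
            yield m.group(1).lower(), None


def scan(manifest_text, advisories=ADVISORIES):
    """Return the list of findings for a manifest; empty means clean."""
    findings = []
    for pkg, ver in parse_manifest(manifest_text):
        if ver is None:
            findings.append(Finding(pkg, None, "UNPINNED",
                                    "version not pinned; build is not reproducible"))
            continue
        for adv_id, introduced, fixed in advisories.get(pkg, []):
            if in_range(ver, introduced, fixed):
                findings.append(Finding(pkg, ver, adv_id,
                                        f"in vulnerable range [{introduced}, {fixed})"))
    return findings


def gate(manifest_text, advisories=ADVISORIES):
    """True if the build may proceed (no findings), False otherwise."""
    return not scan(manifest_text, advisories)


if __name__ == "__main__":
    for f in scan(SAMPLE_MANIFEST):
        print(f"FAIL {f.package} {f.version or '(unpinned)'}: {f.advisory} - {f.detail}")
    raise SystemExit(0 if gate(SAMPLE_MANIFEST) else 1)
```

Run as a CI step, the non-zero exit status is what blocks the merge or deployment; the findings list is what a developer sees in the job log. Treating an unpinned dependency as a failure is a deliberate design choice: without an exact pin the gate cannot say which version will actually be built, so it cannot say the build is clean.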

7 In English This Time
Think of SecDevOps, sometimes called "Rugged DevOps" or "security at speed", as a set of best practices designed to help organizations implant secure coding deep in the heart of their DevOps development and deployment processes. The goal is to automate secure coding and security tests and fixes within the workflow, making secure software an inherent outcome of DevOps approaches.

8 What's in a Name?
DevOpsSec? SecDevOps? DevSecOps? Rugged DevOps?
Is there a difference, or is it a SEIM vs. SIEM thing?

9 Different Views
Integrating security into DevOps (securing DevOps).
Integrating DevOps into security operations (applying DevOps to SecOps).
DevOpsSec: the name implies no change; security is still last.
SecDevOps: the name implies security FIRST! Isn't always practical, but maybe one day.
DevSecOps: the name implies that security is in the middle. Could even imply that we are in the middle of EVERYTHING!
(Source: devsecops-whats-in-a-name.html; URL truncated in the transcript.)

10 Why It Matters
Cost:
The cost to fix a found, unexploited security vulnerability far outweighs the cost to prevent it.
The cost of a successful exploit of that vulnerability is orders of magnitude higher still.
The cost of lost time: hours spent rewriting old code could have been spent writing new code.
Brand and reputational cost can decrease market share. People are more forgiving of brick-and-mortar businesses, and even of online ones; less so of mobile.
Time to market improves when it is done right:
Quicker testing: testing smaller chunks of code more often and more thoroughly.
Quicker fixes: vulnerabilities are mitigated faster (think of how long it used to take from discovery to a released fix).
Quicker fixes improve brand image (responsiveness, takes security seriously, cares about ME).

11 Common Sense: IT JUST MAKES SENSE
Why adopt DevOps in the first place only to encounter last-minute changes to meet security requirements down the road? SecDevOps' promised payoff of more secure applications created more quickly seems compelling enough to get increasing numbers of organizations to do just that. SecDevOps automates the secure coding component of development to satisfy the security team's need to establish and maintain software that is secure from the moment it reaches production.

12 By The Numbers: Time and Cost to Fix (chart not included in the transcript)

13 SecDevOps: The Marriage of DevOps and SecOps
High performers deploy 30X more frequently, with 200X shorter lead times.
High performers have 60X fewer failures and recover from them 168X faster.
High performers are 2X more likely to exceed profitability, market share, and productivity goals, and have 50% higher market cap growth over 3 years.
(Figures as reported in the Puppet Labs State of DevOps Reports.)

14 Appendix

15 ISC2 CyberTrends Report 2017
Only a small minority of organizations consider themselves at the cutting edge of application security (6%) or mature, with all critical application security controls in place (18%). The plurality are just touching the surface (41%), and another 30% feel only somewhat mature, with key application security controls missing.
Q: Where do you think your company is in terms of the maturity of your application security strategy?
6%: On the cutting edge. We follow a Secure SDLC or a framework like OpenSAMM; even trying new approaches.
18%: Mature. We have all of the pieces in place.
30%: Somewhat mature. Some aspects not fully developed or deployed.
41%: Just touching the surface. Some testing of apps before deployment.
5%: Not doing anything.
More reason for getting stuff done early on.
Lack of skills: 46%. Lack of budget: 45%.
What if you could replace 3 IS staff with one who is better qualified because that person understands what needs to be done early on and makes it happen? Then you don't have to fix, and SecOps becomes less necessary? (Think this through.)

16 OWASP Rugged DevOps (slide content not included in the transcript)

17 Links and More Info
BrightTALK search result (URL truncated in the transcript): ...search-results-feed&utm_content=SecDevOps&utm_source=brighttalk-portal&utm_medium=web
...and-continuous-delivery-in-a-secure-environment/ (URL truncated in the transcript)
devsecops-whats-in-a-name.html (URL truncated in the transcript)
devops (URL truncated in the transcript)
Gene Kim, "The Phoenix Project" (book)
