BUILDING RUGGED SOFTWARE
• DEVOPS
• PUBLIC CLOUD
• AGILE
• SCRUM
• LEAN
• LOW-CODE
• NO-CODE
• NO OPS
• …
https://www.google.com/trends/
• Several years after the Agile Manifesto, DevOps.com was registered in 2004
• Google searches for “DevOps” started to rise in 2010
• Major influences:
• Saving your Infrastructure from DevOps / Chicago Tribune
• DevOps: A Culture Shift, Not a Technology / Information Week
• DevOps: A Sharder’s Tale from Etsy
• DevOps.com articles
• RuggedSoftware.org was registered in 2010
• As of 2013, DevSecOps is on the map…
…
Copyright © DevSecOps Foundation 2015-2016
What’s the business benefit?
Image: http://donsmaps.com/images22/mutta1200.jpg
Traditional: Security is Security's responsibility
DEVSECOPS: Security is Everyone's responsibility
The Art of DevSecOps
DevSecOps
• How do I secure my app?
• What component is secure enough?
• How do I secure secrets for the app?
• Is my app getting attacked? How?

• Most costly mistakes happen during design
• Typical gates for security checks & balances
• Mistakes and drift often happen after design and build phases that result in weaknesses and potentially exploits

• Better than walking, for sure… but not by much…
• Can this be motorized to go faster and for longer trips?
• When can I bring my kids with me? Does it come in Red?
• Awesome!
Security must shift left with a Science Mindset like all other Ops…
https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf
Security as Code / Everything as Code
• Traditional security policies do not 1:1 translate to Full Stack deployments.
• … stand up to constant cloud evolution and lessons learned. … mistakes.

Data Center
• BADGE IN
• AUTHORIZED PERSONNEL ONLY
• BACKGROUND CHECKS
Cloud Provider
• CHOOSE STRONG PASSWORDS
• USE MFA
• ROTATE API CREDENTIALS
• CROSS-ACCOUNT ACCESS
Network
Source Code → CI Server → Test & Scan → Artifacts → Deploy → Monitoring
PRODUCT SCRUM TEAM
Cloud accounts → EC2, CloudTrail, S3, Glacier → ingestion → security tools & data → insights, security science, threat intel
MTTR: Days… / 6 months
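The ingestion-to-insights stage above is where raw CloudTrail records become security signals. The following is an added example, not from the DevSecOps Foundation deck: a small Python rule set over CloudTrail-shaped records that raises alerts for console logins without MFA, root API activity, trail tampering (StopLogging, DeleteTrail, UpdateTrail) and repeated failed console logins from one source IP. The events, users, IP addresses and the failure threshold are constructed assumptions; only the field names follow the CloudTrail event schema.

```python
"""CloudTrail records to security signals (the ingestion/insights step).

Added example, not part of the DevSecOps Foundation deck. The records below
follow CloudTrail's field names (eventName, eventSource, userIdentity,
sourceIPAddress, additionalEventData, responseElements) but every user, IP,
trail name and timestamp is constructed; the rules and threshold are assumed.
"""
import json
from collections import Counter

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
FAILED_LOGIN_THRESHOLD = 3  # assumed: this many failures from one IP is an alert

ALICE = {"type": "IAMUser", "userName": "alice"}
BOB = {"type": "IAMUser", "userName": "bob"}
ROOT = {"type": "Root"}


def _login(ts, ident, ip, outcome, mfa):
    """Build a constructed ConsoleLogin record in CloudTrail's shape."""
    return {"eventTime": ts, "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin", "sourceIPAddress": ip,
            "userIdentity": ident,
            "additionalEventData": {"MFAUsed": mfa},
            "responseElements": {"ConsoleLogin": outcome}}


# Constructed log file, serialised the way a CloudTrail object in S3 is.
SAMPLE_LOG = json.dumps({"Records": [
    _login("2016-05-31T01:12:03Z", ALICE, "198.51.100.7", "Success", "Yes"),
    _login("2016-05-31T02:40:11Z", ROOT, "203.0.113.9", "Failure", "No"),
    _login("2016-05-31T02:40:19Z", ROOT, "203.0.113.9", "Failure", "No"),
    _login("2016-05-31T02:40:27Z", ROOT, "203.0.113.9", "Failure", "No"),
    _login("2016-05-31T03:05:44Z", BOB, "192.0.2.44", "Success", "No"),
    {"eventTime": "2016-05-31T03:07:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "192.0.2.44",
     "userIdentity": BOB, "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2016-05-31T03:09:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.9",
     "userIdentity": ROOT, "requestParameters": {"userName": "ci-deployer"}},
]})


def _actor(event):
    """Name the principal: 'root' for the root identity, else the IAM user name."""
    ident = event.get("userIdentity", {})
    return "root" if ident.get("type") == "Root" else ident.get("userName", "unknown")


def analyze(records, failed_login_threshold=FAILED_LOGIN_THRESHOLD):
    """Run the rules over a list of CloudTrail records and return alert dicts."""
    alerts = []
    failures = Counter()
    for ev in records:
        name = ev.get("eventName")
        actor = _actor(ev)
        ip = ev.get("sourceIPAddress", "?")
        if name == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Failure":
                failures[ip] += 1  # counted per source IP for the brute-force rule
            elif ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                alerts.append({"rule": "console-login-without-mfa", "who": actor, "detail": ip})
            continue
        if name in TRAIL_TAMPERING:
            alerts.append({"rule": "cloudtrail-tampering", "who": actor, "detail": name})
        if actor == "root":
            alerts.append({"rule": "root-api-activity", "who": actor, "detail": name})
    for ip, n in failures.items():
        if n >= failed_login_threshold:
            alerts.append({"rule": "console-login-bruteforce", "who": ip, "detail": f"{n} failures"})
    return alerts


def run_sample():
    """Parse the constructed log object and analyse its records."""
    return analyze(json.loads(SAMPLE_LOG)["Records"])


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert['rule']}: {alert['who']} ({alert['detail']})")
```

Each rule maps to one of the controls on the earlier slide: the MFA rule checks the control, the root and tampering rules catch the drift that happens after the build phase, and the per-IP failure count is the "is my app getting attacked? how?" question answered from the data you already collect.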
• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity