DevSecOps with Microsoft Tech
Darin Morris
@techdevdarin
in/darinmorris
What we’re going to talk about
In General:
Thoughts I’ve had around DevOps and Security
In Particular:
1. What it really means to do DevOps
2. How “doing DevOps” affects how we secure Data and Computer-centric Information Systems
Motivation for this talk
• I want “information technology practitioners” to become more professional, more productive and
happier at work.
Many reasons, but some of the more major reasons are:
• Information systems need to be of higher quality and delivered faster – we need to really
understand the DevOps philosophy to do that well.
• Security is often an afterthought in the IT systems lifecycle – that needs to change.
• We need a common language – not buzzwords.
DevOps and Security are
very broad domains!
SOMEONE ONCE TOLD ME NOT TO BITE
OFF MORE THAN I COULD CHEW…
I said I’d rather
CHOKE ON GREATNESS
THAN NIBBLE ON
MEDIOCRITY.
Let’s get to know each
other a little better!
Fun facts about me
Most used programming languages:
C#, JavaScript
“SiliconCape Native”
First PC: Pentium 1 with
Windows 95
First programming language: Java (JDK 1.3)
Professional background
• I’m a self-taught “Technologist” and I solve problems using
technology.
• I've been a founder, manager, team lead and software engineer,
in various sectors, and in teams of different shapes and sizes.
• Microsoft Certified Professional
• Certified ScrumMaster
• In the process of completing CSSLP, ITIL and ISTQB certifications.
• Member of a number of professional IT associations and
bodies i.e. OWASP, ISACA, IITPSA
• Fulltime full stack software engineer for the past 13 years,
primarily focussed on web and cloud-native software.
OK! Less about me.
More about you!
Does this sound like your role?
• Sales or Relationship Management
• Marketing
• Finance
• Leadership (C-Suite)
• Human Resources
• Business Analyst / Big Data Analyst
• General Administrator
• In-house Legal
Does this sound like your role?
• Project Manager or Coordinator
• Product Manager/Owner
• Software Architect
• Software Engineer
• Test Engineer
• Provision and Manage IT Infrastructure (IT Ops)
• Dedicated Security or Compliance
• Something else?
Let’s play a game!
Question #1: True or False? DevOps is only done by technical staff.
Question #2: True or False? DevOps is a Role.
Question #3: True or False? DevOps is a way of thinking about how we do work.
It’s DevOps – not DevITOps
(Nor is it BizDevOps or DevTestOps or OpsDev or even DevSecOps)
Things DevOps is associated with
What is DevOps really?
Myth #1: DevOps replaces Agile
• DevOps Principles and Practices are compatible with Agile
• DevOps is a logical continuation of Agile
• Agile serves as an effective enabler of DevOps
Myth #2: DevOps is incompatible with ITIL
• Can be made compatible - many areas just become automated.
Myth #3: DevOps is incompatible with InfoSec and Compliance
• Controls are integrated into every stage of the daily work of the SDLC, resulting in better quality, security and compliance outcomes.
Image credit: Checkmarx Software Exposure platform (www.checkmarx.com)
Myth #4: DevOps means eliminating IT Operations
• Rarely the case. The nature of IT Operations work just changes.
• IT Ops collaborates far earlier in the SDLC with development.
• Enables developer productivity through APIs and self-service platforms that create environments, test and deploy code, monitor and display production telemetry, etc.
• IT Ops become more like Development, i.e. engaged in product development for developers.
Myth #5: DevOps is just Infrastructure as Code
• “DevOps isn’t about automation, just as astronomy isn’t about telescopes” - Christopher Little
What DevOps really boils down to
DevOps is about Team Work that enables efficient creation of value
Not convinced? Read these books
Gene Kim, Patrick Debois, John Willis, Jez Humble, Kevin Behr, George Spafford
So where does
Security fit in?
Security and DevOps - DevSecOps?
• Security is fundamentally about mitigating risk (you’ll never be 100% secure).
• Mitigating risk is enabled by maintaining integrity, availability and confidentiality.
• Security principles haven’t changed; the way we implement security has.
Security Principles and Concepts
• Security
• Fail Securely
• Minimize attack surface
• Least Privilege
• Auditing
• Keep Things Simple (Economy of mechanism)
• Confidentiality
• Psychological Acceptability
• Availability
• Single Point of Failure
• Defense in Depth
• Leverage Existing Components
• Open Design
• Complete Mediation
• Separation of duties/privilege
• Integrity
Where is Security and Compliance applied?
Questions?
Key Take-aways!
1. DevOps is primarily about a culture of teamwork that enables efficient creation of value at all levels of an organization.
2. Security principles haven’t changed; security and compliance just happen more often and at a more localized scale.
That’s a wrap!
Connect with me:
@techdevdarin
in/darinmorris


Editor's Notes

  • #3 Aims: 1.1. Cover key principles. 1.2. Take audience on a journey to my AHA moment. 2. Delve into the impact of DevOps on security Clarify Terms and Concepts (Information Technology, Technology, DevOps, QA, Security) Provoke reflection on the way the audience currently does work and thought about what can be done better. Drive home the importance of security in software
  • #4 Is a pen and paper information technology?
  • #5 Disclaimer 1: I’ve been thinking about this stuff a lot lately, but I’m probably ignorant to something. There is enough content to write about, never mind a short talk.
  • #6 Disclaimer 2: There is potentially a lot we could cover, but we have very little time.
  • #7 I make joke. Har har.
  • #15 Answer: False Reason: DevOps isn't any single person's job. It's everyone's job.
  • #16 Answer: False Reason: DevOps isn't any single person's job. It's everyone's job.
  • #17 Answer: False Reason: DevOps isn't any single person's job. It's everyone's job.
  • #19 DevOps is a lot like the Standard Model of particle physics.
  • #21 Agile Toronto Conference 2008. Patrick Debois coined the term DevOps when he organized the first DevOpsDays conference in 2009.
  • #30 DevOps is a lot like the Standard Model of particle physics
  • #31 DevOps is a lot like the Standard Model of particle physics