Downloaded 30 times
Uploaded byPerforce
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
The document presents strategies for implementing secure DevOps to counteract the evolving risks in modern service delivery, emphasizing the need for collaboration among development, operations, and security teams. It discusses the rapid threat landscape and offers best practices for ensuring security within a DevOps framework. The importance of automation, standardization, and the detection of anomalous behavior is highlighted as essential for maintaining secure and efficient software development processes.
More Related Content
Similar to Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
![Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]](https://cdn.slidesharecdn.com/ss_thumbnails/agenticcommunityseries-day3-cfd-251120170304-ddef8112-thumbnail.jpg?width=640&height=640&fit=bounds)
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
- 1. Secure DevOps: Overcoming theRisks of Modern Service Delivery Kurt Bittner & Rick Holland Forrester Research
- 2. Featuring: 2 Agenda The DevOpsRevolution Threat Landscape Best Practices for Secure DevOps Q&A Chris Hoover GVP, Products & Marketing Perforce Software
- 3. Featuring: 3 Today’s Presenters Kurt Bittner PrincipalAnalyst Application Development and Delivery Rick Holland Principal Analyst Security & Risk
- 4. Featuring: 4 Agenda The DevOpsRevolution Threat Landscape Best Practices for Secure DevOps Q&A
- 5. 5 http://www.linkconstructiongroup.net/project.cfm?id=42© Golden GateBridge, Highway and Transportation District Why DevOps? It’s simple: intense, and increasing competition. “We don’t compete with other banks. We compete with Apple, Paypal, and Google.” (CIO, Large Banking organization)
- 6. Featuring: 6 Fast application delivery= better business results Less risk Less waste Lower cost Happier customers October 20, 2014, “The Software-Powered Business” © 2015 Forrester Research, Inc. Reproduction Prohibited
- 7. Featuring: 7 Seven Habits OfHighly Successful DevOps © 2015 Forrester Research, Inc. Reproduction Prohibited
- 8. The future isalready here — it's just not very evenly distributed. William Gibson
- 9. Could you manuallydeploy an airbag? What if a hacker deployed your airbag when you are driving at highway speed? Source: https://farm4.staticflickr.com/3570/3654967093_8181dff16c_o.jpg
- 10. 10http://blogs-images.forbes.com/sethporges/files/2014/05/googlecar-e1401261602733.jpg What about kidnappingby hacking an autonomous vehicle?
- 11. Software is eatingthe world
- 12. Companies in everyindustry need to assume a software revolution is coming
- 13. Featuring: 13 But security missedthe memo CONTINUOUS FRICTION © 2015 Forrester Research, Inc. Reproduction Prohibited
- 14. Featuring: 14 But security missedthe memo CONTINUOUS NAGGING © 2015 Forrester Research, Inc. Reproduction Prohibited
- 15. Featuring: 15 Agenda The DevOpsRevolution Threat Landscape Best Practices for Secure DevOps Q&A © 2015 Forrester Research, Inc. Reproduction Prohibited
- 16. Featuring: 16 Companies & agenciesare overwhelmed © 2015 Forrester Research, Inc. Reproduction Prohibited
- 17. Featuring: 17 >75% of compromisesoccurred in days Source: http://www.verizonenterprise.com/DBIR/2014 © 2015 Forrester Research, Inc. Reproduction Prohibited
- 18. Featuring: 18 Yet only 25%were discovered in days Source: http://www.verizonenterprise.com/DBIR/2014/ © 2015 Forrester Research, Inc. Reproduction Prohibited
- 19. Featuring: 19 Code Spaces goesout of business Deleted EBS snapshots, S3 buckets, all AMIs © 2015 Forrester Research, Inc. Reproduction Prohibited
- 20. Featuring: 20 The 90s called,wants its security approach back Static and dynamic code analysis can take days Bolt on security cannot keep pace with DevOps © 2015 Forrester Research, Inc. Reproduction Prohibited
- 21. 21 http://media-cdn.tripadvisor.com/media/photo-s/02/ce/93/e8/auditorium- theatre.jpg Manual security processesare often little more than Risk Management Theater
- 22. Instead of brightideas We have broken bulbsSource: https://farm2.staticflickr.com/1105/1471414696_b7e 134d097_o.jpg
- 23. 23 The perimeter isdead! https://www.flickr.com/photos/23879276@N00/3318932796
- 24. Featuring: 24 Except for theperimeters between our teams Development is the “Department of No.” Operations is the “Department of No” as well. Security is the “Department of Hell No!” © 2015 Forrester Research, Inc. Reproduction Prohibited
- 25. Featuring: 26 Agenda The DevOpsRevolution Threat Landscape Best Practices for Secure DevOps Q&A
- 26. Ford’s great innovation:the assembly line https://upload.wikimedia.org/wikipedia/commons/2/29/Ford_assembly_line_-_1913.jpg
- 27. 28 Lean Value StreamMapping http://en.wikipedia.org/wiki/Value_stream_mapping © 2015 Forrester Research, Inc. Reproduction Prohibited
- 28. Featuring: 29 Faster Delivery =Faster Remediation Idea Understand Needs Develop Test Deploy Customer Value 3 days 5 days 5 days 3 days 10 days7 days 4 days 9 days Total = 47 days 1 day feedback July 25, 2014 “Define A Software Delivery Strategy For Business Innovation”© 2015 Forrester Research, Inc. Reproduction Prohibited
- 29. 30 Idea proposed Understand Needs & Invent Solutions Functional Testing Deploy Solution Customer Value Load, Performance, Security, … Testing UAT/Explora toryTesting Release Decision Ensure only authorized changes Automate and control deployments Make release decisions based on test data Provide standard, secure environments Develop, Commit & Build Detect vulnerabilities Eliminate the “console” Detect intrusions Feedback New Capabilities Prevention is better than remediation
- 30. 31 Idea proposed Understand Needs & Invent Solutions Functional Testing Deploy Solution Customer Value Load, Performance, Security, … Testing UAT/Explora toryTesting Release Decision Automate and control deployments Make release decisions based on test data Provide standard, secure environments Detect vulnerabilities Eliminate the “console” Detect intrusions Feedback New Capabilities Ensure only authorized changes Develop, Commit & Build
- 31. Featuring: 32 Don’t forget aboutthe insider threats CERT 2014 US State of Cybercrime Survey Base: 557 respondents. Software Engineering Institute https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=298318 Insiders commit: Fraud Theft of IP Sabotage © 2015 Forrester Research, Inc. Reproduction Prohibited
- 32. Featuring: 33 Terminated worker cripplesemployer Deleted 88 virtual servers in seconds © 2015 Forrester Research, Inc. Reproduction Prohibited
- 33. Featuring: 34 Ensure authorized changeswith analytics Quickly identifying unauthorized changes is paramount. Behavioral analytics can detect a myriad of anomalous or unauthorized changes © 2015 Forrester Research, Inc. Reproduction Prohibited
- 34. Featuring: 35 Identify anomalous/malicious behavior overtime: Is Rick accessing code he has never accessed before? Is Rick accessing code that his peers don’t access? Are Rick’s work hours unusual? (8-5 CST, but now 2am) Why is Rick suddenly uploading code to Dropbox? © 2015 Forrester Research, Inc. Reproduction Prohibited
- 35. Featuring: 36 http://blog.jki.net/news/niweek-2012-fire-and-forget-bulletproof-builds-using-continuous- integration-with-labview-video-slides-now-available/ Ensure only authorized changes Continuous integrationensures healthy code © 2015 Forrester Research, Inc. Reproduction Prohibited
- 36. 37 Idea proposed Understand Needs & Invent Solutions Functional Testing Deploy Solution Customer Value Load, Performance, Security, … Testing UAT/Explora toryTesting Release Decision Ensure only authorized changes Automate and control deployments Make release decisions based on test data Develop, Commit & Build Detect vulnerabilities Eliminate the “console” Detect intrusions Feedback New Capabilities Provide standard, secure environments * * *
- 37. 38 http://www.flickr.com/photos/38392483@N00/385912858 “Infrastructure As Art” Every hand-crafted environment is unique No auditability of changes Often, no control over change access No repeatability “It works fine in my environment.” Inconsistency Creates Vulnerability
- 38. 39 Complexity leads tovulnerability https://sndrs.ca/page/2/
- 39. 40 http://www.datacenterknowledge.com/wp-content/uploads/2011/05/ITPAC-Servers- 470.jpg › Standard VM/Containerconfigurations › Configurations version controlled › Managed Change authorization › Changes automated, repeatable, auditable “Infrastructure As Code” Versioned Repository Configuration Info Configured Environment Test Data Test Data Configuration Info Service Virtualization Test Data Management Deployment Automation
- 40. Featuring: 41 Standardized environments make securityscalable, finally Security pros must leverage IT automation tools Ensure consistent configurations and eliminate drift © 2015 Forrester Research, Inc. Reproduction Prohibited
- 41. Featuring: 42 Standardization made Heartbleed lesspainful © 2015 Forrester Research, Inc. Reproduction Prohibited
- 42. 43 Idea proposed Understand Needs & Invent Solutions Deploy Solution Customer Value Release Decision Ensure only authorized changes Automateand control deployments Make release decisions based on test data Provide standard, secure environments Develop, Commit & Build Eliminate the “console” Detect intrusions Feedback New Capabilities Detect vulnerabilities Functional Testing Load, Performance, Security, … Testing UAT/Explora tory Testing
- 43. 44 Ensure only authorized changes Automate andcontrol deployments Provide standard, secure environments Develop, Commit & Build Detect vulnerabilities Eliminate the “console” Detect intrusions Feedback New Capabilities Idea proposed Understand Needs & Invent Solutions Functional Testing Deploy Solution Customer Value Load, Performance, Security, … Testing UAT/Explora tory Testing Make release decisions based on test data Release Decision
- 44. 45 Benefits of basingrelease decisions on test data Increased Confidence Reduced Risk Fewer Incidents Simplified Release Decisions
- 45. 46 Idea proposed Understand Needs & Invent Solutions Functional Testing Deploy Solution Customer Value Load, Performance, Security, … Testing UAT/Explora toryTesting Release Decision Ensure only authorized changes Make release decisions based on test data Provide standard, secure environments Develop, Commit & Build Detect vulnerabilities Eliminate the “console” Detect intrusions Feedback New Capabilities Automate and control deployments Automating deployment reduces vulnerability
- 46. 47 Add slides onARA– what it is, how it works http://h30499.www3.hp.com/t5/Grounded-in-the-Cloud/Transform-DevOps-with- Application-Release-Automation/ba-p/5952497#.VTZ73c5Gceo Benefits of Automating Deployment Increase reliability Eliminate manual errors A typical quarterly release at one company consisted of a spreadsheet of over 1000 changes that needed to be made to deploy the software. A THOUSAND OPPORTUNITIES FOR SOMETHING TO GO WRONG. Increase speed Reduce cost
- 47. Featuring: 48 Three Teams, OneGoal Development, Operations and Security must work together to win, serve and retain customers. Deliver consistency • Secure customer experiences • Trustworthy configurations • Minimize human error • Few surprises © 2015 Forrester Research, Inc. Reproduction Prohibited
- 48.
- 49. Featuring: 50 Thank you Kurt Bittner PrincipalAnalyst kbittner@forrester.com @ksbittner Rick Holland Principal Analyst rholland@forrester.com @rickhholland
Editor's Notes
- #12 http://pixabay.com/p-97849/?no_redirect
- #13 http://pixabay.com/p-97849/?no_redirect
- #14 http://pixabay.com/p-97849/?no_redirect
- #15 http://pixabay.com/p-97849/?no_redirect
- #18 2015 Verizon DBIR
- #20 http://pixabay.com/p-97849/?no_redirect
- #21 http://pixabay.com/p-97849/?no_redirect
- #23 https://farm2.staticflickr.com/1105/1471414696_b7e134d097_o.jpg
- #24 http://pixabay.com/p-156676/?no_redirect Perimeter is dead, but not the perimeters we have built up between teams Operations, Architecture, Development, Security Security is all about perimeters so ours are the worst. Department of no One practical way to break down is use same tools
- #28 https://upload.wikimedia.org/wikipedia/commons/9/92/1919_Ford_Model_T_Highboy_Coupe.jpg https://upload.wikimedia.org/wikipedia/commons/2/29/Ford_assembly_line_-_1913.jpg https://upload.wikimedia.org/wikipedia/commons/1/18/Henry_ford_1919.jpg
- #33 http://pixabay.com/p-97849/?no_redirect
- #34 http://pixabay.com/p-97849/?no_redirect
- #35 http://pixabay.com/p-97849/?no_redirect
- #36 http://pixabay.com/p-97849/?no_redirect
- #40 https://upload.wikimedia.org/wikipedia/commons/a/a7/Frankenstein%27s_monster_%28Boris_Karloff%29.jpg http://ia.media-imdb.com/images/M/MV5BMjM3Mzk2MDU3N15BMl5BanBnXkFtZTgwMzg1NTI4MDE@._V1_SX640_SY720_.jpg
- #42 http://pixabay.com/p-97849/?no_redirect
- #49 http://pixabay.com/p-97849/?no_redirect