SecDevOps: The New Black of IT
DESCRIPTION
Just when you thought DevOps was the new black, along comes SecDevOps. In this webinar, Andrew Storms, Sr. Director of DevOps at CloudPassage, and Alan Shimel, Co-Founder of DevOps.com, will discuss the emerging hybrid role of DevOps and Security. Tune in to hear them cover the following topics and why DevOps should want to play a bigger part in security:
• Go beyond the traditional: use DevOps tools, practices and methods to create a force multiplier of SecDevOps
• Orchestrate and Automate - deputize everyone to incorporate security into their day-to-day responsibilities
• Examples of security automation, case situations minimizing risk and driving flexibility for DevOps
• See how SaaS provider CloudPassage integrates security into its own development and operations workflows
TRANSCRIPT
SecDevOps: The New Black of IT
Andrew Storms, CloudPassage, Director of DevOps
Alan Shimel, DevOps.com, CEO & Co-founder
[Timeline slide: 1994, 1995, 2009]
Cloud or Not – Still the Same
• Infrastructure
• Data & Storage
• Identity & Access Controls
• Privacy
• Governance
• Audit & Compliance
What about DevOps?
• Infrastructure as code
• Instrumentation
• Orchestration
• Continuous everything
What about security with DevOps?
DevOps & Security Division
This is NOT how we do DevOps at CloudPassage.
[Diagram: DevOps (Plan, Code, Test, Release, Deploy, Operate) and Security separated by a division line rather than joined by collaboration]
SecDevOps
• Less division – More collaboration
• Less silos – More sharing
• Less pipeline – More chains & links
• Less manual – More automation
[Diagram: the SecDevOps lifecycle, with Security alongside Plan, Code, Test, Release, Deploy, Operate; the same diagram is repeated on the following slides]
Plan
• Release Sherpa
– Ops, Dev, QA
– See a release through from start to finish
• Change risk management
– What infrastructure changes?
– Unexpected or large code changes?
– Security risk assessment
– Threat vector analysis
Code
• Standards enforcement
– RuboCop, Foodcritic, Knife-Spork
• Review process
– Peer & code review
– Continuous application & infrastructure testing
• Git feature branching
– Change control & isolation
Test
• Automated code testing
– Over 10k tests run automatically at check-in
– Over 10k QA assertions
– Over 130 smoke test suites
• All the modules & third-party integrations
• Deploy verifications
• External automated testing
• External code review
Release & Deploy
• Stakeholder approval
• Standardized tools
– Capistrano, Chef
• Deploy testing
– 2-man rule
• System segregation
– Only Ops has production access
Operate
• Continuous compliance monitoring
– All systems (prod & non-prod)
– Hourly & daily
– Halo
• Infrastructure security orchestration
– Thousands of control/change points enforced hourly (Chef)
– Validated by Halo
• Continuous risk assessment
– Third-party vulnerability testing of all systems
[Diagram: workflow Initiate → Approve → Implement → Deploy (Infrastructure) → Deploy (App Code) → Update Baselines → Continuous Monitoring, with the tools JIRA, git, Chef, Capistrano and Halo along the chain and audit records captured at each step]
End to end audit trail, built into the agile process… "AGILE ASSURANCE"
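As an added illustration (not code from the webinar, and not CloudPassage's Halo or Chef logic), the chain above and the Operate slide's baseline-and-monitoring loop reduced to a small Python model: a change needs two distinct approvers before it updates the baseline, each snapshot of a host is checked for drift against that baseline, and every step appends an audit record. All control names, hosts and values are constructed.

```python
"""Constructed illustration of baseline change approval, drift monitoring and an
audit trail; control names/values are made up, not real Halo or Chef logic."""
from dataclasses import dataclass, field

@dataclass
class AuditTrail:
    records: list = field(default_factory=list)
    def log(self, step, detail):
        self.records.append({"step": step, "detail": detail})

@dataclass
class Change:
    change_id: str
    controls: dict                       # control name -> new expected value
    approvers: set = field(default_factory=set)

def approve(change, approver, audit):
    change.approvers.add(approver)
    audit.log("Approve", f"{change.change_id} by {approver}")

def update_baseline(baseline, change, audit):
    """Two-man rule: the baseline only moves after two distinct approvers."""
    if len(change.approvers) < 2:
        audit.log("Reject", f"{change.change_id}: {len(change.approvers)} approver(s)")
        return False
    baseline.update(change.controls)
    audit.log("UpdateBaselines", f"{change.change_id}: {sorted(change.controls)}")
    return True

def check_drift(baseline, snapshot, audit):
    """Continuous monitoring: compare each baseline control with the observed
    host snapshot; every mismatch is a (control, expected, actual) finding."""
    findings = [(c, exp, snapshot.get(c))
                for c, exp in baseline.items() if snapshot.get(c) != exp]
    audit.log("ContinuousMonitoring", f"{len(findings)} finding(s)")
    return findings

def run_example():
    # Constructed walk-through: one change, one approver too few, then drift.
    audit = AuditTrail()
    baseline = {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
                "firewall.open_tcp": (22, 443)}
    change = Change("CHG-1", {"firewall.open_tcp": (22, 443, 8443)})
    approve(change, "dev-alice", audit)
    first = update_baseline(baseline, change, audit)    # rejected: one approver
    approve(change, "ops-bob", audit)
    second = update_baseline(baseline, change, audit)   # accepted: two approvers
    snapshot = {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no",
                "firewall.open_tcp": (22, 443, 8443)}   # root login has drifted
    return first, second, check_drift(baseline, snapshot, audit), audit.records
```

The audit records list is the "end to end audit trail" of the slide: one entry per approval, rejection, baseline update and monitoring run.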
Practical SecDevOps Examples
• Security automation potential
– Cloud APIs have exploded
• Latch on to DevOps momentum
– Take advantage of change
– Make Dev and Ops security stakeholders
• Use IFTTT thinking
– Channels, Triggers, Actions, Ingredients, Recipes
Practical SecDevOps Automation
[Four diagram slides of automation examples; only the trigger label "git-push" survives extraction]
SecDevOps in Summary
Old is new
Still solving the same problems, but in new ways
SecDevOps
Automation
DevOps is here
SecDevOps is required
Security automation is here
And is required in the cloud
More Resources
Explore: www.DevOps.com
Learn: blog.cloudpassage.com
Start: www.cloudpassage.com/halo
Thank you!
Q&A