Evolving Security Practices in DevOps: A Holistic Approach

Explore the evolution of security practices within the DevOps landscape, from debunking the myth of DevSecOps non-existence to embracing a shift-left mentality. Discover the challenges of traditional security views, the importance of continuous security integration, and the impact of delivery exposures on software releases. Delve into production security concerns and learn about key metrics like MTTD and MTTR in the context of security incidents and remediation efforts.

• DevOps Security
• Shift-Left Approach
• Continuous Integration
• Production Security
• Security Metrics

madisyn Follow

Uploaded on Jul 18, 2024 | 1 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. DevSecOps SKILup Day 17-September, 2020 Shift Security Everywhere Tim Johnson

2. Controversial Statement DevSecOps doesn t exist - or shouldn t 2

3. The traditional view of Security PROD DEV TEST SEC PRE 3

4. The Shift Left view of Security SEC DEV TEST PROD PRE 4

5. The Continuous DevOps process 5

6. The Shift Security Left Fallacy 6

7. The Shift Security Left Fallacy What about this side? 7

8. Delivery Security

9. Delivery Exposures Wrong Thing Released 9

10. Delivery Exposures Wrong Thing Released Unknown Changes 10

11. Delivery Exposures Wrong Thing Released Unknown Changes Manual Steps 11

12. Delivery Exposures Wrong Thing Released Unknown Changes Manual Steps Deployment Failure 12

13. Production Security

14. The DORA Metrics MTTD MTTR We found a problem! We fixed the problem! 14

15. The Scary Part MTTR MTTD EXPOSURE We fixed the problem! We found a problem! 15

16. The New Metric - MTTMitigate MTTR MTTD MTTM We turned it off We fixed the problem! We found a problem! - or - Rolled it back 16

17. The Updated DORA Metrics MTTD = MTTM MTTR We found a problem! We fixed the problem! And We instantly; Turned it off - or - Rolled it back 17

18. Shifting Security Everywhere

19. Q: Where does DevSecOps fit? 19

20. A: Everywhere! Delivery Development Production 20

21. Secure in Development Development The right people are making the right changes The right sets of tests were performed The code passed our thresholds 21

22. Immutable pipeline & components Secure in Delivery Delivery Changes detected, analyzed, approved Automated everything - no manual steps Automatic rollback on failure Development The right people are making the right changes The right sets of tests were performed The code passed our thresholds 22

23. Immutable pipeline & components Secure in Production Delivery Changes detected, analyzed, approved Automated everything - no manual steps Automatic rollback on failure Development The right people are making the right changes Bill of materials The right sets of tests were performed Production Instant mitigation without redeployment The code passed our thresholds Graceful recovery and rollbacks 23 Integrated and automated

24. Want to know more? www.cloudbees.com/solutions/d evsecops 24

25. Thank You