Evolving Security Practices in DevOps: A Holistic Approach
This deck traces the evolution of security practices in the DevOps landscape, from the provocative claim that DevSecOps does not (or should not) exist as a separate discipline, through the shift-left mentality and its blind spot, to the delivery exposures (wrong thing released, unknown changes, manual steps, deployment failure) that affect software releases. It then turns to production security and the metrics MTTD and MTTR, and introduces mean time to mitigate (MTTM) as the measure of how quickly a known problem is taken out of production.
Presentation Transcript
DevSecOps SKILup Day, 17 September 2020
Shift Security Everywhere
Tim Johnson

Controversial statement: DevSecOps doesn't exist - or shouldn't.

The traditional view of security: a pipeline diagram of the stages DEV, TEST, PRE (pre-production) and PROD, with SEC as a separate stage near the end of the pipeline.

The shift-left view of security: the same stages, with SEC moved to the front, ahead of DEV.

The shift-security-left fallacy: what about this side? (the delivery and production end of the pipeline)
Delivery Security
Delivery exposures:
 - Wrong thing released
 - Unknown changes
 - Manual steps
 - Deployment failure
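As an added example (not part of the original deck), the following Python shows one concrete guard against the first two delivery exposures, "wrong thing released" and "unknown changes": the release candidate is compared, component by component, against the bill of materials that was approved. The component names, their contents and the function names are constructed for the illustration; a real pipeline would store the approved BOM (or its digest) outside the pipeline's reach and sign it.

```python
import hashlib
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_bom(components: Dict[str, bytes]) -> Dict[str, str]:
    """Bill of materials: component name -> SHA-256 of its content."""
    return {name: sha256_hex(blob) for name, blob in sorted(components.items())}


def bom_digest(bom: Dict[str, str]) -> str:
    """Single digest over the canonical BOM; this is what an approver would sign
    and what the pipeline would be pinned to (immutable approval record)."""
    canonical = json.dumps(bom, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def check_release(approved_bom: Dict[str, str], candidate: Dict[str, bytes]) -> List[str]:
    """Return findings for a release candidate; an empty list means it matches
    exactly what was approved. Anything else is an unknown change."""
    findings: List[str] = []
    cand = build_bom(candidate)
    for name, digest in approved_bom.items():
        if name not in cand:
            findings.append(f"missing: {name}")      # wrong thing released
        elif cand[name] != digest:
            findings.append(f"modified: {name}")     # unknown change to a known part
    for name in cand:
        if name not in approved_bom:
            findings.append(f"unapproved: {name}")   # unknown addition
    return findings


# Constructed sample inputs: what was approved, and a tampered candidate.
APPROVED_COMPONENTS = {
    "app.jar": b"app-v1",
    "config.yaml": b"port: 8080\n",
}
TAMPERED_COMPONENTS = {
    "app.jar": b"app-v1",
    "config.yaml": b"port: 8081\n",   # edited after approval
    "debug.so": b"not in the BOM",     # never reviewed
}

if __name__ == "__main__":
    approved = build_bom(APPROVED_COMPONENTS)
    print("approved BOM digest:", bom_digest(approved))
    print("clean candidate:", check_release(approved, APPROVED_COMPONENTS) or "OK")
    print("tampered candidate:", check_release(approved, TAMPERED_COMPONENTS))
```

The check refuses to reason about intent: a changed byte in config.yaml and an extra shared object are both reported, and the release stops until a human approves a new BOM. That is the "changes detected, analyzed, approved" step made mechanical.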
Production Security
The DORA metrics: MTTD (mean time to detect, "We found a problem!") and MTTR (mean time to restore, "We fixed the problem!").

The scary part: the time between MTTD ("We found a problem!") and MTTR ("We fixed the problem!") is EXPOSURE, the window in which a known problem is still live in production.

The new metric, MTTM (mean time to mitigate): "We turned it off - or - rolled it back." It sits between MTTD and MTTR and ends the exposure without waiting for the fix.

The updated DORA metrics: MTTD = MTTM, then MTTR. "We found a problem!" and, instantly, "We turned it off - or - rolled it back"; then "We fixed the problem!" Detection and mitigation become one step, and the fix follows.
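As an added illustration (not part of the original deck), the following Python computes the deck's metrics over a constructed set of incidents: MTTD, MTTR, the new MTTM, and the per-incident exposure window that mitigation closes. It also recomputes them under the "updated" model, where detection triggers an instant flag-off or rollback, to show MTTM collapsing onto MTTD. The Incident dataclass, the timestamps and the helper names are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Incident:
    """One production incident; all timestamps are constructed for the example."""
    name: str
    introduced_at: datetime                 # the bad change went live
    detected_at: datetime                   # "We found a problem!"
    restored_at: datetime                   # "We fixed the problem!" (fix deployed)
    mitigated_at: Optional[datetime] = None  # "We turned it off / rolled it back"

    def exposure(self) -> timedelta:
        """Time a *known* problem stayed live: from detection until mitigation,
        or until the fix if nobody mitigated (the 'scary part')."""
        end = self.mitigated_at or self.restored_at
        return end - self.detected_at


def _mean(deltas: List[timedelta]) -> timedelta:
    return sum(deltas, timedelta()) / len(deltas)


def mttd(incidents: List[Incident]) -> timedelta:
    return _mean([i.detected_at - i.introduced_at for i in incidents])


def mttr(incidents: List[Incident]) -> timedelta:
    return _mean([i.restored_at - i.introduced_at for i in incidents])


def mttm(incidents: List[Incident]) -> timedelta:
    # Without a mitigation step, mitigation only happens when the fix lands.
    return _mean([(i.mitigated_at or i.restored_at) - i.introduced_at for i in incidents])


def mean_exposure(incidents: List[Incident]) -> timedelta:
    return _mean([i.exposure() for i in incidents])


def with_instant_mitigation(incidents: List[Incident]) -> List[Incident]:
    """The 'updated' model: detection immediately turns the change off or rolls
    it back, so MTTM equals MTTD and exposure drops to zero. MTTR is unchanged."""
    return [Incident(i.name, i.introduced_at, i.detected_at, i.restored_at,
                     mitigated_at=i.detected_at) for i in incidents]


# Constructed sample: one incident handled fix-only, one mitigated by a flag.
T = datetime(2020, 9, 17)
SAMPLE = [
    Incident("fix-only",
             introduced_at=T + timedelta(hours=10),
             detected_at=T + timedelta(hours=10, minutes=30),
             restored_at=T + timedelta(hours=14, minutes=30)),
    Incident("flagged-off",
             introduced_at=T + timedelta(hours=9),
             detected_at=T + timedelta(hours=9, minutes=20),
             restored_at=T + timedelta(hours=13),
             mitigated_at=T + timedelta(hours=9, minutes=25)),
]

if __name__ == "__main__":
    for label, inc in (("as recorded", SAMPLE),
                       ("instant mitigation", with_instant_mitigation(SAMPLE))):
        print(f"{label}: MTTD={mttd(inc)} MTTM={mttm(inc)} "
              f"MTTR={mttr(inc)} exposure={mean_exposure(inc)}")
```

On the sample, the fix-only incident is exposed for four hours while the flagged-off one is exposed for five minutes, even though their MTTR values are similar; MTTR alone hides that difference, which is why the deck adds MTTM.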
Shifting Security Everywhere
A: Everywhere! Development, delivery and production.

Secure in development:
 - The right people are making the right changes
 - The right sets of tests were performed
 - The code passed our thresholds

Secure in delivery:
 - Immutable pipeline & components
 - Changes detected, analyzed, approved
 - Automated everything - no manual steps
 - Automatic rollback on failure

Secure in production:
 - Bill of materials
 - Instant mitigation without redeployment
 - Graceful recovery and rollbacks

Integrated and automated across all three.
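Added example (not from the deck): a minimal kill switch in Python showing "instant mitigation without redeployment" together with "automatic rollback on failure" for a new code path. The KillSwitch class, the two pricing functions, the constructed regression in the new path and the sample orders are all assumptions made for the illustration; in a real service the flag would be read from a runtime configuration or feature-flag store so an operator can flip it without a deploy.

```python
from collections import deque
from typing import Any, Deque, Dict, List, Optional, Tuple


class KillSwitch:
    """Runtime flag guarding a new code path (assumption: a real service reads
    it from a flag store, so operators can flip it without a release)."""

    def __init__(self, enabled: bool = True, window: int = 10, max_failures: int = 3):
        self.enabled = enabled
        self.max_failures = max_failures
        self._recent: Deque[bool] = deque(maxlen=window)  # True/False per attempt
        self.auto_tripped = False

    def record(self, ok: bool) -> None:
        """Automatic rollback: too many failures in the window disable the path."""
        self._recent.append(ok)
        if self.enabled and self._recent.count(False) >= self.max_failures:
            self.enabled = False
            self.auto_tripped = True

    def turn_off(self) -> None:
        """Manual mitigation: 'We turned it off' without waiting for a fix."""
        self.enabled = False


def price_new(order: Dict[str, Any]) -> int:
    """Constructed 'new' path with a regression: it requires a currency field
    that the older order format never carried."""
    if "currency" not in order:
        raise KeyError("currency")
    return order["qty"] * order["unit"]


def price_legacy(order: Dict[str, Any]) -> int:
    """Known-good path kept in the build so mitigation needs no new release."""
    return order["qty"] * order["unit"]


def handle(order: Dict[str, Any], switch: KillSwitch) -> Tuple[str, int]:
    """Serve one request: try the new path while the switch is on, fall back to
    the legacy path for this request on any failure, and let the switch decide
    whether the new path stays enabled for the next one."""
    if switch.enabled:
        try:
            total = price_new(order)
            switch.record(True)
            return "new", total
        except Exception:
            switch.record(False)
    return "legacy", price_legacy(order)


# Constructed sample traffic: a mix of new-format and old-format orders.
SAMPLE_ORDERS: List[Dict[str, Any]] = [
    {"qty": 1, "unit": 10, "currency": "USD"},
    {"qty": 2, "unit": 5},                      # old format -> new path fails
    {"qty": 1, "unit": 7, "currency": "EUR"},
    {"qty": 3, "unit": 2},                      # second failure
    {"qty": 1, "unit": 1},                      # third failure -> switch trips
    {"qty": 4, "unit": 3, "currency": "USD"},   # valid, but new path is now off
]


def run_demo(orders: List[Dict[str, Any]] = SAMPLE_ORDERS,
             switch: Optional[KillSwitch] = None) -> Tuple[List[Tuple[str, int]], KillSwitch]:
    if switch is None:
        switch = KillSwitch()
    results = [handle(o, switch) for o in orders]
    return results, switch


if __name__ == "__main__":
    results, switch = run_demo()
    for order, (path, total) in zip(SAMPLE_ORDERS, results):
        print(f"{path:6s} total={total:3d} order={order}")
    print("new path enabled:", switch.enabled, "auto-tripped:", switch.auto_tripped)
```

The per-request fallback keeps every order served, and the window counter turns the third failure into an automatic rollback of the new path; the fix to price_new can then ship through the normal pipeline while the exposure is already closed.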
Want to know more? www.cloudbees.com/solutions/devsecops