DevOpsDays 2022: Security is about to become a DevOps Problem

chipadeedoodah 1 views 28 slides Oct 16, 2025

About This Presentation

"Shift Left" increasingly means "It's a DevOps problem now," and organizations are trying to combine defensive security into operations and devops roles in a new "DevSecOps" movement.

Forever asked to do more with less, DevOps teams are facing yet more additional r...


Slide Content

Security is about to become a DevOps Problem What are you going to do about it?

The next 25 minutes
DevOps: A brief history lesson about DevOps, explaining my perspective on the movement
InfoSec Team 101: The people part of security teams, CISOs, and why “shift left” means more work for you
Shifting Left: (Some of) what you need to know to effectively handle your new responsibilities
Tooling: Tools that can help you with your new problem space

My DevOps Lens

How it started

How it’s going

Solve the 5 Predictable Bottlenecks
Environment Creation: Teams must be able to create an environment for your app on-demand.
Testing: Every change should be tested prior to production.
Code Deployment: Deploying your project must be a single-step process, as fast as possible.
Architecture: Loosely-coupled architecture results in diminished blast radius for failed changes.
Ideas: “The constraint ends up being product owners, and how many ideas they can come up with.” – Adrian Cockcroft, Netflix // Roy Rappaport, Netflix
Source: Beyond The Phoenix Project: The Origins and Evolution of DevOps (2018), Gene Kim and John Willis

“Technical capabilities build upon one another. Continuous delivery and version control amplify each other’s ability to promote high levels of software delivery performance. Combining continuous delivery, loosely-coupled architecture, version control, and continuous integration fosters software delivery performance that is greater than the sum of its parts.” – DORA 2022 State of DevOps Report

Empathy for the Security Team

The Dreaded Security Backlog Meeting
“A half hour later, Tim [the IT Auditor] is still droning on. I stare glumly at the huge stack of findings. Most of these issues are just like the huge, useless reports we get from Information Security, which is another reason why John [the Security Engineer] has such a bad reputation. It’s the never-ending hamster wheel of pain: Information Security fills up people’s inboxes with never-ending lists of critical security remediation work, quarter after quarter.” – Kim, Gene; Behr, Kevin; Spafford, George. The Phoenix Project. IT Revolution Press

Security in a silo
Despite a sweeping remit, security teams often operate apart from the other teams delivering software, with different incentives. Because of their position outside of the workflow, and their power to halt delivery, it’s often very difficult for security engineers to build trust and camaraderie.

Security gets sidelined
Security teams theoretically have the power to stop value delivery (though in practice are almost always overruled).
Security breaches typically don’t impact the bottom line.
High CISO turnover has created unstable information security organizations.
“Stock prices during and following the high profile security data breaches... have decreased slightly or quickly recovered following the breach.” – Harvard Business Review, https://hbr.org/2015/03/why-data-breaches-dont-hurt-stock-prices

Average CISO tenure: 18-26 months
https://www.cylumena.com/insights/ciso-turnover-problem/

High Trust Means High Performance
“We found that the biggest predictor of an organization’s application-development security practices was cultural, not technical: high-trust, low-blame cultures focused on performance were 1.6x more likely to have above average adoption of emerging security practices than low-trust, high-blame cultures focused on power or rules.” – DORA 2022 State of DevOps Report
“The teams that focus on establishing security practices are significantly more likely to recommend their team to someone else. Further, SLSA-related security practices positively predict both organizational performance and software delivery performance, but this effect needs strong continuous integration capabilities in place to fully emerge.”

“Shift security left” means “It’s a DevOps problem now”

Shifting Left in Practice

Strategic Goals for DevOps adopting security
1. Cover the basics: The practices that make your DevOps teams effective at delivering highly available, high-quality sites will also enable effective security practices.
2. Develop security superpowers: Give your team the ability to quickly check compliance, vulnerabilities, and inventory.
3. Automate your audits: Automate security tests, and run them constantly in your pipelines next to your code quality tests.

Cover the Basics First
Continuous Integration / Continuous Delivery: Build dozens of times a day. Deploy as often as is safe for your environment.
Infrastructure as Code: Make sure your environments are represented in pipelines that are themselves tested.
Immutable Artifacts: Every build should result in an immutable artifact, even if you’re shipping to a JIT runtime.

“Implementing software supply chain security controls, like those recommended by the SLSA framework, has a positive effect on software delivery performance when continuous integration is firmly established. Without continuous integration capabilities in place, software delivery performance and security controls might be in conflict.” – DORA 2022 State of DevOps Report

Develop Superpowers: Level up
Automate security policy to close the gap between work-as-imagined and work-as-done (policy as code).
Get a quick, searchable inventory of all of your assets and services.
Find abandoned projects ASAP.

Cloud Technical Debt
Cloud infrastructure provisioned via shadow IT, for experiments, or for ended projects. This infrastructure is no longer maintained, but still connected to the internet and to internal systems.
Kristi Perreault, “What I Have Learned Scaling Serverless First at Liberty Mutual,” https://devopsdays.org/events/2022-denver/program/kristi-perreault/

Automate Security & Compliance testing
Pipeline stages: Functional → Security → Compliance → Deploy
… and fail builds on security & compliance checks

Test the whole supply chain
Dependencies: Products like Snyk and Sonatype find problems in upstream libraries.
Infrastructure automation: Check your IaC code, and also your build infrastructure.
SCM and Services: Don’t forget to test GitHub/GitLab, and any other API-based services your company depends on such as Auth0 or LaunchDarkly.

Anatomy of policy-as-code
Name (describe the intent of the policy): Amazon Linux 2022 Baseline
Control (describe a security practice to adopt): Ensure DHCP Server is not installed
Assertion (the machine-checkable test):
package("dhcp").installed == false
package("isc-dhcp-server").installed == false
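To make the Name / Control / Assertion anatomy above, and the earlier pipeline idea of failing a build on a security or compliance check, concrete, here is an added Python example. It is not cnspec or MQL and not Mondoo's code; it is written for this page. It models the slide's policy as data, evaluates each assertion against an inventory of installed package names, and exits non-zero when any assertion fails, which is what lets a CI stage fail the build. The inventory format (a set of package names), the `rpm -qa` helper, and the sample inventory are assumptions made for the example; the sample inventory is constructed and deliberately violates the control.

```python
"""Policy-as-code in the slide's anatomy: Name -> Controls -> Assertions.

Added example; not cnspec/MQL and not Mondoo's code. The inventory is a
set of installed package names (an assumption made for this example).
"""
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable


@dataclass
class Assertion:
    """A single machine-checkable predicate over the host inventory."""
    description: str
    check: Callable[[set], bool]


@dataclass
class Control:
    """A security practice to adopt, backed by one or more assertions."""
    title: str
    assertions: list


@dataclass
class Policy:
    """The intent of the policy (its name) plus its controls."""
    name: str
    controls: list


def package_not_installed(pkg: str) -> Assertion:
    """Build an assertion mirroring the slide's `package("<pkg>").installed == false`."""
    return Assertion(
        description=f'package("{pkg}").installed == false',
        check=lambda inventory: pkg not in inventory,
    )


# The policy from the slide, expressed as data rather than as a document.
AMAZON_LINUX_2022_BASELINE = Policy(
    name="Amazon Linux 2022 Baseline",
    controls=[
        Control(
            title="Ensure DHCP Server is not installed",
            assertions=[
                package_not_installed("dhcp"),
                package_not_installed("isc-dhcp-server"),
            ],
        ),
    ],
)


def evaluate(policy: Policy, inventory: set) -> list:
    """Return (control title, assertion description, passed) for every assertion."""
    results = []
    for control in policy.controls:
        for assertion in control.assertions:
            results.append((control.title, assertion.description, assertion.check(inventory)))
    return results


def failures(results: list) -> list:
    """Filter evaluation results down to the assertions that did not pass."""
    return [r for r in results if not r[2]]


def inventory_from_rpm() -> set:
    """Collect installed package names on an RPM-based host (e.g. Amazon Linux)."""
    proc = subprocess.run(
        ["rpm", "-qa", "--qf", "%{NAME}\n"], capture_output=True, text=True, check=True
    )
    return set(proc.stdout.split())


# Constructed sample inventory for offline runs; it violates the control on purpose.
CONSTRUCTED_INVENTORY = {"bash", "openssh-server", "isc-dhcp-server"}


def main() -> int:
    try:
        inventory = inventory_from_rpm()
    except (FileNotFoundError, subprocess.CalledProcessError):
        inventory = CONSTRUCTED_INVENTORY
    results = evaluate(AMAZON_LINUX_2022_BASELINE, inventory)
    for title, description, passed in results:
        print(f"[{'PASS' if passed else 'FAIL'}] {title}: {description}")
    # A non-zero exit is what a CI pipeline uses to fail the build on a policy violation.
    return 1 if failures(results) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pipeline step, the script's exit status is the whole interface: a scanner such as cnspec plays the same role with far richer resource types, but the shape (policy as reviewable data, assertions evaluated against live inventory, build fails on any miss) is what closes the gap between work-as-imagined and work-as-done.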

Tool Survey

An Incomplete DevOps Security Tools Survey
Dependencies: Snyk, Sonatype, Dependabot, Veracode
Inventory: Puppet / Chef, AWS Systems Manager, cnquery, Qualys
Policy as code: Inspec, Checkpoint, Conftest, Sentinel, cnspec
IaC Checkers: Terrascan, Tfsec, Checkov, Conftest, cnspec

cnquery & cnspec
cnquery (currently in Beta! Ask for an invite!): an open source, cloud-native tool that answers every question about your infrastructure. It provides quick insights into every major technology platform used by developers and DevOps teams today.
cnspec (coming soon): an open source, cloud-native tool that assesses the security of your entire infrastructure. It scans every major technology and tells you where there are gaps that hackers can use to breach your systems.

About Me
Twitter: @JefrsonStarChip
LinkedIn: https://www.linkedin.com/in/jeffersonstarchip/
Email: [email protected]
Chip Johnson is a Product Manager at Mondoo, focused on making tools you'll love. He's been a part of the DevOps community since 2010, and making and breaking things on the internet since 1993. He most recently held positions at Auth0, Sonatype, and Chef Software.

Thank you!