We have free passes for those who’d like to come to DevOps Connect: Rugged DevOps at RSA Conference starting on February 29, 2016. Read the article, Get a Free Pass to DevOps Connect: Rugged DevOps at RSAC, register for your pass and we’ll see you there.
Here’s a chance to fill up your dance card for DevOps Connect: Rugged DevOps at RSAC on February 29. We’ve set up a complete track of #NothingButDevOps for this event. Anyone attending RSAC has a complimentary pass to the event. Need a dance partner? Check this out.
Speakers: Joshua Corman (Sonatype) and John Willis (Docker)
Session Time: 9:00am – 9:30am
Speakers: Jez Humble (JezHumble.net) and Nicole Forsgren (Chef Software)
Session Time: 9:30am – 10:00am
Three years, 20,000 DevOps professionals, and some science… What did we find? Well, the headline is that IT *does* matter if you do it right. With a mix of technology, processes, and a great culture, IT contributes to organizations’ profitability, productivity, and market share. We also found that using continuous delivery and lean management practices not only makes IT better — giving you throughput and stability without tradeoffs — but it also makes your work feel better — making your organizational culture better and decreasing burnout.
Jez and Nicole will share these findings as well as tips and tricks to help make your own DevOps transformation awesome.
2015 in Review: Major Failures in Public Safety and Privacy
Speaker: Kim Zetter (Wired)
In 2015, Kim Zetter, Senior Reporter at Wired, covered major cyber security and privacy failures including “The US Office of Personnel Management’s Struggle to… Manage”, “Ashley Madison Cheaters Were Cheated Out of Their Privacy”, “Gemalto’s Rapid Response to Hack Was a Little Too Rapid”, “Hillary Clinton’s Server”, “Everything We Know About Ukraine’s Power Plant Hack” and “Secret Code Found in Juniper’s Firewalls Shows Risk of Government Backdoors”. This session will look at the people, companies, and events having the most epic security and privacy fails in 2015—and what we can expect to see in 2016.
Kim’s session will lay the groundwork for the afternoon track, where we’ll talk about the need for better, more secure software and development practices through Rugged DevOps and automation of the Software Supply Chain.
Seven Habits of Rugged DevOps
Speaker: Amy DeMartine (Forrester)
Today’s cybercriminals are highly skilled, resourceful, and very determined. Vulnerabilities such as web server misconfigurations or components that include known vulnerabilities give cybercriminals the opportunity to exploit them. Application developers and infrastructure and operations (I&O) pros are uniquely positioned to aid Security and Risk (S&R) pros in closing these vulnerabilities as well as increasing overall cybersecurity by including security practices as a part of DevOps.
Senior Analyst Amy DeMartine will share seven habits every DevOps team needs to embrace to be highly successful at Rugged DevOps.
Applying DevOps Principles to Address Dynamic Changes in Cybersecurity
Speakers: Hasan Yasar (CMU) and Aaron Volkman (CMU)
It is well known in the software development community that implementing DevOps improves outcomes throughout the entire scope of software delivery. DevOps principles focus on helping organizations deliver business value as quickly and consistently as possible. While DevOps principles advocate for improving the coordination between development and operations teams, they can be adapted for any number of domains. The key components of DevOps we want to emulate across other domains are: a) collaboration between project team roles, b) infrastructure as code, c) automation of tasks & processes, and d) intelligent monitoring of applications and infrastructure.
In this talk we will explore how to apply DevOps to the Cybersecurity domain to address dynamic threats and provide after-the-fact situational awareness. In the same way that advances in software development methodologies were gleaned from DevOps best practices, we can apply lessons learned from DevOps into the Cybersecurity Domain in order to enable efficient cyber-operational behaviors, develop automated processes that respond to potential threats or compromised networks, and use collaboration principles to best decide how to respond to new threats.
Panel: “DevOps Engagement: Politics, People and Process”
Panelists: Paula Thrasher (CSRA), Chris Corriere (Auto-Trader), Cornelius Roberts (Cyber Security Defense Lead), J. Wolfgang Goerlich (Creative Breakthroughs) w/ moderator Chenxi Wang (TwistLock)
DevOps takes more than a plan to implement. It takes creating change at all levels within the enterprise. In this panel discussion, Chenxi Wang talks with four practitioners on what it took to get DevOps engagement at all levels of an organization through the use of the three Ps: Politics, People and Process.
The Journey to DevSecOps
Speaker: Shannon Lietz (Intuit)
This is the end of security as we know it! The introduction of DevOps has changed software development so significantly that there is no going back and now security must change or fail entirely. Join in this lively discussion about the experiments that led to a new way of achieving security at speed and scale.
During this talk, you’ll learn about some of the decisions that have led to true security transformation and discover how one enterprise has taken the challenge of becoming a Rugged Software shop.
Transformation by Compliance
Speaker: Justin Arbuckle (Chef)
It is in fact easy to adopt new approaches (to anything) in large organisations. The pattern appears to be the creation of a new unit or division purpose built to be ‘innovative’ or ‘disruptive’. It is, however, less easy to re-integrate the new shiny into the old and dull legacy operations. Often concerns around compliance are foremost. In this talk, I will explain why the pattern is wrong and how confronting compliance issues early actually accelerates your transformation.
Release Engineering’s Role in Rugged DevOps
Speaker: J. Paul Reed (Consultant)
Many of the problems security engineers face when attempting to audit and secure the software their organizations ship are created upstream, in the way those products are built and released. Responsibility for those details has long lived with release engineers, but like the security community, they are often seen as the “folks with the black binders, running around, saying ‘no.’”
The Rugged DevOps movement reframes these longstanding historical problems which span these two disciplines, so it’s important for these groups to understand each other’s role and, more importantly, the potential intersectionality between their work in this emergent area.
In this talk, we’ll introduce release engineering’s role, how it relates to the software delivery process/pipeline and security, and explore that intersectionality between them all.
Silver Linings for Miles: DevOps for Building Secure Solutions
Speakers: Andrew Becherer (DataDog) and Zane Lackey (Signal Sciences)
DevOps and Agile development processes are popular objects of derision among the cool kids of application security. It turns out that many of these supposed disadvantages have very useful effects on our ability to engineer and operate secure services. This talk will cover two of the primary defects turned advantages.
Security War Games
Speaker: Sam Guckenheimer (Microsoft)
You’re already breached, you just don’t know it. Today’s hacks are based on sophisticated moves by professionals who have jumped the perimeter, and you need to defend your site in depth. The tiniest vulnerabilities can be chained into complex moves that compromise privacy, identity and reputation. One of the best techniques is to assume you are breached and regularly hack from the inside, while your site reliability engineers try to detect the hacks in progress. Build regular practice into your DevOps cadence.
Lean Security: Add Business Value without Bringing Waste
Speakers: Ernest Mueller (AlienVault) and James Wickett (Signal Sciences)
Moving fast is a business imperative that you can’t afford to be in opposition to. Lean, DevOps and Continuous Delivery philosophies hinge on the ability to move fast through collaboration, automation, and aligning with the flow of the organization. Security needs to be able to make the same transformation.
As a concrete example of applying these approaches to security, we will show how an Attack Driven approach to DevOps increases transparency and visibility throughout the organization and pairs with the high-throughput philosophies of DevOps and Continuous Delivery. We will engage in defensive systems thinking to change the attack landscape in our favor, while working with the way the business functions and not against it.
- Understand the Lean, Agile, and DevOps techniques emerging in organizations today
- Be armed with organizational strategies for bridging DevOps and security
- Take a defensive systems thinking approach to operations (and development)
- Apply the right detection and monitoring with real-world examples
Architectures, Design Patterns, and Coding for Rugged DevOps at Scale
Speaker: Rich Mogull (Security Editor of TidBITS)
It’s one thing to integrate Rugged DevOps into a project, but it’s an entirely different game to run it at scale. Or to use DevOps principles as the foundation for your entire security program. In this session, based on work with multiple large organizations and in our own projects, we will show some technical foundations for going Rugged at scale. We’ll review design patterns for security automation, logging, and other essentials, demonstrate code for managing and integrating Rugged DevOps into the enterprise, and talk about some of the annoying little quirks that make it all just a little bit more difficult than it should be. (Note: demonstrations will be on AWS and code will be in Ruby).
The R.O.A.D. to Rugged DevOps for a Major Airline
Speaker: Dan Glass (American Airlines)
DevOps presents one of the most exciting advancements in IT delivery to date – bringing to fruition the promises of virtualization and automation that many enterprises have struggled to deliver. For IT Security, DevOps presents a unique opportunity to erase some of the most vexing challenges that either increase the risk of an organization or make IT Security a roadblock to progress. However, simply adopting DevOps is not a panacea and IT Security organizations must alter their security strategy to allow for the DevOps culture to flourish.
The R.O.A.D. to security is a comprehensive strategy that can help a security program enable innovation, adapt to emerging threats, and continuously improve security controls.
Posted by Mark Miller