Live blog from DevOps Connect – get the slides now by emailing email@example.com
Note: this page does not auto-refresh
It is time for me to sign off. The Rugged DevOps sessions at DevOps connect were, well rugged. They brought reality to DevOps implementations and make sure security plays the role that it needs to in application development. I encourage you to get all the slides. And enhance your journey to fast paced AppSec in a modern software world.
@zanelackey and Andrew Becherer of DataDog explore what they would tell their pre-DevOps selves.
They found out at Etsy quickly that visibility was key. “You can fly a plane without instruments” but you probably do not want to. Decentralized visibility was the number one lesson learned. And security cannot live in isolation.
In DevOps some wonder if release automation is a function that will persist, J Paul Reed @jpaulreed is going to explain how release engineering fits in DevOps or becomes DevOps.
Release engineers are often seen as the “no” department, but it does not need to be. And if we keep saying no then they will stop asking. This is true for security as well.
And like security, people only care when it breaks. Otherwise release engineering is transparent. But he believes that the market is starting to get it. Might have been the result of the high volume of hacks in the news.
“Don’t download msvcr100.dll !” – vulnerable libraries individually seem easy to address. But as they propagate, it is a huge issue. And it becomes release engineerings job to stop it.
he believes that security an release automation are in a similar boat. And he urges the teams to unit and surface the challenges to the entire team.
Now Stephan @stephanchenette gets into the specifics of how to build security controls around attack models.
“My talk is a little more straight forward” – yes please
Risk = impact * likelihood so if you spend time addressing impact of attacks, you reduce risk. Don’t just fix the problem. Identify the attackers and their techniques and build an advisory playbook.
A continued theme is to treat security as code. Test your security controls, even build security control unit tests.
To reduce impact prioritize assets by their level of risk. High value targets. Prioritize your controls. Perhaps not all are worth added attention. Now automate down the list.
Check out his slides where he gives examples of the types of attack and example of attack modeling. Shows the entire path of an attacker. Great stuff.
My only question is the resources required to build the playbook and maintain the automation. But in any case it is a strong strategy to broadside security risks.
Justin @dromologue from Chef, will hopefully explain how compliance can or cannot fit into DevOps.
He explains the rabbit hole of just adding lists to lists. Just adding more and more details. Rather he says we should focus on rules, rules that test us, but by doing so make us better.
“Be as good at compliance as you are code”
He is exploring an idea that he calls Compliance at Velocity. It seems to be a fantastic framework. But I think the problem remains, you can’t just walk into your office tomorrow and take over security and compliance. In a large enterprise security is not in the control of a single motivated individual. You have to start somewhere.
We are back from lunch and we start with Shannon @devsecops from Intuit to talk about DevOps – driven by need not desire. “If you are going to do something, do it well, do it early, do it rugged”.
Intuit as you know comes from the financial services space. A space no stranger to security needs.
To Shannon you must get real first. Mistakes will happen. Compliance is no security. And focusing only on reaction is expensive!
She explains that the Security Operations teams need to share all that they know with DevOps. Helping them help you. New to me was the ratio she showed that on average for every 100 developers their are 10 operations people and only 1 security person. This is crazy to think about.
Shannon is doing a great job explaining that the journey is messy. And it is hard. The two tips she gave that I really liked was building a security services API and “a red team” testing your application as a hacker would.
Amy DeMartine from Forrester is going to share the 7 steps she has identified from interviews in rugged DevOps.
While DevOps is scary for security teams. It does support faster remideation. Smaller units of delivery are easier to test and identify. But you have to do the same with security procedures and road maps. The detailed plans just end up in a drawer anyway.
She advocates building product teams that include all the stakeholders. Embrace your personas but understand the impact of your POV.
Kim Zetter from Wired is starting a fun chat on the best hacks of 2015.
Every year the types of hacks increase in volume and impact. The 2015 winner for worst hack was to the US office of personnel management. Which was not just data on individuals but networks of individuals. The lack of awareness and preparedness by the department is shocking.
Ashley Madison was a form of a ransom attack. But a very unique one. We forget the exposing of internal emails. One of which implied their own hacking initiatives.
Even security vendors are not safe. Kaspersky and Junipers firewall made headlines. The later was a battle ground for control over a extended period.
Kim goes on to explore several interesting stores – email firstname.lastname@example.org for instant slide decks – what she highlighted is that every time we do a software release their is risk of becoming one of these stories. So DevOps simply cannot survive without AppSec.
@damonedwards a DevOps consultant – here we go. Now we get real with security.
How do we Shift Left? Those whole build it need to define how to fix it Developers put your thinking cap on! But are developers ready to be on call – do they even know what production looks like?
He suggests you should build a portal. Give everyone visibility. Finding ways to share and offer self service is going to help Ops from feeling all the pressure.
He also says to treat Ops procedures as code. Why not teat the process of delivery the same as an application.
He notes that in order to be successful, integration between all your tools is critical. The Ops stack helps everyone know what is going on and contribute to helping identify and solve issues. Follow the steps and you can Shift Left without calling it DevOps.
Jez – “how many of you are new to DevOps” – about 1/6 of the crowd raised their hand. That is awesome.
They have worked with Puppet Labs to run an annual DevOps study. Which by the way has fantastic data, but seems to attract only respondents who already know DevOps and scripted infrastructure. I think they are about to prove me wrong. They are going to dive into some specifics of that data they collected.
Starting with quantifying culture, which is extremely hard. But culture is a term heavily used in DevOps, so for the skeptics the ability to see it’s impact helps justification. They offered a tool to measure culture internally. I think it would be interesting for organizations to do this as a part of a way to not only measure how their tool chain improves, but also how their team does.
To everyones surprise they can show that the organizations who are most efficient (go faster) are also more able to respond to issues and be more secure. And becasue efficiency comes from happier people, culture cannot be ignored.
We are guilty of thinking of speed as a trade off with security. But the science says otherwise.
Kickoff by Alan Shimel of @DevOpsDotCom and Mark Miller of Sonatype. “Assembling Heroes” is the theme of todays show – it is time to talk about real-world implementations of AppSec in DevOps environments.
Up now “Guns, Germs, and Micro services” with @joshcorman and John Willis . “DevOps is not going away guys”. The reality is everyone is a software company, and whoever is best at software wins. Which means DevOps is not going away. But the human element, culture, habits, is very hard to change.
This is not new technology, historically adoption has been just as bloody. It is a story of the have and have nots. There will be those that resist change, and those who seek a feedback loop, and to leverage tools to move the needle forward.
John focuses on feedback loops. He calls it Cybernetic Feedback Loops. And it is the key to moving faster. But speed by itself could be dangerous. And he now starts to relate speed and feedback to micro services, containers, and of course Docker. A topic where security is commonly sighted as a serious weakness.
John does not address the security concerns, with this audience might have created more. But he does validate the benefit and the convergence of containers and immutable infrastructure with traditional infrastructure management and supply chains. He uses examples from the unicorns in DevOps Google, Netflix etc.
In my opinion we all know who they are, and what they do is not relevant to most. We need to hear from stories about none tech companies. And non-bottom up DevOps applications. The benefits are easily understood. The how, is where a lot of organizations fall flat. I hope to hear more on that today.
Josh ties it all together. He uses the supply chain analogy to show that all the components (which containers are just a component) can be analyzed and policed as apart of any automation. I like the term he uses “software hygiene”.
Good morning from San Francisco. And welcome to the second annual DevOps Connect: Rugged DevOps – at the RSA conference.
Security and DevOps? It might seem like a contradiction, but arguably there is no DevOps without understanding AppSec. DevOps environments without security are destined to remain with Dev only. Their is no way to consider faster software delivery without addressing how it impacts the organizations risk.
Devs, put down your weapons and realize that thinking infrastructure and security first benefits you as well, not just operations. Anymore developers are accountable for the security of their code. If you store or transport passwords in clear text, you are beyond fired, remember Ashley Madison?
At DevOps Connect we will hear from the pros on how enterprise’s embrace speed and stability at the same time. And work security into their continuous software delivery chain.
Watch the Live Stream Here
Latest posts by Chris Riley (see all)
- DevOps Connect: Rugged DevOps at RSA - February 29, 2016
- Is SecOps, DevOps? - January 6, 2015
- Maven Component Management Brings QA Automation to Life - December 3, 2014
- Components as Process - October 20, 2014
- The DevOps Pipeline: People, Process, and Tooling – New Series - September 9, 2014