The third annual “DevOps Connect: DevSecOps” held at RSA Conference 2017 shows just how far DevOps has matured in recent years, from IT subculture to mainstream practice. In the presentations in this slide show, you’ll see firsthand accounts of enterprises that have transformed legacy methodologies into DevOps practices, building healthier cultures and, of course, more secure software.
Breaking Bad Equilibrium
John Willis
In DevOps we try to identify and fix bad equilibrium. We constantly look for discontinuity in the areas of technical debt, collaboration, risk and work-life balance. In this presentation, John Willis looks at other fields that have successfully addressed equilibrium and discontinuity in their own domains, drawing on behavioral economics, cognitive psychology and game theory. He also has some fun with a few pop culture books, movies and game shows as examples of bad and/or Nash equilibrium.
You can see this presentation here.
Building Security In: A Tale of Two Stories
Laksh Raghavan
The holy grail for software security professionals is to make their development teams treat functional and non-functional requirements as equal citizens. This becomes even more challenging in “agile.” Wouldn’t it be great if you had a quick and easy means by which you can write pertinent and actionable “security stories” and place them into the backlog of all your scrum teams so that they can get prioritized and completed along with “user stories”? The challenge, however, is making this scalable and seamless in a large enterprise with diverse sets of frameworks, application stacks and programming languages. In this talk, Raghavan shares tales from the trenches of implementing such a system—what worked, what proved challenging and the associated outcomes.
You can see this presentation here.
DevOps and Security: What We’ve Learned from the 2016 State of DevOps Report
Dr. Nicole Forsgren & Jez Humble
Four years and more than 20,000 survey respondents later, Forsgren and Humble have learned a lot about what makes IT and organizational performance awesome. They also have learned some things about the role that security plays in technology transformations. Their latest research includes insights into trunk-based development, lean product management and employee engagement. Watch this talk for practical takeaways that will make your teams and technology transformations even better.
You can see this presentation here.
Where Bits and Bytes Meet Flesh and Blood: DevOps, Cybersecurity and IoT
Joshua Corman
We’ve heard software is eating the world. Corman says software is infecting the world. Our dependence on connected technology is growing faster than our ability to secure it—in areas affecting public safety and human life. Adding millions of lines of code and connecting everything to everything else exposes cyber-physical systems to new accidents and adversaries, Corman contends in this talk. This is truly where bits and bytes meet flesh and blood.
Despite best practices, modern software development and security have allowed 100 of the Fortune 100 to lose intellectual property and sensitive information—even our governments routinely succumb to adversaries. These failure rates cannot stand with the consequences of failure being measured—not in record count—but in human lives and GDP. Paradoxically, Corman says, it may take DevOps to rise to these challenges. Rugged DevOps is finding un-obvious common ground and breakthroughs like software supply chain principles, greater visibility and response agility, and immutable infrastructure. Corman says we must be better, and provides his view of what better looks like.
You can see this presentation here.
The Intersection of Release Engineering and Rugged DevOps
Paul Reed
At RSAC 2016, Reed discussed release engineering’s role in rugged DevOps, focusing on how it relates to software delivery supply chains and the increasingly critical topic of security and security management.
This year, J. Paul Reed explores what we’ve learned in the past year about the intersection of release engineering and rugged DevOps.
He takes a deeper dive into specific release engineering techniques and tools that can not only start you on the path to effectively managing your software supply chain, but also pay concrete dividends in improving your software’s security posture and help you remediate issues more quickly when a security issue arises.
He also explores some nascent trends on the frontier of software delivery and security management, including the role of human factors and systems safety in the broader context of fast, sustainable and, yes, secure delivery of increasingly critical software components in our society.
You can see this presentation here.
Next Gen Security Needs You!
Shannon Lietz
Next-generation software deserves security from the start and better collaboration to effectively reduce the real risks posed by attackers. Some might say this is heresy, but given the endless trend of security breaches from traditional methods, likely not. The ideal state of security has always been to achieve continuous improvement or level 5 maturity. By this very intention, security has always been a significant factor in the production of software but relatively difficult to commoditize because of its complexity.
Using DevSecOps methods and principles, simplicity and high-fidelity controls are emerging within the software industry to help organizations forecast and react faster to attackers. Lietz’s talk provides an essential road map for security practitioners on how to bring DevSecOps to their organization and avoid the common pitfalls that early adopters have already run into.
You can see this presentation here.
Implementing DevOps in a Regulated Environment: The Aetna Experience
Duane Schleen
One of the big challenges organizations are facing is how to introduce DevOps principles to regulated industries. Industries such as health care or financial services must adhere to stringent security and governance controls, which often make it difficult to adopt new technology stacks such as DevOps and containerization. If you have adopted an agile approach to software development and have plans for moving to DevOps, microservices and containerization, what processes do you follow to avoid compliance missteps? This talk shares Aetna’s journey of modernizing its application stacks and infrastructure.
Schleen covers which considerations went into the design and selection of the DevOps methodologies, which applications were moved to microservices and containerization first and what was observed as a result. Schleen also covers how security departments can help the business understand the advantages of DevOps and containers—removing fear rather than adding fear. Finally, Schleen details the experience of architecting security across a rapidly changing application environment, and how continuous integration and continuous monitoring can go hand in hand in delivering application agility, but also security vigilance and competency.
You can see this presentation here.
Ops Happens: DevOps After Deployment
Damon Edwards
Listen to enough DevOps conference talks and it all starts to sound like: “deployment, deployment, deployment.” But what happens after deployment? What does DevOps mean for other traditional enterprise operations activities such as incident response, problem management and compliance?
Damon Edwards tackles these questions in this session. Here, Edwards examines what happens when the “go fast” ethos of DevOps-inspired delivery teams meets the “be stable, be secure, be compliant” mandate of traditional enterprise operations organizations.
Edwards also identifies DevOps-inspired principles and practices being leveraged by high-performing enterprises that are currently transforming their operations organizations.
You can see this presentation here.
Requirements Gathering for a Successful Rugged DevOps Implementation
Hasan Yasar
Secure coding practices must be included in the application development life cycle to produce rugged software. Yet each organization’s development pipeline and applications differ from everyone else’s. Successful implementation of rugged DevOps also requires preparation: organizational culture, security policy, development platform, application technical stack, operational team involvement and, foremost, secure coding practices. The questions are: how to assess, what to identify as the bottleneck, whom to train on what, what to measure and, finally, how to monitor. Then, build your customized integrated DevOps platform where you can build a rugged application along with other quality attributes such as compliance, security testing and performance monitoring.
The burgeoning DevOps movement includes a number of concepts that can be applied to increasing the security of developed applications. These include adding risk-based architectural design and automated security testing techniques such as fuzz testing and software penetration testing to the software development cycle or the continuous integration cycle. Applying these and other DevOps principles can have a big impact on creating an environment that is resilient and secure. In this session, Yasar explains how his company figured out the right requirements and how you can apply the same approach to rugged DevOps in your own organization.
You can see this presentation here.
Getting Security Up to Speed
Oleg Gryb
So, you’ve adopted an agile software development life cycle and your DevOps team runs continuous integration/continuous deployment. But what about security? If you haven’t yet figured out how to speed up your security processes, they can easily become a bottleneck and slow down the whole software development process. Gryb shows how to avoid this.
Gryb discusses how to replace old security processes with new ones, and how to add security automation tools that reuse existing quality assurance test cases.
You can see this presentation here.
Scaling Rugged DevOps to Thousands of Applications
Tim Chase, Aaron Rinehart, Jeff Williams
Most of the talks on rugged DevOps are trivial. Write a script to hook up your scanner to Jenkins, and your WAF to your SIEM, feed the results to developers via JIRA, and claim victory. If you have multiple tools, maybe push the results into ThreadFix. But very quickly your cup will runneth over with vulnerability reports that need to be manually triaged. If you try to scale, you’ll need a dump truck and an army. If you want to really scale rugged DevOps, you need to get the humans out of the critical path.
In this talk, the trio explores how large enterprises handle this challenge by instrumenting their application portfolio, assessing and protecting applications in parallel, and building integrations that notify stakeholders directly and instantly. The result is continuous protection during both development and operations.
You can see this presentation here.