Amy DeMartine - 7 Habits of Rugged DevOps


Transcript of Amy DeMartine - 7 Habits of Rugged DevOps

Page 1: Amy DeMartine - 7 Habits of Rugged DevOps

Amy DeMartine

Seven Habits of Rugged DevOps

Page 2: Amy DeMartine - 7 Habits of Rugged DevOps

© 2015 Forrester Research, Inc. Reproduction Prohibited 2

Security breaches seem to be getting worse not better…

Page 3: Amy DeMartine - 7 Habits of Rugged DevOps


Lack of application security is systemic

› 3rd party software is used with latent vulnerabilities

› Use of unsafe development methods

› Inability to quickly fix security issues as they arise

› Misconfigured application supporting systems

Page 4: Amy DeMartine - 7 Habits of Rugged DevOps


Source: “DevOps Makes Modern Service Delivery Modern” Forrester report.

Old method: no coordinated effort, oftentimes too little too late in the life cycle

New method: security visibility across development life cycle to decrease discovery and remediation time

Page 5: Amy DeMartine - 7 Habits of Rugged DevOps


DevOps uses integrated product teams

Page 6: Amy DeMartine - 7 Habits of Rugged DevOps

Security and Risk pros

Infrastructure and Operations pros

Developers

Can Take Advantage Of DevOps To Increase Application Security

Page 7: Amy DeMartine - 7 Habits of Rugged DevOps

Habit 1: Increase Trust And Transparency Between Dev, Sec, And Ops

Page 8: Amy DeMartine - 7 Habits of Rugged DevOps


Stereotypes hold us back…

Infrastructure & Operations: Department of NO

Application Development: Department of Anything Goes

Security and Risk: Department of Persistent Nagging

Page 9: Amy DeMartine - 7 Habits of Rugged DevOps


Learn To Talk About Security Issues In Their Language…

Infrastructure & Operations: outages, performance glitches

Application Development: unplanned, unscheduled work

Security and Risk: breaches, vulnerabilities

Page 10: Amy DeMartine - 7 Habits of Rugged DevOps

Habit 2: Understand The Probability And Impact Of Specific Risks

Page 11: Amy DeMartine - 7 Habits of Rugged DevOps


Increase knowledge

› Increase visibility into security issues

› Make Dev and Ops part of the conversation

› Use real-life examples… discuss

Page 12: Amy DeMartine - 7 Habits of Rugged DevOps

Habit 3: Discard Detailed Security Road Maps In Favor Of Incremental Improvements

Page 13: Amy DeMartine - 7 Habits of Rugged DevOps

Discard detailed security roadmap

Create a vision instead

Example vision: We will improve cybersecurity by having real-time actionable measurements and data across the life cycle to decrease remediation time for discovered vulnerabilities

Page 14: Amy DeMartine - 7 Habits of Rugged DevOps


Source: “Embrace Deming's PDCA Cycle To Continuously Optimize Modern Service Delivery” Forrester Report

Learn to incrementally improve

Page 15: Amy DeMartine - 7 Habits of Rugged DevOps

Habit 4: Use The Continuous Delivery Pipeline To Incrementally Improve Security Practices

Page 16: Amy DeMartine - 7 Habits of Rugged DevOps


Source: “The Seven Habits Of Rugged DevOps” Forrester report

Page 17: Amy DeMartine - 7 Habits of Rugged DevOps

Habit 5: Standardize Third-Party Software And Then Keep Current

Page 18: Amy DeMartine - 7 Habits of Rugged DevOps


1 out of every 16 open source component download requests is for a component with a known vulnerability

97% of the successfully exploited vulnerabilities in 2014 trace back to 10 common vulnerabilities and exposures, eight of which have been patched for 10 to 12 years

90% of code in modern applications is open source

31% of companies have had or suspect a breach in an open source component

Page 19: Amy DeMartine - 7 Habits of Rugged DevOps


Tackling the risk of 3rd party software including open source

› Use new components

› Use components that do not have any reported CVEs

› Create component library

› Reduce number of versions of a single component

› Don’t forget middleware, OS, network, database, and performance management tools

› Use continuous delivery pipeline tools to catalog which 3rd party software is used and where it’s located

And when a vulnerability is identified, use the continuous delivery pipeline to find all affected applications, quickly generate a fix and deploy
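The catalog-then-find-affected step described on this slide, as an added example that is not part of the deck or of any Forrester material: a build-time inventory of which third-party components each application ships, a lookup of every application that carries a version below an advisory's fixed version, and a report of version sprawl (the same component in use at several versions). The inventory, the application and component names, and the advisory entries are all constructed for the example; the advisory identifiers are placeholders standing in for real CVE numbers.

```python
"""Added example (not from the Forrester deck): catalog which third-party
components each application ships, find every application affected by a
newly reported vulnerable component, and report version sprawl.

All inventory data and advisory entries are constructed for the example;
the component and application names are placeholders."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory, the kind of data a CD pipeline can record at build
# time: application -> list of (component, version) it was built with.
INVENTORY: Dict[str, List[Tuple[str, str]]] = {
    "billing-api":     [("libxml-ish", "2.9.1"), ("json-parser", "1.4.0"), ("web-fw", "3.2.0")],
    "customer-portal": [("json-parser", "1.2.3"), ("web-fw", "3.2.0"), ("tls-lib", "1.0.1")],
    "batch-worker":    [("json-parser", "1.3.5"), ("tls-lib", "1.0.2")],
    "reporting":       [("libxml-ish", "2.9.4"), ("web-fw", "3.2.0")],
}

# Constructed advisories: id -> (component, first fixed version). Every
# version below the fixed one is treated as affected. "ADVISORY-PLACEHOLDER-n"
# stands in for a real CVE identifier, which this example does not have.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "ADVISORY-PLACEHOLDER-1": ("json-parser", "1.4.0"),
    "ADVISORY-PLACEHOLDER-2": ("tls-lib", "1.0.2"),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.9.1' into (2, 9, 1) so versions compare numerically, not lexically
    (a plain string compare would rank '1.10.0' below '1.9.9')."""
    return tuple(int(p) for p in v.split("."))


def find_affected_apps(inventory: Dict[str, List[Tuple[str, str]]],
                       advisories: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each advisory to the sorted list of applications shipping an affected version."""
    affected = defaultdict(list)
    for app, comps in inventory.items():
        for comp, ver in comps:
            for adv_id, (adv_comp, fixed) in advisories.items():
                if comp == adv_comp and parse_version(ver) < parse_version(fixed):
                    affected[adv_id].append(app)
    return {adv_id: sorted(apps) for adv_id, apps in affected.items()}


def version_sprawl(inventory: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Components in use at more than one version; each extra version is one more
    thing to rebuild and redeploy when an advisory lands."""
    versions = defaultdict(set)
    for comps in inventory.values():
        for comp, ver in comps:
            versions[comp].add(ver)
    return {comp: sorted(vs, key=parse_version)
            for comp, vs in versions.items() if len(vs) > 1}


if __name__ == "__main__":
    for adv_id, apps in find_affected_apps(INVENTORY, ADVISORIES).items():
        print(f"{adv_id}: rebuild and redeploy {', '.join(apps)}")
    for comp, vs in version_sprawl(INVENTORY).items():
        print(f"{comp}: {len(vs)} versions in use ({', '.join(vs)})")
```

The inventory is the piece the pipeline has to produce; once it exists, answering "which applications are affected" is a lookup rather than an investigation, and the sprawl report shows where standardizing on one version would shrink the next response.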

Page 20: Amy DeMartine - 7 Habits of Rugged DevOps

Habit 6: Govern With Automated Audit Trails

Page 21: Amy DeMartine - 7 Habits of Rugged DevOps


Automated tools create an audit trail…

› Each tool in the continuous delivery pipeline includes tracking and logging

› Ability to know exactly who (attackers, developers, I&O pros, S&R pros, users) performed what change and when

Protect IP and flag potential insider threat automatically without ruining the collaboration

Page 22: Amy DeMartine - 7 Habits of Rugged DevOps


Source: “DevOps Makes Modern Service Delivery Modern” and “The Seven Habits Of Rugged DevOps “ Forrester reports

1. Create automatic security alerts

2. Flag high risk changes

3. Enable proper authentication and authorization on all systems

4. Track drift across development, testing, and production environments

5. Define security based quality gates

Protect IP and flag potential insider threat automatically without ruining the collaboration
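Items 2 and 4 above, flagging high-risk changes and tracking drift across environments, as an added example that is not part of the deck: a constructed audit trail (one JSON object per change, as a pipeline tool might emit it) is parsed, each change is checked against two simple rules, and the changes are replayed per environment onto a common baseline so that drift between dev, test and prod can be listed. The log format, field names, actor names, configuration keys and the risk rules are all assumptions made for this example; real pipeline tools have their own schemas.

```python
"""Added example (not from the Forrester deck): read a constructed audit trail
from pipeline tools, flag high-risk changes, and report configuration drift
across development, testing and production environments."""
import json
from typing import Dict, List

# Constructed audit-trail lines: one JSON object per change. Actors, keys and
# values are placeholders; "via" records the path the change took.
AUDIT_LOG = """
{"ts": "2015-06-01T09:12:00Z", "actor": "dev-alice", "env": "dev", "key": "app.log_level", "old": "info", "new": "debug", "via": "pipeline"}
{"ts": "2015-06-01T10:03:00Z", "actor": "ops-bob", "env": "prod", "key": "tls.min_version", "old": "1.2", "new": "1.0", "via": "pipeline"}
{"ts": "2015-06-01T22:41:00Z", "actor": "ops-carol", "env": "prod", "key": "app.feature_flag_x", "old": "off", "new": "on", "via": "ssh"}
{"ts": "2015-06-02T11:20:00Z", "actor": "dev-dave", "env": "test", "key": "auth.session_timeout", "old": "900", "new": "86400", "via": "pipeline"}
"""

# Assumed baseline every environment started from.
BASE_CONFIG = {
    "tls.min_version": "1.2",
    "auth.session_timeout": "900",
    "app.log_level": "info",
    "app.feature_flag_x": "off",
    "app.name": "portal",
}

# Assumed set of key prefixes whose change always deserves a second look.
SENSITIVE_PREFIXES = ("auth.", "tls.", "iam.")


def parse_audit_log(text: str) -> List[dict]:
    """One event per non-empty line; a malformed line is reported, not silently dropped,
    because a gap in the audit trail is itself a finding."""
    events = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"audit line {n} is not valid JSON: {exc}") from exc
    return events


def flag_high_risk(events: List[dict]) -> List[str]:
    """Apply the two rules to each event and return one reason string per flagged change."""
    flags = []
    for e in events:
        reasons = []
        if e["key"].startswith(SENSITIVE_PREFIXES):
            reasons.append("security-sensitive setting")
        if e["env"] == "prod" and e["via"] != "pipeline":
            reasons.append("production change outside the pipeline")
        if reasons:
            flags.append(f"{e['ts']} {e['actor']} {e['env']} {e['key']} "
                         f"{e['old']}->{e['new']}: " + "; ".join(reasons))
    return flags


def build_snapshots(base: Dict[str, str], events: List[dict]) -> Dict[str, Dict[str, str]]:
    """Replay the audit trail per environment onto the baseline to get current state."""
    snapshots = {env: dict(base) for env in ("dev", "test", "prod")}
    for e in events:
        snapshots[e["env"]][e["key"]] = e["new"]
    return snapshots


def detect_drift(snapshots: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Keys whose value differs between environments, or that exist only in some of them."""
    keys = set().union(*(s.keys() for s in snapshots.values()))
    drift = {}
    for k in sorted(keys):
        values = {env: s.get(k, "<missing>") for env, s in snapshots.items()}
        if len(set(values.values())) > 1:
            drift[k] = values
    return drift


if __name__ == "__main__":
    evts = parse_audit_log(AUDIT_LOG)
    for f in flag_high_risk(evts):
        print("HIGH RISK:", f)
    for key, per_env in detect_drift(build_snapshots(BASE_CONFIG, evts)).items():
        print("DRIFT:", key, per_env)
```

Both reports come from the same trail, which is the point of the habit: the log that tells you who changed what and when is also what lets you notice a production change that bypassed the pipeline, or a test environment that no longer matches what will ship.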

Page 23: Amy DeMartine - 7 Habits of Rugged DevOps

Habit 7: Test Preparedness With Security Games

Page 24: Amy DeMartine - 7 Habits of Rugged DevOps


Rules of engagement for red teaming

› Pick integrated team for both red and blue teams

› Red team attacks with any resources

› Blue team defends with tools and technology available in production

› Rotate members to get equal participation

› Can be performed regularly, e.g. every Monday, or intermittently

› Make changes in application, infrastructure or tools as a response

Page 25: Amy DeMartine - 7 Habits of Rugged DevOps


Focus on metrics of visibility and speed while red teaming

› How fast are you at identifying the problem? Do you have the right tools and technology to identify an intrusion?

› How fast are you at remediating a vulnerability? Can you produce and deploy a fix quickly in response?

› Is this an attack that has been tested for?

Page 26: Amy DeMartine - 7 Habits of Rugged DevOps


Seven Habits of Rugged DevOps

1. Increase Trust And Transparency Between Dev, Sec, And Ops

2. Understand The Probability And Impact Of Specific Risks

3. Discard Detailed Security Road Maps In Favor Of Incremental Improvements

4. Use The Continuous Delivery Pipeline To Incrementally Improve Security Practices

5. Standardize Third-Party Software And Then Keep Current

6. Govern With Automated Audit Trails

7. Test Preparedness With Security Games

Page 27: Amy DeMartine - 7 Habits of Rugged DevOps

Thank you

forrester.com

Amy DeMartine

+1 617.613.8906

[email protected]

@AmyDeMartine