Rugged DevOps: Bridging Security and DevOps Communities and Practices. These are the slides for the ignite talk by the same name at DevOps Days Austin 2012.
What it feels like to live in a Security Enabled DevOps World (Karun Chennuri)
Security in DevOps world - Evolving frameworks. Cluster Hardening best practices. Automation pipelines for managing infrastructure and PaaS. Continuous Security and DevOps Maturity Model.
DevSecOps Basics with Azure Pipelines (Abdul_Mujeeb)
This document discusses DevSecOps, which integrates security practices into DevOps workflows to securely develop software through continuous integration and delivery. It outlines the basic DevOps process using Azure Pipelines for CI/CD and defines DevSecOps. The document then discusses challenges with security, benefits of DevSecOps for businesses, and common tools used, before concluding with an example DevSecOps demo using Azure Pipelines with security scans at various stages.
This document discusses implementing DevSecOps at scale. It begins with an introduction and agenda. It then discusses the motivations for DevSecOps, including moving security left and making it a shared responsibility. Next, it describes the current state as lacking security requirements, testing, and tools. The target state involves integrating security earlier using tools like SonarQube and ZAP. It outlines DevSecOps practices like threat modeling, security testing in pipelines, and monitoring. Challenges include aligning teams, reducing wait times, and configuring tools across projects. Lessons learned center around process engineering, knowledge sharing, and establishing security operations.
App sec in the time of docker containers (Akash Mahajan)
A look at how application security needs to evolve to keep up with applications that are containerised. Delivered first at c0c0n 2016, the audience got a ready checklist to go with the talk.
Embracing service-level objectives of your microservices in your CI/CD (Nebulaworks)
Shifting left - How to use Continuous Integration tools to bring security into the DevOps world
In today's modern software factories, organizations are shifting security to the left. No longer just the purview of firewalls, security needs to be built in during development and deployment processes. By doing so, organizations can ensure they are limiting vulnerabilities getting into production while cutting costs of both downtime and code rework.
Key Takeaways:
○ How to ensure that the use of open source doesn’t introduce vulnerabilities and other security risks
○ How to automate the delivery of trusted images using a policy-driven approach
○ Empowering developers to secure their applications, while maintaining segregation of duties
○ Ensuring the consistent flow of images through the pipeline, with no side-doors or introduction of unvetted images
○ Enforcing immutability of containers, preventing container-image drift
The Future of Security and Productivity in Our Newly Remote World (DevOps.com)
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
Vandana Verma is a cybersecurity expert who specializes in DevSecOps. She serves on the OWASP Global Board of Directors as Vice-Chair and is a member of several security review boards. Her work focuses on diversity initiatives in information security. She advocates for integrating security practices throughout the entire software development lifecycle from coding to deployment. This includes having developers take ownership of security and empowering them with tools and processes to build more secure applications within their existing workflows.
This document discusses DevSecOps, including what it is, why it is needed, and how to implement it. DevSecOps aims to integrate security into development tools and processes to promote a "secure by default" culture. It is needed because traditional security approaches cannot keep up with the rapid pace of DevOps. Implementing DevSecOps involves automating security checks and tests into the development pipeline and promoting collaboration between development, security, and operations teams. The document provides examples of tools that can be used and case studies of DevSecOps implementations.
We will delve into the creation of the GSA's DevSecOps guide, progression towards componentized and lego-pieced ATO's (leveraging reusable Infrastructure and Configuration as-Code modules), Cloud.gov "Heroku for government", "how to" be Cloud agnostic, and more.
Our DevSecOps meetup:
https://www.meetup.com/DevSecOps-NoVA
The Handbook:
https://tech.gsa.gov/guides/dev_sec_ops_guide/
Our speakers group:
https://handbook.tts.gsa.gov/tech-portfolio/
His team's areas of responsibility:
https://digital.gov/services/
Policy as code: what helm developers need to know about security (LibbySchulze)
1) The document discusses a 3 step process for securing Helm charts: define security requirements, use policy as code to encode the requirements, and implement guardrails like scans to ensure the requirements are met.
2) It provides examples of writing Rego policy that checks for secrets in environment variables, privilege escalation settings, and running as root.
3) Tools like Terrascan can scan Helm charts and infrastructure as code for policy violations and be integrated into CI/CD pipelines to prevent insecure configurations from being deployed.
This document discusses hybrid cloud networking challenges and solutions. It presents typical web application deployments on-premises and in the cloud. Architectural challenges with hybrid clouds include performance, reliability, and security. Implementation challenges involve using switched versus routed networks and managing IP addresses, routes, and network appliances across environments. The document proposes two approaches for hybrid cloud networking - a routed virtual private cloud using routing and firewalls, and a switched virtual private cloud using virtual switches and tunnels to simplify connectivity while maintaining security and performance.
Hacking into your containers, and how to stop it! (Eric Smalling)
This document discusses hacking into containers and how to stop it. It begins with an overview of increased security responsibilities for developers as containers add operating system level concerns. It then demonstrates hacking techniques and defenses that can be used in depth, such as minimizing images, not running as root, read only root filesystems, secrets management, and network policies. Key takeaways are that fast security feedback is important for developers and implementing known secure practices for building and running containers can help mitigate vulnerabilities.
This document outlines 5 key practices for modern security success in DevSecOps: 1) Cloud & DevSecOps practices, 2) Pre-Commit controls like the "paved road" of secure templates, 3) Commit controls through CI/CD pipelines, 4) Acceptance controls for supply chain security, and 5) Operations controls for continuous security compliance. The presentation provides examples for implementing controls at each stage to integrate security practices into the DevSecOps workflow.
[muCon2017] DevSecOps: How to Continuously Integrate Security into DevOps (Daniel Oh)
This document discusses DevSecOps, which is about continuously integrating security into DevOps processes and tools. It describes how development and operations teams traditionally view security, and why DevSecOps is important given trends like cloud computing, microservices, and open source software usage. The document then outlines ways to secure assets, development, operations, and APIs using open source tools as part of a DevSecOps approach. These include securing container registries and images, integrating security testing into builds, and using monitoring and logging tools to detect issues.
This document provides an agenda and instructions for a Cisco Cloud Networking Workshop. The agenda includes demonstrations of the Cisco Meraki dashboard, MX security appliances, MS switches, MR wireless access points, and SM device management. Attendees are given instructions to log into the Meraki dashboard for a hands-on lab exploring configuration of MX firewalls, MS switches, wireless SSIDs on MR access points, and network policies. The document also provides overviews of Cisco Meraki's cloud-managed networking portfolio and features for network security, management, and device mobility.
Jason Chan is a cloud security architect at Netflix who discussed Netflix's approach to cloud security. Some key points include: (1) Netflix has developed a "cloud appropriate" security model that embraces automation, self-service, and tooling; (2) The cloud presents both security challenges around shared responsibility and advantages around visibility; and (3) Netflix's Security Monkey framework automates security monitoring and analysis through APIs. Regulatory compliance is also addressed through segmentation, access control, and leveraging tooling for auditability.
Netflix Open Source Meetup Season 4 Episode 3 (aspyker)
In this episode, we will focus on security in the cloud at scale. We’ll have Netflix speakers discussing existing and upcoming security-related OSS releases, and we’ll also have external speakers from organizations that are using and contributing to Netflix security OSS.
First, Patrick Kelley from Netflix’s Security Operations team will speak about RepoMan, an upcoming OSS release designed to right-size AWS permissions. Then, Wes Miaw from Netflix’s Security Engineering team will discuss MSL (Message Security Layer).
We have two external speakers for this event - Chris Dorros from OpenDNS/Cisco will talk about his use of and contributions to Lemur, and Ryan Lane from Lyft will talk about their use of BLESS.
After the talks, we’ll have OSS authors at demo stations to answer questions and provide demos of Netflix security OSS, including Lemur, MSL, and Security Monkey.
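The RepoMan talk above is about right-sizing AWS permissions: start from what a role is allowed to do, compare it with what CloudTrail shows the role actually did over a review window, and remove the grants that were never exercised. The block below is an added example of that loop written for this page; it is not RepoMan, Repokid or any other Netflix code, and the policy document and the set of observed actions are constructed for the demo.

```python
"""Right-size an IAM policy against observed API usage (added example).

Given a policy document and the set of actions CloudTrail recorded for the
role during the review window, drop every Allow grant the role never used and
narrow any wildcard grant to the concrete actions that were seen. Explicit
Deny statements are left untouched.
"""
import fnmatch
import json
from typing import Dict, Iterable, List

# Constructed policy: what the role is allowed to do today.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

# Constructed usage: actions seen in CloudTrail for this role in the window.
OBSERVED_ACTIONS = {"s3:GetObject", "dynamodb:GetItem", "dynamodb:Query"}


def _as_list(value) -> List[str]:
    """IAM allows a single string or a list in the Action field."""
    return [value] if isinstance(value, str) else list(value)


def actions_in_use(pattern: str, observed: Iterable[str]) -> List[str]:
    """Observed actions matched by one IAM action pattern.

    IAM action matching is case-insensitive and supports '*' and '?', which
    fnmatch handles once both sides are lower-cased.
    """
    return sorted(a for a in observed
                  if fnmatch.fnmatchcase(a.lower(), pattern.lower()))


def unused_grants(policy: Dict, observed: Iterable[str]) -> List[str]:
    """Allow patterns that matched nothing in the window."""
    observed = set(observed)
    return sorted(p for s in policy["Statement"] if s.get("Effect") == "Allow"
                  for p in _as_list(s.get("Action", []))
                  if not actions_in_use(p, observed))


def right_size(policy: Dict, observed: Iterable[str]) -> Dict:
    """Return a copy of the policy with unused Allow grants removed."""
    observed = set(observed)
    new_statements = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            new_statements.append(stmt)      # keep Deny statements as they are
            continue
        kept: List[str] = []
        for pattern in _as_list(stmt.get("Action", [])):
            used = actions_in_use(pattern, observed)
            if not used:
                continue                      # never exercised: drop the grant
            # A wildcard that was used is narrowed to the actions actually seen.
            wildcard = "*" in pattern or "?" in pattern
            kept.extend(used if wildcard else [pattern])
        if kept:
            new_statements.append({**stmt, "Action": sorted(set(kept))})
    return {**policy, "Statement": new_statements}


if __name__ == "__main__":
    print("unused:", unused_grants(SAMPLE_POLICY, OBSERVED_ACTIONS))
    print(json.dumps(right_size(SAMPLE_POLICY, OBSERVED_ACTIONS), indent=2))
```

Two caveats a practitioner would add before running something like this against production roles: CloudTrail records management events by default, but S3 object-level and DynamoDB item-level calls are data events that are only logged when you turn them on, so a role that only does s3:GetObject looks idle in an incomplete trail; and the observation window has to be long enough to cover infrequent jobs (month-end, quarterly), with the previous policy kept so the change can be rolled back.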
This document provides an overview and best practices for securing Kubernetes (K8s) clusters. It discusses common threats like exposed dashboards, APIs, and etcd stores. It also covers risks from within the cluster like compromised nodes and pods or vulnerabilities in container images. The document recommends 10 essential practices for securing K8s like image scanning, role-based access control, security boundaries, upgrades, pod security policies, node hardening, audit logging, and host/container logging. It emphasizes the importance of a security-aware development process and provides resources for further information.
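The Helm policy-as-code talk (secrets in environment variables, privilege escalation, running as root), the container hardening talk (no root, read-only root filesystem) and the "trusted images only, no side-doors" takeaways of the shift-left talk all come down to the same kind of check over a rendered manifest. The block below is an added example of those checks in plain Python rather than Rego, so that it can be run anywhere; it is not code from any of the talks or from Terrascan. The manifest is constructed to look like `helm template` output, the field names follow the Kubernetes PodSpec API, and the trusted-registry prefix is an assumption for the demo.

```python
"""Policy checks over a rendered Kubernetes manifest (added example).

Flags: secret-looking env vars set as literal values, containers that allow
privilege escalation, containers that may run as root, writable root
filesystems, images from outside the trusted registry, and images not pinned
by digest. Mirrors what the Rego/Terrascan checks described above look for.
"""
import re
from typing import Dict, List

TRUSTED_REGISTRIES = ("registry.example.internal/",)   # assumption for the demo
SECRET_ENV = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)

# Constructed manifest: one weak container, one hardened sidecar.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": False},
        "containers": [
            {"name": "web",
             "image": "nginx:latest",
             "env": [{"name": "DB_PASSWORD", "value": "hunter2"},
                     {"name": "DB_USER", "value": "app"}],
             "securityContext": {"allowPrivilegeEscalation": True,
                                 "runAsUser": 0}},
            {"name": "sidecar",
             "image": "registry.example.internal/logger@sha256:" + "a" * 64,
             "env": [{"name": "API_TOKEN",
                      "valueFrom": {"secretKeyRef": {"name": "api",
                                                     "key": "token"}}}],
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "runAsNonRoot": True,
                                 "readOnlyRootFilesystem": True}},
        ],
    }}},
}


def pod_spec(manifest: Dict) -> Dict:
    """PodSpec of a bare Pod, or of the pod template inside a workload."""
    spec = manifest.get("spec", {})
    return spec if manifest.get("kind") == "Pod" else spec["template"]["spec"]


def check_container(c: Dict, pod_sc: Dict) -> List[str]:
    findings: List[str] = []
    name = c.get("name", "?")
    sc = c.get("securityContext", {})

    for env in c.get("env", []):
        # A literal `value` under a secret-looking name is the problem;
        # `valueFrom.secretKeyRef` is the sanctioned way to inject secrets.
        if SECRET_ENV.search(env.get("name", "")) and "value" in env:
            findings.append(f"{name}: secret-like env var {env['name']} "
                            f"set as a plaintext value")

    # Kubernetes defaults allowPrivilegeEscalation to true when unset.
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation not set to false")

    # Container-level settings override pod-level ones.
    non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
    if run_as_user == 0 or not non_root:
        findings.append(f"{name}: may run as root (runAsNonRoot/runAsUser)")

    if not sc.get("readOnlyRootFilesystem", False):
        findings.append(f"{name}: root filesystem is writable")

    image = c.get("image", "")
    if not image.startswith(TRUSTED_REGISTRIES):
        findings.append(f"{name}: image {image} is not from a trusted registry")
    if "@sha256:" not in image:
        findings.append(f"{name}: image {image} is not pinned by digest")
    return findings


def evaluate(manifest: Dict) -> List[str]:
    """All findings for every container and initContainer in the manifest."""
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})
    out: List[str] = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        out.extend(check_container(c, pod_sc))
    return out


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_DEPLOYMENT):
        print(finding)
```

Run on the constructed manifest, every finding is against the `web` container and the hardened `sidecar` passes clean. In a pipeline the same check runs against `helm template` output before `helm install`, and a non-empty result fails the job; the digest check is what closes the "no unvetted images" side-door, because a mutable tag such as `latest` can be re-pointed after the image was scanned.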
This document discusses integrating security into DevOps practices. It notes that while DevOps embraces cloud automation and agility, security can slow things down. Traditional security approaches are ill-suited for cloud environments. The document introduces CloudPassage Halo as a security-as-a-service platform that provides automated security controls like firewall management, intrusion detection and vulnerability scanning across cloud infrastructure in a self-service manner. It also describes the CloudPassage Halo architecture and demonstrates some of its features. Finally, it promotes the CloudPassage Halo API toolbox and offers six months of free developer access to the platform.
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche... (Richard Bullington-McGuire)
Have you ever needed to wrestle a legacy application onto a modern, scalable cloud platform, while increasing security test coverage? Sometimes real applications are not easily stuffed into a Docker container and deployed in a container orchestration system. In this talk, Modus Create Principal Architect Richard Bullington-McGuire will show how to compose Jenkins, Docker, Terraform, Packer, Ansible, Vagrant, Gauntlt, OpenSCAP, the CIS Benchmark for Linux, AWS CodeDeploy, Auto Scaling Groups, Application Load Balancers, and other AWS services to create a performant and scalable solution for deploying applications. A local development environment using Vagrant mirrors the cloud deployment environment to minimize surprises upon deployment.
(November 2017: updated from earlier presentations on Cloud-native Data)
Cloud-native applications form the foundation for modern, cloud-scale digital solutions, and the patterns and practices for cloud-native at the app tier are becoming widely understood – statelessness, service discovery, circuit breakers and more. But little has changed in the data tier. Our modern apps are often connected to monolithic shared databases that have monolithic practices wrapped around them. As a result, the autonomy promised by moving to a microservices application architecture is compromised.
What we need are patterns and practices for cloud-native data. The anti-patterns of shared databases and simple proxy-style web services to front them give way to approaches that include use of caches (Netflix calls caching their hidden microservice), database per service and polyglot persistence, modern versions of ETL and data integration and more. In this session, aimed at the application developer/architect, Cornelia will look at those patterns and see how they serve the needs of the cloud-native application.
Splitting the Check on Compliance and Security (Jason Chan)
1) Developers prioritize speed and innovation while auditors focus on compliance and predictability. The resolution is adopting tools like Spinnaker that provide traceability in development pipelines to satisfy both groups.
2) Tools like Penguin allow continuous monitoring of application security risks across microservices rather than one-time assessments.
3) Compartmentalization through practices like tokenization and microservices limits the impact of breaches by restricting access on a need-to-know basis.
A list of action items you want to keep in mind when you're devsecops'ing for your cloud-native environments. Given as a part of a talk in the Modern Security series (https://info.signalsciences.com/securing-cloud-native-ten-tips-better-container-security).
Karthik Gaekwad is a cloud native evangelist at Oracle Cloud who previously worked on Oracle's Managed Kubernetes team. He discusses his background in teaching and community building. Common challenges to adopting cloud native technologies include complexity, cultural challenges, lack of training, security, and monitoring. Oracle provides managed Kubernetes services on Oracle Cloud Infrastructure to help with managing Kubernetes control and data planes, container networking and storage, and security. Karthik demonstrates a sample ecommerce application deployed to Kubernetes.
PKI in DevOps: How to Deploy Certificate Automation within CI/CD (DevOps.com)
DevOps and CI/CD make for faster code releases, but they also create new challenges for security practices. Think about TLS and code-signing certificates. Almost every component in CI/CD – binaries, builds, web servers and containers – needs certificates to authenticate and verify trust, but traditional PKI processes just can't scale in DevOps environments.
Join Keyfactor and Infinite Ranges to learn how PKI and certificate management fits within the CI/CD pipeline and why an integrated and automated approach is key to success. In this webinar, we'll discuss:
How applications in the DevOps toolchain use PKI (e.g. Jenkins, Kubernetes, Istio)
The risks of unmanaged or untracked certificates in DevOps environments
Best practices to support visibility, compliance and automation of certificates in CI/CD
This document discusses automated security testing using the Zed Attack Proxy (ZAP) tool. It describes how ZAP can be used to passively and actively scan web applications for security vulnerabilities by intercepting HTTP traffic. It also provides examples of integrating ZAP into continuous integration builds using its REST API and tasks for Ant and Maven. While automated testing finds many issues, some vulnerabilities still require human intelligence to identify false positives and negatives.
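The ZAP summary above says two things a build integration has to get right: the alert list comes back over the REST API, and not every alert deserves to break the build, because false positives need a human. The block below is an added example of a CI gate written for this page, not code from the talk or from the ZAP project. It builds the request URL the job would call, then applies the gate to a response body constructed in the shape of ZAP's `/JSON/core/view/alerts/` output (the field names `risk`, `confidence`, `pluginId`, `url`, `param` are assumed from that API); nothing is fetched over the network.

```python
"""Gate a CI build on ZAP scan results (added example).

A build fails when any alert at or above a chosen risk level, with at least
a chosen confidence, remains after dropping alerts a human has already
triaged as false positives.
"""
import json
import sys
from typing import Dict, List, Set, Tuple
from urllib.parse import urlencode

RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CONFIDENCE_RANK = {"False Positive": 0, "Low": 1, "Medium": 2,
                   "High": 3, "User Confirmed": 4}

# Constructed response body in the shape of ZAP's alerts view; not a real scan.
SAMPLE_RESPONSE = json.dumps({"alerts": [
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High",
     "confidence": "Medium", "url": "http://app.test/login",
     "param": "username", "cweid": "89"},
    {"pluginId": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
     "risk": "Medium", "confidence": "High", "url": "http://app.test/",
     "param": "", "cweid": "693"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "confidence": "Medium",
     "url": "http://app.test/static/app.js", "param": "", "cweid": "693"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
     "risk": "High", "confidence": "Low", "url": "http://app.test/search",
     "param": "q", "cweid": "79"},
]})

# Findings a human reviewed and accepted, keyed by (pluginId, url, param).
TRIAGED: Set[Tuple[str, str, str]] = {("10038", "http://app.test/", "")}


def alerts_url(api_base: str, api_key: str, target: str) -> str:
    """URL the CI job would GET; count=0 asks ZAP for all alerts."""
    query = urlencode({"apikey": api_key, "baseurl": target,
                       "start": 0, "count": 0})
    return f"{api_base}/JSON/core/view/alerts/?{query}"


def blocking_alerts(body: str, min_risk: str = "Medium",
                    min_confidence: str = "Medium",
                    triaged=frozenset()) -> List[Dict]:
    """Alerts that should fail the build, highest risk first."""
    keep: List[Dict] = []
    for a in json.loads(body)["alerts"]:
        key = (a.get("pluginId", ""), a.get("url", ""), a.get("param", ""))
        if key in triaged:
            continue                       # already reviewed by a human
        if RISK_RANK.get(a["risk"], 0) < RISK_RANK[min_risk]:
            continue
        # Low-confidence hits go to a reviewer, not to the build gate.
        if CONFIDENCE_RANK.get(a["confidence"], 0) < CONFIDENCE_RANK[min_confidence]:
            continue
        keep.append(a)
    return sorted(keep, key=lambda a: -RISK_RANK[a["risk"]])


def gate(body: str, **kwargs) -> int:
    """Exit status for the CI step: 0 passes, 1 fails."""
    return 1 if blocking_alerts(body, **kwargs) else 0


if __name__ == "__main__":
    print(alerts_url("http://127.0.0.1:8080", "changeme", "http://app.test"))
    for a in blocking_alerts(SAMPLE_RESPONSE, triaged=TRIAGED):
        print(f"{a['risk']:<7} {a['alert']} at {a['url']} ({a['param']})")
    sys.exit(gate(SAMPLE_RESPONSE, triaged=TRIAGED))
```

On the constructed response only the SQL injection alert fails the build: the CSP alert is in the triage list, the missing header is below the risk floor, and the low-confidence XSS hit is left for a reviewer. That last case is the trade-off the talk points at: gating only on confident findings keeps the pipeline green on noise, so the filtered-out alerts still need a queue that someone reads.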
Agile Secure Software Development in a Large Software Development Organisatio... (Achim D. Brucker)
Security testing is an important part of any (agile) secure software development lifecycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers."
Learning from traditional testing that fixing bugs gets more costly the later it is done in development, we believe that security testing should be integrated into the daily development activities. To achieve this, we developed a security testing strategy, as part of SAP's security development lifecycle, which supports the specific needs of the various software development models at SAP.
In this presentation, we will briefly present SAP's approach to an agile secure software development process in general and, in particular, present SAP's Security Testing Strategy, which enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools.
What's check-build, why I built it at Bringr/Redsmin and how we use it everyday inside our continuous integration workflow.
Check-build: https://github.com/FGRibreau/check-build
Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed (Gene Kim)
This document provides an overview of a presentation given by Joshua Corman and Gene Kim on the topics of security, DevOps, and Rugged DevOps. Some key points:
- Joshua Corman is the director of security intelligence at Akamai Technologies and Gene Kim is a researcher and author known for his work on IT performance and DevOps.
- They discuss how traditional security models are no longer effective due to increasing development speeds and how Rugged DevOps combines principles of DevOps and security.
- Rugged DevOps focuses on operational discipline, situational awareness, and countermeasures to provide security in a way that does not hinder development workflows and speeds.
- The presentation
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataDenim Group
Measuring the effectiveness of any security activity is widely discussed – security leaders debate the topic with a religious fervor rivaling that of any other hot button issue. Virtually every organization has some sort of application security training effort, but data on training effectiveness remains scarce. Last year our research team delivered the first-ever survey that captured developer awareness of secure coding concepts and the impact of formal application security training on a developer’s ability to write secure code. We learned that most software developers were aware of certain application security concepts, yet when asked how to write more secure code, they fared poorly.
This year’s 600-developer survey provides more quantitative data on what software developers understand about application security, both concepts and practices. It dives most deeply into awareness of defensive coding practices, which most developers largely did not grasp in the 2013 survey. It also separates respondents by roles, so we can better understand how architects, developers, and QA staff grasp key application security concepts and put them to work. It better captures how software developers learn in general, so one can tailor any security training effort to how software developers, in practice, actually learn. This information will provide data to application security managers responsible for corporate security training that should allow them to make more fact-based decisions about security training.
Presentation materials from Python Developers Festa 2013.11.
https://github.com/pyspa/pyfes/blob/develop/201311.rst
The performance measurements were taken on OpenIndiana 151a, a Solaris-derived OS, so results on other operating systems may show different trends.
DevOps AppSec Pipeline Velocity NY 2015Aaron Weaver
Practical methodology and example for building out an application security program using DevOps principles. Need to scale out your program but don't have the resources? Find out how we quadrupled our output in one year without adding more security resources. #rugged #devops #appsec
This document discusses security test automation. It defines security testing and some key terms like vulnerability, spoofing, and SQL injection. It recommends tools from the OWASP project like ZAP and describes how to integrate ZAP into an automation workflow. An example workflow is described that uses ZAP to find issues like password autocomplete, application errors, and missing security headers. Integrating security scans with CI builds is advocated to improve security with little additional effort.
This presentation is part of a talk I gave at the Microsoft .NET Bootcamp. The contents are slightly edited to share the information in the public domain. In this presentation, I covered the significance and all related theory of threat modeling and analysis. This presentation will be useful for software architects/managers, developers and QAs. Do share your feedback in the comments.
Continuous and Visible Security Testing with BDD-SecurityStephen de Vries
This presentation makes the case for adapting security requirements and processes to those used by developers. Specifically, it advocates the use of BDD (Given/When/Then) specifications to create self-verifying security requirements.
You've heard of infrastructure as code, with the BDD-Security framework, we can now write security-processes-as-code.
Automating security tests for Continuous IntegrationStephen de Vries
Two models for running automated security tests in a CI/CD pipeline: either blocking or parallel security tests
Integration depends on the level of cultural integration of security into DevOps.
3 Models of test ownership:
1. Owned by Security team - least desirable
2. Owned by DevOps, overseen by security - better
3. Owned by SecDevOps, look Ma, no silos.
Overview of BDD-Security
Configuring Jenkins with BDD-Security as inline tests
Building Risk Management into Enterprise Architectureiasaglobal
By Bill Estrem, MN Chapter Conference 11/15/2013 Get Lucky: Building Risk Management into Enterprise Architecture This presentation will examine how enterprise architects can apply risk management capabilities to the development and operation of an enterprise architecture. The approach incorporates the TOGAF 9 Risk Management framework along with other risk management methods. In particular, the approach will focus on The Open Group Risk Management Taxonomy and Risk Assessment standard. Bill Estrem - President of Metaplexity Associates LLC
The document discusses continuous integration and Jenkins. It explains the problems with the traditional software lifecycle, such as a lack of automation and visibility. Jenkins is a tool that monitors repetitive tasks in order to build and test software continuously, partially solving these problems. It offers advantages such as error prevention and quality assurance.
This document provides information about the OWASP Web Testing Environment (WTE) project and its leader Matt Tesauro. It discusses the history and goals of the WTE project, which provides a collection of web application security testing tools in an easy-to-use environment. It also outlines ideas for the future of the project, such as providing automated cloud-based instances of the WTE and aligning its tools with the OWASP Testing Guide.
New Farming Methods in the Epistemological Wasteland of Application SecurityJames Wickett
Over the years, application security (appsec) has made progress, but it has also made some considerable missteps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Let's journey together to find old truths and better approaches.
We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
http://lascon.org
http://lascon2015.sched.org/event/175e3c828095386b2fa0fc660b2502a3
Real World Application Threat Modelling By ExampleNCC Group
This document provides an overview of threat modeling a virtual appliance called the Djigzo Email Encryption Gateway. It describes a process for enumerating the technologies, interfaces, and functionality of the appliance without initial knowledge. This includes getting shell access, mapping listening ports, reviewing processes, and examining the database. Next, it creates high-level and low-level dataflow diagrams. Finally, it develops an initial threat model by brainstorming threats against different interfaces like the web interface, admin console, and mail transfer agent. The presentation concludes that thorough threat modeling requires deep security knowledge and significant effort to understand risks and verify mitigations.
This document discusses the evolution of DevSecOps and provides guidance for security professionals. It notes that DevSecOps approaches have gained popularity as DevOps has grown over the past decade. It recommends that security professionals focus on detection over protection, embrace a blameless culture of continuous improvement, and get involved in DevSecOps communities to help build security tools and practices.
This document discusses integrating security testing into continuous delivery pipelines. It argues that security testing should be performed continuously and automated like other tests, rather than as a separate process. The document recommends that development, operations, and security teams work together in a "SecDevOps" model where security testing is integrated into regular testing workflows and everyone shares responsibility. It presents the BDD-Security framework as an example of how behavior-driven development can be used to automate continuous security testing that runs with each code change.
Rugged DevOps Will help you build ur cloudzJames Wickett
Gauntlt is a security testing tool that can be integrated into a continuous integration system. It runs automated attacks and penetration tests against code as part of the build process. Gauntlt attacks are written in an easy to read language to make security testing accessible to developers, operations staff, and security teams. This allows different teams to collaborate better and find vulnerabilities earlier in the development process.
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
Security is in crisis and it needs a new way to move forward. This talk from Nov 2018, Houston ISSA meeting discusses the tooling needed to rise to the demands of devops and devsecops.
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
The Emergent Cloud Security Toolchain for CI/CD given at RSA Conference 2018 in San Francisco.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Learning Objectives:
1: Learn the emerging patterns for security in CI/CD pipelines.
2: Receive a pragmatic security toolchain for CI/CD to use in your organization.
3: Understand what DevSecOps really means without all the hype.
Discussion of how security is in crisis but DevSecOps offers a new playbook and gives security a path to influence. Taking a look at the WAF space, we look at how Signal Sciences has created feedback between Dev and Ops and Security to create new value.
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security Radware
http://www.radware.com/Products/DefenseFlow/
Learn about the industry's first SDN application that enables network operators to program the network to provide DDoS protection as a native network service.
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
This is a very short slide deck I did for a 10-minute slot on a http://pistoiaalliance.org/ webinar. The slides do not fully cover what I intend to talk about so if the webinar is recorded and available afterwards I'll update this description with the recording URL.
PDF copy of the slides available upon request ("[email protected]")
Q Con New York 2015 Presentation - Conjurconjur_inc
This document discusses securing containers and microservices using a software-defined firewall (SDF) approach. It introduces the SDF pattern which uses gatekeeper and forwarder containers to validate and route traffic. The SDF ensures only authorized communication between containers. It also discusses embedding credentials during deployment using a host factory. Open source projects like Conjur and Summon can provide secrets and integrate with automation tools for continuous and secure deployment of containers.
Stop expecting magic fairy dust: Make apps secure by designPatrick Walsh
Software developers are screwing up the digital world. Security is often an afterthought, or worse, the job of I.T., who is expected to sprinkle magic fairy dust on an app that magically makes it secure. That's an impossible ask and forces a perimeter-based security model that cannot succeed alone in a world of cloud apps, mobile devices, and distributed data. Developers must embrace security by design principles and fundamentally shift their attitude about who is responsible for security.
The document discusses distributed denial of service (DDoS) attacks. It begins by defining DDoS and DoS attacks, noting that a DDoS attack involves coordinating multiple parties to overwhelm a server or application with traffic. The document then discusses the scale of DDoS attacks over time, how attacks on the scale of terabits per second can be achieved, and how DDoS attacks have become a business. It also summarizes the impact of the Mirai botnet and techniques for mitigating DDoS attacks through detection methods, split intelligence versus resource constraints, and the lack of built-in accountability on the internet.
Bridging the Gap: Lessons in Adversarial Tradecraftenigma0x3
This document discusses bridging the gap between penetration testing and red teaming using offensive PowerShell techniques. It describes how standard Windows images often have vulnerabilities, dirty networks with outdated users and services provide easy targets, and domain trusts allow access between organizations. The authors promote the Empire PowerShell agent for post-exploitation, highlighting modules for execution, credential theft, and lateral movement. They provide examples using Empire to inject into processes and extract credentials with Mimikatz.
Kernel Con 2022: Securing Cloud Native WorkloadsGabriel Schuyler
So, you've finished your (rushed by lockdown) lift-and-shift to the cloud, and now your developers are adopting cloud-native workloads such as containers, serverless functions, storage buckets, and databases as a service. These new technologies introduce new attack vectors, and must be defended in unique ways. You're not "just running on someone else's servers" when workloads come and go in seconds. How do you secure a function when the communication layer is opaque to you? Can you govern container use well enough to protect it, but without slowing down developers and the business? Heck, do you even know what's out there? This session will provide you with enough knowledge to begin securing your most important assets in the cloud. Sure, cloud-native workloads can seem mysterious, but once you know the differences (and hidden pitfalls) of cloud-native workloads, you'll be in good shape to start defending them.
This document summarizes a presentation on bridging the gap between penetration testing and red teaming using offensive PowerShell techniques. It introduces Empire, a pure PowerShell post-exploitation agent, and discusses how weak standard images, dirty networks, and domain trusts can be exploited to escalate privileges and move laterally. Various PowerShell modules for tasks like credential dumping, code execution, and lateral movement are demonstrated.
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Apostolos Giannakidis
This talk provides an introduction and detailed overview of Java deserialization attacks. You will understand the basic concepts of how Java deserialization exploits (gadget chains) work, what solutions exist and the advantages and disadvantages of each. Finally, a new approach will be presented, using Runtime Virtualization, Compartmentalization and Privilege De-escalation.
This talk was presented by Apostolos Giannakidis at the OWASP London meetup on May 2017.
Total Defense r12 is a multi-layered Internet security solution from CA that protects against malware in a visually refined and easy to manage way. It uses multiple layers of security to protect systems many times over at a surprisingly affordable price. Total Defense simplifies security management with an intuitive dashboard and one-click policy deployment while providing 24/7 support and global security intelligence through the Security Advisor.
Here Be Dragons: Security Maps of the Container New WorldC4Media
Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/1KjxPiO.
Josh Bregman explores some of the unique security challenges created by both the development workflow and application runtime, explains why and how the current approaches in SecDevOps 1.0 are insufficient, and how SecDevOps 2.0 techniques including Software Defined Firewalls (SDF) provide a promising path forward for all parties involved. Filmed at qconnewyork.com.
Josh Bregman is Information Security Architect and Executive Vice President for Technical Sales at Conjur Inc.
Security in a Site Reliability Engineering (SRE) context with a focus on being pragmatic just makes sense. In this talk, we will look at 4 key areas where SRE and Security tribes can join forces and influence the overall business. This is a lab/discussion session.
A Way to Think about DevSecOps: MEASUREJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in history to learn how engineering decisions affect the lives of those around us, with an eye on how to make meaningful progress today.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce MEASURE, a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
----
thanks to Verica https://verica.io and techstrongcon.com
The Security, DevOps, and Chaos Playbook to Change the WorldJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This talk will highlight security’s place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us and even though the world has radically changed over the last century, we are still facing many of the same root challenges.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
From Innotech Austin 2019 and Cloud Austin Nov 2019
A DevSecOps Tale of Business, Engineering, and PeopleJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for Security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us, and even though the world has radically changed over the last century, we are still facing many of the same root challenges.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
The New Ways of DevSecOps - The Secure Dev 2019James Wickett
Talk given for https://www.thesecuredeveloper.com/events/the-new-ways-of-devsecops
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good; however, moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
NewOps Days 2019: The New Ways of Chaos, Security, and DevOpsJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good; however, moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
The New Ways of Chaos, Security, and DevOpsJames Wickett
VMware Thought Leadership Series: The New Ways of Chaos, Security, and DevOps
Abstract:
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good; however, moving security and DevOps closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
DevOpsDays Austin: Security in the FaaS LaneJames Wickett
James Wickett and Karthik Gaekwad talk about Serverless Security at DevOps Days Austin.
Security in FaaS isn't what we are used to, but this talk shows you how what we learned in appsec still applies. Using LambHack, which is a vulnerable serverless application written in Go on AWS Lambda using Sparta, we will evaluate how to do security in serverless.
In this talk, we will talk about security strategies and pitfalls in the serverless world. You'll leave with an understanding of how to approach security conversations about serverel
Talk goals:
- How to approach the security concerns in a serverless world.
- Talk about the 'WIP' methodology for serverless security.
- Understand current serverless attacks for things to defend against.
- Learn what different cloud providers (AWS/GKE/Azure/Oracle Cloud) do to protect you in a serverless world.
The Seven Habits of the Highly Effective DevSecOpJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good; however, moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And really, what makes a good DevSecOp?
This talk highlights the seven habits that the high-performing DevSecOp of today (and tomorrow) should develop. Topics range from empathy to lean to system safety with the hope to uncover a new playbook for devs, ops, and security to work together.
Serverless Security: A How-to Guide @ SnowFROC 2019James Wickett
Serverless Security: A How-to Guide @ SnowFROC 2019
Covering serverless basics, looking at lambhack, and architectures/models for serverless. Special thanks to Signal Sciences!
DevSecOps brings security to the DevOps party and it is completely changing the security playbook. This talk will cover 10 practices and patterns we have implemented that bring DevSecOps value to everyone involved. This talk will be loaded with examples that will be usable for developers, security and operations teams and you can take home next week to put into practice.
Shannon Lietz, Intuit
James Wickett, Signal Sciences
RSA Conference 2019
Talk from Serverless Days Austin with @iteration1 and @wickett. This talk covers serverless basics and the Secure WIP model as a way to bring security to the conversation.
Adversary Driven Defense in the Real WorldJames Wickett
Talk by Shannon Lietz and James Wickett at DevOps Enterprise Summit 2018, Las Vegas.
Talk covers finding real world adversaries and balancing your effort and defenses to adjust for them.
The document discusses the state of DevSecOps in 2018 based on a survey of over 2,000 respondents. Key findings include that 74% of respondents report mature DevOps practices, but 48% of developers say they don't have enough time for security. 73% of mature DevOps organizations say security breaches drive interest in DevSecOps. The document advocates for greater inclusion of security in DevOps practices and culture.
Call it what you will - DevSecOps, DevOpsSec, Rugged, Agile Application Security, Shift Left Unicorn Dust AppSec,... The face of security is changing. We'll go through the results of the DevSecOps Community Survey and examine the trends. Then we'll lead a group discussion on the topic. How have you tried to make security part of your SDLC? What have you seen work? What hasn't? What's important to you?
From Austin OWASP meetup in June 2018
Learn what devsecops really means! See why security is in crisis and how it can find a new path forward.
Talk from DevSecOps Leadership Forum in Dallas, Texas, April 22nd, 2018.
AppSec California 2018: The Path of DevOps Enlightenment for InfoSecJames Wickett
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
OWASP AppSec California 2018
LambHack: A Vulnerable Serverless ApplicationJames Wickett
LambHack is a vulnerable serverless application written in golang in AWS Lambda running on the Go Sparta Serverless Framework. This talk focuses on how application security still has tons of meaning in serverless.
Talk from 12 Clouds of Christmas at Cloud Austin.
Defense-Oriented DevOps for Modern Software DevelopmentJames Wickett
Presentation from SpringOne Platform 2017 conference by Pivotal.
DevOps is the practice of the entire engineering team participating together through the entire service lifecycle of delivering software. This includes security and out of necessity, security as we have known it has completely changed.
Through challenges from the outside and forces from within there is a wholesale conversion taking place across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape. There are four key areas that have changed with the rise of DevOps:
Treat all systems and infrastructure as code
Change the engineering culture to orient around delivery
Favor a fast delivery cadence
Create feedback loops across the organization
With these shifts the organization has new demands and expectations on security. This talk will cover a pragmatic approach and focus on principles, practices and tooling to meet demands in these four key areas.
Big Data Analytics Quick Research Guide by Arthur MorganArthur Morgan
This is a Quick Research Guide (QRG).
QRGs include the following:
- A brief, high-level overview of the QRG topic.
- A milestone timeline for the QRG topic.
- Links to various free online resource materials to provide a deeper dive into the QRG topic.
- Conclusion and a recommendation for at least two books available in the SJPL system on the QRG topic.
QRGs planned for the series:
3. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
4. Security vs. Rugged
• Absence of events vs. Verification of quality
• Cost vs. Benefit
• Negative vs. Positive
• FUD vs. Known values
• Toxic vs. Affirming
6. Ruggedization Theory
Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
7. "Secondly, our network got a lot stronger as a result of the LulzSec attacks."
- Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012
8. Cloud Firewalls and DMZ (aka Security Groups)
[Diagram: a three-tier stack with a firewall (security group) in front of every instance. Web tier: three web servers, each behind its own firewall (DMZ x3). Middle tier: two servers behind firewalls (DMZ x2). Data tier: DB and LDAP behind firewalls (DMZ x2).]
9. Rugged Benefits
• Control and traffic whitelisting
• Config management
• Reproducible, automated and source controlled
• No accidental data traversal across products or dev/test/prod tiers
• Dev and Test identical to Prod tier
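The per-tier security groups in slide 8 only deliver the benefits above if the rules are checked the same way every time they change. The following is an added example, not code from the talk or from any cloud provider's API: a stand-alone policy check over security-group definitions written in the shape AWS uses (protocol, port range, CIDR or source-group reference). The env-tier naming, the allowed flows in ALLOWED_SOURCES and the sample stacks are all constructed for the illustration. It flags internet-facing rules on non-public tiers, CIDR sources where a group reference should be used, and any reference that crosses an environment or skips a tier.

```python
"""Security-group policy check for a tiered 'security groups as DMZ' layout.

Added example; the group definitions, the env-tier naming and the allowed
flows below are constructed to mirror the three-tier picture in the slides
and are not any real account's configuration or any cloud provider's API.
"""
import ipaddress

# Intended flows: which tiers (or "internet") may open connections to each tier.
# Assumption: this is the model the stack is supposed to implement.
ALLOWED_SOURCES = {
    "web": {"internet"},
    "middle": {"web"},
    "db": {"middle"},
    "ldap": {"middle"},
}
# Only these single ports may ever face the internet (web tier only).
PUBLIC_PORTS = {80, 443}


def sg(env, tier, ingress):
    """One security group per tier and environment (assumed naming: env-tier)."""
    return {"name": f"{env}-{tier}", "env": env, "tier": tier, "ingress": ingress}


def rule(proto, port_from, port_to, src):
    """One ingress rule; src is a CIDR string or the name of a source group."""
    return {"proto": proto, "from": port_from, "to": port_to, "src": src}


def check_groups(groups):
    """Return human-readable violations; an empty list means the stack is clean."""
    by_name = {g["name"]: g for g in groups}
    violations = []
    for g in groups:
        tier = g["tier"]
        for r in g["ingress"]:
            where = f"{g['name']} {r['from']}-{r['to']}/{r['proto']} from {r['src']}"
            if "/" in r["src"]:  # CIDR source
                net = ipaddress.ip_network(r["src"], strict=False)
                if net.prefixlen != 0:
                    # Whitelist callers by group reference, not by address range,
                    # so a rule cannot silently widen when addresses are reused.
                    violations.append(f"{where}: CIDR source; reference the caller's group instead")
                elif "internet" not in ALLOWED_SOURCES[tier]:
                    violations.append(f"{where}: internet-facing rule on a non-public tier")
                elif r["from"] != r["to"] or r["from"] not in PUBLIC_PORTS:
                    violations.append(f"{where}: only {sorted(PUBLIC_PORTS)} may face the internet")
                continue
            src_group = by_name.get(r["src"])
            if src_group is None:
                violations.append(f"{where}: unknown source group")
            elif src_group["env"] != g["env"]:
                violations.append(f"{where}: crosses environments ({src_group['env']} -> {g['env']})")
            elif src_group["tier"] not in ALLOWED_SOURCES[tier]:
                violations.append(f"{where}: tier {src_group['tier']} may not reach tier {tier}")
    return violations


def build_stack(env):
    """Constructed reference stack: one group per tier, chained web -> middle -> db/ldap."""
    return [
        sg(env, "web", [rule("tcp", 80, 80, "0.0.0.0/0"), rule("tcp", 443, 443, "0.0.0.0/0")]),
        sg(env, "middle", [rule("tcp", 8080, 8080, f"{env}-web")]),
        sg(env, "db", [rule("tcp", 3306, 3306, f"{env}-middle")]),
        sg(env, "ldap", [rule("tcp", 636, 636, f"{env}-middle")]),
    ]


PROD_OK = build_stack("prod")

# Constructed misconfiguration: prod and dev stacks in one account, with prod's
# middle tier also admitting dev's web tier, and prod's database opened to the
# world. Both are exactly the accidental traversal the slides warn about.
PROD_BROKEN = build_stack("prod") + build_stack("dev")
PROD_BROKEN[1]["ingress"].append(rule("tcp", 8080, 8080, "dev-web"))
PROD_BROKEN[2]["ingress"].append(rule("tcp", 3306, 3306, "0.0.0.0/0"))

if __name__ == "__main__":
    for v in check_groups(PROD_BROKEN):
        print("FAIL", v)
```

Because build_stack() produces dev, test and prod from the same function, the three environments stay identical by construction, and running check_groups() in the pipeline that applies the rules turns "no accidental traversal" from a hope into a gate that fails the build.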
12. Security sees...
• They give advice that goes unheeded
• Business decisions made w/o regard of risk
• Irrelevancy in the organization
• Constant bearer of bad news
• Feels ignored by their peers (you know, those devops guys)
• Inequitable distribution of labor
16. If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea.
- Antoine Jean-Baptiste Marie Roger de Saint Exupéry
17. The Philosophy of Rugged DevOps & Principles of Behavior Driven Development
18. Introducing Gauntlet
gauntlet, n. an attack from all sides
An always-attacking environment for developers, with attacks written in easy-to-read language accessible to everyone involved in dev, ops, security, ...
19. Put your code through the Gauntlet
[Diagram: your web app, and you, surrounded by the tools the Gauntlet drives: custom attacks, dirbuster, metasploit, sqlmap, fuzzers, nessus, w3af, nmap.]
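What "easy-to-read language" means in practice for slides 17 to 19 is a scenario written as Given/When/Then steps that dev, ops and security can all read, with the tool output checked by step definitions. The block below is an added example and not the Gauntlet project's own code: a miniature runner that parses nmap grepable (-oG) output and evaluates one scenario against it. The step phrases, run_scenario() and the two scan lines are constructed for this illustration; no scanner is run, so it works offline and the same scenario can be pointed at a real capture later.

```python
"""A miniature Gauntlt-style runner: a plain-language scenario checked against
nmap grepable output. Added example; not Gauntlt's code. The step phrases,
run_scenario() and the scan lines are constructed for this illustration.
"""
import re

# Constructed nmap -oG style output for two web-tier hosts; the second host
# has ssh reachable from the scanner, which the scenario below should catch.
WEB_TIER_SCAN = (
    "Host: 10.0.1.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 22/filtered/tcp//ssh///\n"
    "Host: 10.0.1.11 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 22/open/tcp//ssh///\n"
)

# The scenario every stakeholder can read: a policy, not a tool invocation.
SCENARIO = """\
Scenario: the web tier exposes only http and https
  Given the nmap scan of the web tier
  When I collect the open tcp ports on every host
  Then only ports 80 and 443 should be open
  And port 22 should not be open
"""

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def open_ports(grepable):
    """Map host -> set of open tcp ports parsed from nmap grepable (-oG) lines."""
    result = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        result[host] = {int(port) for port, state, proto in PORT_RE.findall(ports_field)
                        if state == "open" and proto == "tcp"}
    return result


# Step definitions: each returns a list of failure messages (empty = step passed).
def step_scan(ctx, tier):
    ctx["tier"] = tier          # the scan text itself is handed to run_scenario
    return []

def step_collect(ctx):
    ctx["ports"] = open_ports(ctx["scan"])
    return []

def step_only(ctx, ports_text):
    allowed = {int(p) for p in re.findall(r"\d+", ports_text)}
    return [f"{host}: unexpected open port {p}"
            for host, ports in ctx["ports"].items() for p in sorted(ports - allowed)]

def step_not_open(ctx, port):
    return [f"{host}: port {port} is open"
            for host, ports in ctx["ports"].items() if int(port) in ports]

STEPS = [
    (r"the nmap scan of the (\w+) tier", step_scan),
    (r"I collect the open tcp ports on every host", step_collect),
    (r"only ports? (.+) should be open", step_only),
    (r"port (\d+) should not be open", step_not_open),
]


def run_scenario(scenario_text, scan_text):
    """Run each Given/When/Then/And line against scan_text; return all failures."""
    ctx = {"scan": scan_text, "ports": {}}
    failures = []
    for raw in scenario_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Scenario:"):
            continue
        body = re.sub(r"^(Given|When|Then|And)\s+", "", line)
        for pattern, handler in STEPS:
            match = re.fullmatch(pattern, body)
            if match:
                failures.extend(handler(ctx, *match.groups()))
                break
        else:
            failures.append(f"no step definition matches: {line!r}")
    return failures


if __name__ == "__main__":
    for f in run_scenario(SCENARIO, WEB_TIER_SCAN):
        print("FAIL", f)
```

The point of the split is that the scenario states the expectation (only 80 and 443 exposed) while the step definitions own the tool-specific parsing, so a developer can add a new expectation without learning the scanner's output format, and a failing scenario reads as a plain sentence in the build log.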
20. Join Us
• #occupy_stage on Rugged DevOps
• join the email list join.ruggeddevops.org
• twitter: @ruggeddevops
• Gauntlet? Ping me on twitter (@wickett)