‘DevSecOps’ Personas
About us
Is a platform that helps you scale application
security by fully automating and orchestrating
your preferred security tools in CI/CD.
Gary Robinson
Founder & Chief Security Officer
Been a dev, a sec, and an ops.
What we will cover?
‘DevSecOps’ Personas
● Who are ‘The Dev’?
● Who are ‘The Ops’?
● Who are ‘The Sec’?
● Challenges, insights, and observations
The ‘Dev’
Generic Developer (Team)
Job
Identifying code solutions for stakeholder or customer problems. Work with
architecture, QA, support, UI/UX, Ops, Security on wider solution implementation.
Skills
Software development in target languages and frameworks. Deploying solution on
cloud / infrastructure. Debugging, fixing bugs. Agile. Compilation. DevOps.
Culture Impress / Maturity
Getting better skills at the specifics of code / language / frameworks. Learning Design Patterns.
Cloud / infrastructure work for running solutions. Faster delivery. Look to lead coders as top.
Job Progression
Moving up the ranks to senior, lead, becoming an architect (technical) or management. Can get
technically specific (security?) , but tends to be sideways move, not upwards.
Relationships
With Operations
Operations has moved much more to a realm that devs understand. Cloud, IaC, etc means dev
can naturally fit ops in. Many advances created by developers (open source & commercial).
With Security
Know the basics of the technicality, but processes / logistics typically seen as a blocker. Some
companies will push security a lot more than others. Doesn’t work with how dev works.
Tooling
Experience ‘one tool for one job’. GitHub, Atlassian, and many others have focused on quick time
to use and incorporating the ‘whole solution’. Security breaks this mould with lots of tools.
Drives / Pressures
Getting shit done. Always a large backlog of features / fixes. Plenty of other devs competing for
promotions. Focus issues to work on - clarity and prioritization. Security communication.
Discuss: Dev -> Ops Was Natural Progression
● Developers already knew ops (cloud, OSs, builds) to get solution working.
● Cloud and CI/CD systems built for developers (techies), security tools not.
● Unless developer wants to ‘move into security’ they are not rewarded for
learning it. So many other skills they can learn with more job prospects.
The ‘Ops’
Generic Operations (Team)
Job
Setup Cloud and infrastructure, as well as DevOps environments. Experts on Cloud,
OS, infrastructure, CI/CD, which means lots of vendor knowledge.
Skills
Generic network and OS skills, then mostly focused on vendor environments (e.g.
AWS expert, CircleCI, etc). Some scripting skills, but not full programmers.
Culture Impress / Maturity
Badges and skills in vendor products, e.g. AWS routes of learning. Solutions that save time, make
tech easier to use, support, maintain. Look to large cool enterprises as the leaders.
Job Progression
Junior to Senior to Lead. More use they are to the company, more job security. Potentially Release
Manager (technical) or Head of DevOps, or into management.
Relationships
With Development
Have seen development interact more with technical operations. Growing ops code in codelines
with blurred ownership.
With Security
Know the basics of the technicality, but processes / logistics typically seen as a blocker. Lots of
patching (never-ending). Don’t like large security blocks in CI/CD.
Tooling
Usually vendor / tech driven. Vendor architecture comes first, then ‘getting it working’ with scripts,
skills, and knowledge. Would like to create from scratch, but under time pressures.
Drives / Pressures
Business wants software out faster, ops are the grease that makes that happen for real. Speed,
speed, speed.
Discuss: DevSecOps Requires Coding Glue
● Security tech and processes need to be ‘fitted in’ for seamless interaction,
without constant changes
● Serious lack of consistency among security tools.
● Devs and Operations can do it, but don’t have security skills to know what
to do
The ‘Sec’
Generic Security (Team)
Job
Tends to be operations security or development security. Tasked with providing
technical assurance in various ways. Outnumbered 100 to 1 by dev (ops unknown).
Skills
Knowledgeable on types of technical hack. Know how to use tools in their area. Able
to triage security issues. Likely zero to little programming skills.
Culture Impress / Maturity
Finding issues, learning hacks, using tools. Talking about latest breaches.
Job Progression
Junior to Senior to Lead. More move into management quicker due to shortage. Developing skills
and serving time conducting pen tests, testing, threat modeling, etc, moves up ranks.
Relationships
With Development
Out of loop and tend to add work instead of solutions. Devs want priorities, not scattergun.
Though usually one dev team ‘into security’. Issues outside of dev skills (e.g. linters).
With Operations
Security personnel may have ops knowledge, but not always. Want to be invited to the ‘devops’
party (90% of ‘DevSecOps’ jobs from sec), but may not know how CI/CD works (tech and culture).
Tooling
Usually scattered, sometimes tied to large vendor products, but also open source / kali / OWASP
tools as well. Don’t know dev or ops tools well.
Drives / Pressures
To find issues, that’s currency. Maybe pressure to scale, given so many projects, but that’s likely
management’s pain. Insights, metrics, & continuous improvements.
Discuss: Sec & Dev Skills Very Different
● Security folks are not software developers. Unlikely to find security bugs
in a pure code review.
● Developers don’t know all the different types of security issues / controls
there can be.
● Depending on company / vertical, developers may not be driven on
security at all (majority?). High rate of mix across industries with devs and
operations moving.
Discuss: Shift Left breaks Separation of Duties
● Shift-left puts developers in more control of security execution (scale)
● This confuses the separation of duties most regulations demand.
● If fully shifted left security may not have visibility which causes its own
problems.
Discuss: DevSecOps Can’t Scale Today
● Nearly always DevOps in place before security - engine already running
● 100 to 1 doesn’t work, especially since that 1 generally doesn’t have all the
necessary skills. Not enough security champions.
● Ironman vs Terminator
Discuss: Security Tools Need To Change
● Security tools pride on skills to use, instead of ease of use
● Nature of security is scattered, reflected in tools, which adds confusion
and complexity
● Little standardization: prioritization, taxonomy, outputs, inputs (DAST)
Questions & Discussion
The Teams Behind DevSecOps
