DevOpsSec: Building CI/CD with Security Teams

A presentation at AFCEA Fort Knox Event in September 2017 in Fort Knox, KY 40121, USA by Shawn Wells

Slide 1

Slide 2

DevOpsSec: Building CI/CD with Security Teams
Shawn Wells, Chief Security Strategist, Red Hat Public Sector
shawn@redhat.com || 443-534-0130

Slide 3

Late 1990’s

Slide 4

Slide 5

Slide 6

Early 2000’s

Slide 7

Slide 8

Slide 9

Find the “software pirate”

Slide 10

Y2K

Slide 11

15 years old

Slide 12

Slide 13

Slide 14

Slide 15

Slide 16

Slide 17

15 years old

Slide 18

Selling access to software, “Movies”, music

Slide 19

Monetizing “Sensor” data

Slide 20

Fall 2000: Busted :(

Slide 21

Slide 22

Spring 2001: 15yo … with a security clearance

Slide 23

Monetizing → Exploiting “Sensor” data

Slide 24

Slide 25

Slide 26

Slide 27

Slide 28

Slide 29

Slide 30

Slide 31

Slide 32

Slide 33

Slide 34

Slide 35

Chart: RELEASES PER YEAR (from 1/day to 1/hour)

Slide 36

Chart: DevOps, RELEASES PER YEAR (from 1/day to 1/hour)

Slide 37

Slide 38

The Problem: applications require complicated installation and integration every time they are deployed.

Slide 39

THE PROBLEM: DEVELOPERS vs. I.T. OPERATIONS

Slide 40

DEVOPS
● Everything as code
● Application monitoring
● Automate everything
● Rapid feedback
● Continuous Integration/Delivery
● Rebuild vs. Repair
● Application is always “releaseable”
● Delivery pipeline

Slide 41

A Solution: adopting a container strategy will allow applications to be easily shared and deployed.

Slide 42

WHAT ARE CONTAINERS? It Depends Who You Ask

INFRASTRUCTURE view:
● Sandboxed application processes on a shared Linux OS kernel
● Simpler, lighter, and denser than virtual machines
● Portable across different environments

APPLICATIONS view:
● Package my application and all of its dependencies
● Deploy to any environment in seconds and enable CI/CD
● Easily access and share containerized components

Slide 43

A SOLUTION (layered stack)
● Container (App): controlled by Developers
● Operating System, Virtual Machine, Hardware: controlled by IT Operations

Slide 44

A SOLUTION: DEVELOPERS and I.T. OPERATIONS

Slide 45

SECURITY MUST EVOLVE
Lifecycle: DESIGN → BUILD → RUN → MANAGE → ADAPT
Today: a SECURITY CHECKLIST, plus security policy, process & procedures

Slide 46

SECURITY MUST BE CONTINUOUS, and integrated throughout the IT lifecycle
(center: security policy, process & procedures)
● DESIGN: identify security requirements & governance models
● BUILD: built-in from the start; not bolted-on
● RUN: deploy to trusted platforms with enhanced security capabilities
● MANAGE: automate systems for security & compliance
● ADAPT: revise, update, remediate as the landscape changes

Slide 47

Slide 48

Slide 49

We have to share to iterate quicker.

Slide 50

A cloud is sharing at run-time.

Slide 51

Open source is sharing at dev-time.

Slide 52

Agility is the capability.

Slide 53

You are the catalyst.

Slide 54

YOU ARE NOT AN IT CRAFTSMAN. YOU ARE AN IT MANUFACTURER.

Slide 55

Slide 56

Contact Info
LinkedIn: https://www.linkedin.com/in/shawndwells/
EMail: shawn@redhat.com
Cell: 443-534-0130 (US EST)
Blog: https://shawnwells.io