As we wrote about last week, the explosion of DevOps – with 88% of businesses saying they’ve adopted or will adopt DevOps within the next five years – has made it clear that we need to tightly integrate security in the fast-paced, iterative cultures that are DevOps organizations.
We can’t fight DevOps, if we ever did. DevOps is good all around when done right – and security plays a big part in helping DevOps organizations thrive. And luckily for you, lots of security and DevOps people already have experience in how to work in harmony together – and even better, they want to pass their knowledge along. There is some great watching and reading material to draw inspiration, ideas and advice from – so we gathered up 21 of the best talks and other resources we’ve seen to help you along the way.
If you’re completely new to the concept of DevOps, start here. This video by Rackspace offers a simple explanation of the basic principles of DevOps and how development and operations work together to support faster releases, with the end goal of satisfying customers.
Gene Kim, who co-founded Tripwire and, with Kevin Behr and George Spafford, wrote The Phoenix Project, could be called one of the “founding fathers” of DevOps. His earlier books, The Visible Ops Handbook and Visible Ops Security, are the culmination of a decade and a half of research into how different organizations adopted what we now call DevOps principles before it became “the next big thing.” In other words, Gene knows what he’s talking about, and presentations like this one show it.
This primer on the intersection of Security and DevOps was given by James Turnbull, VP of Engineering at Kickstarter, at MountainWest RubyConf in 2013. Speaking to a room filled mostly with developers and IT folks, James explains why DevOps should cooperate with security and how the two can work together for the good of each team and the organization as a whole.
A great watch for security people interested in seeing what matters to the DevOps team and how you can help facilitate a strong collaboration.
We can’t talk about DevOps without referring to Jez Humble. Co-author of Continuous Delivery (with David Farley) and Lean Enterprise, two books on concepts deeply embedded in DevOps, Jez was at the automation platform Chef when he gave this talk. In it, he offers realistic advice for all types of organizations looking to adopt the continuous delivery approach. Recommended for those interested in an in-depth look at the steps involved in adopting CD methodologies and a DevOps culture.
Alert Logic and Chef teamed up for this presentation in a discussion about automation and the lessons security teams can learn from DevOps ecosystems. Watch this presentation for specific examples of how other organizations integrate security controls into their DevOps programs and how to overcome challenges with Application Security technologies.
Josh Corman, CTO at Sonatype and longtime proponent of the DevOps approach, gave this keynote at the 2013 RSA Conference in Europe. “Now is our opportunity to drive security upstream, automate, and evolve… or not,” he says. Josh does a great job discussing the need to change our mindset around security in order to maintain our organizations.
Like Etsy, Twitter is another organization leading the pack in terms of integrating DevOps and Security. The company has changed a lot in its decade of experience and automation has been a big part of that.
Twitter security engineers Justin Collins (the man behind the Brakeman static analysis tool, which gets love in our Open Source Tools list) and Alex Smolen, along with Neil Matatall (now at GitHub), discuss their process for automating security and offer great advice for organizations looking to do the same.
One of the biggest challenges many security practitioners face within DevOps environments is how to achieve compliance in an ecosystem with so many moving parts. This panel discussion, hosted by Josh Corman at the DevOps Enterprise Summit last year, offers a fresh look at compliance issues, including advice from an auditor sitting on the panel.
Zane Lackey, formerly of Etsy, has given multiple talks on the lessons he learned building and adapting a security team within Etsy’s DevOps program. Chock full of real-life advice about implementing a bug bounty program, incentivizing DevOps to turn to you with their security-related questions (HINT: Don’t be a jerk!), and the keys to effective attack simulations, the video and its slide deck are highly recommended for those looking to improve an existing or brand-new flow between DevOps and Security.
Nick Galbreath, another Etsy alum turned Signal Sciences co-founder, gave this talk at DevOpsDays Austin in 2012. With an eye towards Application Security concepts, Nick discusses the need for speed in security within DevOps, which calls for “a standardized, automated system and configuration management.”
He goes into detail on specific ways to make sure security actually gets done in DevOps, including reusing your continuous integration environment, tracking and minimizing SQL injections over time, and making all security issues either immediate or near-immediate fixes. With Nick’s breadth and depth of security and DevOps knowledge, these slides are highly valuable!
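The three points above (reuse the CI environment, track the SQL injection count over time, treat security findings as immediate fixes) can be wired into one small build step. The script below is an added example for this post, not code from Nick’s talk or from any scanner’s project. It assumes a made-up JSON report format in which every finding carries a stable fingerprint, category, severity, file and line; the sample reports inside it are constructed, and a real scanner’s output (Brakeman, CxSAST or any other) would need a small adapter in load_findings().

```python
"""Security gate for a CI job: diff a scanner's findings against a stored
baseline, block new high-severity issues immediately, and ratchet the count
of a tracked category (SQL injection here) so it can only decrease over time.

Added example for this post; not code from the original page or from any
speaker's project. The report format below (a JSON object with a "findings"
list of fingerprint/category/severity/file/line entries) is an assumption
made for the example.
"""
import json
import sys
from typing import Dict, List, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample reports (not real scan output). A fingerprint is the
# scanner's stable identity for a finding so it can be matched across runs.
BASELINE_REPORT = """{"findings": [
 {"fingerprint": "a1", "category": "sql_injection", "severity": "high",   "file": "app/models/user.rb",  "line": 42},
 {"fingerprint": "a2", "category": "sql_injection", "severity": "high",   "file": "app/models/order.rb", "line": 17},
 {"fingerprint": "a3", "category": "xss",           "severity": "medium", "file": "app/views/home.erb",  "line": 9}
]}"""

# One commit later: one SQL injection fixed, one new medium-severity XSS.
CURRENT_REPORT_GOOD = """{"findings": [
 {"fingerprint": "a1", "category": "sql_injection", "severity": "high",   "file": "app/models/user.rb",   "line": 42},
 {"fingerprint": "a3", "category": "xss",           "severity": "medium", "file": "app/views/home.erb",   "line": 9},
 {"fingerprint": "b7", "category": "xss",           "severity": "medium", "file": "app/views/search.erb", "line": 21}
]}"""

# A commit that adds a brand-new SQL injection on top of the baseline.
CURRENT_REPORT_BAD = """{"findings": [
 {"fingerprint": "a1", "category": "sql_injection", "severity": "high",   "file": "app/models/user.rb",  "line": 42},
 {"fingerprint": "a2", "category": "sql_injection", "severity": "high",   "file": "app/models/order.rb", "line": 17},
 {"fingerprint": "a3", "category": "xss",           "severity": "medium", "file": "app/views/home.erb",  "line": 9},
 {"fingerprint": "c9", "category": "sql_injection", "severity": "high",   "file": "app/controllers/reports_controller.rb", "line": 55}
]}"""


def load_findings(report_json: str) -> Dict[str, dict]:
    """Index a report's findings by fingerprint (adapter point for real scanners)."""
    return {f["fingerprint"]: f for f in json.loads(report_json)["findings"]}


def count_category(findings: Dict[str, dict], category: str) -> int:
    return sum(1 for f in findings.values() if f["category"] == category)


def severity_rank(severity: str) -> int:
    # Fail closed: an unknown severity label is treated as the highest rank.
    return SEVERITY_RANK.get(severity.lower(), max(SEVERITY_RANK.values()))


def gate(baseline_json: str, current_json: str,
         block_at: str = "high",
         ratchet_category: str = "sql_injection") -> Tuple[bool, List[str]]:
    """Return (passed, reasons). An empty reasons list means the build may proceed."""
    baseline = load_findings(baseline_json)
    current = load_findings(current_json)
    reasons: List[str] = []

    # Rule 1: a finding absent from the baseline, at or above block_at, fails now.
    for fp, f in current.items():
        if fp not in baseline and severity_rank(f["severity"]) >= severity_rank(block_at):
            reasons.append(f"new {f['severity']} {f['category']} at {f['file']}:{f['line']}")

    # Rule 2: the tracked category may never grow; the baseline count is the ceiling.
    before = count_category(baseline, ratchet_category)
    after = count_category(current, ratchet_category)
    if after > before:
        reasons.append(f"{ratchet_category} count rose from {before} to {after}")

    return (not reasons), reasons


def summarize(baseline_json: str, current_json: str) -> Dict[str, int]:
    """Counts of findings added and removed since the baseline."""
    baseline = load_findings(baseline_json)
    current = load_findings(current_json)
    return {"new": len(current.keys() - baseline.keys()),
            "fixed": len(baseline.keys() - current.keys())}


def main(argv: List[str]) -> int:
    """Usage: gate.py baseline.json current.json [next_baseline.json]
    On success the current report is written out as the new, lower baseline."""
    if len(argv) < 3:
        print("usage: gate.py baseline.json current.json [next_baseline.json]")
        return 2
    with open(argv[1]) as fh:
        baseline_json = fh.read()
    with open(argv[2]) as fh:
        current_json = fh.read()
    passed, reasons = gate(baseline_json, current_json)
    for r in reasons:
        print("BLOCKED:", r)
    if passed and len(argv) > 3:
        with open(argv[3], "w") as out:
            out.write(current_json)  # ratchet down: current becomes the ceiling
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the job right after the scan, e.g. `python gate.py baseline.json current.json baseline.json`. A new finding at or above the blocking severity fails the build on the spot, which is Nick’s “immediate fix” in build-rule form; the SQL injection count can only fall, because a passing run overwrites the baseline with the smaller current set, which is what “minimizing over time” looks like when the pipeline enforces it rather than a spreadsheet.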
Given by our own Product Manager, Helen Bravo, at an OWASP conference a few years back, this presentation offers a high-level overview of DevOps and best practices for integrating security into Continuous Integration/Continuous Delivery (CI/CD) environments.
This overview of what the convergence of DevOps and Security entails throughout the software development lifecycle (SDLC) was presented by Alan Shimel of DevOps.com and Andrew Storms of CloudPassage. Short and sweet, this presentation offers a brief conceptualization of how to adapt security processes at every stage.
Given by Gareth Rushgrove, an engineer at Puppet Labs, this presentation discusses the importance of collaboration and shared, automated tooling at the intersection of security and DevOps. Recommended for those looking to hear more about why automation is so crucial in these (and any) organizations.
There’s a lot of buzz around the different DevOps tools being thrown around, and it can be difficult to break through the noise. So it’s a welcome treat to hear from seasoned professionals about how they’ve successfully used those tools in their DevOps environments, and about how they get attacked. This presentation is just that, given by Ken Johnson of nVisium and Facebook security engineer Chris Gates. From AWS to Jenkins and more, DevOoops offers a great look at the tools and how best to use them.
Entertaining and insightful, this presentation given by David Mortman and Josh Corman at this year’s RSA USA conference gives great examples of how DevOps and Security have proven to co-exist well and improve each other, for example the tools born out of DevOps early adopters like Netflix, Twitter and Etsy, tools which integrate security testing into the deployment pipeline.
Bonus: Make sure to read the tweets at the bottom of most slides for better explanation and hilarious commentary. We’ll add the video of this if/once it becomes available!
Presented by Rich Smith the Director of Security at Etsy, this presentation discusses how security can learn from DevOps and why security must adopt a “security as an enabler” culture in order to work with DevOps.
Etsy is an organization that’s consistently been at the forefront of the organizational evolution of DevOps and security, and presentations like this one make it clear why. If this presentation makes you hungry for similar, make sure to check out Etsy’s Code as Craft page.
This presentation, given by Stephen de Vries at OWASP EU in 2014, offers a clear explanation of the challenges and importance of automating security testing for DevOps, and of making those tests fit into the development workflow and continuous integration pipelines.
This short SlideShare presentation given at AWS Re:Invent offers a case study into how a company producing medical devices secures their applications to keep in compliance with HIPAA. Check it out for pointed examples of how the organization protects data provided by their software-powered glucose-dosing device that’s processed over 56,000 glucose readings in over 1,500 patients since 2009.
While not technically a presentation, we couldn’t leave this fantastic resource off the list. Atlassian offers an incredible collection of DevOps-related content, which often discusses security issues as well. The greatest thing about the Dojo is that it all stems from Atlassian’s own efforts with security and DevOps.
With an editorial staff that includes Devs and Ops people along with security professionals, this site is a great stop for in-depth content on any DevOps topic you can think of, with plenty of security material included.
What other talks and resources have you enjoyed on DevOps and Security? Share below!