2016 AppsecUSA Devops Talk
At AppSecUSA 2016’s DevOps track, I gave a talk titled “Moving to the Left: DevOps practices and the changing role of SecOps”. I used the State of DevOps Survey that Puppet sponsored as my source material. The video of this talk didn’t get posted anywhere (sadface).
Abstract
As shown in the 2016 State of DevOps Survey, DevOps practices are changing the role of security teams, moving them “to the left” in the SDLC as part of the design phase and no longer simply validating production as being secure. Result: 50% less time remediating security issues.
The State of DevOps Survey has been running for the last 5 years, and the past two in particular have shown that DevOps practices are moving beyond just “Dev” and “Ops” to involve security teams as well as other areas of the business. Various labels are being used to describe this world (SecDevOps, DevSecOps, RuggedDevOps), but the critical inflection point is that the combination of strong automation platforms, continuous delivery, infrastructure-as-code and version control is enabling security teams to validate and secure apps and infrastructure at the design phase. This minimizes the amount of manual validation of production by security teams, enables faster remediation of security issues and ultimately results in more secure deployments, but only if security teams take this opportunity to revisit existing practices that have built up over time.
In this talk we’ll be covering the high-level results of the 2016 State of DevOps Report and the changing role of security teams, as well as some anonymized user stories illustrating both how to best take advantage of a growing DevOps practice within your organization and major missteps observed in the field.