Infosec In The New World
Order:
Rugged DevOps and More…

Gene Kim
Winnipeg ISACA
April 26, 2012



Where Did The High Performers Come From?
Agenda
 Background of research
 The big unsolved problem
 What is Rugged?
 What is DevOps?
 How do you do Rugged DevOps?
 Things you can do right away
High Performing IT Organizations
 High performers maintain a posture of compliance
    Fewest number of repeat audit findings
    One-third the amount of audit preparation effort
 High performers find and fix security breaches faster
    5 times more likely to detect breaches by automated control
    5 times less likely to have breaches result in a loss event
 When high performers implement changes…
    14 times more changes
    One-half the change failure rate
    One-quarter the first fix failure rate
    10x faster MTTR for Sev 1 outages
 When high performers manage IT resources…
    One-third the amount of unplanned work
    8 times more projects and IT services
    6 times more applications
Source: IT Process Institute, 2008
Visible Ops: Playbook of High Performers
 The IT Process Institute has been studying high-performing organizations since 1999
    What is common to all the high performers?
    What is different between them and average and low performers?
    How did they become great?
 Answers have been codified in the Visible Ops Methodology
www.ITPI.org
2007: Three Controls Predict 60% Of Performance
 To what extent does an organization define, monitor and enforce the following?
    Standardized configuration strategy
    Process discipline
    Controlled access to production systems
Source: IT Process Institute, 2008
The Downward Spiral

Operations sees…
 Fragile applications are prone to failure
 Long time required to figure out “which bit got flipped”
 Detective control is a salesperson
 Too much time required to restore service
 Too much firefighting and unplanned work
 Urgent security rework and remediation
 Planned project work cannot complete
 Frustrated customers leave
 Market share goes down
 Business misses Wall Street commitments
 Business makes even larger promises to Wall Street

Dev sees…
 More urgent, date-driven projects put into the queue
 Even more fragile code (less secure) put into production
 More releases have increasingly “turbulent installs”
 Release cycles lengthen to amortize “cost of deployments”
 Failing bigger deployments more difficult to diagnose
 Most senior and constrained IT ops resources have less time to fix underlying process problems
 Ever increasing backlog of work that could help the business win
 Ever increasing amount of tension between IT Ops, Development, Design…

These aren’t IT or Infosec problems… These are business problems!
My Mission: Figure Out How To Break The IT Core Chronic Conflict

 Every IT organization is pressured to simultaneously:
    Respond more quickly to urgent business needs
    Provide stable, secure and predictable IT service

Words often used to describe process improvement: “hysterical, irrelevant, bureaucratic, bottleneck, difficult to understand, not aligned with the business, immature, shrill, perpetually focused on irrelevant technical minutiae…”

Source: The authors acknowledge that Dr. Eliyahu Goldratt, creator of the Theory of Constraints and author of The Goal, has written extensively on the theory and practice of identifying and resolving core, chronic conflicts.
Good News: It Can Be Done

Bad News: You Can’t Do It Alone
Ops
QA And Test
Source: Flickr: vandyll
Development
Infosec
Product Management And Design
Source: Flickr: birdsandanchors
But…
Ludicrous Speed?
Ludicrous Speed
Ludicrous Speed!
Ludicrous Fail?!
DevOps:
The Shining Beacon Of Hope
Source: John Allspaw
Winnipeg ISACA Security is Dead, Rugged DevOps
Source: Theo Schlossnagle
Source: John Jenkins, Amazon.com
What Is Rugged?
Rugged Software Development
Joshua Corman, David Rice, Jeff Williams
2010
RUGGED SOFTWARE
…so software not only needs to be…
FAST
AGILE
Are You Rugged?
HARSH
UNFRIENDLY
THE MANIFESTO
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
www.ruggedsoftware.org
CrossTalk: http://www.crosstalkonline.org/issues/marchapril-2011.html
What Is Rugged DevOps?
Source: James Wickett
DevOps: It’s A Real Movement
 I would never do another startup that didn’t employ DevOps-like principles
 It’s not just startups – it’s happening in the enterprise and in public sector, too
 I believe working in DevOps environments will be a necessary skillset 5 years from now
 Just as Agile helped Dev regain trust with the business, DevOps will help all of IT
How Do You Do DevOps?
The Prescriptive DevOps Cookbook
 “DevOps Cookbook” Authors: Patrick Debois, Mike Orzen, John Willis
 Goals
    Codify how to start and finish DevOps transformations
    How do Development, IT Operations and Infosec become dependable partners?
    Describe in detail how to replicate the transformations described in “When IT Fails: The Novel”
“The Goal” by Dr. Eliyahu Goldratt
The First Way: Systems Thinking

[Diagram: flow of work from left (Business) to right (Customer)]

The First Way: Systems Thinking (Left To Right)

 Never pass defects to downstream work centers
 Never allow local optimization to create global degradation
 Increase flow: elevate bottlenecks, reduce WIP, throttle release of work, reduce batch sizes
 Understanding where reliance is placed
Phase 1: Extend the Agile CI/CR Processes
 Assign Ops person into Dev team
 Create one-step Dev, Test and Production environment creation procedure in Sprint 0
 Create the one-step automated code deployment procedure
 Define roles of Dev, QA, Prod Mgmt and Infosec
The First Way: Systems Thinking: Infosec Insurgency
 Have infosec attend the daily Agile standups
    Gain awareness of what the team is working on
 Find the automated infrastructure project team (e.g., puppet, chef)
    Provide hardening guidance
    Integrate and extend their production configuration monitoring
 Find where code packaging is performed
    Integrate security testing pre- and post-deployment
 Integrate into continuous integration and release process
    Add security test scripts to automated test library
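An added example, not from the deck, of the kind of post-deployment check these bullets call for: it extends production configuration monitoring by hashing a known-good baseline, comparing it with what a deployment left behind, and separating drift that a change record authorized from drift nobody approved, so the “which bit got flipped” hunt starts with an answer. All paths, file contents and the change id CHG-0042 are constructed sample data.

```python
"""Post-deployment configuration variance check (added example, constructed data)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: what the standardized build says production should contain.
BASELINE_FILES: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/app/app.conf": b"debug = false\nlisten = 0.0.0.0:8443\n",
    "/etc/sudoers.d/deploy": b"deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app\n",
}
BASELINE: Dict[str, str] = {p: sha256_hex(c) for p, c in BASELINE_FILES.items()}

# Constructed observation after a deployment: one authorized edit to app.conf,
# one unauthorized widening of sudo rights, and a stray backup file the
# baseline never contained.
OBSERVED_FILES: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/app/app.conf": b"debug = false\nlisten = 0.0.0.0:8443\nmax_conn = 2000\n",
    "/etc/sudoers.d/deploy": b"deploy ALL=(root) NOPASSWD: ALL\n",
    "/etc/app/app.conf.bak": b"debug = true\n",
}

# Constructed change records: paths the change process authorized for this release.
APPROVED_CHANGES: Dict[str, Set[str]] = {"CHG-0042": {"/etc/app/app.conf"}}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str  # approved_change | unapproved_change | unexpected_file | missing_file
    change_id: Optional[str] = None


def find_variance(baseline: Dict[str, str], observed: Dict[str, bytes],
                  approved_changes: Dict[str, Set[str]]) -> List[Finding]:
    """Compare observed file contents with baseline hashes and classify every difference."""
    approved_paths = {p: cid for cid, paths in approved_changes.items() for p in paths}
    observed_hashes = {p: sha256_hex(c) for p, c in observed.items()}
    findings: List[Finding] = []
    for path, expected in sorted(baseline.items()):
        actual = observed_hashes.get(path)
        if actual is None:
            findings.append(Finding(path, "missing_file"))
        elif actual != expected:
            cid = approved_paths.get(path)
            findings.append(Finding(path, "approved_change" if cid else "unapproved_change", cid))
    # Anything present that the baseline does not know about is variance too.
    for path in sorted(set(observed_hashes) - set(baseline)):
        findings.append(Finding(path, "unexpected_file"))
    return findings


def release_gate(findings: List[Finding]) -> Tuple[bool, List[Finding]]:
    """Pass only when every difference is covered by a change record."""
    blocking = [f for f in findings if f.kind != "approved_change"]
    return (not blocking, blocking)


if __name__ == "__main__":
    results = find_variance(BASELINE, OBSERVED_FILES, APPROVED_CHANGES)
    passed, blocking = release_gate(results)
    for f in results:
        print(f"{f.kind:18} {f.path}" + (f"  ({f.change_id})" if f.change_id else ""))
    print("release gate:", "PASS" if passed else f"FAIL ({len(blocking)} unapproved differences)")
```

Run as a post-deployment step in the pipeline, a failing gate is the signal to roll back or raise an incident rather than fix forward.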
The First Way: Outcomes
 Determinism in the release process
 Continuation of the Agile and CI/CR processes
 Creating single repository for code and environments
 Packaging responsibility moves to development
 Consistent Dev, QA, Int, and Staging environments, all properly built before deployment begins
 Decrease cycle time
    Reduce deployment times from 6 hours to 45 minutes
    Refactor deployment process that had 1300+ steps spanning 4 weeks
 Faster release cadence
The Second Way: Amplify Feedback Loops

The Second Way: Amplify Feedback Loops (Right to Left)
 Protect the integrity of the entire system of work, versus completion of tasks
 Expose visual data so everyone can see how their decisions affect the entire system
Phase 2: Extend Release Process And Create Right -> Left Feedback Loops
 Embed Dev into Ops escalation process
 Invite Dev to post-mortems/root cause analysis meeting
 Create necessary rollback procedures (instead of fixing forward)
 Create application monitoring/metrics to aid in Ops work (e.g., incident/problem management)
 Actively manage flow of work across org boundaries
The Second Way: Amplify Feedback Loops: Infosec Insurgency
 Extend criteria of what changes/deploys cannot be made without triggering full retest
 Create reusable Infosec use and abuse stories that can be added to every project
    “Handle peak traffic of 4MM users and constant 4-6 Gb/sec Anonymous DDoS attacks”
 Integrate Infosec and IR into the Ops/Dev escalation processes (e.g., RACI)
 Pre-enable, shield and streamline successful audits
    Document separation of duty and compensating controls
    Don’t let them disrupt the work
The Second Way: Outcomes
 Andon cords that stop the production line
 Kanban to control work
 Project freeze to reduce work in process
 Eradicating “quick fixes” that circumvent the process
 Ops user stories are part of the Agile planning process
 Better build and deployment systems
 More stable environment
 Happier and more productive staff
Definition: Kanban Board
 Signaling tool to reduce WIP and increase flow
The Third Way: Culture Of Continual Experimentation And Learning

 Foster a culture that rewards:
    Experimentation (taking risks) and learning from failure
    Repetition is the prerequisite to mastery
 Why?
    You need a culture that keeps pushing into the danger zone
    And have the habits that enable you to survive in the danger zone
You Don’t Choose Chaos Monkey…
Chaos Monkey Chooses You
Phase 3: Organize Dev and Ops To Achieve Organizational Goals
 Allocate 20% of Dev cycles to non-functional requirements
 Build Ops user stories and environments in Dev that can be reused across all projects (e.g., deployment, capacity, security)
 Integrate fault injection and resilience into design, development and production (e.g., Chaos Monkey)
 Prioritize backlog to manage technical debt
The Third Way: Culture Of Continual Experimentation And Learning: Infosec
 Add Infosec fixes to the Agile backlog
    Make technical debt visible
    Help prioritize work against features and other non-functional requirements
 Weaponize the Security Monkey
    Evil/Fuzzy/Chaotic Monkey
    Eradicate SQLi and XSS defects in our lifetime
 Let loose the Security Monkeys and the Simian Army
 Eliminate needless complexity
 Become the standard bearer: 20% of Dev cycles spent on non-functional requirements
 Take work out of the system
 Keep decreasing cycle time: it increases the work that the system can achieve
The Third Way: Outcomes
 Dedicated time spent on improving daily work (best practice: 20% of Dev dedicated to non-functional requirements)
 Continual reduction of unplanned work
 More cycles for planned work
 Projects completed to pay down technical debt and increase flow
 Elimination of needless complexity
 More resilient code and environments
 Balancing nimbleness and practiced repetition
 Enabling wider range of risk/reward balance
What Does Transformation Feel Like?
Find What’s Most Important First
Quickly Find What Is Different…
Before Something Bad Happens…
Find Risk Early…
Communicate It Effectively To Peers…
Hold People Accountable…
Based On Objective Evidence…
Answer Important Questions…
Recognize Compounding Technical Debt…
That Gets Worse…
And Fixing It…
Source: Pingdom
Have What We Need, When We Need It…
Big Things Get Done Quickly…
Ever Increasing Situational Mastery…
Help The Business Win…
With Support From Your Peers…
And Do More With Less Effort…
This Is An Important Problem
When IT Fails: The Novel and The DevOps Cookbook

Coming in July 2012

“In the tradition of the best MBA case studies, this book should be mandatory reading for business and IT graduates alike.”
Paul Muller, VP Software Marketing, Hewlett-Packard

“The greatest IT management book of our generation.”
Branden Williams, CTO Marketing, RSA

Gene Kim, Tripwire founder, Visible Ops co-author

When IT Fails: The Novel and The DevOps Cookbook

Our mission is to positively affect the lives of 1 million IT workers by 2017

If you would like the “Top 10 Things You Need To Know About DevOps,” sample chapters and updates on the book:
 Sign up at http://itrevolution.com
 Email genek@realgenekim.me
 Hand me a business card

Gene Kim, Tripwire founder, Visible Ops co-author
Thank You

Appendix
Resources
 From the IT Process Institute: www.itpi.org
    Both Visible Ops Handbooks
    ITPI IT Controls Performance Study
 Rugged Software by Corman, et al: http://ruggedsoftware.org
 “Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation” by Humble, Farley
 Follow us…
    @JoshCorman, @RealGeneKim
    mailto:genek@realgenekim.me
    http://realgenekim.me/blog
Common Traits of High Performers
Culture of…
Change management
   Integration of IT operations/security via problem/change management
   Processes that serve both organizational needs and business objectives
   Highest rate of effective change

Causality
   Highest service levels (MTTR, MTBF)
   Highest first fix rate (unneeded rework)

Compliance and continual reduction of operational variance
   Production configurations
   Highest level of pre-production staffing
   Effective pre-production controls
   Effective pairing of preventive and detective controls

                               Source: IT Process Institute
Visible Ops: Playbook of High Performers
 The IT Process Institute has been studying high-performing organizations since 1999
    What is common to all the high performers?
    What is different between them and average and low performers?
    How did they become great?
 Answers have been codified in the Visible Ops Methodology
 The “Visible Ops Handbook” is available from the ITPI
www.ITPI.org
IT Operations Increases Process Rigor
 Standardize deployment
 Standardize unplanned work: make it repeatable
 Modify first response: ensure constrained resources have all data at hand to diagnose
 Elevate preventive activities to reduce incidents
Help Development…
 Help them see downstream effects
    Unplanned work comes at the expense of planned work
    Technical debt retards feature throughput
    Environment matters as much as the code
 Allocate time for fault modeling, asking “what could go wrong?” and implementing countermeasures
Help QA…
 Ensure test plans cover not only code functionality, but also:
    Suitability of the environment the code runs in
    The end-to-end deployment process
 Help find variance…
    Functionality, performance, configuration
    Duration, wait time and handoff errors, rework, …
John Pesche, CISO
 CISO for 12 years
 39 years old
 Aggressive career climber
 Ex-Big Four auditor

 
2011 09 18 United "Platitudes, reality and promise"
2011 09 18 United "Platitudes, reality and promise"2011 09 18 United "Platitudes, reality and promise"
2011 09 18 United "Platitudes, reality and promise"
 
2011 03 14 dev ops meetup - top lessons creating dev-ops super-tribes 2b
2011 03 14   dev ops meetup - top lessons creating dev-ops super-tribes 2b2011 03 14   dev ops meetup - top lessons creating dev-ops super-tribes 2b
2011 03 14 dev ops meetup - top lessons creating dev-ops super-tribes 2b
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
 
ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015
 
DevSecOps with Microsoft Tech
DevSecOps with Microsoft TechDevSecOps with Microsoft Tech
DevSecOps with Microsoft Tech
 
Puppet Channel Sales Training Webinar: Puppet Sales Messaging
Puppet Channel Sales Training Webinar: Puppet Sales MessagingPuppet Channel Sales Training Webinar: Puppet Sales Messaging
Puppet Channel Sales Training Webinar: Puppet Sales Messaging
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
 
State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
 
DevSecCon Keynote
DevSecCon KeynoteDevSecCon Keynote
DevSecCon Keynote
 
DevOps and Security, a Match Made in Heaven
DevOps and Security, a Match Made in HeavenDevOps and Security, a Match Made in Heaven
DevOps and Security, a Match Made in Heaven
 
DevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just SecurityDevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just Security
 
Continuous Delivery
Continuous DeliveryContinuous Delivery
Continuous Delivery
 
ROOTS2011 Continuous Delivery
ROOTS2011 Continuous DeliveryROOTS2011 Continuous Delivery
ROOTS2011 Continuous Delivery
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery
 
DevOps Introduction
DevOps IntroductionDevOps Introduction
DevOps Introduction
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
 
DevOps for Defenders in the Enterprise
DevOps for Defenders in the EnterpriseDevOps for Defenders in the Enterprise
DevOps for Defenders in the Enterprise
 

Kürzlich hochgeladen

Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyHanna Klim
 
Project Brief & Information Architecture Report
Project Brief & Information Architecture ReportProject Brief & Information Architecture Report
Project Brief & Information Architecture Reportamberjiles31
 
Live-Streaming in the Music Industry Webinar
Live-Streaming in the Music Industry WebinarLive-Streaming in the Music Industry Webinar
Live-Streaming in the Music Industry WebinarNathanielSchmuck
 
Personal Brand Exploration Presentation Eric Bonilla
Personal Brand Exploration Presentation Eric BonillaPersonal Brand Exploration Presentation Eric Bonilla
Personal Brand Exploration Presentation Eric BonillaEricBonilla13
 
Fabric RFID Wristbands in Ireland for Events and Festivals
Fabric RFID Wristbands in Ireland for Events and FestivalsFabric RFID Wristbands in Ireland for Events and Festivals
Fabric RFID Wristbands in Ireland for Events and FestivalsWristbands Ireland
 
7movierulz.uk
7movierulz.uk7movierulz.uk
7movierulz.ukaroemirsr
 
NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023Steve Rader
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access
 
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)tazeenaila12
 
Plano de marketing- inglês em formato ppt
Plano de marketing- inglês  em formato pptPlano de marketing- inglês  em formato ppt
Plano de marketing- inglês em formato pptElizangelaSoaresdaCo
 
Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..dlewis191
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Lviv Startup Club
 
Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Winbusinessin
 
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...AustraliaChapterIIBA
 
Entrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsEntrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsP&CO
 
PDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdfPDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdfHajeJanKamps
 
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdfAMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdfJohnCarloValencia4
 
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 Building Your Personal Brand on LinkedIn - Expert Planet-  2024 Building Your Personal Brand on LinkedIn - Expert Planet-  2024
Building Your Personal Brand on LinkedIn - Expert Planet- 2024Stephan Koning
 
Lecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toLecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toumarfarooquejamali32
 

Kürzlich hochgeladen (20)

Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agency
 
Project Brief & Information Architecture Report
Project Brief & Information Architecture ReportProject Brief & Information Architecture Report
Project Brief & Information Architecture Report
 
Live-Streaming in the Music Industry Webinar
Live-Streaming in the Music Industry WebinarLive-Streaming in the Music Industry Webinar
Live-Streaming in the Music Industry Webinar
 
Personal Brand Exploration Presentation Eric Bonilla
Personal Brand Exploration Presentation Eric BonillaPersonal Brand Exploration Presentation Eric Bonilla
Personal Brand Exploration Presentation Eric Bonilla
 
Fabric RFID Wristbands in Ireland for Events and Festivals
Fabric RFID Wristbands in Ireland for Events and FestivalsFabric RFID Wristbands in Ireland for Events and Festivals
Fabric RFID Wristbands in Ireland for Events and Festivals
 
7movierulz.uk
7movierulz.uk7movierulz.uk
7movierulz.uk
 
NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024
 
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
 
Plano de marketing- inglês em formato ppt
Plano de marketing- inglês  em formato pptPlano de marketing- inglês  em formato ppt
Plano de marketing- inglês em formato ppt
 
Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)
 
Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024
 
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
 
Entrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsEntrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizations
 
PDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdfPDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdf
 
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdfAMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
 
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 Building Your Personal Brand on LinkedIn - Expert Planet-  2024 Building Your Personal Brand on LinkedIn - Expert Planet-  2024
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 
Investment Opportunity for Thailand's Automotive & EV Industries
Investment Opportunity for Thailand's Automotive & EV IndustriesInvestment Opportunity for Thailand's Automotive & EV Industries
Investment Opportunity for Thailand's Automotive & EV Industries
 
Lecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toLecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb to
 

Winnipeg ISACA Security is Dead, Rugged DevOps

  • 1. Infosec In The New World Order: Rugged DevOps and More… Gene Kim Winnipeg ISACA April 26, 2012 Session ID:
  • 2. Where Did The High Performers Come From?
  • 3. Agenda  Background of research  The big unsolved problem  What is Rugged?  What is DevOps?  How do you do Rugged DevOps?  Things you can do right away
  • 4. High Performing IT Organizations  High performers maintain a posture of compliance  Fewest number of repeat audit findings  One-third amount of audit preparation effort  High performers find and fix security breaches faster  5 times more likely to detect breaches by automated control  5 times less likely to have breaches result in a loss event  When high performers implement changes…  14 times more changes  One-half the change failure rate  One-quarter the first fix failure rate  10x faster MTTR for Sev 1 outages  When high performers manage IT resources…  One-third the amount of unplanned work  8 times more projects and IT services  6 times more applications Source: IT Process Institute, 2008
  • 5. Visible Ops: Playbook of High Performers  The IT Process Institute has been studying high-performing organizations since 1999  What is common to all the high performers?  What is different between them and average and low performers?  How did they become great?  Answers have been codified in the Visible Ops Methodology www.ITPI.org
  • 6. 2007: Three Controls Predict 60% Of Performance  To what extent does an organization define, monitor and enforce the following?  Standardized configuration strategy  Process discipline  Controlled access to production systems Source: IT Process Institute, 2008
  • 7. The Downward Spiral. Operations sees: Fragile applications are prone to failure; Long time required to figure out “which bit got flipped”; Detective control is a salesperson; Too much time required to restore service; Too much firefighting and unplanned work; Urgent security rework and remediation; Planned project work cannot complete; Frustrated customers leave; Market share goes down; Business misses Wall Street commitments; Business makes even larger promises to Wall Street. Dev sees: More urgent, date-driven projects put into the queue; Even more fragile code (less secure) put into production; More releases have increasingly “turbulent installs”; Release cycles lengthen to amortize “cost of deployments”; Failing bigger deployments more difficult to diagnose; Most senior and constrained IT Ops resources have less time to fix underlying process problems; Ever increasing backlog of work that could help the business win; Ever increasing amount of tension between IT Ops, Development, Design… These aren’t IT or Infosec problems… These are business problems!
  • 8. My Mission: Figure Out How To Break The IT Core Chronic Conflict  Every IT organization is pressured to simultaneously:  Respond more quickly to urgent business needs  Provide stable, secure and predictable IT service  Words often used to describe process improvement: “hysterical, irrelevant, bureaucratic, bottleneck, difficult to understand, not aligned with the business, immature, shrill, perpetually focused on irrelevant technical minutiae…”  Source: The authors acknowledge that Dr. Eliyahu Goldratt, creator of the Theory of Constraints and author of The Goal, has written extensively on the theory and practice of identifying and resolving core, chronic conflicts.
  • 9. Good News: It Can Be Done Bad News: You Can’t Do It Alone
  • 10. Ops
  • 11. QA And Test Source: Flickr: vandyll
  • 14. Product Management And Design Source: Flickr: birdsandanchors
  • 15. But…
  • 29. Source: John Jenkins, Amazon.com
  • 31. Rugged Software Development Joshua Corman, David Rice, Jeff Williams 2010
  • 35. …so software not only needs to be…
  • 36. FAST
  • 37. AGILE
  • 39. HARSH
  • 43. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
  • 45. www.ruggedsoftware.org CrossTalk http://www.crosstalkonline.org/issues/marchapril-2011.html
  • 46. What Is Rugged DevOps?
  • 50. DevOps: It’s A Real Movement  I would never do another startup that didn’t employ DevOps like principles  It’s not just startups – it’s happening in the enterprise and in public sector, too  I believe working in DevOps environments will be a necessary skillset 5 years from now  Just as Agile helped Dev regain trust with the business, DevOps will help all of IT
  • 51. How Do You Do DevOps?
  • 52. The Prescriptive DevOps Cookbook  “DevOps Cookbook” Authors  Patrick DeBois, Mike Orzen, John Willis  Goals  Codify how to start and finish DevOps transformations  How do Development, IT Operations and Infosec become dependable partners?  Describe in detail how to replicate the transformations described in “When IT Fails: The Novel”
  • 53. “The Goal” by Dr. Eliyahu Goldratt
  • 54.
  • 55.
  • 57. The First Way: Systems Thinking (Business) (Customer)
  • 58. The First Way: Systems Thinking (Left To Right)  Never pass defects to downstream work centers  Never allow local optimization to create global degradation  Increase flow: elevate bottlenecks, reduce WIP, throttle release of work, reduce batch sizes  Understanding where reliance is placed
  • 59. Phase 1: Extend the Agile CI/CR Processes  Assign Ops person into Dev team  Create one-step Dev, Test and Production environment creation procedure in Sprint 0  Create the one-step automated code deployment procedure  Define roles of Dev, QA, Prod Mgmt and Infosec
  • 60. The First Way: Systems Thinking: Infosec Insurgency  Have infosec attend the daily Agile standups  Gain awareness of what the team is working on  Find the automated infrastructure project team (e.g., puppet, chef)  Provide hardening guidance  Integrate and extend their production configuration monitoring  Find where code packaging is performed  Integrate security testing pre- and post-deployment  Integrate into continuous integration and release process  Add security test scripts to automated test library
  • 61. The First Way: Outcomes  Determinism in the release process  Continuation of the Agile and CI/CR processes  Creating single repository for code and environments  Packaging responsibility moves to development  Consistent Dev, QA, Int, and Staging environments, all properly built before deployment begins  Decrease cycle time  Reduce deployment times from 6 hours to 45 minutes  Refactor deployment process that had 1300+ steps spanning 4 weeks  Faster release cadence
  • 62. The Second Way: Amplify Feedback Loops
  • 63. The Second Way: Amplify Feedback Loops (Right to Left)  Protect the integrity of the entire system of work, versus completion of tasks  Expose visual data so everyone can see how their decisions affect the entire system
  • 64. Phase 2: Extend Release Process And Create Right -> Left Feedback Loops  Embed Dev into Ops escalation process  Invite Dev to post-mortems/root cause analysis meeting  Create necessary rollback procedures (instead of fixing forward)  Create application monitoring/metrics to aid in Ops work (e.g., incident/problem management)  Actively manage flow of work across org boundaries
  • 65. The Second Way: Amplify Feedback Loops: Infosec Insurgency  Extend criteria of what changes/deploys cannot be made without triggering full retest  Create reusable Infosec use and abuse stories that can be added to every project  “Handle peak traffic of 4MM users and constant 4-6 Gb/sec Anonymous DDoS attacks”  Integrate Infosec and IR into the Ops/Dev escalation processes (e.g., RACI)  Pre-enable, shield streamline successful audits  Document separation of duty and compensating controls  Don’t let them disrupt the work
  • 66. The Second Way: Outcomes  Andon cords that stop the production line  Kanban to control work  Project freeze to reduce work in process  Eradicating “quick fixes” that circumvent the process  Ops user stories are part of the Agile planning process  Better build and deployment systems  More stable environment  Happier and more productive staff
  • 67. Definition: Kanban Board  Signaling tool to reduce WIP and increase flow
  • 68. The Third Way: Culture Of Continual Experimentation And Learning
  • 69. The Third Way: Culture Of Continual Experimentation And Learning  Foster a culture that rewards:  Experimentation (taking risks) and learning from failure  Repetition is the prerequisite to mastery  Why?  You need a culture that keeps pushing into the danger zone  And have the habits that enable you to survive in the danger zone
  • 70. You Don’t Choose Chaos Monkey… Chaos Monkey Chooses You
  • 71. Phase 3: Organize Dev and Ops To Achieve Organizational Goals  Allocate 20% of Dev cycles to non-functional requirements  Build Ops user stories and environments in Dev that can be reused across all projects (e.g., deployment, capacity, security)  Integrate fault injection and resilience into design, development and production (e.g., Chaos Monkey)  Prioritize backlog to manage technical debt
  • 73. The Third Way: Culture Of Continual Experimentation And Learning: Infosec  Add Infosec fixes to the Agile backlog  Make technical debt visible  Help prioritize work against features and other non-functional requirements  Weaponize the Security Monkey  Evil/Fuzzy/Chaotic Monkey  Eradicate SQLi and XSS defects in our lifetime  Let loose the Security Monkeys and the Simian Army  Eliminate needless complexity  Become the standard bearer: 20% of Dev cycles spent on non-functional requirements  Take work out of the system  Keep decreasing cycle time: it increases work that the system can achieve
  • 74. The Third Way: Outcomes  Dedicated time spent on improving daily work (best practice: 20% of Dev dedicated to non-functional requirements)  Continual reduction of unplanned work  More cycles for planned work  Projects completed to pay down technical debt and increase flow  Elimination of needless complexity  More resilient code and environments  Balancing nimbleness and practiced repetition  Enabling wider range of risk/reward balance
  • 75. What Does Transformation Feel Like?
  • 76. Find What’s Most Important First
  • 77. Quickly Find What Is Different…
  • 78. Before Something Bad Happens…
  • 82. Based On Objective Evidence…
  • 86. And Fixing It… Source: Pingdom
  • 87. Have What We Need, When We Need It…
  • 88. Big Things Get Done Quickly…
  • 91. With Support From Your Peers…
  • 92. And Do More With Less Effort…
  • 93. This Is An Important Problem. Operations sees: Fragile applications are prone to failure; Long time required to figure out “which bit got flipped”; Detective control is a salesperson; Too much time required to restore service; Too much firefighting and unplanned work; Urgent security rework and remediation; Planned project work cannot complete; Frustrated customers leave; Market share goes down; Business misses Wall Street commitments; Business makes even larger promises to Wall Street. Dev sees: More urgent, date-driven projects put into the queue; Even more fragile code (less secure) put into production; More releases have increasingly “turbulent installs”; Release cycles lengthen to amortize “cost of deployments”; Failing bigger deployments more difficult to diagnose; Most senior and constrained IT Ops resources have less time to fix underlying process problems; Ever increasing backlog of work that could help the business win; Ever increasing amount of tension between IT Ops, Development, Design…
  • 94. When IT Fails: The Novel and The DevOps Cookbook  Coming in July 2012  “In the tradition of the best MBA case studies, this book should be mandatory reading for business and IT graduates alike.” Paul Muller, VP Software Marketing, Hewlett-Packard  “The greatest IT management book of our generation.” Branden Williams, CTO Marketing, RSA  (Gene Kim, Tripwire founder, Visible Ops co-author)
  • 95. When IT Fails: The Novel and The DevOps Cookbook  Our mission is to positively affect the lives of 1 million IT workers by 2017  If you would like the “Top 10 Things You Need To Know About DevOps,” sample chapters and updates on the book:  Sign up at http://itrevolution.com  Email genek@realgenekim.me  Hand me a business card  (Gene Kim, Tripwire founder, Visible Ops co-author)
  • 96. Thank You
  • 97. Appendix
  • 98. Resources  From the IT Process Institute www.itpi.org  Both Visible Ops Handbooks  ITPI IT Controls Performance Study  Rugged Software by Corman, et al: http://ruggedsoftware.org  “Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation” by Humble, Farley  Follow us…  @JoshCorman, @RealGeneKim  mailto:genek@realgenekim.me  http://realgenekim.me/blog
  • 99. Common Traits of High Performers  Culture of change management:  Integration of IT operations/security via problem/change management  Processes that serve both organizational needs and business objectives  Highest rate of effective change  Culture of causality:  Highest service levels (MTTR, MTBF)  Highest first fix rate (unneeded rework)  Culture of compliance and continual reduction of operational variance:  Production configurations  Highest level of pre-production staffing  Effective pre-production controls  Effective pairing of preventive and detective controls  Source: IT Process Institute
  • 100. Visible Ops: Playbook of High Performers  The IT Process Institute has been studying high-performing organizations since 1999  What is common to all the high performers?  What is different between them and average and low performers?  How did they become great?  Answers have been codified in the Visible Ops Methodology  The “Visible Ops Handbook” is available from the ITPI www.ITPI.org
  • 101. IT Operations Increases Process Rigor  Standardize deployment  Standardize unplanned work: make it repeatable  Modify first response: ensure constrained resources have all data at hand to diagnose  Elevate preventive activities to reduce incidents
  • 102. Help Development…  Help them see downstream effects  Unplanned work comes at the expense of planned work  Technical debt retards feature throughput  Environment matters as much as the code  Allocate time for fault modeling, asking “what could go wrong?” and implementing countermeasures
  • 103. Help QA…  Ensure test plans cover not only code functionality, but also:  Suitability of the environment the code runs in  The end-to-end deployment process  Help find variance…  Functionality, performance, configuration  Duration, wait time and handoff errors, rework, …
  • 104. John Pesche, CISO  CISO for 12 years  39 years old  Aggressive career climber  Ex-Big Four auditor
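Slides 60 and 61 (integrate and extend production configuration monitoring, add security test scripts to the automated test library) and the speaker notes on measuring variance between production and known-good states describe one concrete control without showing it. The following is an added example and is not code from this deck, from Tripwire or from the ITPI: a Python check that fingerprints the environment build QA signed off on, compares a production snapshot against it, and fails a CI gate on every difference that did not go through change management. The file paths, file contents and the authorized-change set are constructed sample data; a real deployment would read the snapshots from the hosts or from a configuration-monitoring tool.

```python
"""Configuration-variance gate for an automated test library (added example).

Snapshots are modelled as {path: bytes}. Every file in the known-good build is
hashed; production is hashed the same way; added, removed and changed paths are
reported, and any difference not covered by an approved change is a finding.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed sample: the environment that was built and tested in QA ...
KNOWN_GOOD = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/opt/app/release.txt": b"build 1234\n",
}

# ... and what production looks like now (constructed). The release file moved
# to the next build through the pipeline; sshd_config was hand-edited and a
# "quick fix" script appeared without going through the process.
PRODUCTION = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/opt/app/release.txt": b"build 1235\n",
    "/opt/app/hotfix.sh": b"echo quick fix\n",
}

# Paths whose change was approved through change management (constructed).
AUTHORIZED = {"/opt/app/release.txt"}


def fingerprint(snapshot):
    """Map each path to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in snapshot.items()}


@dataclass
class Variance:
    """Paths that differ between a baseline and a current fingerprint map."""
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    changed: list = field(default_factory=list)

    def is_clean(self):
        return not (self.added or self.removed or self.changed)


def compare(baseline, current):
    """Diff two fingerprint maps; every list comes back sorted for stable output."""
    v = Variance()
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            v.added.append(path)
        elif path not in current:
            v.removed.append(path)
        elif baseline[path] != current[path]:
            v.changed.append(path)
    return v


def ci_gate(baseline_snapshot, current_snapshot, authorized):
    """Return one finding per unauthorized difference; an empty list means pass."""
    v = compare(fingerprint(baseline_snapshot), fingerprint(current_snapshot))
    findings = []
    for path in v.added:
        if path not in authorized:
            findings.append(f"ADDED   {path}: not part of the known-good build")
    for path in v.removed:
        if path not in authorized:
            findings.append(f"REMOVED {path}: present in the known-good build")
    for path in v.changed:
        if path not in authorized:
            findings.append(f"CHANGED {path}: content differs from the known-good build")
    return findings


if __name__ == "__main__":
    import sys

    problems = ci_gate(KNOWN_GOOD, PRODUCTION, AUTHORIZED)
    for line in problems:
        print(line)
    print("variance gate:", "FAIL" if problems else "PASS")
    sys.exit(1 if problems else 0)
```

Wired into the release pipeline as one more test in the automated library, the gate turns "someone changed something in production" into a failed build with the exact path named, which is the visibility the speaker notes ask for; the approved-change set is what lets a legitimate release through without a human exception.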

Editor's notes

  1. How each side actively impedes the achievement of each other’s goals.
  2. Who are they auditing? IT operations. I love IT operations. Why? Because when the developers screw up, the only people who can save the day are the IT operations people. Memory leak? No problem, we’ll do hourly reboots until you figure that out. Who here is from IT operations? Bad day: Not as prepared for the audit as they thought. Spending 30% of their time scrambling, generating presentations for auditors. Or an outage, and the developer is adamant that they didn’t make the change – they’re saying, “it must be the security guys – they’re always causing outages.” Or, there’s 50 systems behind the load balancer, and six systems are acting funny – what’s different, and who made them different? Or every server is like a snowflake, each having its own personality. We as Tripwire practitioners can help them make sure changes are made visible, authorized, deployed completely and accurately, and find differences. Create and enforce a culture of change management and causality.
  3. Who’s introducing variance? Well, it’s often these guys. Show me a developer who isn’t causing an outage, and I’ll show you one who is on vacation. Primary measurement is deploying features quickly – get to market. I’ve worked with two of the five largest Internet companies (Google, Microsoft, Yahoo, AOL, Amazon), and I now believe that the biggest differentiator to great time to market is great operations. Bad day: We do 6 weeks of testing, but deployment still fails. Why? QA environment doesn’t match production. Or there’s a failure in testing, and no one can agree whether it’s a code failure or an environment failure. Or changes are made in QA, but no one wrote them down, so they didn’t get replicated downstream in production. Believe it or not, we as Tripwire practitioners can even help them – make sure environments are available when we need them, that they’re configured correctly the first time, document all the changes, replicate them downstream.
  4. So who are all these constituencies that we can help, and increase our relevance as Tripwire practitioners and champions? How many people here are in infosec? Goal: protect critical systems and data. Safeguard organizational commitments. Prevent security breaches, help quickly detect and recover from them. Bad day: no security standards. No one is complying. Yes, we’re 3 years behind. “Whaddya gonna do about it?” Vs. we (Tripwire owners) can become more relevant and add value by helping infosec leverage all the configuration guidance out there. Measure variance between production and those known good states. Trust and verify that when management says “we’ve trued up the configurations,” they’ve actually done it. Why? Now, more than ever, there is an ever increasing amount of regulatory and contractual requirements to protect systems and data.
  5. Tell story of Amazon, Netflix: they care about availability, security. It’s not a push, it’s a pull – they’re looking for our help (#1 concern: fear of disintermediation and being marginalized).
  6. At RSA 2009, Josh Corman, Jeff Williams, and David Rice were chatting at the Greylock cocktail party.
  7. So software not only needs
  8. …fast, and…
  9. …agile, but it also needs to be…
  10. …rugged. Capable of withstanding…
  11. …the harshest conditions…
  12. …and most unfriendly environments…
  13. [ text ] My personal goal is to prescriptively define 1) what Dev needs to do to become a reliable partner, 2) what IT Operations needs to do to become a reliable partner, and then 3) how they work together to deliver unbelievable value to the business. Of course, the goal is more than happy coexistence. It’s to replicate the Etsy and LinkedIn stories: increase the rate of features that we can put into production, while simultaneously maintaining the reliability, stability, security and survivability of the production environment.
  14. [ picture of messy data center ] Ten minutes into Bill’s first day on the job, he has to deal with a payroll run failure. Tomorrow is payday, and finance just found out that while all the salaried employees are going to get paid, none of the hourly factory employees will. All their records from the factory timekeeping systems were zeroed out. Was it a SAN failure? A database failure? An application failure? Interface failure? Cabling error?
  15. http://www.flickr.com/photos/heritagefutures/3110685470/
  16. How each side actively impedes the achievement of each other’s goals.
  17. But it’s not just about effectiveness and efficiency. Or just about being efficiently effective, or effectively efficient. Which brings us to the second theme of this conference, which is relevance. The work has to mean something to someone. In my journey of studying high performing IT organizations, I’ve run into many non-high performers. And in those organizations, controls functions, and information security is often viewed as the shrill, hysterical people who are trying to create bureaucratic processes, which suck the will to live out of everyone it touches. These are the functions that tend to get marginalized, or worse, totally avoided. “We have an urgent project that needs to get done. Make sure you don’t invite Gene, because he’ll guarantee that it won’t get done.” Our job is to make money for the business, and I’m not sure what Gene’s job is…