A lot of security people have a bad attitude about DevOps. Heck, sometimes it’s for good reasons. Lots of vendors are selling “DevOps in a box”: they’ll come in and “do the DevOps for you”, etc. What can you end up with? Lots of people with root access to servers with real data on them, code being deployed straight into production without appropriate testing, dogs and cats living together, mass hysteria!
I’m here to show you that it doesn’t have to be that way. I come armed with data from several years of the State of DevOps Report that shows how enterprises are finding security wins in embracing DevOps. I’ll show results of that survey and talk about trends in what we’ve seen. I’ll also talk about processes that a security team can put into place to make measurable wins for their infosec program. Not in security? I’ll show you what you can do to help out and start shipping better software or services. This isn’t just for web app shops either: we’ll talk about doing this in enterprise IT, where you don’t get the luxury of writing everything you have to run.
As a red-and-blue-team member turned sysadmin herder, Bill Weiss had an early introduction to automation in security, and he’s spent the rest of his career trying to bring that idea to more places. He started out working in the .gov, moved to Chicago to spend several years at a financial services SaaS, and finally made it to Portland in 2015 to join Puppet as the Manager of SysOps, which he thinks is a way better term than “sysadmin”. Quite recently he moved to be a security architect, working to make Puppet even more secure in new and interesting ways.