Controlled Chaos: The Inevitable Marriage of DevOps & Security

Black Hat USA 2019

Presented by: Nicole Forsgren, Kelly Shortridge
Date: Wednesday August 07, 2019
Time: 16:00 - 16:50
Location: South Pacific

We've all heard "software is eating the world" – that most organizations are becoming software organizations in some form. In this new era, DevOps rises as the engine of the business, and organizations resisting its ascension empirically fall behind. Those in information security often view DevOps as demons by another name and assume that if they aren't a hyperscale tech organization, they can safely ignore these trends.

In reality, information security has a choice: marry with their DevOps colleagues and embrace the philosophy of controlled chaos, or eventually be shoved aside, descending into impotence and irrelevancy. In this session, we'll explain the basics of DevOps and the concepts of resilience and chaos engineering. Using large-scale survey data, we'll illuminate which factors determine whether an organization is "elite" in this software-dominant world. We'll then uncover how DevOps' priorities and goals aren't so dissimilar from modern infosec's goals.

We'll delve into implications for security programs, particularly the shift from security for its own sake to security as an enabler of business objectives. Then, we'll expose why chaos and resilience engineering represents the future of security programs – and why it catalyzes the dawn of defensive innovation. We'll show how chaos and resilience fit with the C.I.A. triad and why the D.I.E. triad of distributed, immutable, and ephemeral might be the model of the future. Focusing on practical implementation, we'll examine metrics, GameDays, and existing resiliency tools that security teams can adopt and extend to meet their goals.

Finally, we'll propose pragmatic approaches for security teams to make a marriage to DevOps last through a love of controlled chaos. We'll conclude by discussing partnership opportunities with DevOps to support the organization on its path to leetness – and to transform security from a frustrating cost center to a lean, mean, innovation machine.

Kelly Shortridge

Kelly Shortridge is currently VP of Product Strategy at Capsule8. Kelly is known for research into the applications of behavioral economics to information security and has spoken at conferences internationally including Black Hat USA, AusCERT, Hacktivity, Troopers, and ZeroNights. Kelly previously served in product roles at SecurityScorecard and BAE Systems Applied Intelligence after co-founding IperLane, a security startup which was acquired. Kelly began their career as an investment banking analyst at Teneo Capital covering the data security and analytics sectors.

Nicole Forsgren

Dr. Nicole Forsgren does research and strategy at Google Cloud following the acquisition of her startup DevOps Research and Assessment (DORA) by Google. She is co-author of the book Accelerate: The Science of Lean Software and DevOps, and is best known for her work measuring the technology process and as the lead investigator on the largest DevOps studies to date. She has been an entrepreneur, professor, sysadmin, and performance engineer. Nicole's work has been published in several peer-reviewed journals. Nicole earned her PhD in Management Information Systems from the University of Arizona, and is a Research Affiliate at Clemson University and Florida International University.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats