MountainWest RubyConf 2013
Hell Has Frozen Over: DevOps & Security

by James Turnbull

The video titled "Hell Has Frozen Over: DevOps & Security" features James Turnbull at the MountainWest RubyConf 2013, focusing on the potential collaboration between DevOps and security teams within organizations. Turnbull, who has extensive experience in both security operations and DevOps, discusses the common misconceptions and tensions that exist between these two groups, highlighting their respective perspectives on each other's roles.

Key Points Discussed:

  • Understanding the Conflict: Turnbull reflects on the prevalent negative views that Dev and Ops personnel often hold towards security teams, seeing them as obstacles rather than allies. Conversely, security teams may view the rise of DevOps as chaotic and potentially disastrous for security protocols.
  • Importance of Cooperation: The core message centers around the idea that both DevOps and security can coexist and even thrive together if they understand and appreciate each other's contributions.
  • What DevOps Means for Security: Turnbull explains how the practices and principles of DevOps can enhance security measures, ultimately leading to better protection and risk management.
  • Selling DevOps to Security: He shares strategies for advocating DevOps practices to security teams, emphasizing the shared goal of improving the organization’s security posture while maintaining agility.
  • Changing the Risk Landscape: DevOps can help shift risk perceptions in organizations, allowing for more proactive approaches to security issues, rather than solely focusing on reactive measures.
  • Mutual Benefits: Turnbull stresses that security professionals have valuable insights that could significantly benefit the DevOps process, creating an environment of mutual respect and shared goals.

Conclusion:

The talk concludes with a positive outlook on the relationship between DevOps and security, indicating that with open communication and cooperation, they can form a "long and prosperous friendship". This collaboration can lead to innovation and improved outcomes for both development processes and security practices in organizations, suggesting that despite past grievances, a united approach can make both teams more effective.

00:00:20.480 Good morning! My talk this morning is called "Hell Is Frozen Over: DevOps and Security". We are going to explore how they can cooperate.
00:00:34.079 So, who am I? I'm James Turnbull. I work at Puppet Labs, and I was one of the early employees there. Before that, I was the release manager for the Puppet project and wrote a lot of the documentation, which has thankfully been improved by other contributors since. Additionally, I reported to the Chief Security Officer at a large Australian bank and ran an incident response team for those familiar with Computer Emergency Response Teams.
00:00:45.399 My background includes about 20 years in security architecture and operations. I've authored six technical books, two of which are about Puppet. Recently, I released a book titled "The Logstash Book" about Logstash, which is an open-source logging tool. Even if you don't buy the book, I recommend looking into Logstash; it's quite excellent. If you're using something like Splunk, Logstash is a very affordable alternative.
00:01:16.080 As an Australian, I have a unique accent and a tendency to speak quite quickly. If you don't understand something I say, please don't hesitate to raise your hand and let me know. There are a few other Australians in the audience who may understand me better, but I appreciate your patience. I must also warn you that, as an Australian, I occasionally use inappropriate language in my presentations. I apologize in advance if that happens. I'm working hard to keep it under control.
00:02:04.360 Does anyone here work in operations? (pause) Okay, not a huge crowd. How about developers? (pause) I believe Jean and I are the only security people in the room, is that correct? (pause) And Josh, I guess you could claim that too; he has experience in the past. I've spent about ten years working in IT security in both small and large organizations. My last position was in a massive enterprise with approximately 50,000 employees, 6,000 IT staff, and around 300 in IT security.
00:02:37.160 I left that job to work at a startup, largely because I found the corporate environment unfulfilling. Here are a few things I disliked about the role. Firstly, security personnel often face distrust. I would visit project teams, and project managers would often hide, going to get coffee when they heard I was coming. This reaction is typical because security professionals aren't usually seen as the bearers of good news. More often, I'm the one saying, "We just tested that code, and you should really salt those passwords because we managed to crack them all."