How I Stopped Worrying and Learned To Love InfraOps - Karthik Rangarajan Daniel Tobin Derbycon 2015 (Hacking Illustrated Series InfoSec Tutorial Videos)

How I Stopped Worrying and Learned To Love InfraOps
Karthik Rangarajan Daniel Tobin
Derbycon 2015

In the last two years, the ideal organization of security amongst other teams has been hotly debated. Many permutations have been presented: DevOps and SecOps should be married[1], SecOps is DevOps[2], DevOps includes security[3]. By contrast, others have raised questions about whether there can ever be a reconciliation between DevOps and SecOps[4], and explored the security risks of having a fast-paced DevOps environment[5]. Illustrating the importance of this interaction, the RSA Conference has an entire day dedicated to DevOpsSec, at which information security luminaries are presenting. Taken in sum, the crux is that Security is still an outsider looking in, and trying to find a seat at the table where Development, Operations, IT, and Product meet. While Security teams might not be considered exclusively naysayers, their differing priorities (compliance, different appetites for risk, etc.) make integration hardly facile. In this talk, we present a new paradigm that better aligns security with the needs of the full organization - InfraOps. This isn't merely a new name, but a novel, holistic approach to how we deal with operations. It encompasses not only how we deploy software or how we monitor our production environments - but rather permeates to all areas, including local networks and IT infrastructure. This presentation will focus on the tools, processes, and mechanisms Addepar has used to implement InfraOps, and demonstrate the value added since such implementation. In addition, we will be providing tools and hope to spur further conversation to encourage organizations of various sizes to implement the ideas provided, so as to give back to the community in general.

[1] http://blog.evident.io/blog/2015/3/26/the-marriage-of-devops-secops http://www.devsecops.org/presentations/
[2] http://www.sonatype.org/nexus/2015/01/06/is-secops-devops/
[3] http://www.slideshare.net/KrisBuytaert/devops-secops-opsec-devsec-ops
[4] http://businessinsights.bitdefender.com/devops-secops-impossible-conciliation
[5] http://www.slideshare.net/chrisgates/lascon-2014-devooops

Karthik Rangarajan is an experienced security engineer with a focus on application and infrastructure security. Karthik has worked in various roles in the past, and has a unique perspective on both security and attacking applications. Currently, Karthik works at Addepar, helping secure the next generation wealth management platform. Previously, Karthik worked as a senior principal consultant for a Fortune 500 company, heading large application assessment projects, penetration tests and vulnerability assessments. Karthik used to be a co-host of the InfoSec Daily Podcast, and is currently a frequent guest on another podcast, InfoSec Hot Button.

Daniel Tobin has over ten years of experience in the creation and deployment of solutions protecting networks, systems and information assets with a focus on providing the best value from solutions deployed. He has a Masters of Science in Networking and Telecommunications from the University of Pennsylvania and is currently Director of InfrastructureOps at Addepar.

@krangarajan
@dant24


Copyright 2016, IronGeek