1
00:00:00,240 --> 00:00:02,210
DevSecOps.

2
00:00:02,210 --> 00:00:05,320
In this lesson, we're going to talk about DevSecOps.

3
00:00:05,320 --> 00:00:06,330
But before we do that,

4
00:00:06,330 --> 00:00:09,360
we really have to take a step back and talk about DevOps.

5
00:00:09,360 --> 00:00:11,900
Now, DevOps was created to speed up the development

6
00:00:11,900 --> 00:00:14,210
and get things into production faster.

7
00:00:14,210 --> 00:00:16,450
As I mentioned, DevOps really relies

8
00:00:16,450 --> 00:00:18,750
on the concepts of continuous integration

9
00:00:18,750 --> 00:00:20,960
so that we all can be working together on the same thing

10
00:00:20,960 --> 00:00:23,700
and make sure we don't have big divergent changes.

11
00:00:23,700 --> 00:00:25,190
Now, when we talk about DevOps,

12
00:00:25,190 --> 00:00:27,390
this is an organizational culture shift

13
00:00:27,390 --> 00:00:29,140
that's going to combine the software development

14
00:00:29,140 --> 00:00:32,280
and the systems operations people into one team.

15
00:00:32,280 --> 00:00:34,030
This is basically the practice of integrating

16
00:00:34,030 --> 00:00:36,410
these two disciplines within a company.

17
00:00:36,410 --> 00:00:39,750
So, often, especially if you worked 10 or 15 years ago,

18
00:00:39,750 --> 00:00:41,530
you would see this type of a paradigm

19
00:00:41,530 --> 00:00:43,440
where you have development all in one area

20
00:00:43,440 --> 00:00:44,480
and they all work together.

21
00:00:44,480 --> 00:00:45,960
And then, you have all the operations folks

22
00:00:45,960 --> 00:00:47,590
who have to operate and maintain these systems

23
00:00:47,590 --> 00:00:49,140
and they'd be off in another area.

24
00:00:49,140 --> 00:00:51,350
And so, development would code something

25
00:00:51,350 --> 00:00:52,650
and then throw it over the wall

26
00:00:52,650 --> 00:00:55,210
and then operations has to live with it and support it.

27
00:00:55,210 --> 00:00:58,200
Now, this is a problem because this led to developers

28
00:00:58,200 --> 00:01:00,120
not doing their best work.

29
00:01:00,120 --> 00:01:01,627
And what I mean by that is there were a lot of security bugs.

30
00:01:01,627 --> 00:01:03,680
There were a lot of feature bugs

31
00:01:03,680 --> 00:01:05,350
and a lot of things just didn't work right.

32
00:01:05,350 --> 00:01:07,210
And so, somebody had the great idea

33
00:01:07,210 --> 00:01:10,350
about 10 or 15 or 20 years ago to create DevOps,

34
00:01:10,350 --> 00:01:12,410
which was: let's take some of these operations folks

35
00:01:12,410 --> 00:01:13,930
and put them in with developers

36
00:01:13,930 --> 00:01:14,980
and some of these developer folks

37
00:01:14,980 --> 00:01:16,470
and put them in with operations

38
00:01:16,470 --> 00:01:19,130
as we make these smaller teams where they work together.

39
00:01:19,130 --> 00:01:21,310
This way, when a developer creates something,

40
00:01:21,310 --> 00:01:23,200
the operations team can support it.

41
00:01:23,200 --> 00:01:25,480
By putting operations and developers together,

42
00:01:25,480 --> 00:01:28,480
you can build, test, and release software faster

43
00:01:28,480 --> 00:01:31,400
and more reliably because the people who are building it

44
00:01:31,400 --> 00:01:33,740
are also the people who are supporting it, right?

45
00:01:33,740 --> 00:01:35,550
Now, one of the problems with this, though,

46
00:01:35,550 --> 00:01:38,280
was that a lot of things were getting into operations very quickly.

47
00:01:38,280 --> 00:01:39,907
And then security came along and said,

48
00:01:39,907 --> 00:01:41,470
"Oh, this isn't secure.

49
00:01:41,470 --> 00:01:42,670
There are problems here.

50
00:01:42,670 --> 00:01:44,380
We need to fix all these vulnerabilities.

51
00:01:44,380 --> 00:01:47,480
And you didn't do this within compliance for HIPAA or GLBA

52
00:01:47,480 --> 00:01:49,450
or Sarbanes-Oxley or whatever."

53
00:01:49,450 --> 00:01:51,430
And so, this was another problem.

54
00:01:51,430 --> 00:01:52,263
So, they said,

55
00:01:52,263 --> 00:01:55,160
"Well, if putting dev and ops together was good,

56
00:01:55,160 --> 00:01:56,260
giving us DevOps,

57
00:01:56,260 --> 00:01:58,150
well, why don't we just add security in there too?"

58
00:01:58,150 --> 00:01:59,530
And that's essentially what they did,

59
00:01:59,530 --> 00:02:01,600
and they call it DevSecOps.

60
00:02:01,600 --> 00:02:04,070
Now, this is development, security, and operations,

61
00:02:04,070 --> 00:02:06,180
and it's a combination of software development,

62
00:02:06,180 --> 00:02:09,270
security operations, and systems operations, integrating

63
00:02:09,270 --> 00:02:11,970
all those disciplines together in one team.

64
00:02:11,970 --> 00:02:13,520
Now, this is a great way of doing things

65
00:02:13,520 --> 00:02:15,450
because when you're using DevSecOps,

66
00:02:15,450 --> 00:02:18,050
this is going to utilize a shift-left mindset.

67
00:02:18,050 --> 00:02:20,650
Now, what do I mean by a shift-left mindset?

68
00:02:20,650 --> 00:02:21,570
Now, we haven't really talked

69
00:02:21,570 --> 00:02:23,330
about what shift-left is in this course,

70
00:02:23,330 --> 00:02:24,920
because it's really not a concept

71
00:02:24,920 --> 00:02:26,740
that's focused on security.

72
00:02:26,740 --> 00:02:27,950
When we talk about shift-left,

73
00:02:27,950 --> 00:02:29,970
it actually comes from the information technology

74
00:02:29,970 --> 00:02:31,550
service management world.

75
00:02:31,550 --> 00:02:34,150
When we talk about shift-left, think about it like this.

76
00:02:34,150 --> 00:02:36,710
You have a series of steps that need to be done.

77
00:02:36,710 --> 00:02:37,543
And for instance,

78
00:02:37,543 --> 00:02:38,840
if I talk about the software development lifecycle,

79
00:02:38,840 --> 00:02:40,530
we could use that as our example.

80
00:02:40,530 --> 00:02:41,830
You're going to have some kind of a plan.

81
00:02:41,830 --> 00:02:43,010
You're going to design something.

82
00:02:43,010 --> 00:02:44,240
You're then going to build it.

83
00:02:44,240 --> 00:02:45,150
You're going to integrate it.

84
00:02:45,150 --> 00:02:47,200
You're going to put it into staging, put it into production.

85
00:02:47,200 --> 00:02:49,810
And it goes through all these different steps.

86
00:02:49,810 --> 00:02:51,880
Well, if you notice that eight-step methodology

87
00:02:51,880 --> 00:02:53,280
in the waterfall method,

88
00:02:53,280 --> 00:02:54,990
around step four or five or six

89
00:02:54,990 --> 00:02:56,990
is when we can actually start testing things.

90
00:02:56,990 --> 00:02:58,970
And then you start thinking about security towards the end.

91
00:02:58,970 --> 00:03:01,680
Well, with shift-left, we're trying to shift it left,

92
00:03:01,680 --> 00:03:03,660
or earlier in the lifecycle.

93
00:03:03,660 --> 00:03:06,640
So, the idea with DevSecOps is to take security,

94
00:03:06,640 --> 00:03:08,600
which used to be the last thing that happened,

95
00:03:08,600 --> 00:03:10,440
and put it all the way back in the beginning

96
00:03:10,440 --> 00:03:11,273
with the developers

97
00:03:11,273 --> 00:03:13,160
so we can think about it from the beginning.

98
00:03:13,160 --> 00:03:14,560
That's the idea of shifting left.

99
00:03:14,560 --> 00:03:16,810
It's moving things earlier in the lifecycle

100
00:03:16,810 --> 00:03:18,930
and to earlier people in the chain.

101
00:03:18,930 --> 00:03:20,840
And in this case, by doing DevSecOps

102
00:03:20,840 --> 00:03:22,290
and integrating a security person

103
00:03:22,290 --> 00:03:24,110
with the development and operations people,

104
00:03:24,110 --> 00:03:25,990
you can build more secure systems

105
00:03:25,990 --> 00:03:28,240
and get them fielded faster.

106
00:03:28,240 --> 00:03:31,330
Now, what are some big benefits of doing DevSecOps?

107
00:03:31,330 --> 00:03:33,350
Well, for one, you're going to integrate security

108
00:03:33,350 --> 00:03:34,610
from the beginning.

109
00:03:34,610 --> 00:03:36,070
This is always going to be a good thing

110
00:03:36,070 --> 00:03:38,680
because it's cheaper and easier to put security in

111
00:03:38,680 --> 00:03:41,260
from the beginning than to add it on later.

112
00:03:41,260 --> 00:03:42,093
Another thing you're going to do

113
00:03:42,093 --> 00:03:44,850
is you're going to test during and after development.

114
00:03:44,850 --> 00:03:47,050
So, we're not going to wait until step five or six

115
00:03:47,050 --> 00:03:47,910
to do our testing.

116
00:03:47,910 --> 00:03:49,510
No, we're going to write a block of code

117
00:03:49,510 --> 00:03:50,590
and we're going to test it.

118
00:03:50,590 --> 00:03:51,860
And then, we're going to integrate it back

119
00:03:51,860 --> 00:03:54,220
using continuous integration to the master code base.

120
00:03:54,220 --> 00:03:56,760
And this way, we can have 50 or 100 programmers

121
00:03:56,760 --> 00:03:58,280
working on something at once

122
00:03:58,280 --> 00:04:00,170
and not have a bunch of code conflicts

123
00:04:00,170 --> 00:04:02,400
because we're all getting things back in early.

124
00:04:02,400 --> 00:04:05,010
If we waited a week and then I had 50 changes to put in

125
00:04:05,010 --> 00:04:06,750
and you had 50 changes to put in,

126
00:04:06,750 --> 00:04:08,110
that can create a lot of conflicts,

127
00:04:08,110 --> 00:04:10,270
especially if we both change the same line.

128
00:04:10,270 --> 00:04:12,730
But, if we commit our changes very frequently,

129
00:04:12,730 --> 00:04:15,010
every couple of hours or even every day,

130
00:04:15,010 --> 00:04:17,270
that's going to have a lot fewer conflicts.

131
00:04:17,270 --> 00:04:18,170
And then the third area

132
00:04:18,170 --> 00:04:20,220
is we're going to automate our compliance checks.

133
00:04:20,220 --> 00:04:22,540
Now, this is another great thing about DevSecOps

134
00:04:22,540 --> 00:04:23,660
because we have developers

135
00:04:23,660 --> 00:04:25,800
and they can build things with code, right?

136
00:04:25,800 --> 00:04:27,920
And so, if they go through and code something,

137
00:04:27,920 --> 00:04:29,740
like automated compliance checks,

138
00:04:29,740 --> 00:04:31,930
we can have all these things that are scripted.

139
00:04:31,930 --> 00:04:33,150
So, when you create a piece of code

140
00:04:33,150 --> 00:04:35,630
and you happen to work in a hospital, well, guess what?

141
00:04:35,630 --> 00:04:37,670
We're going to run it against the HIPAA compliance checks

142
00:04:37,670 --> 00:04:39,930
and make sure everything is within compliance.

143
00:04:39,930 --> 00:04:41,650
This way, we can figure that out very early,

144
00:04:41,650 --> 00:04:43,380
before we go into production.

145
00:04:43,380 --> 00:04:45,690
And that way, we can fix those issues faster

146
00:04:45,690 --> 00:04:47,540
and save ourselves a lot of time and effort.