pipeline analytics: the foundation of devsecops

Post on 07-Apr-2022

© 2021 SPLUNK INC.

Pipeline Analytics: The foundation of DevSecOps

© 2020 SPLUNK INC.

Chris Riley
Sr Tech Advocate | Developer Relations
@HoardingInfo

Visibility Silos

[Diagram. Roles: Developers, Quality Engineers, DevOps Engineers, SRE & Ops, InfoSec. Delivery stages: Plan/Code, Build, Test, Release, Deploy, Operate, Monitor, Respond. Markers: End dev insights, End quality insights, End prod insights.]

The use cases of DevSecOps

• Build more secure applications

• Secure the application factory

• Secure applications in production

Characteristics of DevSecOps

• Integrated

• Using Automation

• Shift Security Left

• At DevOps Speed

[Diagram stages: Code, Build, Test, Release, Operate]

The practice is not one-size-fits-all

[Diagram. Use cases: Secure apps in prod; Secure the app factory; Make your DevSecOps practice visible; Build more secure apps. Roles shown: Developers; Quality Engineers; DevOps Engineers; Site Reliability Engineers (SRE); Security; CIO, CTO, CISO.]

The practice is not one-size-fits-all

[Diagram. Use cases: Secure apps in prod; Secure the app factory; Make your DevSecOps practice visible; Build more secure apps. Capabilities shown: SIEM; Observability; Incident Response; Pipeline Analytics.]

Which means it should be:

• Operable

• Securable

• Measurable

[Diagram. Stack layers: Infrastructure, Networking, Application Infrastructure, Backend, API, Front End, Application Logic. Monitoring labels on the layers: Infrastructure, APM / Infrastructure, APM, DEM / APM, DEM. Also shown: Security - SIEM; Delivery Chain – Pipeline Analytics.]

Why - pipeline analytics

• If the delivery chain is down, no code ships

• Your SDLC is part of your attack surface

• Speaking the same language saves time

• Ongoing reduction of tech debt

• Can’t Shift-Left without it

What - pipeline analytics

• Monitor your SDLC

• Create Value Stream and Team Level KPIs

• Audit and Secure your SDLC

Measure – Know the meaning of good

• Choosing your measurement

• Is it measurable?

• Meet DORA
  • Deployment Frequency (DF)
  • Lead Time for Changes (MLT)
  • Change Failure Rate (CFR)
  • Time to Recover/Restore (MTTR)

• And the others:
  • Work in Progress (WIP)
  • Cost of Downtime
  • Amount of un-planned work
  • Activity by Repo/Artifact
  • Branch aging summary

How - pipeline analytics

• Gather metrics and logs from your tool chain

• Correlate data across tools & teams

• Observe

Monitor – Meet your SLO

• Infra Metrics: Memory, CPU, Disk, Network IO

• Status Up/Down

• RED – Rate, Error, Duration

• USE – Utilization, Saturation, Error

Audit & Secure – Stop bad actors

• SDLC Data:
  • Secrets
  • Code

• Deploy:
  • Artifact Scanning
  • Repo Activity

• Access:
  • Requests by policy/entity
  • Auth by type/method
  • Request by IP
  • Request by URI
  • Request/Auth Denials

Thank You!
