© 2021 SPLUNK INC.
Pipeline Analytics: The foundation of DevSecOps
© 2020 SPLUNK INC.
Chris Riley
Sr Tech Advocate | Developer Relations
@HoardingInfo
Visibility Silos
Roles: Developers, Quality Engineers, DevOps Engineers, SRE & Ops, InfoSec
Stages: Plan/Code, Build, Test, Release, Deploy, Operate, Monitor, Respond
• End dev insights
• End quality insights
• End prod insights
The use cases of DevSecOps
• Build more secure applications
• Secure the application factory
• Secure applications in production
Characteristics of DevSecOps
• Integrated
• Using Automation
• Shift Security Left
• At DevOps Speed
Stages: Code, Build, Test, Release, Operate
The practice is not one-size-fits-all
• Build more secure apps: Developers, Quality Engineers, DevOps Engineers
• Secure the app factory: DevOps Engineers, Site Reliability Engineers (SRE), Security
• Secure apps in prod: Site Reliability Engineers (SRE), Security
• Make your DevSecOps practice visible: CIO, CTO, CISO
The practice is not one-size-fits-all
• Build more secure apps: Pipeline Analytics
• Secure the app factory: Pipeline Analytics, SIEM
• Secure apps in prod: SIEM, Observability, Incident Response
• Make your DevSecOps practice visible: Pipeline Analytics
Which means it should be:
• Operable
• Securable
• Measurable
[Diagram] Application layers: Infrastructure, Networking, Application Infrastructure, Backend, API, Front End, Application Logic
Labels: Infrastructure, APM / Infrastructure, APM, DEM / APM, DEM
Security - SIEM
Delivery Chain – Pipeline Analytics
Why - pipeline analytics
• If the delivery chain is down, no code ships
• Your SDLC is part of your attack surface
• Speaking the same language saves time
• Ongoing reduction of tech debt
• Can’t Shift-Left without it
What - pipeline analytics
• Monitor your SDLC
• Create Value Stream and Team Level KPIs
• Audit and Secure your SDLC
Measure – Know the meaning of good
• Choosing your measurement
  • Is it measurable?
• Meet DORA
  • Deployment Frequency (DF)
  • Lead Time for Changes (MLT)
  • Change Failure Rate (CFR)
  • Time to Recover/Restore (MTTR)
• And the others:
  • Work in Progress (WIP)
  • Cost of Downtime
  • Amount of unplanned work
  • Activity by Repo/Artifact
  • Branch aging summary
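The four DORA measurements listed above, computed from deployment records, as an added example that is not from the original slides. The record fields (commit_at, deployed_at, failed, restored_at), the 7-day window and the sample rows are assumptions constructed for illustration; a failed deployment that has not been restored yet counts toward CFR but is left out of MTTR.

```python
from datetime import datetime
from statistics import mean

# Constructed sample data: one row per production deployment, as it might look
# after joining source-control, CI/CD and incident data. Field names are assumed.
FIELDS = ("commit_at", "deployed_at", "failed", "restored_at")
ROWS = [
    ("2021-03-01T09:00", "2021-03-01T15:00", False, None),
    ("2021-03-02T10:00", "2021-03-03T10:00", True, "2021-03-03T12:00"),
    ("2021-03-04T08:00", "2021-03-04T20:00", False, None),
    ("2021-03-05T09:00", "2021-03-05T15:00", True, "2021-03-05T19:00"),
    ("2021-03-06T10:00", "2021-03-06T22:00", True, None),  # failure still open
]
DEPLOYS = [dict(zip(FIELDS, row)) for row in ROWS]


def _hours(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def dora_metrics(deploys, window_days):
    """Return DF, MLT, CFR and MTTR for the deployments in one reporting window."""
    if not deploys:
        return {"df_per_day": 0.0, "mlt_hours": None, "cfr": None,
                "mttr_hours": None, "open_failures": 0}
    failed = [d for d in deploys if d["failed"]]
    restored = [d for d in failed if d["restored_at"]]
    return {
        # Deployment Frequency: deployments per day over the window.
        "df_per_day": len(deploys) / window_days,
        # Lead Time for Changes: mean commit-to-production time.
        "mlt_hours": mean(_hours(d["commit_at"], d["deployed_at"]) for d in deploys),
        # Change Failure Rate: share of deployments that caused a failure.
        "cfr": len(failed) / len(deploys),
        # Time to Restore: mean over failures that have actually been restored.
        "mttr_hours": mean(_hours(d["deployed_at"], d["restored_at"])
                           for d in restored) if restored else None,
        # Failures without a restore time would otherwise silently flatter MTTR.
        "open_failures": len(failed) - len(restored),
    }


if __name__ == "__main__":
    for name, value in dora_metrics(DEPLOYS, window_days=7).items():
        print(f"{name}: {value}")
```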
How - pipeline analytics
• Gather metrics and logs from your tool chain
• Correlate data across tools & teams
• Observe
Monitor – Meet your SLO
• Infra Metrics: Memory, CPU, Disk, Network IO
• Status Up/Down
• RED – Rate, Error, Duration
• USE – Utilization, Saturation, Error
Audit & Secure – Stop bad actors
• SDLC Data:
  • Secrets
  • Code
• Deploy:
  • Artifact Scanning
  • Repo Activity
• Access:
  • Requests by policy/entity
  • Auth by type/method
  • Request by IP
  • Request by URI
  • Request/Auth Denials
Thank You!