Speaker

Mike Fraser

VP & Field CTO of DevSecOps @ Sophos

Incline Village, Nevada, United States

Mike Fraser is currently VP & Field CTO of DevSecOps at Sophos after his startup Refactr was acquired; at Refactr he was co-founder, CEO and chief architect. Mike started his career in the United States Air Force working on F-15 fighter jet weapons systems and later as a cybersecurity engineer. Mike has founded multiple tech companies and is a regular speaker at numerous industry events, including HashiConf, AnsibleFest, ChefConf, KubeSec, and All Day DevOps. Mike earned a bachelor's degree in application development from North Seattle College and has a master's degree in computer science from Seattle University.

Area of Expertise

  • Information & Communications Technology
  • Business & Management
  • Media & Information

Topics

  • DevSecOps
  • DevOps & Automation
  • Cloud & DevOps
  • DevOpsCulture
  • Software Development
  • Information Security
  • IT Security
  • InfoSec
  • Cloud Computing
  • Cloud Automation
  • Cloud Security

A Whole New World: Building Security into Containerized Apps

As organizations race toward cloud-native, many have the technical know-how to build and deploy containers, including on Kubernetes, but managing the entire container environment, including its compliance and security requirements, is challenging. While several tools are available to help, Progress Chef provides an essential element through InSpec's ability to extend security and compliance efforts to cloud-native resources, including Kubernetes and public cloud services.

Join Emily Rodiguez, Software Engineer from MITRE SAF (Security Automation Framework), to learn how Chef InSpec and other tooling can help address the challenges of an increasingly containerized world through automation. We'll provide security guidance for containers using Vulcan and community examples using Sophos Factory to publish MITRE SAF containers, address container scanning considerations (for both interactive and non-interactive runtimes) using container-aware InSpec scanning, and discuss the future needs of container security.

How Sophos Expanded Internal Use of Consul & Vault to Enable Credentials in Sophos Central

Sophos will discuss the expansion from in-house use of Consul and Vault to global support through the Credential Manager feature in Sophos Central. Sophos cut development time to under 6 months from 12-18, scaling from hundreds of internal users to tens of thousands of customers. In this talk we will discuss the Consul and Vault integration with Credential Manager, the use of Sophos Factory with MDR response actions as the first use case in Sophos Central, and the DevSecOps integration strategy with Credential Manager.

Modern Solution Delivery: IT as Code

The next generation of intelligent IT solutions delivery starts with a cloud-first, security centric approach. Everything is being pushed toward programmatic delivery, a.k.a. “IT as Code”. IT teams need to connect APIs, build cloud templates, adopt DevOps methods, & enforce security controls.

This requires IT teams to know how to connect APIs, build cloud-native templates, use developer-focused tools, and adopt DevOps methodologies for delivering solutions to their stakeholders. The ideal would be to fill in the missing link: the ability to provide repeatable solution blueprints that can be adapted to ongoing business requirements with security built in.

In this session you will learn how to build a solution blueprint from cloud-native templates, configuration management, API integrations and job management. We will build multiple software-defined solution blueprints that deploy security products and service offerings on AWS and Azure.

We will then discuss best practices for applying cloud security controls to every cloud service, automation task and API integration, including the use of open source security tools such as OpenSCAP and InSpec for automating compliance requirements.

To wrap up the session, we will go over the entire solution delivery lifecycle: adding cloud services and other API integrations to the blueprints, connecting everything together to show how to intelligently deliver end-to-end solution blueprints, and managing the configuration state of the environment over time.

This session will cover Infrastructure-as-Code, Configuration Management, API Integrations, Job Management, and Security Automation.

How Remote Work is Driving the Need for DevSecOps

With remote work here to stay and more employees utilizing apps in the cloud more than ever, fully realizing DevSecOps needs to be part of every organization’s strategy in 2021. DevSecOps requires cybersecurity teams to collaborate with DevOps to stay multiple steps ahead of adversaries. The year 2020 proved that increasing an organization’s agility requires operationalizing security through DevSecOps pipelines.

Is it possible for DevOps and security practitioners to collaborate and build DevSecOps pipelines? In this session, I will cover the current challenges in integrating security tools into DevSecOps pipelines. An example tool is the Center for Internet Security's CIS-CAT assessor, which was never built to be used in CI/CD. I will demonstrate how it can be used to scan infrastructure after it is built from a Terraform configuration, using Vault for credential management so that CIS-CAT can authenticate to the newly built hosts and run the CIS Benchmark assessment.

Session overview:

- How remote work is driving the need for DevSecOps
- Challenges that DevOps face trying to collaborate with cybersecurity teams
- How to create real-world DevSecOps pipelines
- Demo of example DevSecOps pipeline with security baked in at each step
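Running an assessor that was never built for CI/CD is only half the problem; the pipeline also has to turn its report into a pass/fail decision. The following is an added example, not code from the talk or from CIS-CAT, of a pipeline gate over an XCCDF 1.2 TestResult document, which is the format CIS-CAT and other SCAP assessors emit. The sample document, the rule ids and the thresholds are constructed for this example; it also serves the CIS benchmark assessment stages described in the later sessions on this page.

```python
"""Pipeline gate for a CIS benchmark assessment result (added example).

Assumes the assessor has already run and produced an XCCDF 1.2 TestResult,
either embedded in a Benchmark element or as the document root. The sample
below is constructed for this example, not real scanner output.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample: one pass, one high-severity fail, one not applicable.
SAMPLE_RESULT = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult_1">
    <rule-result idref="xccdf_example_rule_1.1.1" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_1.1.2" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_5.2.1" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100">50.00</score>
  </TestResult>
</Benchmark>
"""


def parse_rule_results(xml_text):
    """Return a list of (rule id, severity, result) from the TestResult."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{XCCDF_NS}}}TestResult":
        rule_results = root.iterfind("x:rule-result", NS)
    else:
        rule_results = root.iterfind(".//x:TestResult/x:rule-result", NS)
    out = []
    for rr in rule_results:
        res_el = rr.find("x:result", NS)
        result = res_el.text.strip() if res_el is not None and res_el.text else "unknown"
        out.append((rr.get("idref"), rr.get("severity", "unknown"), result))
    return out


def summarize(results):
    """Count outcomes by XCCDF result value (pass, fail, error, notapplicable, ...)."""
    counts = {}
    for _, _, result in results:
        counts[result] = counts.get(result, 0) + 1
    return counts


def gate(results, max_high_failures=0, min_pass_ratio=0.9):
    """Decide whether the pipeline stage passes; returns (ok, reasons).

    Blocks on high-severity failures beyond the allowance, on any rule that
    errored (an unchecked control is not a passed control), and on a pass
    ratio over the checked rules below the threshold. 'notapplicable',
    'notchecked' and 'informational' are excluded from the ratio.
    """
    reasons = []
    high_fail = [rid for rid, sev, res in results if sev == "high" and res == "fail"]
    if len(high_fail) > max_high_failures:
        reasons.append(f"{len(high_fail)} high-severity failure(s): {', '.join(high_fail)}")
    errors = [rid for rid, _, res in results if res == "error"]
    if errors:
        reasons.append(f"{len(errors)} rule(s) errored during assessment: {', '.join(errors)}")
    checked = [res for _, _, res in results if res in ("pass", "fail", "error")]
    passed = sum(1 for r in checked if r == "pass")
    ratio = passed / len(checked) if checked else 0.0
    if ratio < min_pass_ratio:
        reasons.append(f"pass ratio {ratio:.0%} is below the required {min_pass_ratio:.0%}")
    return (not reasons), reasons


if __name__ == "__main__":
    rs = parse_rule_results(SAMPLE_RESULT)
    print(summarize(rs))
    ok, why = gate(rs)
    print("PASS" if ok else "FAIL: " + "; ".join(why))
```

In a pipeline the stage would read the assessor's report file instead of SAMPLE_RESULT and exit non-zero when gate() returns False, so the Terraform-built hosts are torn down or quarantined rather than promoted. The thresholds are policy knobs; the one non-negotiable choice in the example is that errored rules count against the build, because an assessor that could not authenticate produces a clean-looking report with nothing checked.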

How Cybersecurity Practitioners Can Modernize and Upskill

Automation for DevOps teams has advanced by leaps and bounds; cybersecurity teams, however, are still cobbling together makeshift solutions, completing routine jobs manually or, worse, eschewing security best practices altogether in the name of efficiency. Yet cybersecurity teams are eager to get into the cloud, become agile, and be intimately involved in the development process.

The goal of my session is to help attendees understand why it’s important to update the roles and resources of cybersecurity teams. Attendees of my talk will walk away with a renewed interest and excitement around how cybersecurity can be better implemented with DevOps to meet shared business goals; shaping a fresh perspective on security teams as an enabler instead of a blocker. They will also walk away with immediate next steps for modernizing the workflows of cybersecurity practitioners, so not only are cybersecurity practitioners equipped to succeed, but also optimally placed within an organization’s structure.

In my session, I will talk in general terms about the challenges of modernizing cybersecurity practitioners to date, such as a lack of time, unavailability of tools and DevOps blockers. Then I will cover how to create an organizational culture around elevating security, and introduce education resources and CI/CD tools that help bring cybersecurity practices into the next era of IT-as-Code, where software defines everything we do. My talk will review the DoD's Level Up Platform One initiative, which is leveraging CI/CD to empower its cybersecurity warfighters internally. I'll conclude by emphasizing a cultural shift, which begets modernization itself.

Achieve Continuous DevSecOps Pipelines Through Collaboration

DevSecOps is a holistic automation approach that enables collaboration between cybersecurity and DevOps. Enterprises are looking for answers when it comes to modern solution delivery, where everything is software-defined IT-as-Code.

The problem is that while DevSecOps is an inclusive term, most security teams argue they remain left out of the effort to automate deployment processes. While DevOps teams and their tools are progressing along the automation curve, security teams are left to manual and repetitive workflows. As a result, DevOps and security teams are not collaborating.

Most enterprises want to continue using their existing IT investments while modernizing with automation. This requires looking at how to leverage existing security tools in CI/CD pipelines to achieve realistic DevSecOps.

To start, this requires looking at the manual handoffs from DevOps to cybersecurity and figuring out how to incorporate cybersecurity's use cases and automate with their tools. Center for Internet Security benchmark assessments for compliance-related use cases are a great place to start.

In this session I will cover how to incorporate security tools like the Center for Internet Security's CIS-CAT assessor into existing CI/CD processes to start building end-to-end DevSecOps pipelines that enable DevOps and cybersecurity to collaborate through automation. This includes shifting left and starting at the beginning of the pipeline process. I will introduce a few security products that can automate routine security tasks such as scanning infrastructure-as-code for Kubernetes deployments, assessing deployed Kubernetes infrastructure against the CIS benchmark, and even performing remediation with open-source tools in continuous DevSecOps pipelines.

Session overview:

- What is DevSecOps?
- Security challenges every enterprise faces
- How to start adding security to CI/CD pipelines
- Demo end-to-end Kubernetes DevSecOps Pipelines and Q+A

Can Cybersecurity and DevOps Collaborate to Achieve DevSecOps in a Cloud-Native World?

DevSecOps is an inclusive term yet most security teams argue they remain left out of the effort to automate deployment processes. While DevOps teams and their tools are progressing along the automation curve, security teams are left to manual hand-offs from DevOps. As a result, DevOps and security teams struggle to collaborate as their organizations modernize and adopt cloud-native technologies.

Using the resources we already possess, is it possible for cybersecurity to gather speed and collaborate with DevOps? In this session, I will cover the current automation challenges faced by cybersecurity, namely a lack of collaboration with DevOps when it comes to automation. I will show how security tools can be used in DevSecOps pipelines to automate routine security tasks, including: adding infrastructure-as-code security scanning before deploying Kubernetes clusters, scanning Kubernetes deployed on cloud infrastructure against the CIS Kubernetes benchmark, and even performing remediation in Kubernetes in real-world DevSecOps pipelines.

Cybersecurity is a growing field, but the gap between DevOps and cybersecurity is widening. The faster we make DevSecOps a reality, the sooner cybersecurity teams can truly contribute collaboratively with DevOps on cloud-native technologies.

Session overview:

- What is DevSecOps?
- How Cybersecurity and DevOps collaborate
- Security challenges today for enterprises in a cloud-native world
- How to automate common cloud native security use cases in DevSecOps
- Demo real-world Cloud-Native DevSecOps pipelines and Q+A
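The first of the routine tasks above, scanning infrastructure-as-code before anything reaches the cluster, is worth seeing concretely. The following is an added example, not the speaker's tooling or any named product, of a shift-left check over a Kubernetes workload manifest. The checks are modelled on the pod-level hardening items in the CIS Kubernetes Benchmark (privileged containers, host namespaces, privilege escalation, running as root, dropped capabilities, resource limits, pinned images); the rule labels, the sample Deployment and the choice of which rules block the build are constructed for this example and are not CIS control numbers. The manifest is read as JSON, which the API server also accepts, so the example needs no YAML dependency.

```python
"""Shift-left IaC check for a Kubernetes workload manifest (added example).

Reads a Pod, Deployment/StatefulSet/DaemonSet/Job or CronJob manifest as JSON
and reports weak pod-level security settings. Rule labels and the sample
manifest are constructed for this example.
"""
import json

# Constructed sample: a Deployment with one weak container and one hardened one.
WEAK_DEPLOYMENT = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostPID": True,
        "containers": [
            {"name": "app", "image": "example/app:latest",
             "securityContext": {"privileged": True}},
            {"name": "sidecar", "image": "example/side:1.0",
             "securityContext": {"runAsNonRoot": True,
                                 "allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"]}},
             "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}},
        ]}}},
})

BLOCKING_RULES = ("PRIVILEGED", "HOST-NAMESPACE", "PRIV-ESC", "RUN-AS-ROOT")


def pod_spec(manifest):
    """Locate the PodSpec for a bare Pod or a workload that embeds a pod template."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("spec", {})
    if kind == "CronJob":
        return manifest["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def check_manifest(manifest_json):
    """Return a list of (rule, subject, message) findings for one manifest."""
    manifest = json.loads(manifest_json)
    spec = pod_spec(manifest)
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    findings = []

    # Pod-level: sharing host namespaces defeats container isolation.
    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key):
            findings.append(("HOST-NAMESPACE", name, f"{key} is enabled"))

    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        cname = c["name"]
        image = c.get("image", "")
        if sc.get("privileged"):
            findings.append(("PRIVILEGED", cname, "container runs privileged"))
        # Kubernetes defaults allowPrivilegeEscalation to true unless set.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("PRIV-ESC", cname, "allowPrivilegeEscalation is not false"))
        # runAsNonRoot may be set at pod level and inherited by containers.
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(("RUN-AS-ROOT", cname, "runAsNonRoot not set at container or pod level"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(("CAPABILITIES", cname, "does not drop ALL capabilities"))
        if not c.get("resources", {}).get("limits"):
            findings.append(("NO-LIMITS", cname, "no resource limits set"))
        # A digest reference contains '@sha256:', so it passes this check.
        if ":" not in image or image.endswith(":latest"):
            findings.append(("MUTABLE-TAG", cname, "image not pinned to a version tag or digest"))
    return findings


def gate(findings, blocking=BLOCKING_RULES):
    """Fail the stage on blocking rules; everything else is a warning. Returns (ok, blockers)."""
    blockers = [f for f in findings if f[0] in blocking]
    return len(blockers) == 0, blockers


if __name__ == "__main__":
    found = check_manifest(WEAK_DEPLOYMENT)
    for rule, subject, msg in found:
        print(f"{rule:15} {subject:10} {msg}")
    ok, blockers = gate(found)
    print("PASS" if ok else f"FAIL: {len(blockers)} blocking finding(s)")
```

The split between blocking and warning rules is what makes this usable as a pipeline stage rather than a report: privileged mode, host namespaces, privilege escalation and root are the settings that hand an attacker in the container a path to the node, so they stop the deploy, while missing limits or a floating tag are surfaced without breaking the build. In a real pipeline the same function runs over every manifest rendered from the Terraform or Helm output before kubectl apply.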

CI/CD Pipelines for DevSecOps with Hybrid Cloud

The days of manually deploying infrastructure are over. IT teams need automation tools to modernize towards IT-as-Code. This is achieved through flexibility: IT teams must operate on a platform that accommodates CI/CD pipelines. The pipelines, in turn, must go beyond traditional DevOps and bring in Security and Ops to take a truly holistic DevSecOps approach. The goal is to enable all tech teams, including security and ops, to use DevOps tools to integrate with ticketing systems, run security remediation playbooks, deploy Kubernetes with a security benchmark assessment, automate the creation of SSL/TLS certificates and even spin up virtual firewalls with an applied configuration in the cloud, with each team leveraging DevOps and security tools like Terraform, Vault, kubectl, Ansible, CIS-CAT Assessor and others.

Takeaways:

- What is DevSecOps and what are CI/CD pipelines
- How CI/CD Pipelines work for DevSecOps
- Why enterprises need hybrid CI/CD pipelines
- Real world use cases with Kubernetes, Terraform, Vault, CIS-CAT Assessor

Real World Use Cases of CI/CD Pipelines for DevSecOps with Hybrid Cloud

Abstract: Leveraging CI/CD pipelines, organizations want to automate securely in a hybrid cloud world, embedding security into everything, to truly realize what DevSecOps is all about: modernizing to IT as Code.

Tech teams need automation tools to modernize IT into IT as Code, covering infrastructure and security both on-premise and in the public cloud.

To get to this future state, no one uses just one tool or one cloud; the key is the flexibility to build tool-chains that let security, ops and DevOps teams collaborate to create CI/CD pipelines for DevSecOps that can run anywhere in a hybrid cloud approach.

Skout Cybersecurity did this internally to create integrations with ticketing systems, run security remediation playbooks, deploy Kubernetes with a security benchmark assessment, and even harden on-premise sensors, all with open source DevOps and security automation tools that empower internal tech teams to automate together.

This session will cover:

- Explain DevSecOps and IT as Code
- Explain Hybrid CI / CD pipelines
- CI / CD Pipelines for DevSecOps: How it works
- Why hybrid CI / CD pipelines are required
- Real-world use cases of Skout Cybersecurity using CI / CD Pipelines for DevSecOps with Hybrid Cloud

CI/CD Pipelines for DevSecOps with Multi-Cloud

Leveraging CI/CD pipelines with existing DevSecOps tools in a multi-cloud approach is challenging. It requires understanding the differences between each cloud provider's services as well as cloud-specific technology. The key is knowing how to create Infrastructure-as-Code (IaC) pipelines that are cloud-specific, while the rest of your automation for configuration and security is applied on top of those IaC pipelines.

This session will cover:

- Explain what is DevSecOps
- Explain CI / CD pipelines
- CI / CD Pipelines for DevSecOps: How it works
- Why multi-cloud CI / CD pipelines are required for Enterprise
- Real-world use cases of Multi-Cloud CI / CD Pipelines for DevSecOps

Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.