SecDevOps: Creating cultural change to bridge between security and DevOps?

Bea Hughes
April 25, 2016


Delivery of Things world 2016 in Berlin. April 25/26th. #DoTClan


Transcript

  1. SecDevOps: Creating cultural change to bridge between security and DevOps?
     — @benjammingh for Delivery of Things World
  2. Who's this clown?
     · Infrastructure security at Etsy.
     · Operations engineer at Puppet.
     · Worked at some startups and some not so startups.
     · Owns a lot of black t-shirts.
     · Has a 5 day streak on DuoLingo in German!!!
     https://twitter.com/skullmandible/status/411281851131523072
  3. Etsy? (Dachshund Queen by poordogfarm)
  4. Etsy!
     · Global marketplace of amazing handmade and vintage goods.
     · Offices in Brooklyn, San Francisco, Toronto, Berlin, Paris, Dublin, soon the moon.
     · Over 40m members, over 1m active sellers.
     · Umm, Christmas is coming up? Buy things!
  5. Devsecops? (What? I didn't name it)
  6. DevOps (Why is it never OpsDev?)
  7. DevOps club?
  8. Securi-who?
  9. With thanks to the ever wonderful swanographer Pete Cheslock
  10. (image only)
  11. (Stability. It's hard to find an image for that)
  12. (image only)
  13. Security is traditionally a blocker
  14. The Net interprets censorship as damage and routes around it. -- John Gilmore
  15. — Rich Smith - Kiwicon 8
  16. A security team that is left out of the process, is worse than no security team at all. — Ben Hughes, just now.
  17. "That's great Ben, what does this have to do with DevOps?"
  18. Add a security in early
  19. How early?
  20. Scaling a security person being in every single meeting
  21. The DevOps Pyramid
     · 10 Developers.
     · 1 Operations person.
  22. The DevSecOps Pyramid
     · 100 Developers.
     · 10 Operations people.
     · 1 Security person.
  23. @JordannGross https://twitter.com/JordannGross/status/718457587218399233
  24. Champions: Our people on the inside!
  25. Security bootcamps: One of us, one of us! (for a limited time only)
  26. This is awesome.
  27. 1> It builds relationships early.
  28. 2> This makes security approachable from the start.
  29. 3> They take back that which they learned and share it with their team.
  30. Things to do with your Champions
     · have them in your Slack/IRC/chat medium of choice.
     · take them to conferences you attend: BlackHat, DefCon, SummerCon.
     · get them front row seats at in-house security events. (Sophia D'Antoine – Modern Application Security for iOS)
  31. Senior rotations
  32. Why do all this?
  33. "Oh hey, I saw this weird thing, is this anything...?" — Your most valuable security professional, Claire from finance.
  34. Outreach == everyone in your organisation now works on security.
  35. Approachable: "Should I bother sending them this weird looking email? Nah, they were rude last time." — Someone who's about to run "DefinitelyNotMalware.exe" in most orgs.
  36. Humility
  37. (image only)
  38. Blame(-less)
  39. Blaming people won't make them not do things (They just won't tell you)
  40. You tell people not to open random files from people they don't know. You also have a recruiting team.
  41. (image only)
  42. This bug exploits UX
  43. (image only)
  44. This is not the user's fault.
  45. We have made bad tools and we should feel bad.
  46. Would you rather?
  47. Have 95% of people not fall for phishing.
  48. or 10% of people tell you they did.
  49. (if you picked 'A' you are wrong) (:
  50. Making security the default
  51. If you make security hard, people won't do it.
  52. % gpg --help
     gpg (GnuPG/MacGPG2) 2.0.28
     libgcrypt 1.6.3
     Copyright (C) 2015 Free Software Foundation, Inc.
     License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
     This is free software: you are free to change and redistribute it.
     There is NO WARRANTY, to the extent permitted by law.
     Home: ~/.gnupg
     Supported algorithms:
     Pubkey: RSA, RSA, RSA, ELG, DSA
     Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
     Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
     Compression: Uncompressed, ZIP, ZLIB, BZIP2
     Syntax: gpg [options] [files]
     Sign, check, encrypt or decrypt
     Default operation depends on the input data
     Commands:
      -s, --sign                 make a signature
      --clearsign                make a clear text signature
      -b, --detach-sign          make a detached signature
      -e, --encrypt              encrypt data
      -c, --symmetric            encryption only with symmetric cipher
      -d, --decrypt              decrypt data (default)
      --verify                   verify a signature
      -k, --list-keys            list keys
      --list-sigs                list keys and signatures
      --check-sigs               list and check key signatures
      --fingerprint              list keys and fingerprints
      -K, --list-secret-keys     list secret keys
     ...
  53. WhatsApp just made all their instant messaging end to end encrypted. The user has to do nothing to make this happen. Guess how many users are now doing this? (spoiler: all of them)
  54. Compare WhatsApp usage to GPG (GPG/PGP has been around since the 90s, so should be larger, no?)
  55. Conclusion time! (yes you get lunch)
  56. Security people, be
     · be approachable
     · be transparent
     · be humble
     · stop blaming users, work with them
     · then people will come to you
  57. The rest of the organisation
     · don't be afraid of your security team
     · if you are, get a new security team
     · get everyone to be "part of" your security team
     · bake security in by default and early
  58. Controversial last slide! DevSecOps isn't a real thing. You should just talk to all your teams, stop ignoring QA, DBs, helpdesk, recruiting, etc...
  59. Thank you
     · Twidder: @benjammingh
     · LinkedIn: lnkdin.me/p/benyeah
     · JitHub: github.com/barn
     · SpeakerDeck: speakerdeck.com/barnbarn
     · Etsy: Careers <--- CodeAsCraft! <--- our blog