SecDevOps: Creating cultural change to bridge between security and DevOps?

Bea Hughes
April 25, 2016

Delivery of Things world 2016 in Berlin. April 25/26th. #DoTClan

Transcript

  1. SecDevOps: Creating cultural change
    to bridge between security and DevOps?
    1 — @benjammingh for Delivery of Things World

  2. Who's this clown?
    · Infrastructure security at Etsy.
    · Operations engineer at Puppet.
    · Worked at some startups and some not so startups.
    · Owns a lot of black t-shirts.
    · Has a 5 day streak on DuoLingo in German!!!
    (footnote: https://twitter.com/skullmandible/status/411281851131523072)

  3. Etsy?
    99 Dachshund Queen by poordogfarm

  4. Etsy!
    · Global marketplace of amazing handmade and
    vintage goods.
    · Offices in Brooklyn, San Francisco, Toronto,
    Berlin, Paris, Dublin, soon the moon.
    · Over 40m members, over 1m active sellers.
    · Umm, Christmas is coming up? Buy things!

  5. Devsecops?
    (What? I didn't name it)

  6. DevOps
    (Why is it never OpsDev?)

  7. DevOps club?

  8. Securi-who?

  9. (with thanks to the ever wonderful swanographer Pete Cheslock)

  11. (Stability. It's hard to find an image for that)

  13. Security is traditionally
    a blocker

  14. The Net interprets censorship as damage and
    routes around it.
    -- John Gilmore

  15. — Rich Smith - Kiwicon 8

  16. A security team that is left out of
    the process, is worse than no
    security team at all.
    — Ben Hughes, just now.

  17. "That's great Ben, what does this have to do with
    DevOps?"

  18. Add a security in early

  19. How early?

  20. Scaling a security person
    being in every single
    meeting

  21. The DevOps Pyramid
    · 10 Developers.
    · 1 Operations person.

  22. The DevSecOps Pyramid
    · 100 Developers.
    · 10 Operations people.
    · 1 Security person.

  23. @JordannGross https://twitter.com/JordannGross/status/718457587218399233

  24. Champions
    Our people on the inside!

  25. Security bootcamps
    One of us, one of us!
    (for a limited time only)

  26. This is awesome.

  27. 1> It builds relationships early.

  28. 2> This makes security approachable from the
    start.

  29. 3> They take back that which they learned and
    share it with their team.

  30. Things to do with your Champions
    · have them in your Slack/IRC/chat medium of choice.
    · take them to conferences you attend: BlackHat, DefCon, SummerCon.
    · get them front row seats at in house security events, e.g. Sophia D'Antoine, Modern Application Security for iOS.

  31. Senior rotations

  32. Why do all this?

  33. "Oh hey, I saw this weird thing, is
    this anything...?"
    — Your most valuable security professional, Claire from finance.

  34. Outreach == everyone in
    your organisation now
    works on security.

  35. Approachable
    "Should I bother sending them this weird looking
    email? Nah, they were rude last time."
    — Someone who's about to run "DefinitelyNotMalware.exe" in most
    orgs.

  36. Humility

  38. Blame(-less)

  39. Blaming people won't
    make them not do things
    (They just won't tell you)

  40. You tell people not to open
    random files from people they
    don't know.
    You also have a recruiting team.

  42. This bug exploits UX

  44. This is not the user's
    fault.

  45. We have made bad tools
    and we should feel bad.

  46. Would you rather?

  47. Have 95% of people not
    fall for phishing.

  48. or 10% of people tell you
    they did.

  49. (if you picked 'A'
    you are wrong)
    (:

  50. Making security the
    default

  51. If you make security hard,
    people won't do it.

  52. % gpg --help
    gpg (GnuPG/MacGPG2) 2.0.28
    libgcrypt 1.6.3
    Copyright (C) 2015 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Home: ~/.gnupg
    Supported algorithms:
    Pubkey: RSA, RSA, RSA, ELG, DSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
    CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2
    Syntax: gpg [options] [files]
    Sign, check, encrypt or decrypt
    Default operation depends on the input data
    Commands:
    -s, --sign make a signature
    --clearsign make a clear text signature
    -b, --detach-sign make a detached signature
    -e, --encrypt encrypt data
    -c, --symmetric encryption only with symmetric cipher
    -d, --decrypt decrypt data (default)
    --verify verify a signature
    -k, --list-keys list keys
    --list-sigs list keys and signatures
    --check-sigs list and check key signatures
    --fingerprint list keys and fingerprints
    -K, --list-secret-keys list secret keys
    ...

  53. WhatsApp just made all their instant messaging
    end to end encrypted.
    The user has to do nothing to make this happen.
    Guess how many users are now doing this?
    (spoiler: all of them)

  54. Compare Whatsapp usage
    to GPG
    (GPG/PGP has been around since the
    90s, so should be larger, no?)

  55. Conclusion time!
    (yes you get lunch)

  56. Security people, be
    · be approachable
    · be transparent
    · be humble
    · stop blaming users, work with them
    · then people will come to you

  57. The rest of the organisation
    · don't be afraid of your security team
    · if you are, get a new security team
    · get everyone to be "part of" your security team
    · bake security in by default and early

  58. Controversial last slide!
    DevSecOps isn't a real thing.
    You should just talk to all your teams,
    stop ignoring QA, DBs, helpdesk,
    recruiting, etc...

  59. Thank you
    · Twidder: @benjammingh
    · LinkedIn: lnkdin.me/p/benyeah
    · JitHub: github.com/barn
    · SpeakerDeck: speakerdeck.com/barnbarn
    · Etsy: Careers <--- CodeAsCraft <--- our blog