SecDevOps: Creating cultural change to bridge between security and DevOps?

SecDevOps: Creating cultural change to bridge between security and DevOps?
1 — @benjammingh for Delivery of Things World

Who's this clown? 2 · Infrastructure security at Etsy. ·
Operations engineer at Puppet. · Worked at some startups and some not so startups. · Owns a lot of black t-shirts. · Has a 5 day streak on DuoLingo in German!!! 2 https://twitter.com/skullmandible/status/411281851131523072 2 — @benjammingh for Delivery of Things World

Etsy? 99 Dachshund Queen by poordogfarm 3 — @benjammingh for
Delivery of Things World

Etsy! · Global marketplace of amazing handmade and vintage goods.
· Oﬀices in Brooklyn, San Francisco, Toronto, Berlin, Paris, Dublin, soon the moon. · Over 40m members, over 1m active sellers. · Umm, Christmas is coming up? Buy things! 4 — @benjammingh for Delivery of Things World

Devsecops? (What? I didn't name it) 5 — @benjammingh for

DevOps (Why is never OpsDev?) 6 — @benjammingh for Delivery
of Things World

DevOps club? 7 — @benjammingh for Delivery of Things World

Securi-who? 8 — @benjammingh for Delivery of Things World

3 with thanks to the ever wonderful swanographer Pete Cheslock

(Stability. It's hard to find an image for that) 11
— @benjammingh for Delivery of Things World

Security is traditionally a blocker 13 — @benjammingh for Delivery
of Things World

The Net interprets censorship as damage and routes around it.
-- John Gilmore 14 — @benjammingh for Delivery of Things World

— Rich Smith - Kiwicon 8 15 — @benjammingh for

A security team that is left out of the process,
is worse than no security team at all. — Ben Hughes, just now. 16 — @benjammingh for Delivery of Things World

"That's great Ben, what does this have to do with
DevOps?" 17 — @benjammingh for Delivery of Things World

Add a security in early 18 — @benjammingh for Delivery
of Things World

How early? 19 — @benjammingh for Delivery of Things World

Scaling a security person being in every single meeting 20

The DevOps Pyramid · 10 Developers. · 1 Operations person.

The DevSecOps Pyramid · 100 Developers. · 10 Operations people.
· 1 Security person. 22 — @benjammingh for Delivery of Things World

4 @JordannGross https://twitter.com/JordannGross/status/718457587218399233 23 — @benjammingh for Delivery of Things
World

Champions Our people on the inside! 24 — @benjammingh for

Security bootcamps One of us, one of us! (for a
limited time only) 25 — @benjammingh for Delivery of Things World

This is awesome. 26 — @benjammingh for Delivery of Things
World

1> It builds relationships early. 27 — @benjammingh for Delivery
of Things World

2> This makes security approachable from the start. 28 —
@benjammingh for Delivery of Things World

3> They take back that which they learned and share
it with their team. 29 — @benjammingh for Delivery of Things World

Things to do with your Champions · have them in
your Slack/IRC/chat medium of choice. · take them to conferences you attend BlackHat, DefCon, SummerCon · get them front row seats at in house security events. Sophia D’Antoine – Modern Application Security for iOS 30 — @benjammingh for Delivery of Things World

Senior rotations 31 — @benjammingh for Delivery of Things World

Why do all this? 32 — @benjammingh for Delivery of
Things World

"Oh hey, I saw this weird thing, is this anything...?"
— Your most valuable security professional, Claire from finance. 33 — @benjammingh for Delivery of Things World

Outreach == everyone in your organisation now works on security.

Approachable "Should I bother sending them this weird looking email?
Nah, they were rude last time." — Someone who's about to run "DefinitelyNotMalware.exe" in most orgs. 35 — @benjammingh for Delivery of Things World

Humility 36 — @benjammingh for Delivery of Things World

Blame(-less) 38 — @benjammingh for Delivery of Things World

Blaming people won't make them not do things (They just
won't tell you) 39 — @benjammingh for Delivery of Things World

You tell people not to open random files from people
they don't know. You also have a recruiting team. 40 — @benjammingh for Delivery of Things World

This bug exploits UX 42 — @benjammingh for Delivery of
Things World

This is not the user's fault. 44 — @benjammingh for

We have made bad tools and we should feel bad.

Would you rather? 46 — @benjammingh for Delivery of Things
World

Have 95% of people not fall for phishing. 47 —

or 10% of people tell you they did. 48 —

(if you picked 'A' you are wrong) (: 49 —

Making security the default 50 — @benjammingh for Delivery of
Things World

If you make security hard, people won't do it. 51

% gpg --help gpg (GnuPG/MacGPG2) 2.0.28 libgcrypt 1.6.3 Copyright (C)
2015 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA, RSA, ELG, DSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Syntax: gpg [options] [files] Sign, check, encrypt or decrypt Default operation depends on the input data Commands: -s, --sign make a signature --clearsign make a clear text signature -b, --detach-sign make a detached signature -e, --encrypt encrypt data -c, --symmetric encryption only with symmetric cipher -d, --decrypt decrypt data (default) --verify verify a signature -k, --list-keys list keys --list-sigs list keys and signatures --check-sigs list and check key signatures --fingerprint list keys and fingerprints -K, --list-secret-keys list secret keys ... 52 — @benjammingh for Delivery of Things World

WhatsApp just made all their instant messaging end to end
encrypted. The user has to do nothing to make this happen. Guess how many users are now doing this? (spoiler: all of them) 53 — @benjammingh for Delivery of Things World

Compare Whatsapp usage to GPG (GPG/PGP has been around since
the 90s, so should be larger, no?) 54 — @benjammingh for Delivery of Things World

Conclusion time! (yes you get lunch) 55 — @benjammingh for

Security people, be · be approachable · be transparent ·
be humble · stop blaming users, work with them · then people will come to you 56 — @benjammingh for Delivery of Things World

The rest of the organisation · don't be afraid of
your security team · if you are, get a new security team · get everyone to be "part of" your security team · bake security in by default and early 57 — @benjammingh for Delivery of Things World

Controversial last slide! DevSecOps isn't a real thing. You should
just talk to all your teams, stop ignoring QA, DBs, helpdesk, recruiting, etc... 58 — @benjammingh for Delivery of Things World

Thank you · Twidder: @benjammingh · LinkedIn: lnkdin.me/p/benyeah · JitHub:
github.com/barn · SpeakerDeck: speakerdeck.com/barnbarn · Etsy: Careers <--- CodeAsCra! <--- our blog 59 — @benjammingh for Delivery of Things World

SecDevOps: Creating cultural change to bridge between security and DevOps?

SecDevOps: Creating cultural change to bridge between security and DevOps?

More Decks by Bea Hughes

Featured

Transcript