
Why won’t my DevOps team talk to my Security team?

Bea Hughes
August 10, 2016


DevOpsDays Portland August 2016.

Similar (very) to my SecDevOps talk, ahem https://speakerdeck.com/barnbarn/secdevops-creating-cultural-change-to-bridge-between-security-and-devops



Transcript

  1. SECDEVOPS: CREATING CULTURAL CHANGE
    TO BRIDGE BETWEEN SECURITY AND DEVOPS?
    1 — @benjammingh for DevOpsDaysPDX!

  2. WHO'S THIS CLOWN?
    > Infrastructure security at Etsy.
    > Operations engineer at Puppet Labs.
    > Worked at some startups and some not so startups.
    > Owns a lot of black t-shirts.
    https://twitter.com/skullmandible/status/411281851131523072

  3. ETSY?
    99 Dachshund Queen by poordogfarm

  4. ETSY!
    > Global marketplace of amazing handmade and vintage
    goods.
    > Offices in Brooklyn, San Francisco, Toronto, Berlin, Paris,
    Dublin, soon the moon.
    > Over 40m members, over 1m active sellers.
    > Black Friday is coming up soon. Please buy things! (:

  5. DEVSECOPS?
    (WHAT? I DIDN'T NAME IT)

  6. DEVOPS
    (WHY IS IT NEVER OPSDEV?)

  7. DEVOPS CLUB?

  8. SECURI-WHO?

  9. With thanks to the ever wonderful swanographer Pete Cheslock

  10. (image-only slide)

  11. (STABILITY. IT'S HARD TO FIND AN IMAGE FOR THAT)

  12. (image-only slide)

  13. SECURITY IS
    TRADITIONALLY
    A BLOCKER

  14. The Net interprets censorship as damage and routes
    around it.
    -- John Gilmore

  15. (image-only slide)

  16. A security team that is left out
    of the process is worse than no
    security team at all.
    — Ben Hughes, just now.

  17. "That's great Ben, what does this have to do with DevOps?"

  18. ADD A
    SECURITY IN
    EARLY

  19. HOW EARLY?

  20. SCALING A SECURITY
    PERSON BEING IN EVERY
    SINGLE MEETING

  21. THE DEVOPS PYRAMID
    > 10 Developers.
    > 1 Operations person.

  22. THE DEVSECOPS PYRAMID
    > 100 Developers.
    > 10 Operations people.
    > 1 Security person.

  23. @JordannGross https://twitter.com/JordannGross/status/718457587218399233

  24. CHAMPIONS
    OUR PEOPLE ON THE INSIDE!

  25. SECURITY
    BOOTCAMPS
    ONE OF US, ONE OF US!
    (FOR A LIMITED TIME ONLY)

  26. THIS IS
    AWESOME.

  27. 1> It builds relationships early.

  28. 2> This makes security approachable from the start.

  29. 3> They take back that which they learned and share it
    with their team.

  30. THINGS TO DO WITH YOUR CHAMPIONS
    > have them in your Slack/IRC/chat medium of choice.
    > take them to the conferences you attend: BlackHat, DefCon,
    SummerCon
    > get them front row seats at in house security events.
    Sophia D’Antoine – Modern Application Security for iOS

  31. SENIOR
    ROTATIONS

  32. DESIGNATED
    HACKERS

  33. DESIGNATED,
    NOT DEDICATED

  34. WHY DO ALL
    THIS?

  35. "Oh hey, I saw this weird thing, is
    this anything...?"
    — Your most valuable security professional, Claire from
    finance.

  36. OUTREACH == EVERYONE
    IN YOUR ORGANISATION
    NOW WORKS ON
    SECURITY.

  37. APPROACHABLE
    "Should I bother sending them this weird looking email?
    Nah, they were rude last time."
    — Someone who's about to run "DefinitelyNotMalware.exe"
    in most orgs.

  38. HUMILITY

  39. (image-only slide)

  40. BLAME(-LESS)

  41. BLAMING PEOPLE WON'T
    MAKE THEM NOT DO
    THINGS
    (THEY JUST WON'T TELL YOU)

  42. YOU TELL PEOPLE NOT TO OPEN
    RANDOM FILES FROM PEOPLE THEY
    DON'T KNOW.
    YOU ALSO HAVE A RECRUITING TEAM.

  43. (image-only slide)

  44. THIS BUG EXPLOITS UX

  45. (image-only slide)

  46. THIS IS NOT THE USER'S
    FAULT.

  47. WE HAVE MADE BAD
    TOOLS AND WE SHOULD
    FEEL BAD.

  48. WOULD YOU RATHER?

  49. HAVE 95% OF PEOPLE NOT
    FALL FOR PHISHING.

  50. OR 10% OF PEOPLE TELL
    YOU THEY DID.

  51. (IF YOU PICKED 'A'
    YOU ARE WRONG)
    (:

  52. MAKING SECURITY THE
    DEFAULT

  53. IF YOU MAKE SECURITY
    HARD, PEOPLE WON'T DO
    IT.

  54. % gpg --help
    gpg (GnuPG/MacGPG2) 2.0.28
    libgcrypt 1.6.3
    Copyright (C) 2015 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Home: ~/.gnupg
    Supported algorithms:
    Pubkey: RSA, RSA, RSA, ELG, DSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
    CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2
    Syntax: gpg [options] [files]
    Sign, check, encrypt or decrypt
    Default operation depends on the input data
    Commands:
    -s, --sign make a signature
    --clearsign make a clear text signature
    -b, --detach-sign make a detached signature
    -e, --encrypt encrypt data
    -c, --symmetric encryption only with symmetric cipher
    -d, --decrypt decrypt data (default)
    --verify verify a signature
    -k, --list-keys list keys
    --list-sigs list keys and signatures
    --check-sigs list and check key signatures
    --fingerprint list keys and fingerprints
    -K, --list-secret-keys list secret keys
    ...

  55. (image-only slide)

  56. WhatsApp just made all their instant messaging end to
    end encrypted.
    The user has to do nothing to make this happen.
    Guess how many users are now doing this? (spoiler: all of
    them)

  57. COMPARE WHATSAPP
    USAGE TO GPG
    (GPG/PGP HAS BEEN AROUND SINCE
    THE 90S, SO SHOULD BE LARGER, NO?)
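
    The contrast between the gpg option wall on slide 54 and WhatsApp encrypting every message with no user action is a design property, not a crypto one: the zero-effort path has to be the verified path, and turning protection off has to be a deliberate, named opt-out. The Python below is an added illustration of that property for this transcript; it is not code from the talk or from Etsy. It uses only the standard library's ssl module, builds TLS client contexts locally and never opens a connection, so it runs offline. The function names and the allow_insecure and ca_bundle parameters are invented for the example.

```python
"""Secure by default: the zero-argument call is the verified one, and
turning verification off takes an explicit, descriptive opt-out.

Added example for this transcript, not code from the talk. Uses only the
standard library; it builds TLS client contexts locally and never connects.
"""
import ssl
from typing import Optional


def legacy_context() -> ssl.SSLContext:
    """The gpg-style 'before' case: every knob exists, none is turned on.

    ssl.SSLContext(ssl.PROTOCOL_TLS) hands back a context that neither checks
    the server's name nor requires a certificate; the caller has to remember
    to set check_hostname and verify_mode, and most callers never will.
    Kept only to show the contrast; do not use it.
    """
    return ssl.SSLContext(ssl.PROTOCOL_TLS)


def client_context(*, allow_insecure: bool = False,
                   ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """The WhatsApp-style 'after' case: no arguments gives full verification.

    ca_bundle (hypothetical parameter) adds a private CA to the trust store,
    the one legitimate reason most internal callers touch TLS settings at all.
    allow_insecure (hypothetical parameter) exists for lab use only, is
    keyword-only so it cannot be passed by accident, and says what it does.
    """
    if allow_insecure:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Order matters: check_hostname must be off before CERT_NONE is
        # accepted, otherwise ssl raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx

    # create_default_context loads the platform CA store, requires a trusted
    # certificate whose name matches the host, and applies the library's
    # hardened protocol and cipher defaults. Pinning the floor at TLS 1.2 is
    # explicit here so the intent survives older interpreter versions.
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only when the context will reject an unverified or misnamed peer."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    cases = (
        ("legacy_context()", legacy_context()),
        ("client_context()", client_context()),
        ("client_context(allow_insecure=True)",
         client_context(allow_insecure=True)),
    )
    for name, ctx in cases:
        print(f"{name:40} verifying={is_verifying(ctx)}")
```

    Run it and the first and third contexts report verifying=False, the plain call reports verifying=True. The point the slides make applies directly: nobody reading a call site of client_context() has to know what check_hostname or CERT_REQUIRED mean to get them, and anyone who disabled them left the words allow_insecure=True in the code for review to find.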

  58. CONCLUSION TIME!
    (YES YOU GET LUNCH)
    (EVEN BETTER, YOU GET JENNIFER!)

  59. SECURITY PEOPLE, BE
    > be approachable
    > be transparent
    > be humble
    > stop blaming users, work with them
    > then people will come to you

  60. THE REST OF THE ORGANISATION
    > don't be afraid of your security team
    > if you are, get a new security team
    > get everyone to be "part of" your security team
    > bake security in by default and early

  61. CONTROVERSIAL LAST
    SLIDE!
    DEVSECOPS ISN'T A REAL THING.
    YOU SHOULD JUST TALK TO ALL YOUR
    TEAMS, STOP IGNORING QA, DBS,
    HELPDESK, RECRUITING, ETC...

  62. THANK YOU
    > Twidder: @benjammingh
    > LinkedIn: lnkdin.me/p/benyeah
    > JitHub: github.com/barn
    > SpeakerDeck: speakerdeck.com/barnbarn
    > Etsy: Careers <--- CodeAsCraft <--- our blog