Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security vs. Dev Experience: Threat … or Opportunity?

Christoph Hartmann
July 07, 2023
Technology
0
11

Security vs. Dev Experience: Threat … or Opportunity?

As companies grow, they face the challenge of balancing security and developer experience (DX) while building platforms. There is often a conflict of priorities between developers and security. While platform engineers focus on building a secure foundation for future work, product engineers are closer to customer-facing deadlines and feel the need to cut corners on things like testing and security to meet deadlines. This can negatively impact the application, platform or business security.

We will look at how modern security teams implement a culture of a continuous approach to security, integrate with development, and achieve better results than traditional methods.

Striking a balance between engineering and security requirements is crucial to the long-term viability of a software product, and everyone should work together to achieve this balance.

https://devopsdays.org/events/2023-amsterdam/program

Christoph Hartmann

July 07, 2023
Tweet

More Decks by Christoph Hartmann

See All by Christoph Hartmann
The death of security as we know it: Platform and Security Engineering join forces to build more secure and robust applications
chrisrock
0
52
Testing Cloud Provisioning with Terraform and InSpec
chrisrock
2
670
DevSec: Continuous Patch and Security Assessment with InSpec
chrisrock
0
250
Chef Summit London: InSpec Keynote
chrisrock
0
290
AllDayDevOps 2017: Continuous Patch and Security Assessment with InSpec
chrisrock
0
170
DevSecCon London: Christoph Hartmann - DevSec: continuous compliance
chrisrock
0
260
ChefConf 2017 InSpec 2 Announcement
chrisrock
0
180
Compliance-Driven Infrastructure
chrisrock
0
210
Infrastructure and Security Testing with InSpec
chrisrock
0
190

Other Decks in Technology

See All in Technology
FrontDoorとWebAppsを組み合わせた際のリダイレクト処理の注意点
kenichirokimura
1
710
成長をサポートするピープルマネジメントのやり方
sioncojp
8
900
AWSに詳しくない人でも始められるコスト最適化ガイド
yuhta28
2
280
ルーターでプレゼンする
puhitaku
1
3.2k
Azure犬駆動開発の記録/GlobalAzureFukuoka2024_20240420
nina01
1
240
TechFeed Experts Night#27 〜 フロントエンドフレームワーク最前線 (Svelte)
baseballyama
2
590
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
1k
競技としてのKaggle、役に立つKaggle
yu4u
6
2.3k
コードファーストの考え方。 Amplify Gen2から学ぶAWS次世代のWeb開発体験
yoshiitaka
1
290
アクセス制御にまつわる改善 / Improving access control
itkq
0
590
Babylon.js JAPAN活動紹介 (2024/4)
limes2018
1
110
【NW X Security JAWS#3】L3-4:AWS環境のIPv6移行に向けて知っておきたいこと
shotashiratori
1
610

Featured

See All Featured
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
228
16k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
660
120k
Clear Off the Table
cherdarchuk
85
310k
Teambox: Starting and Learning
jrom
128
8.4k
The Pragmatic Product Professional
lauravandoore
26
5.8k
KATA
mclloyd
16
12k
Building Your Own Lightsaber
phodgson
100
5.7k
Designing for humans not robots
tammielis
248
25k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Agile that works and the tools we love
rasmusluckow
325
20k

Transcript

  1. Security vs. Dev Experience: Threat … or Opportunity?

  2. Hi, I am Chris. I am CTO at Mondoo What

    is your background? Y I co-created the open source security projects Dev-Sec.io and InSpec, Co-Founded Vulcano Security and was Director of Engineering at Chef Software @chri_hartmann

  3. is a security, risk and compliance platform that identifies vulnerabilities

    and misconfiguration from build to runtime. 3 Asset Intelligence Security Risk Detection Instant Compliance Find answers to complex questions at every layer through “Google Search” for Security Posture Management Improve your overall posture by proactively identify, prioritize, remediate risks Reduce compliance completion times with real-time compliance assessments and evidence across build and runtime

  4. @chri_hartmann 4

  5. @chri_hartmann Here’s what AI thinks the stereotypical roles for DevOps

    looks like 5 Stereotypes are just simplified assumptions and do not depict an accurate representation of all individuals. Generated with ChatGPT and Midjourney.

  6. @chri_hartmann Software Developer ChatGPT thinks: Software Developers are often stereotyped

    as introverted, highly detail-oriented individuals who spend long hours in front of a computer screen coding, with a deep passion for technology and problem-solving, often lacking strong interpersonal or communication skills. 6

  7. @chri_hartmann DevOps Engineer ChatGPT thinks: DevOps Engineers are frequently stereotyped

    as versatile "Jack of All Trades" who are always on call, acting as gatekeepers of software deployment and go-to problem solvers, expert communicators, and often struggle with maintaining a work-life balance. 7

  8. @chri_hartmann Test Engineer ChatGPT thinks: Test Engineers are often stereotyped

    as detail-oriented perfectionists, constantly finding faults and focusing on what could go wrong, with a propensity for rigorous organization and systematic testing, sometimes viewed as slowing down the development process due to their meticulousness. 8

  9. @chri_hartmann System Administrator ChatGPT thinks: System Administrators are often stereotyped

    as the behind-the-scenes troubleshooters, working at odd hours, who are always ready to resolve technical issues and keep the systems running, but often underappreciated until something goes wrong. 9

  10. @chri_hartmann Product Managers ChatGPT thinks: Product Managers are often stereotyped

    as multitasking jugglers who have to balance various stakeholders' needs, have an understanding of both business and technology, often caught in a tug-of-war between teams, and are expected to have a vision for the product that aligns with market trends and user demands. 10

  11. @chri_hartmann Security Engineer ChatGPT thinks: Security Engineers are often stereotyped

    as highly meticulous individuals who are constantly vigilant and somewhat paranoid about potential threats, with a tendency to prioritize security protocols over usability or convenience. 11

  12. @chri_hartmann DEVELOP BUILD RUNTIME Developers + Platform Engineers Operations +

    Security Why do we need to deploy insecurely just to figure out what needs to be done differently? 1. Deploy Software 2. Expensive Security Software runs 3. Super long red report 4. 1000s of security tickets, all critical 5. DevOps team frustrated 6. Security team frustrated

  13. @chri_hartmann Illustration of how the tension between DevOps and Security

    feels. 13 Tension between DevOps and Security • Speed vs Security • Change vs Stability • Automation vs Manual Oversight • Shared Responsibility vs Siloed Functions

  14. Why is Security so difficult? @chri_hartmann

  15. 15 1. Hacking become a business Name Name Words words

    Sales Quotas Playbooks Customer Support Affiliate Programs Past Today

  16. 16 2. 20% YoY increase of CVE

  17. 3. Exploit vs Patch Time 💣 0-Day Exploit 💥 Vulnerability

    📢 CVE 🏗 Patch 📝 CVE 💣 Exploit 🎟 Tickets created 🐌 Rollout Slow 🏗 Fixed in dev 🔎 Identify in dev 🛑 Report created • 50% of exploits are published within 30 days after CVE • average time to fix high severity is 246 days

  18. 18 4. Automated Attacks

  19. 19 ISO27001:2022 A8.9 Configuration management Configurations, including security configurations, of

    hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. BSI IT-Grundschutz-Compendium SYS.1.1.A6 Disabling Unnecessary Services All unnecessary services and applications—particularly network services—MUST be disabled or uninstalled…. Cyber Risk Insurance questionnaire Questions for companies starting with 50.000.00 € revenue. Hardening is the first questions in sector "basics". Are there guidelines for the secure configuration of servers and endpoints? 5. Compliance Regulation PCI-DSS PCI Requirement 2 Apply Secure Configurations to All System Components HIPAA 164.308 Administrative Safeguards 164.312 Technical safeguards SOC2 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

  20. Example Ensure that Cloud Storage Buckets are not public @chri_hartmann

  21. 21 Endpoint OS ChatOps Repository Code / IaC Pipeline Image

    Cloud Auth Kubernetes Datacenter Workloads Networking API/SaaS DEVELOP BUILD RUNTIME

  22. 22 Endpoint OS ChatOps Repository Code / IaC Pipeline Image

    Cloud Auth Kubernetes Datacenter Workloads Networking API/SaaS DEVELOP BUILD RUNTIME Cloud Code / IaC

  23. 23 Endpoint OS ChatOps Repository Code / IaC Pipeline Image

    Cloud Auth Kubernetes Datacenter Workloads Networking API/SaaS DEVELOP BUILD RUNTIME Cloud Buckets are not public Security Engineers focus on attack paths

  24. 24 Endpoint OS ChatOps Repository Code / IaC Pipeline Image

    Cloud Auth Kubernetes Datacenter Workloads Networking API/SaaS DEVELOP BUILD RUNTIME Platform Engineers focus on automation Code / IaC Buckets are not public

  25. 25 DEVELOP BUILD RUNTIME Secure the Development Workflow Developers +

    Platform Engineers Operations + Security The development workflow is riddled with security gaps and toolsprawl. Lack of collaboration between development and security destroys productivity and increases risks.

  26. @chri_hartmann We need to think holistically about security

  27. What can we do NOW? @chri_hartmann

  28. 28 Endpoint OS ChatOps Repository Code / IaC Pipeline Image

    Cloud Auth Kubernetes Datacenter Workloads Networking API/SaaS DEVELOP BUILD RUNTIME You can be more secure today!

  29. 29 cnspec Overview Runtime Go, single-binary Query Engine Extended GraphQL

    (MQL) Operating System Local, SSH, SSH for Windows, WinRM, EC2 Instance Connect, EC2 SSM, Agentless Scanning Cloud AWS, Azure, GCP, VMware vsphere, OCI Kubernetes & Container AKS, EKS, GKE, OpenShift, Container Registries, Container Images SaaS Okta, Slack, Google Workspace, Microsoft 365, Github, Gitlab IaC Kubernetes Manifest, Terraform HCL, Terraform Plan, Terraform State

  30. 30 Anatomy of a Policy cnspec Policy Policy specifies what

    should be assessed. Typically this is a security benchmark. Group defines the checks and queries that define how to assess and report on asset security. Typically those are chapters in a security benchmark. Check defines an individual requirement with metadata. MQL is inquiry that requests information about an asset.

  31. 31 Anatomy of a Policy

  32. 32 Terraform: Amazon S3 buckets do not allow public read

    access Easily ask questions with GraphQL-based MQL AWS: S3 Buckets are configured with 'Block public access'

  33. 33 Use Policy as Code to define technical requirements

  34. 34 Use Policy as Code to define technical requirements Use

    Compliance as Code to define compliance controls

  35. 35 Graph-based asset inventory github.com/mondoohq/cnquery Secure everything from development to

    production github.com/mondoohq/cnspec Extensible and Open Security

  36. 36 Discover Security Content Security Registry mondoo.com/registry Security Policies github.com/mondoohq/cnspec-policies

    Inventory and Incident Response Query Packs github.com/mondoohq/cnquery-packs

  37. @chri_hartmann Embracing Change and Working Together to build a better

    world 37

  38. Christoph Hartmann 🐦 @chri_hartmann ✉ [email protected] 🏠 mondoo.com Thank you

    Secure everything from development to production github.com/mondoohq/cnspec @chri_hartmann