Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security vs. Dev Experience: Threat … or Opportunity?

Security vs. Dev Experience: Threat … or Opportunity?

As companies grow, they face the challenge of balancing security and developer experience (DX) while building platforms. There is often a conflict of priorities between developers and security. While platform engineers focus on building a secure foundation for future work, product engineers are closer to customer-facing deadlines and feel the need to cut corners on things like testing and security to meet deadlines. This can negatively impact the application, platform or business security.

We will look at how modern security teams implement a culture of a continuous approach to security, integrate with development, and achieve better results than traditional methods.

Striking a balance between engineering and security requirements is crucial to the long-term viability of a software product, and everyone should work together to achieve this balance.


Christoph Hartmann

July 07, 2023

More Decks by Christoph Hartmann

Other Decks in Technology


  1. Hi, I am Chris. I am CTO at Mondoo What

    is your background? Y I co-created the open source security projects Dev-Sec.io and InSpec, Co-Founded Vulcano Security and was Director of Engineering at Chef Software @chri_hartmann
  2. is a security, risk and compliance platform that identifies vulnerabilities

    and misconfiguration from build to runtime. 3 Asset Intelligence Security Risk Detection Instant Compliance Find answers to complex questions at every layer through “Google Search” for Security Posture Management Improve your overall posture by proactively identify, prioritize, remediate risks Reduce compliance completion times with real-time compliance assessments and evidence across build and runtime
  3. @chri_hartmann Here’s what AI thinks the stereotypical roles for DevOps

    looks like 5 Stereotypes are just simplified assumptions and do not depict an accurate representation of all individuals. Generated with ChatGPT and Midjourney.
  4. @chri_hartmann Software Developer ChatGPT thinks: Software Developers are often stereotyped

    as introverted, highly detail-oriented individuals who spend long hours in front of a computer screen coding, with a deep passion for technology and problem-solving, often lacking strong interpersonal or communication skills. 6
  5. @chri_hartmann DevOps Engineer ChatGPT thinks: DevOps Engineers are frequently stereotyped

    as versatile "Jack of All Trades" who are always on call, acting as gatekeepers of software deployment and go-to problem solvers, expert communicators, and often struggle with maintaining a work-life balance. 7
  6. @chri_hartmann Test Engineer ChatGPT thinks: Test Engineers are often stereotyped

    as detail-oriented perfectionists, constantly finding faults and focusing on what could go wrong, with a propensity for rigorous organization and systematic testing, sometimes viewed as slowing down the development process due to their meticulousness. 8
  7. @chri_hartmann System Administrator ChatGPT thinks: System Administrators are often stereotyped

    as the behind-the-scenes troubleshooters, working at odd hours, who are always ready to resolve technical issues and keep the systems running, but often underappreciated until something goes wrong. 9
  8. @chri_hartmann Product Managers ChatGPT thinks: Product Managers are often stereotyped

    as multitasking jugglers who have to balance various stakeholders' needs, have an understanding of both business and technology, often caught in a tug-of-war between teams, and are expected to have a vision for the product that aligns with market trends and user demands. 10
  9. @chri_hartmann Security Engineer ChatGPT thinks: Security Engineers are often stereotyped

    as highly meticulous individuals who are constantly vigilant and somewhat paranoid about potential threats, with a tendency to prioritize security protocols over usability or convenience. 11
  10. @chri_hartmann DEVELOP BUILD RUNTIME Developers + Platform Engineers Operations +

    Security Why do we need to deploy insecurely just to figure out what needs to be done differently? 1. Deploy Software 2. Expensive Security Software runs 3. Super long red report 4. 1000s of security tickets, all critical 5. DevOps team frustrated 6. Security team frustrated
  11. @chri_hartmann Illustration of how the tension between DevOps and Security

    feels. 13 Tension between DevOps and Security • Speed vs Security • Change vs Stability • Automation vs Manual Oversight • Shared Responsibility vs Siloed Functions
  12. 15 1. Hacking become a business Name Name Words words

    Sales Quotas Playbooks Customer Support Affiliate Programs Past Today
  13. 3. Exploit vs Patch Time 💣 0-Day Exploit 💥 Vulnerability

    📢 CVE 🏗 Patch 📝 CVE 💣 Exploit 🎟 Tickets created 🐌 Rollout Slow 🏗 Fixed in dev 🔎 Identify in dev 🛑 Report created • 50% of exploits are published within 30 days after CVE • average time to fix high severity is 246 days
  14. 19 ISO27001:2022 A8.9 Configuration management Configurations, including security configurations, of

    hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. BSI IT-Grundschutz-Compendium SYS.1.1.A6 Disabling Unnecessary Services All unnecessary services and applications—particularly network services—MUST be disabled or uninstalled…. Cyber Risk Insurance questionnaire Questions for companies starting with 50.000.00 € revenue. Hardening is the first questions in sector "basics". Are there guidelines for the secure configuration of servers and endpoints? 5. Compliance Regulation PCI-DSS PCI Requirement 2 Apply Secure Configurations to All System Components HIPAA 164.308 Administrative Safeguards 164.312 Technical safeguards SOC2 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
  15. 21 Endpoint OS ChatOps Repository Code / IaC Pipeline Image

    Cloud Auth Kubernetes Datacenter Workloads Networking API/SaaS DEVELOP BUILD RUNTIME
  16. 22 Endpoint OS ChatOps Repository Code / IaC Pipeline Image

    Cloud Auth Kubernetes Datacenter Workloads Networking API/SaaS DEVELOP BUILD RUNTIME Cloud Code / IaC
  17. 23 Endpoint OS ChatOps Repository Code / IaC Pipeline Image

    Cloud Auth Kubernetes Datacenter Workloads Networking API/SaaS DEVELOP BUILD RUNTIME Cloud Buckets are not public Security Engineers focus on attack paths
  18. 24 Endpoint OS ChatOps Repository Code / IaC Pipeline Image

    Cloud Auth Kubernetes Datacenter Workloads Networking API/SaaS DEVELOP BUILD RUNTIME Platform Engineers focus on automation Code / IaC Buckets are not public
  19. 25 DEVELOP BUILD RUNTIME Secure the Development Workflow Developers +

    Platform Engineers Operations + Security The development workflow is riddled with security gaps and toolsprawl. Lack of collaboration between development and security destroys productivity and increases risks.
  20. 28 Endpoint OS ChatOps Repository Code / IaC Pipeline Image

    Cloud Auth Kubernetes Datacenter Workloads Networking API/SaaS DEVELOP BUILD RUNTIME You can be more secure today!
  21. 29 cnspec Overview Runtime Go, single-binary Query Engine Extended GraphQL

    (MQL) Operating System Local, SSH, SSH for Windows, WinRM, EC2 Instance Connect, EC2 SSM, Agentless Scanning Cloud AWS, Azure, GCP, VMware vsphere, OCI Kubernetes & Container AKS, EKS, GKE, OpenShift, Container Registries, Container Images SaaS Okta, Slack, Google Workspace, Microsoft 365, Github, Gitlab IaC Kubernetes Manifest, Terraform HCL, Terraform Plan, Terraform State
  22. 30 Anatomy of a Policy cnspec Policy Policy specifies what

    should be assessed. Typically this is a security benchmark. Group defines the checks and queries that define how to assess and report on asset security. Typically those are chapters in a security benchmark. Check defines an individual requirement with metadata. MQL is inquiry that requests information about an asset.
  23. 32 Terraform: Amazon S3 buckets do not allow public read

    access Easily ask questions with GraphQL-based MQL AWS: S3 Buckets are configured with 'Block public access'
  24. 34 Use Policy as Code to define technical requirements Use

    Compliance as Code to define compliance controls
  25. 35 Graph-based asset inventory github.com/mondoohq/cnquery Secure everything from development to

    production github.com/mondoohq/cnspec Extensible and Open Security
  26. 36 Discover Security Content Security Registry mondoo.com/registry Security Policies github.com/mondoohq/cnspec-policies

    Inventory and Incident Response Query Packs github.com/mondoohq/cnquery-packs
  27. Christoph Hartmann 🐦 @chri_hartmann ✉ [email protected] 🏠 mondoo.com Thank you

    Secure everything from development to production github.com/mondoohq/cnspec @chri_hartmann