
Security vs. Dev Experience: Threat … or Opportunity?

As companies grow, they face the challenge of balancing security and developer experience (DX) while building platforms. There is often a conflict of priorities between developers and security. While platform engineers focus on building a secure foundation for future work, product engineers are closer to customer-facing deadlines and feel pressure to cut corners on things like testing and security to meet them. This can negatively impact the security of the application, the platform or the business.

We will look at how modern security teams implement a culture of a continuous approach to security, integrate with development, and achieve better results than traditional methods.

Striking a balance between engineering and security requirements is crucial to the long-term viability of a software product, and everyone should work together to achieve this balance.

https://devopsdays.org/events/2023-amsterdam/program

Christoph Hartmann

July 07, 2023

Transcript

  1. Hi, I am Chris. I am CTO at Mondoo. What is your background? I co-created the open source security projects Dev-Sec.io and InSpec, co-founded Vulcano Security and was Director of Engineering at Chef Software. @chri_hartmann
  2. Mondoo is a security, risk and compliance platform that identifies vulnerabilities and misconfiguration from build to runtime. Asset Intelligence: find answers to complex questions at every layer through "Google Search" for Security Posture Management. Security Risk Detection: improve your overall posture by proactively identifying, prioritizing and remediating risks. Instant Compliance: reduce compliance completion times with real-time compliance assessments and evidence across build and runtime.
  3. Here's what AI thinks the stereotypical roles for DevOps look like. Stereotypes are just simplified assumptions and do not depict an accurate representation of all individuals. Generated with ChatGPT and Midjourney.
  4. Software Developer. ChatGPT thinks: Software Developers are often stereotyped as introverted, highly detail-oriented individuals who spend long hours in front of a computer screen coding, with a deep passion for technology and problem-solving, often lacking strong interpersonal or communication skills.
  5. DevOps Engineer. ChatGPT thinks: DevOps Engineers are frequently stereotyped as versatile "Jack of All Trades" who are always on call, acting as gatekeepers of software deployment and go-to problem solvers, expert communicators, and often struggle with maintaining a work-life balance.
  6. Test Engineer. ChatGPT thinks: Test Engineers are often stereotyped as detail-oriented perfectionists, constantly finding faults and focusing on what could go wrong, with a propensity for rigorous organization and systematic testing, sometimes viewed as slowing down the development process due to their meticulousness.
  7. System Administrator. ChatGPT thinks: System Administrators are often stereotyped as the behind-the-scenes troubleshooters, working at odd hours, who are always ready to resolve technical issues and keep the systems running, but often underappreciated until something goes wrong.
  8. Product Manager. ChatGPT thinks: Product Managers are often stereotyped as multitasking jugglers who have to balance various stakeholders' needs, have an understanding of both business and technology, often caught in a tug-of-war between teams, and are expected to have a vision for the product that aligns with market trends and user demands.
  9. Security Engineer. ChatGPT thinks: Security Engineers are often stereotyped as highly meticulous individuals who are constantly vigilant and somewhat paranoid about potential threats, with a tendency to prioritize security protocols over usability or convenience.
  10. DEVELOP / BUILD / RUNTIME: Developers + Platform Engineers on one side, Operations + Security on the other. Why do we need to deploy insecurely just to figure out what needs to be done differently? 1. Deploy software. 2. Expensive security software runs. 3. Super long red report. 4. 1000s of security tickets, all critical. 5. DevOps team frustrated. 6. Security team frustrated.
  11. Illustration of how the tension between DevOps and Security feels. Tension between DevOps and Security: Speed vs Security; Change vs Stability; Automation vs Manual Oversight; Shared Responsibility vs Siloed Functions.
  12. 1. Hacking became a business. Past vs. today: Sales Quotas, Playbooks, Customer Support, Affiliate Programs.
  13. 3. Exploit vs Patch Time. Timelines: 💣 0-Day Exploit, 💥 Vulnerability, 📢 CVE, 🏗 Patch; 📝 CVE, 💣 Exploit, 🎟 Tickets created, 🐌 Rollout slow; 🏗 Fixed in dev, 🔎 Identify in dev, 🛑 Report created. 50% of exploits are published within 30 days after the CVE; the average time to fix a high-severity finding is 246 days.
  14. 5. Compliance Regulation. ISO27001:2022 A8.9 Configuration management: "Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed." BSI IT-Grundschutz-Compendium SYS.1.1.A6 Disabling Unnecessary Services: "All unnecessary services and applications—particularly network services—MUST be disabled or uninstalled…." Cyber risk insurance questionnaire (questions for companies starting at 50.000.00 € revenue; hardening is the first question in the "basics" section): "Are there guidelines for the secure configuration of servers and endpoints?" PCI-DSS Requirement 2: Apply Secure Configurations to All System Components. HIPAA 164.308 Administrative Safeguards, 164.312 Technical Safeguards. SOC2: "The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions."
  15. Asset map across DEVELOP / BUILD / RUNTIME: Endpoint OS, ChatOps, Repository, Code / IaC, Pipeline, Image, Cloud, Auth, Kubernetes, Datacenter, Workloads, Networking, API/SaaS.
  16. Same asset map, highlighting Cloud and Code / IaC.
  17. Same asset map, Cloud highlighted: "Buckets are not public." Security engineers focus on attack paths.
  18. Same asset map, Code / IaC highlighted: "Buckets are not public." Platform engineers focus on automation.
  19. DEVELOP / BUILD / RUNTIME: Secure the Development Workflow. Developers + Platform Engineers; Operations + Security. The development workflow is riddled with security gaps and tool sprawl. Lack of collaboration between development and security destroys productivity and increases risks.
  20. Same asset map: You can be more secure today!
  21. cnspec Overview. Runtime: Go, single binary. Query engine: extended GraphQL (MQL). Operating system: Local, SSH, SSH for Windows, WinRM, EC2 Instance Connect, EC2 SSM, agentless scanning. Cloud: AWS, Azure, GCP, VMware vSphere, OCI. Kubernetes & container: AKS, EKS, GKE, OpenShift, container registries, container images. SaaS: Okta, Slack, Google Workspace, Microsoft 365, GitHub, GitLab. IaC: Kubernetes manifest, Terraform HCL, Terraform plan, Terraform state.
  22. Anatomy of a cnspec Policy. Policy specifies what should be assessed; typically this is a security benchmark. Group defines the checks and queries that define how to assess and report on asset security; typically those are chapters in a security benchmark. Check defines an individual requirement with metadata. MQL is the inquiry that requests information about an asset.
  23. Easily ask questions with GraphQL-based MQL. Terraform: Amazon S3 buckets do not allow public read access. AWS: S3 buckets are configured with 'Block public access'.
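As an added worked example (not cnspec, MQL or any Mondoo code), the Policy, Group, Check and query structure from the "Anatomy of a Policy" slide is implemented below as a small Python checker that evaluates the "S3 buckets do not allow public access" requirement from this slide against a Terraform plan, i.e. at the DEVELOP/BUILD stage rather than at runtime. It assumes the JSON shape that `terraform show -json plan.out` produces (`planned_values.root_module.resources`, with `child_modules` for nested modules) and the attribute names of the `aws_s3_bucket` and `aws_s3_bucket_public_access_block` resources; the plan it evaluates is constructed inline and describes no real infrastructure.

```python
"""Policy-as-code check over Terraform plan JSON (added example, not cnspec/MQL).

Structure mirrors the slide: a Policy holds Groups, a Group holds Checks, and
each Check runs a query that returns the addresses of failing resources.
"""
from dataclasses import dataclass
from typing import Callable

# All four attributes of aws_s3_bucket_public_access_block must be true for
# "Block public access" to be fully enabled.
PUBLIC_ACCESS_FLAGS = (
    "block_public_acls",
    "block_public_policy",
    "ignore_public_acls",
    "restrict_public_buckets",
)
PUBLIC_ACLS = {"public-read", "public-read-write"}


def plan_resources(plan: dict) -> list[dict]:
    """Flatten every planned resource, descending into child modules."""
    found: list[dict] = []

    def walk(module: dict) -> None:
        found.extend(module.get("resources", []))
        for child in module.get("child_modules", []):
            walk(child)

    walk(plan.get("planned_values", {}).get("root_module", {}))
    return found


def buckets_without_public_access_block(plan: dict) -> list[str]:
    """Addresses of aws_s3_bucket resources not covered by a fully enabled
    aws_s3_bucket_public_access_block. Matching is by the planned `bucket`
    value; a value unknown until apply (null in the plan) cannot be matched,
    so such buckets are reported as unprotected (fail closed). A production
    check would also resolve references in the plan's `configuration` section."""
    resources = plan_resources(plan)
    protected: dict[str, bool] = {}
    for r in resources:
        if r["type"] == "aws_s3_bucket_public_access_block":
            target = r["values"].get("bucket")
            if target is not None:
                protected[target] = all(r["values"].get(f) is True for f in PUBLIC_ACCESS_FLAGS)
    return [
        r["address"]
        for r in resources
        if r["type"] == "aws_s3_bucket"
        and not protected.get(r["values"].get("bucket"), False)
    ]


def buckets_with_public_acl(plan: dict) -> list[str]:
    """Addresses of bucket or bucket-ACL resources that request a public canned ACL."""
    return [
        r["address"]
        for r in plan_resources(plan)
        if r["type"] in ("aws_s3_bucket", "aws_s3_bucket_acl")
        and r["values"].get("acl") in PUBLIC_ACLS
    ]


@dataclass(frozen=True)
class Check:
    uid: str
    title: str
    query: Callable[[dict], list[str]]  # returns failing resource addresses


@dataclass(frozen=True)
class Group:
    title: str
    checks: tuple[Check, ...]


@dataclass(frozen=True)
class Policy:
    uid: str
    name: str
    groups: tuple[Group, ...]

    def evaluate(self, plan: dict) -> dict[str, list[str]]:
        """Run every check; a check passes when its list of failures is empty."""
        return {c.uid: c.query(plan) for g in self.groups for c in g.checks}


S3_POLICY = Policy(
    uid="example-terraform-s3",
    name="Example: S3 buckets are not public (Terraform plan)",
    groups=(Group("Storage", (
        Check("s3-block-public-access", "Block public access is fully enabled", buckets_without_public_access_block),
        Check("s3-no-public-acl", "No public canned ACL", buckets_with_public_acl),
    )),),
)

# Constructed plan fragment in the shape of `terraform show -json`; no real infrastructure.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
             "values": {"bucket": "acme-logs", "acl": "private"}},
            {"address": "aws_s3_bucket_public_access_block.logs", "type": "aws_s3_bucket_public_access_block",
             "values": {"bucket": "acme-logs", "block_public_acls": True, "block_public_policy": True,
                        "ignore_public_acls": True, "restrict_public_buckets": True}},
            {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket",
             "values": {"bucket": "acme-assets", "acl": "public-read"}},
            {"address": "aws_s3_bucket_public_access_block.assets", "type": "aws_s3_bucket_public_access_block",
             "values": {"bucket": "acme-assets", "block_public_acls": True, "block_public_policy": False,
                        "ignore_public_acls": True, "restrict_public_buckets": False}},
        ],
        "child_modules": [{"address": "module.data", "resources": [
            {"address": "module.data.aws_s3_bucket.raw", "type": "aws_s3_bucket", "values": {"bucket": "acme-raw"}},
        ]}],
    }},
}

if __name__ == "__main__":
    for uid, failures in S3_POLICY.evaluate(SAMPLE_PLAN).items():
        print("FAIL" if failures else "PASS", uid, failures)
```

On the constructed plan, `acme-logs` passes both checks, `acme-assets` fails both (two of the four flags are off and it asks for `public-read`), and `module.data.aws_s3_bucket.raw` fails the block-public-access check because no block covers it; running the same checks in CI on every plan is the "identify in dev, fix in dev" path from the exploit-versus-patch slide.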
  24. Use Policy as Code to define technical requirements. Use Compliance as Code to define compliance controls.
  25. Graph-based asset inventory: github.com/mondoohq/cnquery. Secure everything from development to production: github.com/mondoohq/cnspec. Extensible and open security.
  26. Discover security content. Security Registry: mondoo.com/registry. Security policies: github.com/mondoohq/cnspec-policies. Inventory and incident response query packs: github.com/mondoohq/cnquery-packs.
  27. Thank you. Christoph Hartmann 🐦 @chri_hartmann ✉ [email protected] 🏠 mondoo.com. Secure everything from development to production: github.com/mondoohq/cnspec