
The death of security as we know it: Platform and Security Engineering join forces to build more secure and robust applications

Fully automated attacks take companies into insolvency. The attackers use the latest automation technology to break into your company, making it nearly impossible to prevent an attack. The only question left: when will it happen?

While the tech industry has advanced in the last decade towards platform engineering and multiple releases per hour, security tooling and culture have yet to catch up. Working with the most advanced companies with high security and privacy requirements, we observed a shift in how those teams collaborate.

This talk shares the learnings from hundreds of discussions and how companies use new approaches to build and ship more robust application delivery with platform and security engineering.

Christoph Hartmann

March 18, 2023

Transcript

  1. Platform and Security Engineering join forces to
    build more secure and robust applications.
    The death of #security
    as we know it
    Christoph Hartmann
    @chri_hartmann

  2. Hi, I am Chris. I am CTO at Mondoo - leader in Security Posture Management.
    What is your background?
    I co-created the open source security projects DevSec Project and InSpec,
    co-founded Vulcano Security (acquired by Chef Software) and was Director
    of Engineering at Chef Software.
    @chri_hartmann

  3. What is the
    problem?
    @chri_hartmann

  4. Hackers used to look like this

  5. Ransomware is a business:
    Sales Quotas
    Playbooks
    Customer Support
    Affiliate Programs

  6. Average of 20% YoY increase in CVE publication

  7. Vulnerability Discovery
    0-Day Exploit → Vulnerability discovered → CVE assigned → CVE published → Patch by vendor → Exploit
    ~25% of CVEs have known exploits
    14% of exploits were published before the patches
    23% of exploits were published in the first week after the CVE
    50% of exploits were published in the first month after the CVE

  8. Patch Rollout
    Report created → Tickets created → Identify in dev → Fixed in dev → Rollout (slow)
    According to NTT Application Security, the average time to fix high severity
    vulnerabilities is about 246 days.

  9. Issues outpace the fix
    🔥 Yearly increase of 20% of known vulnerabilities
    🏎 Hackers use full automation to discover and hack targets; about 90% of exploits are
    available within the first month after the CVE has been published
    🐌 Rollout of fixes is way too slow

  10. Independent survey of 1100 IT and security professionals

  11. Main Problems: why are hackers so successful?
    01 Hardening of Infrastructure (Cloud, Servers, Workstation)
    02 Patch Management
    The same root causes are also corroborated in the Cyber Signals Report by
    Microsoft, which revealed that 80% of attacks can be attributed to outdated
    software and misconfiguration.

  12. Why is it so
    difficult?
    @chri_hartmann

  13. Software delivery
    Local Development → Source Control → CI/CD → Pre-Production → Production

  14. Use Case: Ensure that Cloud Storage Buckets have uniform bucket level access enabled

  15. Ensure that Cloud Storage Buckets have uniform bucket level access enabled
    Security Engineers focus on attack paths

  16. Ensure that Cloud Storage Buckets have uniform bucket level access enabled
    Platform Engineers focus on automation

  17. Software delivery
    Local Development → Source Control → CI/CD → Pre-Production → Production

  18. Leads to frustration

  19. Security Therapy

  20. Interviewed and worked with 100+ Sec/DevOps Leaders
    Theme: More organized threats
      In their words: "Software is eating the world so hackers are having a feast"
    Theme: Wait days/weeks for data
      In their words: "Coordinating over 30+ security tools to answer if we have the vulnerability and then waiting for verification it's been fixed"
    Theme: Security owns all the tools
      In their words: "DevOps don't have consistent access to what security uses, just their outputs aka a giant spreadsheet"
    Theme: Security vendors are slow
      In their words: "Their product roadmap is the same every year, so we hacked a solution to dump into Splunk"
    Theme: Unclear on the right priority for the business
      In their words: "The trade-off between shipping new features vs fixing what security wants us to fix."
    Theme: Re-enforces good practices
      In their words: "I need my teams to have a way to continuously improve our posture and for management to recognize the effort"

  21. Security is Hard

  22. What is the
    solution?
    @chri_hartmann

  23. Tech Stack (Unified View)
    Cloud Services
    Cluster Nodes
    Workloads (Deployments / Pods)
    Cluster Configuration
    Application Containers

  24. Cloud Services
    Cluster Nodes
    Workloads (Deployments / Pods)
    Cluster Configuration
    Application Containers
    Application Delivery Pipeline: Local Development → Source Control → CI/CD

  25. Ensure that Cloud Storage Buckets have uniform bucket level access enabled
    Reach the next level: Focus on Problem

  26. Software delivery
    Local Development → Source Control → CI/CD → Pre-Production → Production

  27. What are successful security engineers using?
    1. Access: every developer and security engineer has access to the same tooling
    2. Coverage: security tooling that supports build and runtime
    3. Automation: security tooling that works hand-in-hand with automation
    4. Extensible: security tooling that has an open source foundation, not hard-coded rules

  28. Open source security
    https://cnquery.io: Asset Inventory, search and gather information about your infrastructure
    https://cnspec.io: Security Scanner, scan for vulnerabilities and misconfiguration

  29. Easily ask questions with GraphQL-based MQL
    Amazon S3 buckets do not allow public read access
    S3 Buckets are configured with 'Block public access'

  30. Use Security as Code to define requirements
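
As an added example (not code from the deck, and not cnspec's own MQL), the two bucket requirements named on slides 14 and 29 expressed as security-as-code rules in Python; the inventory is constructed with made-up bucket names and is shaped like the GCS bucket resource's iamConfiguration and the S3 PublicAccessBlockConfiguration, and both rules fail closed when the setting is absent.

```python
"""Security-as-code: the deck's two bucket checks as executable policy rules."""
from typing import Callable, Dict, List

# Constructed inventory (made-up bucket names), shaped like the GCS bucket
# resource's iamConfiguration and the S3 PublicAccessBlockConfiguration.
GCS_BUCKETS = [
    {"name": "prod-logs", "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}}},
    {"name": "legacy-assets", "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}}},
    {"name": "scratch", "iamConfiguration": {}},  # setting absent entirely
]
S3_BUCKETS = [
    {"Name": "billing-exports", "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    {"Name": "marketing-site", "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": False,  # one setting off
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    {"Name": "no-block-config"},  # no public access block configured at all
]
S3_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def gcs_uniform_access_enabled(bucket: dict) -> bool:
    """Rule: uniform bucket-level access is enabled; a missing field fails closed."""
    iam = bucket.get("iamConfiguration", {})
    return iam.get("uniformBucketLevelAccess", {}).get("enabled") is True

def s3_block_public_access(bucket: dict) -> bool:
    """Rule: all four 'Block public access' settings are true; missing config fails."""
    cfg = bucket.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(key) is True for key in S3_BLOCK_KEYS)

def evaluate(buckets: List[dict], rule: Callable[[dict], bool], name_key: str) -> Dict[str, List[str]]:
    """Apply one rule to an inventory and group bucket names by pass/fail."""
    result: Dict[str, List[str]] = {"pass": [], "fail": []}
    for bucket in buckets:
        result["pass" if rule(bucket) else "fail"].append(bucket[name_key])
    return result

def run_policy() -> Dict[str, Dict[str, List[str]]]:
    """The policy: a named set of rules, each reported per bucket, like a scanner would."""
    return {
        "gcs-uniform-bucket-level-access": evaluate(GCS_BUCKETS, gcs_uniform_access_enabled, "name"),
        "s3-block-public-access": evaluate(S3_BUCKETS, s3_block_public_access, "Name"),
    }

if __name__ == "__main__":
    for name, res in run_policy().items():
        print(f"{name}: {len(res['pass'])} pass, {len(res['fail'])} fail {res['fail']}")
```

In a pipeline the inventory dicts would come from the cloud APIs instead of being embedded, and a non-empty fail list is what gates the stage.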

  31. Discover Security Content
    Security Registry: mondoo.com/registry
    Security Policies: github.com/mondoohq/cnspec-policies
    Inventory and Incident Response Query Packs: github.com/mondoohq/cnquery-packs

  32. We can be more secure!
    Local Development → Source Control → CI/CD → Pre-Production → Production

  33. We built a platform we are using
    we worked at
    Soo Choi, CEO
    Dominik Richter, CPO
    Christoph Hartmann, CTO
    Patrick Münch, CISO

  34. Christoph Hartmann
    🐦 @chri_hartmann
    [email protected]
    🏠 mondoo.com
    Thank you
