Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The death of security as we know it: Platform and Security Engineering join forces to build more secure and robust applications

Christoph Hartmann
March 18, 2023
Technology
0
10

The death of security as we know it: Platform and Security Engineering join forces to build more secure and robust applications

Fully automated attacks take companies into insolvency. The attackers use the latest automation technology to break into your company, making it nearly impossible to prevent an attack. The only question left: when will it happen?

While the tech industry has advanced in the last decade towards platform engineering and multiple releases per hour, security tooling and culture have yet to catch up. Working with the most advanced companies with high security and privacy requirements, we observed a shift in how those teams collaborate.

This talk shares the learnings from hundreds of discussions and how companies use new approaches to build and ship more robust application delivery with platform and security engineering.

Christoph Hartmann

March 18, 2023
Tweet

More Decks by Christoph Hartmann

See All by Christoph Hartmann
Testing Cloud Provisioning with Terraform and InSpec
chrisrock
2
580
DevSec: Continuous Patch and Security Assessment with InSpec
chrisrock
0
190
Chef Summit London: InSpec Keynote
chrisrock
0
230
AllDayDevOps 2017: Continuous Patch and Security Assessment with InSpec
chrisrock
0
130
DevSecCon London: Christoph Hartmann - DevSec: continuous compliance
chrisrock
0
180
ChefConf 2017 InSpec 2 Announcement
chrisrock
0
120
Compliance-Driven Infrastructure
chrisrock
0
130
Infrastructure and Security Testing with InSpec
chrisrock
0
190

Other Decks in Technology

See All in Technology
オブジェクト指向に基づいた ユニットテストのメリット#PHPerKaigi2023
mako5656
0
110
Tackle the infodemic of misinformation from LINE
line_developers_tw
PRO
0
150
未来の開発者へ負債を残さないために取り組んだこと
hayatokudou
0
260
可能な限り確実にmkdirを成功させるには / Make mkdir
oogfranz
PRO
0
110
TSN(Time-Sensitive Networking)を環境構築して遊んでみた
iotengineer22
0
760
レコメンドコンペ入門
t88
0
220
赤裸々図解!新卒3年目でマネジメントもこなすフルスタックエンジニアになるまで
mizunohiroaki
7
4.4k
ZOZOTOWNの裏側に迫る! Javaで作られたBFFの開発事例を紹介
yutaro527
0
360
ZOZOTOWNの検索APIにキャッシュを導入、実装時の工夫や効果について
sattosan
0
350
チームで導入する Jetpack Compose あの素晴らしいLTをもう一度.ver
kako351
1
170
ChatGPTをプロダクトに入れる開発が"毎日がAfter GPT"だった件/ChatGPT LT Link and Motivation
lmi
1
3.1k
新卒入社から1500人規模のCTOに: エンジニアが圧倒的に成長する3つのコツ / 技育祭2023春
carta_engineering
1
800

Featured

See All Featured
Fashionably flexible responsive web design (full day workshop)
malarkey
396
64k
Code Review Best Practice
trishagee
50
12k
Making Projects Easy
brettharned
102
4.9k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
7
670
GraphQLの誤解/rethinking-graphql
sonatard
39
8k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
38
3.7k
A Modern Web Designer's Workflow
chriscoyier
689
180k
How to name files
jennybc
48
76k
Art, The Web, and Tiny UX
lynnandtonic
284
18k
Unsuck your backbone
ammeep
660
56k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
31
20k
KATA
mclloyd
12
10k

Transcript

  1. Platform and Security Engineering join forces to
    build more secure and robust applications.
    The death of #security
    as we know it
    Christoph Hartmann
    @chri_hartmann

    View Slide

  2. Hi, I am Chris. I am CTO
    at Mondoo - leader in
    Security Posture
    Management
    What is your
    background?
    Y
    I co-created the open source
    security projects DevSec Project
    and InSpec, Co-Founded
    Vulcano Security (acquired by
    Chef Software) and was Director
    of Engineering at Chef Software
    @chri_hartmann

    View Slide

  3. What is the
    problem?
    @chri_hartmann

    View Slide

  4. 4
    Hackers used to look like this

    View Slide

  5. 5
    Ransomware is a business
    Name Name
    Words words
    Sales Quotas
    Playbooks
    Customer
    Support
    Affiliate
    Programs

    View Slide

  6. 6
    Average of 20% increase
    of YoY CVE publication

    View Slide

  7. Vulnerability Discovery
    0⃣
    0-Day
    Exploit
    💥
    Vulnerability
    discovered
    📢
    CVE
    published
    🏗
    Patch
    by vendor
    📝
    CVE
    assigned
    0⃣
    Exploit
    ~25% of CVEs have known exploits
    14% exploits published before the patches
    23% exploits published in the first week after CVE
    50% exploits were published in the first month after CVE

    View Slide

  8. Patch Rollout
    🎟
    Tickets
    created
    🐌
    Rollout
    Slow
    🏗
    Fixed
    in dev
    🔎
    Identify
    in dev
    🛑
    Report
    created
    According to NTT Application Security
    average time to fix high severity
    vulnerabilities is about 246 days

    View Slide

  9. 9
    🔥
    Yearly increase of 20% of known vulnerabilities
    🏎
    Hackers use full automation to discover and hack targets, about 90% of exploits are
    available within the first month after the CVE has been published
    🐌
    Rollout of fixes is way too slow
    Issues outpace the fix

    View Slide

  10. 10
    Independent survey of
    1100 IT and security professionals

    View Slide

  11. 11
    Hardening of
    Infrastructure
    (Cloud, Servers,
    Workstation)
    Patch
    Management
    01 02
    Main Problems:
    Why Hackers are so successful?
    The same root causes are also corroborated in the Cyber Signals Report by
    Microsoft that revealed 80% of attacks can be attributed to outdated
    software and misconfiguration.

    View Slide

  12. Why is it so
    difficult?
    @chri_hartmann

    View Slide

  13. 13
    Software delivery
    Local
    Development
    Source Control CI/CD Pre-Production Production

    View Slide

  14. 14
    Use Case:
    Ensure that Cloud Storage Buckets
    have a uniform bucket level access
    enabled

    View Slide

  15. 15
    Ensure that Cloud Storage Buckets
    have a uniform bucket level access
    enabled
    Security Engineers focus on attack paths

    View Slide

  16. 16
    Ensure that Cloud Storage Buckets
    have a uniform bucket level access
    enabled
    Platform Engineers focus on automation

    View Slide

  17. 17
    Software delivery
    Local
    Development
    Source Control CI/CD Pre-Production Production

    View Slide

  18. 18
    Leads to frustration

    View Slide

  19. 19
    Security Therapy

    View Slide

  20. Interviewed and worked
    with 100+ Sec/DevOps Leaders
    Theme In their words…...
    More organized threats Software is eating the world so hackers are having a feast
    Wait days/weeks to data Coordinating over 30+ security tools to answer if we have the vulnerability and then waiting
    for verification it’s been fixed
    Security owns all the tools DevOps don’t have consistent access to what security uses, just their outputs aka a giant
    spreadsheet
    Security vendors are slow Their product roadmap is the same every year, so we hacked a solution to dump into Splunk
    Unclear on the right priority for the business The trade off between shipping new features vs fixing what security wants us to fix.
    Re-enforces good practices I need my teams to have a way continuous improve our posture and for management to
    recognize the effort

    View Slide

  21. Security is Hard

    View Slide

  22. What is the
    solution?
    @chri_hartmann

    View Slide

  23. Cloud Services
    Cluster Nodes
    Workloads
    (Deployments / Pods)
    Cluster Configuration
    Application Containers
    Unified
    View
    Tech Stack

    View Slide

  24. Cloud Services
    Cluster Nodes
    Workloads
    (Deployments / Pods)
    Cluster Configuration
    Application Containers
    Application Delivery Pipeline
    Local
    Development
    Source Control CI/CD

    View Slide

  25. 25
    Ensure that Cloud Storage Buckets have a
    uniform bucket level access enabled
    Reach the next level:
    Focus on Problem

    View Slide

  26. 26
    Software delivery
    Local
    Development
    Source Control CI/CD Pre-Production Production

    View Slide

  27. 27
    What are successful
    security engineers using
    Access: Every
    developer and
    security engineer has
    access to the same
    tooling
    Coverage: security
    tooling that supports
    build and runtime
    Automation: security
    tooling that works
    hand-in-hand with
    automation
    Extensible: security
    tooling that has open
    source foundation,
    not hard-coded rules
    1 2
    3 4

    View Slide

  28. 28
    open source security
    https://cnquery.io
    Asset Inventory, search and gather
    information about your
    infrastructure
    https://cnspec.io
    Security Scanner, scan for
    vulnerabilities and
    misconfiguration

    View Slide

  29. 29
    Amazon S3 buckets do not allow public read access
    S3 Buckets are configured with 'Block public access'
    Easily ask questions with
    GraphQL-based MQL

    View Slide

  30. 30
    Use Security as Code to
    define requirements

    View Slide

  31. 31
    Discover Security Content
    Security Registry
    mondoo.com/registry
    Security Policies
    github.com/mondoohq/cnspec-policies
    Inventory and Incident Response Query Packs
    github.com/mondoohq/cnquery-packs

    View Slide

  32. 32
    We can be more secure!
    Local
    Development
    Source Control CI/CD Pre-Production Production

    View Slide

  33. We built a platform we are using
    we worked at
    Soo
    Choi
    CEO
    Dominik
    Richter
    CPO
    Christoph
    Hartmann
    CTO
    Patrick
    Münch
    CISO

    View Slide

  34. Christoph Hartmann
    🐦 @chri_hartmann
    [email protected]
    🏠 mondoo.com
    Thank you

    View Slide