
The death of security as we know it: Platform and Security Engineering join forces to build more secure and robust applications

Fully automated attacks take companies into insolvency. The attackers use the latest automation technology to break into your company, making it nearly impossible to prevent an attack. The only question left: when will it happen?

While the tech industry has advanced in the last decade towards platform engineering and multiple releases per hour, security tooling and culture have yet to catch up. Working with the most advanced companies with high security and privacy requirements, we observed a shift in how those teams collaborate.

This talk shares the learnings from hundreds of discussions and how companies use new approaches to build and ship more robust application delivery with platform and security engineering.

Christoph Hartmann

March 18, 2023


Transcript

  1. Platform and Security Engineering join forces to build more secure and robust applications. The death of #security as we know it. Christoph Hartmann @chri_hartmann
  2. Hi, I am Chris. I am CTO at Mondoo, leader in Security Posture Management. What is your background? I co-created the open source security projects DevSec Project and InSpec, co-founded Vulcano Security (acquired by Chef Software) and was Director of Engineering at Chef Software. @chri_hartmann
  3. Ransomware is a business: Sales Quotas, Playbooks, Customer Support, Affiliate Programs.
  4. Vulnerability Discovery: 0-Day Exploit, Vulnerability discovered, CVE published, Patch by vendor, CVE assigned, Exploit. ~25% of CVEs have known exploits; 14% of exploits were published before the patches; 23% of exploits were published in the first week after the CVE; 50% of exploits were published in the first month after the CVE.
  5. Patch Rollout: Tickets created, Rollout slow, Fixed in dev, Identify in dev, Report created. According to NTT Application Security, the average time to fix high severity vulnerabilities is about 246 days.
  6. Yearly increase of 20% in known vulnerabilities. Hackers use full automation to discover and hack targets; about 90% of exploits are available within the first month after the CVE has been published. Rollout of fixes is way too slow: issues outpace the fix.
  7. Main Problems: Why are hackers so successful? 01 Hardening of Infrastructure (Cloud, Servers, Workstation); 02 Patch Management. The same root causes are also corroborated in the Cyber Signals Report by Microsoft, which revealed that 80% of attacks can be attributed to outdated software and misconfiguration.
  8. Use Case: Ensure that Cloud Storage Buckets have uniform bucket-level access enabled.
  9. Ensure that Cloud Storage Buckets have uniform bucket-level access enabled. Security Engineers focus on attack paths.
  10. Ensure that Cloud Storage Buckets have uniform bucket-level access enabled. Platform Engineers focus on automation.
  11. Interviewed and worked with 100+ Sec/DevOps Leaders. Theme, in their words: More organized threats: "Software is eating the world so hackers are having a feast." Wait days/weeks for data: "Coordinating over 30+ security tools to answer if we have the vulnerability and then waiting for verification it's been fixed." Security owns all the tools: "DevOps don't have consistent access to what security uses, just their outputs, aka a giant spreadsheet." Security vendors are slow: "Their product roadmap is the same every year, so we hacked a solution to dump into Splunk." Unclear on the right priority for the business: "The trade-off between shipping new features vs fixing what security wants us to fix." Reinforces good practices: "I need my teams to have a way to continuously improve our posture and for management to recognize the effort."
  12. Cloud Services; Cluster Nodes; Workloads (Deployments / Pods); Cluster Configuration; Application Containers; Application Delivery Pipeline; Local Development; Source Control; CI/CD.
  13. Ensure that Cloud Storage Buckets have uniform bucket-level access enabled. Reach the next level: focus on the problem.
  14. What are successful security engineers using? 1 Access: every developer and security engineer has access to the same tooling. 2 Coverage: security tooling that supports build and runtime. 3 Automation: security tooling that works hand-in-hand with automation. 4 Extensible: security tooling that has an open source foundation, not hard-coded rules.
  15. Open source security: https://cnquery.io (Asset Inventory: search and gather information about your infrastructure); https://cnspec.io (Security Scanner: scan for vulnerabilities and misconfiguration).
  16. Amazon S3 buckets do not allow public read access. S3 Buckets are configured with 'Block public access'. Easily ask questions with GraphQL-based MQL.
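A policy-as-code version of the two bucket checks the slides name (GCS uniform bucket-level access from slides 8 to 13, and S3 'Block public access' from this slide), written as an added example for this transcript; it is not code from the deck, cnspec or Mondoo. It assumes input shaped like the GCS JSON API bucket resource and the boto3 get_public_access_block result, and runs over a constructed inventory instead of calling either cloud; the hypothetical bucket names are placeholders.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    asset: str
    check: str
    passed: bool
    reason: str


def check_gcs_uniform_access(bucket: Dict[str, Any]) -> Finding:
    """Slide check: a GCS bucket must have uniform bucket-level access enabled.
    Input follows the GCS JSON API bucket resource
    (iamConfiguration.uniformBucketLevelAccess.enabled); a missing key counts as disabled."""
    iam = bucket.get("iamConfiguration") or {}
    enabled = bool((iam.get("uniformBucketLevelAccess") or {}).get("enabled", False))
    reason = "uniform bucket-level access enabled" if enabled else "legacy per-object ACLs still in effect"
    return Finding(bucket.get("name", "<unnamed>"), "gcs-uniform-bucket-level-access", enabled, reason)


S3_PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def check_s3_block_public_access(name: str, pab: Optional[Dict[str, Any]]) -> Finding:
    """Slide check: an S3 bucket must have all four 'Block public access' settings on.
    pab is the PublicAccessBlockConfiguration dict boto3 returns; None models the
    NoSuchPublicAccessBlockConfiguration case, which must fail rather than be skipped."""
    if pab is None:
        return Finding(name, "s3-block-public-access", False, "no public access block configured")
    off = [k for k in S3_PAB_KEYS if not pab.get(k, False)]
    reason = "all four settings enabled" if not off else "disabled: " + ", ".join(off)
    return Finding(name, "s3-block-public-access", not off, reason)


def evaluate(inventory: Dict[str, Any]) -> List[Finding]:
    """Run every check over an inventory snapshot; one Finding per asset and check."""
    findings = [check_gcs_uniform_access(b) for b in inventory.get("gcs_buckets", [])]
    findings += [check_s3_block_public_access(n, p) for n, p in inventory.get("s3_buckets", {}).items()]
    return findings


# Constructed sample inventory with hypothetical bucket names, not real cloud data.
SAMPLE_INVENTORY = {
    "gcs_buckets": [
        {"name": "example-logs", "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}}},
        {"name": "example-legacy", "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}}},
    ],
    "s3_buckets": {
        "example-private": {k: True for k in S3_PAB_KEYS},
        "example-site": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                         "BlockPublicPolicy": False, "RestrictPublicBuckets": True},
        "example-unconfigured": None,  # bucket with no public access block at all
    },
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"{'PASS' if f.passed else 'FAIL'} {f.asset:22} {f.check}: {f.reason}")
```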
  17. Discover Security Content: Security Registry mondoo.com/registry; Security Policies github.com/mondoohq/cnspec-policies; Inventory and Incident Response Query Packs github.com/mondoohq/cnquery-packs.
  18. We built a platform we are using we worked at. Soo Choi, CEO; Dominik Richter, CPO; Christoph Hartmann, CTO; Patrick Münch, CISO.