Security Is Everybody's Job ... Literally. – Tanya Janca

In a DevOps world everyone performs security work, whether they like it or not. With a ratio of 100/10/1 for Development, Operations, and Security, it’s impossible for the security team alone to get it all done. We must build security into each of “the three ways”: automating and/or improving the efficiency of all security activities, speeding up feedback loops for security-related activities, and providing continuous learning opportunities in relation to security. While it may sound like the security team needs to learn to sprint, give feedback, and teach at the same time, the real challenge is creating a culture that embodies the mindset that security is everybody’s job.

DevOpsDays Zurich

May 02, 2018
Transcript

  1. @SheHacksPurple

  2. @SheHacksPurple

  3. @SheHacksPurple

  4. @SheHacksPurple

  5. @SheHacksPurple Slide Credit: Pete Cheslock

  6. @SheHacksPurple Slide Credit: DevSecCon

  7. This is me. I’m Tanya Janca. @SheHacksPurple AKA: @SheHacksPurple

  8. This is me. I’m a Senior Cloud Developer Advocate at: What does THAT mean? @SheHacksPurple

  9. This is me. I’m a Senior Cloud Developer Advocate. I work to make security features easier to use. I help developers use our products more securely. I provide feedback to internal teams so they can make our products more secure. I do security research and share it with the community. Security research, such as this presentation, OWASP DevSlop, and much more. @SheHacksPurple

  10. This is me. Application Security Evangelist @SheHacksPurple

  11. This is me. Application Security Evangelist @SheHacksPurple

  12. This is me. Ethical hacker. I want to know how things work. @SheHacksPurple

  13. This is me. I’m obsessed with OWASP! Open Web Application Security Project: an international non-profit that operates chapters, projects and conferences all over the globe, in efforts to help everyone create more secure software. @SheHacksPurple

  14. This is me. OWASP Ottawa Chapter Leader @SheHacksPurple

  15. This is me. OWASP DevSlop Project Leader @SheHacksPurple

  16. This is me. Software Developer (since the late 90’s). That’s over 20 years! AHHHHHHHHHHHH! @SheHacksPurple

  17. This is me. Goal: to change the way we make software so that the easiest way to do something is also the most secure way. @SheHacksPurple Photo: DevSecCon, Singapore, 2018

  18. Let’s do this. @SheHacksPurple

  19. @SheHacksPurple

  20. @SheHacksPurple

  21. Verizon Data Breach Investigation Report (DBIR) for 2017 and 2016. @SheHacksPurple

  22. @SheHacksPurple

  23. @SheHacksPurple Photo: #WOCTechChat

  24. @SheHacksPurple 100 / 10 / 1

  25. @SheHacksPurple Photo: Winged Beast

  26. @SheHacksPurple

  27. @SheHacksPurple

  28. @SheHacksPurple

  29. @SheHacksPurple

  30. @SheHacksPurple

  31. @SheHacksPurple

  32. @SheHacksPurple

  33. @SheHacksPurple The Three Ways

  34. Left -> Right = speed @SheHacksPurple

  35. @SheHacksPurple Requirements Design Code Testing Release

  36. @SheHacksPurple Photo: #WOCTechChat

  37. @SheHacksPurple
     • Assisting in tuning SAST and DAST tools
     • Reusing known good code
     • Using up-to-date images
     • Using the Security Pipeline
     • Making negative unit tests
     • Severe security bugs break the build
     • We cannot do it without them on board

  38. @SheHacksPurple Photo: #WOCTechChat Ensure Dev and Ops are not waiting on you. We CANNOT be a bottleneck. Make processes that WORK.

  39. @SheHacksPurple Photo: #WOCTechChat Breaking security activities into smaller pieces

  40. @SheHacksPurple
     • Ensure Dev & Ops are not waiting on you
     • Tuning security tools so they do not produce false positives
     • Breaking security activities into smaller pieces so that they fit into the “sprints”
     • Make processes that work, and match pace
     • Providing secure templates and code samples that are known-secure (sec code library)

  41. @SheHacksPurple Photo: #WOCTechChat Create a security pipeline, for more in-depth testing.

  42. @SheHacksPurple Photo: #WOCTechChat Write your own code libraries, for your business’ specific needs.

  43. @SheHacksPurple
     • Create a security pipeline
     • Buy licenses for dev and ops for sec tools
     • This does not mean doing 100% of the work yourself, it means making it possible for Dev & Ops to perform security as part of their daily work.
     • Writing your own tools and libraries, see RepoKid from Netflix
     • Enable Dev and Ops, in every way you can.

  44. @SheHacksPurple

  45. @SheHacksPurple Requirements Design Code Testing Release

  46. @SheHacksPurple The cost of fixing quality & security issues rises significantly as the development cycle advances (Source: Ponemon Institute Research): Coding $80/defect; Build $240/defect; QA & Security $960/defect; Production $7,600/defect.

  47. @SheHacksPurple Photo: #WOCTechChat Providing feedback to the security team about what they are concerned about. The security team listening and taking action. Participating in security activities.

  48. @SheHacksPurple Photo: #WOCTechChat Providing feedback earlier, and more often. Pushing Left.

  49. @SheHacksPurple

  50. @SheHacksPurple Photo: #WOCTechChat

  51. @SheHacksPurple
     • Automate as much as humanly possible, then teach dev and ops to understand the results
     • Tune the tools, so they don’t waste anyone’s time
     • Add security into each phase of the SDLC, including requirements and design
     • Insist that the build breaks if a large security vulnerability is introduced; security is a part of quality
     • Rename functions you want to phase out
     • Check out Netflix’s RepoKid!

  52. @SheHacksPurple Photo: #WOCTechChat Positive testing determines that your application works as expected. If an error is encountered during positive testing, the test fails. Negative testing ensures that your application can gracefully handle invalid input or unexpected user behavior.

  53. @SheHacksPurple Photo: #WOCTechChat Inviting Dev and Ops to participate in Security Activities: Incidents, Threat Modelling, Security Sprints, etc.

  54. @SheHacksPurple Photo: #WOCTechChat Use Metrics to track trends. Create unit tests out of PenTest Results.

  55. @SheHacksPurple
     • If a PenTest is done, check all apps for those vulns
     • Use tools like OWASP DefectDojo to provide feedback on metrics and trends to Dev & Ops
     • Invite Dev & Ops to participate in Security activities, for feedback and teaching
     • Don’t be afraid to try new things and get creative; writing your own tools is likely to provide your best results.
     • Add negative use cases as unit tests, not just positive use cases (Morgan Roman, @Hackimedes)

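As an added example (not from the deck), the positive/negative split described on slide 52 and the "negative use cases as unit tests" point on slide 55, applied to a small username validator whose rules are assumed for this example:

```python
import re
import unittest

# Constructed example: a small username validator that the tests exercise.
# Assumed rule for this example: 3-32 chars, ASCII letter first, then
# ASCII letters, digits or underscore. Anything else is rejected outright.
_USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{2,31}")

def validate_username(raw):
    """Return the normalized username, or raise ValueError for any bad input."""
    if not isinstance(raw, str):
        raise ValueError("username must be a string")
    if not _USERNAME_RE.fullmatch(raw):
        raise ValueError("username does not match the allowed pattern")
    return raw.lower()

class PositiveTests(unittest.TestCase):
    # Positive testing: the happy path works; an error here fails the test.
    def test_accepts_valid_names(self):
        self.assertEqual(validate_username("Alice_01"), "alice_01")
        self.assertEqual(validate_username("bob"), "bob")

class NegativeTests(unittest.TestCase):
    # Negative testing: invalid or unexpected input is rejected cleanly with a
    # ValueError, never a crash and never a silently accepted value.
    def test_rejects_bad_input(self):
        bad_inputs = [
            "",               # empty
            "ab",             # too short
            "a" * 33,         # too long
            "1alice",         # must start with a letter
            "alice;--",       # punctuation a downstream layer must never see
            "alice\x00",      # embedded NUL byte
            "ali\u0441e",     # Cyrillic letter that looks like ASCII 'c'
            None,             # wrong type
            12345,            # wrong type
        ]
        for value in bad_inputs:
            with self.subTest(value=value):
                with self.assertRaises(ValueError):
                    validate_username(value)

def run_suite():
    """Run both test classes; returns True only if every case passed."""
    loader = unittest.defaultTestLoader
    suite = unittest.TestSuite()
    suite.addTests(loader.loadTestsFromTestCase(PositiveTests))
    suite.addTests(loader.loadTestsFromTestCase(NegativeTests))
    return unittest.TextTestRunner(verbosity=0).run(suite).wasSuccessful()
```

Each entry in `bad_inputs` is the kind of case a pen-test finding turns into: once the finding is a failing negative test, the build breaks if the validator ever regresses.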
  56. @SheHacksPurple

  57. @SheHacksPurple Photo: #WOCTechChat

  58. @SheHacksPurple Photo: #WOCTechChat

  59. @SheHacksPurple Photo: #WOCTechChat

  60. @SheHacksPurple
     • Offer security training to Dev & Ops. Pay for it.
     • Share information widely when you fix or find new security issues
     • Run Security Exercises or Incident Simulations
     • Provide and analyze metrics from security testing, look for patterns or systemic issues
     • Check out Netflix Chaos Monkey
     • Never forget that your focus is to enable Dev and Ops to get their jobs done, securely.

  61. @SheHacksPurple Photo: #WOCTechChat

  62. @SheHacksPurple Photo: #WOCTechChat

  63. @SheHacksPurple
     • Share information widely when you fix something
     • EVERYTHING goes into a knowledge base. *
     • Ensure you perform blameless post mortems
     • Talk about security incidents after they are over
     • Teaching developers and ops what the output from security tools actually means
     • Create formal lessons and learning opportunities, if at all possible (lunch and learns, white papers, formal training, job shadowing)

  64. Culture Change @SheHacksPurple

  65. @SheHacksPurple Photo: #WOCTechChat

  66. @SheHacksPurple Photo: #WOCTechChat

  67. @SheHacksPurple Photo: #WOCTechChat

  68. @SheHacksPurple Photo: #WOCTechChat

  69. @SheHacksPurple Photo: #WOCTechChat

  70. @SheHacksPurple

  71. @SheHacksPurple https://stories.visualstudio.com/

  72. @SheHacksPurple https://www.owasp.org/index.php/OWASP_DevSlop_Project

  73. @SheHacksPurple https://aka.ms/GettingStartedWithAppSec

  74. @SheHacksPurple

  75. @SheHacksPurple Twitter: @SheHacksPurple https://medium.com/@SheHacksPurple https://www.slideshare.net/TanyaJanca https://DevSlop.co

  76. @SheHacksPurple

  77. @SheHacksPurple

  78. @SheHacksPurple Thank You. Tanya Janca: Cloud Developer Advocate, Microsoft; OWASP Ottawa Chapter Leader; OWASP DevSlop Project Leader. Tanya.Janca@Microsoft.com, Tanya.Janca@owasp.org, @SheHacksPurple