Opening up security

Transcript

1. (without introducing more risk) Opening up Security Puppet Gareth Rushgrove

   Following in the footsteps of devops

2. (without introducing more risk) Gareth Rushgrove @garethr

3. (without introducing more risk) Gareth Rushgrove

4. (without introducing more risk) Introduction What to expect

5. - The security stereotype - A story of the devops

   movement - A brief economics interlude - Opportunities for openness Gareth Rushgrove

6. (without introducing more risk) The Security Stereotype A barrier to

   entry

7. A widely held but fixed and oversimplified image or idea

   of a particular type of person or thing. Gareth Rushgrove stereotype noun plural noun: stereotypes

8. Security says “no” Gareth Rushgrove

9. Gareth Rushgrove

10. Insider lingo resists collaboration Gareth Rushgrove

11. The language and speech, especially the jargon, slang or argot,

    of a particular field, group or individual Gareth Rushgrove lingo noun plural noun: lingoes

12. Threat model, risk, cyber, mitigation, control, kill chain, threat intelligence,

    assurance, … Gareth Rushgrove

13. APT, GPG, CERT, SOC, IDP, NCSC, IL3, EUD, PCI, RAT,

    … Gareth Rushgrove

14. Perceived as an exclusive club Gareth Rushgrove

15. Most security events are for security people Gareth Rushgrove

16. Few security people attend or speak at developer conferences Gareth

    Rushgrove

17. Gareth Rushgrove Security is a silo

18. (without introducing more risk) The Story of Infrastructure Parallels for

    security?

19. Gareth Rushgrove Ops used to be a silo*

20. a fictional rogue systems administrator who takes out his anger

    on users and others who pester him with computer problems Gareth Rushgrove BOFH Bastard Operator from Hell

21. Gareth Rushgrove

22. Infrastructure as code Gareth Rushgrove

23. 1993 Gareth Rushgrove Mark Burgess is from the future

24. Gareth Rushgrove 2005

25. Infrastructure as a service Gareth Rushgrove

26. 2006 Gareth Rushgrove

27. Devops practices Gareth Rushgrove

28. 2008 Gareth Rushgrove

29. 2009 Gareth Rushgrove

30. 2016 Gareth Rushgrove

31. Container platforms Gareth Rushgrove

32. Gareth Rushgrove 2013-

33. Content, not just software Gareth Rushgrove

34. Gareth Rushgrove Puppet Forge

35. Gareth Rushgrove Docker Hub

36. Gareth Rushgrove Public incident reports

37. (without introducing more risk) Platforms and Network Effects Economic advantages

38. Gareth Rushgrove

39. Open source exhibits a classic network effect Gareth Rushgrove

40. Two-sided markets, are economic platforms having two distinct user groups

    that provide each other with network benefits Gareth Rushgrove

41. (without introducing more risk) Opportunities in Security? Embracing openness

42. Security policy is still often just a stack of paper

    Gareth Rushgrove

43. Limited examples of transformative open source security software Gareth Rushgrove

44. Where are the security platforms? Gareth Rushgrove

45. The emergence of interesting tooling Gareth Rushgrove

46. Gareth Rushgrove BDD Security

47. Gareth Rushgrove Sysdig

48. Gareth Rushgrove osquery

49. Shared content not just tools Gareth Rushgrove

50. Gareth Rushgrove Hardening Framework

51. Gareth Rushgrove SIMP from the NSA

52. Gareth Rushgrove End User Device Guides

53. Events that emphasise crossover with developers and operations Gareth Rushgrove

54. Gareth Rushgrove DevSecCon

55. What would we mean by - Open source security? -

    Security as a service? - Security as code? - Ruby on Rails for security? Gareth Rushgrove

56. (without introducing more risk) Why Openness for Security is Hard

    Challenges and assumptions

57. Popular wisdom is that secrecy equals security Gareth Rushgrove Bruce

    Schneier “ ”

58. Security through obscurity Gareth Rushgrove

59. Gareth Rushgrove

60. This guidance takes the view that no one particular type

    of software is inherently more, or less, secure than the other and does not favour one type over the other Gareth Rushgrove GPG38, UK Government ” “

61. Helping attackers Gareth Rushgrove

62. Attackers are using network effects against you Gareth Rushgrove

63. Marketplaces that sell: - DDOS attacks for $5 an hour

    - 300,000 airline points for $90 - American Express Cards for $30 - French driver’s license for $238 Gareth Rushgrove From SecureWorks 2016 Underground Hacker Markets Annual Report

64. Products available like: - ATM skimming devices for $400 -

    Exploit Kits from $100 - RATs for as little as $5 - DDOS online tutorials from $20 Gareth Rushgrove From SecureWorks 2016 Underground Hacker Markets Annual Report

65. Liability Gareth Rushgrove

66. Overzealous open source advocates Gareth Rushgrove

67. Fear, uncertainty and doubt Gareth Rushgrove

68. (without introducing more risk) Conclusions What can we do to

    make things better

69. Gareth Rushgrove 1 Understand the importance of tools which leverage

    network effects

70. Look out for and back emerging platforms Gareth Rushgrove 1

71. Appreciate the importance of service design for security Gareth Rushgrove

    2

72. Gareth Rushgrove 2 Read Designing Delivery

73. Start sharing across communities Gareth Rushgrove 3

74. Attend and speak at a developer or operations focused event

    Gareth Rushgrove 3

75. (without introducing more risk) Questions And thanks for listening