Opening up security

Talk from Infosecurity World on the parallels between the emergence of devops over the past 10 years and the state of security today.

Gareth Rushgrove

June 09, 2016

Transcript

  1. Opening up Security (without introducing more risk): Following in the footsteps of devops. Gareth Rushgrove, Puppet

  2. Gareth Rushgrove, @garethr

  3. (no text on slide)

  4. Introduction: What to expect

  5. - The security stereotype
     - A story of the devops movement
     - A brief economics interlude
     - Opportunities for openness

  6. The Security Stereotype: A barrier to entry

  7. stereotype (noun, plural stereotypes): a widely held but fixed and oversimplified image or idea of a particular type of person or thing.

  8. Security says “no”

  9. (no text on slide)

  10. Insider lingo resists collaboration

  11. lingo (noun, plural lingoes): the language and speech, especially the jargon, slang or argot, of a particular field, group or individual.

  12. Threat model, risk, cyber, mitigation, control, kill chain, threat intelligence, assurance, …

  13. APT, GPG, CERT, SOC, IDP, NCSC, IL3, EUD, PCI, RAT, …

  14. Perceived as an exclusive club

  15. Most security events are for security people

  16. Few security people attend or speak at developer conferences

  17. Security is a silo

  18. The Story of Infrastructure: Parallels for security?

  19. Ops used to be a silo*

  20. BOFH, Bastard Operator from Hell: a fictional rogue systems administrator who takes out his anger on users and others who pester him with computer problems.

  21. (no text on slide)

  22. Infrastructure as code

  23. 1993: Mark Burgess is from the future

  24. 2005

  25. Infrastructure as a service

  26. 2006

  27. Devops practices

  28. 2008

  29. 2009

  30. 2016

  31. Container platforms

  32. 2013-

  33. Content, not just software

  34. Puppet Forge

  35. Docker Hub

  36. Public incident reports

  37. Platforms and Network Effects: Economic advantages

  38. (no text on slide)

  39. Open source exhibits a classic network effect

  40. Two-sided markets are economic platforms having two distinct user groups that provide each other with network benefits.

  41. Opportunities in Security? Embracing openness

  42. Security policy is still often just a stack of paper

  43. Limited examples of transformative open source security software

  44. Where are the security platforms?

  45. The emergence of interesting tooling

  46. BDD Security

  47. Sysdig

  48. osquery

  49. Shared content, not just tools

  50. Hardening Framework

  51. SIMP from the NSA

  52. End User Device Guides

  53. Events that emphasise crossover with developers and operations

  54. DevSecCon

  55. What would we mean by:
     - Open source security?
     - Security as a service?
     - Security as code?
     - Ruby on Rails for security?

  56. Why Openness for Security is Hard: Challenges and assumptions

  57. “Popular wisdom is that secrecy equals security” (Bruce Schneier)

  58. Security through obscurity

  59. (no text on slide)

  60. “This guidance takes the view that no one particular type of software is inherently more, or less, secure than the other and does not favour one type over the other” (GPG38, UK Government)

  61. Helping attackers

  62. Attackers are using network effects against you

  63. Marketplaces that sell:
     - DDOS attacks for $5 an hour
     - 300,000 airline points for $90
     - American Express Cards for $30
     - French driver’s license for $238
     (From SecureWorks 2016 Underground Hacker Markets Annual Report)

  64. Products available like:
     - ATM skimming devices for $400
     - Exploit Kits from $100
     - RATs for as little as $5
     - DDOS online tutorials from $20
     (From SecureWorks 2016 Underground Hacker Markets Annual Report)

  65. Liability

  66. Overzealous open source advocates

  67. Fear, uncertainty and doubt

  68. Conclusions: What can we do to make things better

  69. (1) Understand the importance of tools which leverage network effects

  70. (1) Look out for and back emerging platforms

  71. (2) Appreciate the importance of service design for security

  72. (2) Read Designing Delivery

  73. (3) Start sharing across communities

  74. (3) Attend and speak at a developer or operations focused event

  75. Questions, and thanks for listening