Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Traditional Security is Dead! - NYC-Sep2018

Ashish
September 09, 2018
Technology
0
38

Traditional Security is Dead! - NYC-Sep2018

This is the 15min version of the DevSecOps introduction presentation.

These slides were presented at the NY Information Security Meetup in Manhattan New York on 9th September,2018 by Ashish Rajan to a cybersecurity professional crowd of about 200 attendees.

Linkedin: https://www.linkedin.com/in/ashishrajan

Ashish

September 09, 2018
Tweet

More Decks by Ashish

See All by Ashish
Automated Detection and Remediation in AWS
hashishrajan
0
70
Long living creds in Cloud?
hashishrajan
0
56
DevSecOps Meetup - Security Challenges in DevOps - Wynand Viljoen
hashishrajan
0
170
GuardDuty - the non AWS version - Feb2018
hashishrajan
0
80
Security in the world of Cloud and Chaos Engineering
hashishrajan
0
69
Convincing security to let you deploy in AWS
hashishrajan
0
73
Walkthrough of a compromised AWS Account - AWS Meetup Nov2016
hashishrajan
0
96
Walkthrough of a compromised AWS Account-InfraCoder-MeetupNov2016
hashishrajan
0
98

Other Decks in Technology

See All in Technology
Google Cloud の AI を支える裏側のインフラを垣間見る!
maroon1st
0
340
Janus
bkuhlmann
1
490
DevOpsメトリクスとアウトカムの接続にトライ!開発プロセスを通して計測できるメトリクスの活用方法
ham0215
2
230
JAWS-UG Bedrock Claude Night
yamahiro
3
540
Kernel MemoryでAzure OpenAI Serviceとお手軽データソース連携
mitsuzono
1
180
On Your Data を超えていく!
hirotomotaguchi
2
650
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
280
アクセシビリティを考慮したUI/CSSフレームワーク・ライブラリ選定
yajihum
2
1k
20分で完全に理解するGrafanaダッシュボード
hamadakoji
1
180
最近たまに見かけるTiDBってなんだ? - Findy
pingcap0315
2
760
コードを書く隙間を見つけて生きていく技術/Findy 思考の現在地
fujiwara3
27
5.8k
検証を通して見えてきたTiDBの性能特性
lycorptech_jp
PRO
6
3.7k

Featured

See All Featured
YesSQL, Process and Tooling at Scale
rocio
164
13k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
Build your cross-platform service in a week with App Engine
jlugia
225
17k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
357
22k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
7
990
What’s in a name? Adding method to the madness
productmarketing
PRO
16
2.6k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.6k
Code Review Best Practice
trishagee
55
15k
Side Projects
sachag
451
41k
BBQ
matthewcrist
80
8.8k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
2
3.4k

Transcript

  1. Traditional Security is dead! Ashish Rajan NYC Information Security -

    September,2018

  2. Who am I? •Masters in Information Security •Offensive turned Defensive

    Security guy •Helping bridge Security and DevOps for large enterprises through Versent. •OWASP Melbourne Chapter Lead •DevSecOps Evangelist •Largest DevSecOps community in Australia & New Zealand •Public Speaker for security in the modern world •Global DevSecOps workshops

  3. WaterFall Security Traditional Security

  4. Waterfall Landscape Contractors Data Centers Company issued Assets

  5. Evolution of Hackers 80s - 90s Present Day

  6. Evolution of White Hat 80s - 90s Present Day

  7. Problem Effectiveness Agility Scalability

  8. Agile + DevOps

  9. Current Landscape Infrastructure as code Shared Risk SaaS Cloud

  10. Traditional Security is being disrupted • Infrastructure • Identity &

    Access Management • Software Development Lifecycle • Security Assessment • Governance

  11. Traditional Security is being disrupted • Infrastructure • Identity &

    Access Management • Software Development Lifecycle • Security Assessment • Governance • Feedback

  12. Infrastructure (Waterfall) • Strong Public Facing Perimeter • Project delays

    – Security Hardware • Every server is a “pet” • OS and Security updates – slower

  13. Infrastructure (Current) • Corporate assets hosted in Cloud, SaaS •

    Infrastructure as Code - CI/CD Pipeline • Every server “will be” a “cattle” • Automated Infrastructure Vulnerability Mgmt • Vulnerability Patching, SSL Certs • Guardrails - Detective & Preventive controls “Security has high visibility and velocity to respond to threat.”

  14. Feedback (WaterFall) • Security Audit • ”Periodic” PenTesting • Logs

    • Reports • Production Incidents - SOC Team

  15. Feedback (Current) • Testing • Chaos Engineering • DOS Testing

    done more frequently - Blue/Green Deployments • Smarter PenTesting - Bug Bounty • Incidents - DevOps + SOC • Continuous Feedback on above “Business gets more value for testing, when low hanging fruits have been tackled earlier in SDLC”

  16. “If your solution to a problem threat cannot scale then

    it’s a patch not a solution” - Ashish Rajan

  17. Automated, Measurable, Collaborative and Repeatable!

  18. Things that helped in achieving this • Security as a

    service • Trust and but Verify • Learning coding – security tools and libraries for others • Attending Standups • Security Training

  19. Take Away • Traditional Security is mutating in the world

    of DevOps • Automating security makes your enterprise more secure – no Human error • Security Metrics makes the value add of the security more visible • Security as a Service for the whole organization • Terms to lookout for - deception_ops, ML, no_ops

  20. Question