Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevSecOps: Build It, Secure It, Run It

Avatar for j.hand j.hand
May 01, 2018
Technology
0
180

DevSecOps: Build It, Secure It, Run It

Where Does Security Belong in DevOps?

Modern architectures and design patterns challenge developers, security, and operations in a whole new way. Instead of developers building and handing to security for testing, today’s developers are a key part of the security team - and vice versa.

In this Modern Security Series episode, we look at how security:

Shifts left - earlier into the development cycle
Shifts right - integrating with operations
Adapts to enable app and service owners to respond faster to threats
Avatar for j.hand

j.hand

May 01, 2018
Tweet

More Decks by j.hand

See All by j.hand
Suffer Better
Avatar for j.hand jasonhand
0
200
IGNITE - Scrutinizing the Scrutiny
Avatar for j.hand jasonhand
0
320
Beyond The Mean Time To Recover (MTTR)
Avatar for j.hand jasonhand
1
410
Cognitive Bias & Its Impact on Continuous Improvement
Avatar for j.hand jasonhand
0
100
The Unrealized Role of Monitoring & Alerting ( All Day DevOps edition)
Avatar for j.hand jasonhand
2
310
The Benefit of a Systems Lens: Viewing Feedback from a "Systems Thinking" model
Avatar for j.hand jasonhand
0
420
DevOps Organizational Journey
Avatar for j.hand jasonhand
1
500
ChatOps: Infrastructure As Conversation
Avatar for j.hand jasonhand
1
940
Understanding Cognitive Bias Found in Judgement & Choice
Avatar for j.hand jasonhand
0
540

Other Decks in Technology

See All in Technology
データベース04: SQL (1/3) 単純質問 & 集約演算
Avatar for Y. Yamamoto trycycle
PRO
0
720
AndroidアプリエンジニアもMCPを触ろう
Avatar for Shinnosuke Kugimiya kgmyshin
2
610
正式リリースされた Semantic Kernel の Agent Framework 全部紹介!
Avatar for Kazuki okazuki
1
780
ペアーズにおける評価ドリブンな AI Agent 開発のご紹介
Avatar for fukubaka0825 fukubaka0825
9
2.3k
コスト最適重視でAurora PostgreSQLのログ分析基盤を作ってみた #jawsug_tokyo
Avatar for のんピ non97
2
890
Azure & DevSecOps
Avatar for KAMEGAWA Kazushi kkamegawa
2
160
エンジニアリングで組織のアウトカムを最速で最大化する!
Avatar for ham ham0215
1
290
Previewでもここまで追える! Azure AI Foundryで始めるLLMトレース
Avatar for Tomodo_ysys tomodo_ysys
2
420
AIとSREで「今」できること
Avatar for HonMarkHunt honmarkhunt
3
710
Winning at PHP in Production in 2025
Avatar for Benjamin Eberlei beberlei
1
270
Oracle Cloud Infrastructure:2025年4月度サービス・アップデート
Avatar for oracle4engineer oracle4engineer
PRO
0
380
AOAI で AI アプリを開発する時にまず考えたいこと
Avatar for Yuji Masaoka | まっぴぃ mappie_kochi
1
450

Featured

See All Featured
Navigating Team Friction
Avatar for Lara Hogan lara
185
15k
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.3k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
129
19k
Intergalactic Javascript Robots from Outer Space
Avatar for Vicent Martí tanoku
271
27k
Code Reviewing Like a Champion
Avatar for maltzj maltzj
523
40k
Optimising Largest Contentful Paint
Avatar for Harry Roberts csswizardry
37
3.2k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
40
7.2k
The Success of Rails: Ensuring Growth for the Next 100 Years
Avatar for Eileen M. Uchitelle eileencodes
45
7.2k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
34
2.9k
Gamification - CAS2011
Avatar for David Bonilla davidbonilla
81
5.3k
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
26k
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
110k

Transcript

  1. Where Does Security fit in DevOps? @jasonhand | @wicke0

  2. The DevSecOps View: Build It, Secure It, Run It, @jasonhand

    | @wicke0

  3. Agenda @jasonhand | @wicke0

  4. Where Have We Been? @jasonhand | @wicke0

  5. How Are We Doing Things Today? @jasonhand | @wicke0

  6. Industry Movement That DevOps thing you keep hearing about @jasonhand

    | @wicke0

  7. Two Shi(s + Adapta&on @jasonhand | @wicke0

  8. Security Shi$s Le$ ! ... earlier into the development cycle

    @jasonhand | @wicke0

  9. Security Shi$s Right ! ... integra*ng with opera*ons @jasonhand |

    @wicke0

  10. Security Adapts ! ... to enable app and service owners

    to respond faster to threats @jasonhand | @wicke0

  11. (Adaptation == Continuous Improvement) @jasonhand | @wicke0

  12. Con$nuous Improvement @jasonhand | @wicke0

  13. DevOps @jasonhand | @wicke0

  14. DevOps An approach to our work where we con.nuously look

    for methods to evaluate and improve the technology, process, and people as they relate to building, deploying, opera.ng, securing, and suppor.ng the value our organiza.on provides. @jasonhand | @wicke0

  15. Jason Hand @jasonhand VictorOps @jasonhand | @wicke0

  16. @jasonhand | @wicke0

  17. James Wicke& @wicke' Signal Sciences @jasonhand | @wicke0

  18. "Many security teams work with a worldview where their goal

    is to inhibit change as much as possible." @jasonhand | @wicke0

  19. Companies are spending a great deal on security, but we

    read of massive computer-related a9acks... @jasonhand | @wicke0

  20. Clearly something is wrong. The root of the problem is

    twofold: we’re protec'ng the wrong things, and we’re hur'ng produc'vity in the process. — Steven M. Bellovin @jasonhand | @wicke0

  21. The Past Embrace Secrecy Build a Wall Test when Done

    Certainty Tes:ng @jasonhand | @wicke0

  22. The best way to predict the future is to invent

    it @jasonhand | @wicke0

  23. The Future Embrace Feedback Loops Zero Trust Networks Shi9 Le9

    Adversity Tes=ng @jasonhand | @wicke0

  24. @jasonhand | @wicke0

  25. New Challenges @jasonhand | @wicke0

  26. What is Security’s new place in the delivery pipeline? @jasonhand

    | @wicke0

  27. How? @jasonhand | @wicke0

  28. Integrated & Collabora've @jasonhand | @wicke0

  29. Conversa)ons About Security Earlier @jasonhand | @wicke0

  30. Build It @jasonhand | @wicke0

  31. SDLC Shi$s @jasonhand | @wicke0

  32. Something New @jasonhand | @wicke0

  33. Instrumenta*on @jasonhand | @wicke0

  34. Monitoring & Aler%ng @jasonhand | @wicke0

  35. Does security affect the reliability of a service? @jasonhand |

    @wicke0

  36. Site Reliability Engineering @jasonhand | @wicke0

  37. GDPR General Data Protec-on Regula-on Enforcement Begins: May 25th, 2018

    @jasonhand | @wicke0

  38. Secure It @jasonhand | @wicke0

  39. Shi$s le$ ... earlier into the development cycle @jasonhand |

    @wicke0

  40. 3 Shi&s le& Design Inheritance Tes.ng @jasonhand | @wicke0

  41. Design for the Bad Guys Use Evil User Stories and

    have security tests being wri7en with other unit tests or whatever tes8ng pa7erns you use: TDD, BDD, ATDD, … @jasonhand | @wicke0

  42. New School Security Design Mozilla Rapid Risk Assessment link OWASP

    App Threat Modeling Cheat Sheet link @jasonhand | @wicke0

  43. We Inherit our Problems Heartbleed, shellshock, ... We forget our

    real LOC @jasonhand | @wicke0

  44. Toolchain for Inheritance tes0ng OWASP Dependency Checker Re3re.js link Publish

    a BOM Git-secrets from awslabs link @jasonhand | @wicke0

  45. Security Tes,ng for Developers Code Standards and security tooling runs

    on developer laptops and systems, but also verified by CI system. @jasonhand | @wicke0

  46. The goal should be to come up with a set

    of automated tests that probe and check security configura9ons and run9me system behavior for security features that will execute every 9me the system is built and every 9me it is deployed. @jasonhand | @wicke0

  47. @jasonhand | @wicke0

  48. Gauntlt Framework with Security tes2ng wri5en in a natural language

    that developers, security and opera2ons can understand. @jasonhand | @wicke0

  49. @jasonhand | @wicke0

  50. Gauntlt Gauntlt wraps security tes0ng tools to be part of

    the CI/CD pipeline Open source, MIT License, gauntlt.org @jasonhand | @wicke0

  51. We have saved millions of dollars using Gauntlt for the

    largest healthcare industry project. — Aaron Rinehart, UnitedHealthCare @jasonhand | @wicke0

  52. Lynda.com Security Tes,ng Course link @jasonhand | @wicke0

  53. Shi$s right ... integra*ng with opera*ons @jasonhand | @wicke0

  54. Run It @jasonhand | @wicke0

  55. What Keeps You Up At Night? @jasonhand | @wicke0

  56. Reducing Unknown Unknown @jasonhand | @wicke0

  57. Observability Asking Ques+ons @jasonhand | @wicke0

  58. Can you answer the following ques/on: @jasonhand | @wicke0

  59. Am I under ac#ve a'ack right now? @jasonhand | @wicke0

  60. @jasonhand | @wicke0

  61. Much less, are a%ackers having success? @jasonhand | @wicke0

  62. Detect What Ma*ers Account takeover a-empts Areas of the site

    under a-ack Most likely vectors of a-ack Business logic flows Abuse and Misuse @jasonhand | @wicke0

  63. Threat @jasonhand | @wicke0

  64. Proac&ve & Inten&onal about Learning @jasonhand | @wicke0

  65. Post-Incident Reviews @jasonhand | @wicke0

  66. Cross-Func*onal & Highly Collabora-ve Teams @jasonhand | @wicke0

  67. ChatOps @jasonhand | @wicke0

  68. Audit Trail @jasonhand | @wicke0

  69. SRE Culture of Reliability @jasonhand | @wicke0

  70. Chaos Engineering & Game Days @jasonhand | @wicke0

  71. Value Stream Maps @jasonhand | @wicke0

  72. How Does Security Affect Outcomes? @jasonhand | @wicke0

  73. IT Performance Metrics Deployment Frequency Lead Time For Changes MTTR

    Change Failure Rate Cycle Time @jasonhand | @wicke0

  74. Compliance vs Governance @jasonhand | @wicke0

  75. Done @jasonhand | @wicke0

  76. @jasonhand | @wicke0

  77. Where Does Security fit in DevOps? @jasonhand | @wicke0

  78. Takeaways Shi$s & Adapta-ons Proac-ve Observability Collabora-ve @jasonhand | @wicke0

  79. Takeaways Learning Performance Metrics Governance Con4nuous @jasonhand | @wicke0

  80. Thank You @jasonhand | @wicke0

  81. jhand.co/SREBook jhand.co/PIRBook jhand.co/ChatOpsBook @jasonhand | @wicke0

  82. info.signalsciences.com/appsec- defense-needs-top-five @jasonhand | @wicke0

  83. Lynda.com h"ps:/ /www.lynda.com/So2ware-Development- tutorials/Security-Tes<ng/667367-2.html @jasonhand | @wicke0