Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevSecOps: Build It, Secure It, Run It

j.hand
May 01, 2018
Technology
0
160

DevSecOps: Build It, Secure It, Run It

Where Does Security Belong in DevOps?

Modern architectures and design patterns challenge developers, security, and operations in a whole new way. Instead of developers building and handing to security for testing, today’s developers are a key part of the security team - and vice versa.

In this Modern Security Series episode, we look at how security:

Shifts left - earlier into the development cycle
Shifts right - integrating with operations
Adapts to enable app and service owners to respond faster to threats

j.hand

May 01, 2018
Tweet

More Decks by j.hand

See All by j.hand
Suffer Better
jasonhand
0
190
IGNITE - Scrutinizing the Scrutiny
jasonhand
0
260
Beyond The Mean Time To Recover (MTTR)
jasonhand
1
370
Cognitive Bias & Its Impact on Continuous Improvement
jasonhand
0
74
The Unrealized Role of Monitoring & Alerting ( All Day DevOps edition)
jasonhand
2
280
The Benefit of a Systems Lens: Viewing Feedback from a "Systems Thinking" model
jasonhand
0
400
DevOps Organizational Journey
jasonhand
1
480
ChatOps: Infrastructure As Conversation
jasonhand
1
820
Understanding Cognitive Bias Found in Judgement & Choice
jasonhand
0
530

Other Decks in Technology

See All in Technology
いつか使うかも貯金してたらめちゃめちゃ機能が増えてた話
riyaamemiya
0
450
2024春 注目のWeb系 OSS & SaaS 3選
makies
0
110
MixIT 2024 - Pulumi : Gérer son infra avec son langage de programmation préféré
ju_hnny5
0
110
開発生産性大幅アップ!Postman VS Code拡張機能
nagix
2
500
一生覚えておきたい「システム開発=コミュニケーション」〜初めての実務案件振り返りLT〜
maimyyym
2
190
APIファーストなプロダクトマネジメントの実践 〜SaaSus Platformでの例〜 / "Practicing API-First Product Management - An Example with SaaSus Platform
oztick139
0
110
GrafanaMeetup_AmazonManagedGrafanaのアクセス制御機能とマルチテナント環境下でのアクセス制御について
daitak
0
320
【SORACOM UG 東海】あらゆるモノがつながる社会へ、IoT と SORACOM
soracom
PRO
1
100
20240418_Google ColabにLLMが搭載されたようなのでPython x データ分析の勉強方法を考えてみる
doradora09
0
150
複雑な構成要素を持つUIとの向き合い方 〜新・支出グラフでの実例〜 / B43 TECH TALK
nakamuuu
0
140
Azureの基本的な権限管理の勉強会
yhana
0
1.3k
ルーターでプレゼンする
puhitaku
0
1.6k

Featured

See All Featured
Design by the Numbers
sachag
274
18k
Agile that works and the tools we love
rasmusluckow
325
20k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
357
22k
Build The Right Thing And Hit Your Dates
maggiecrowley
24
2k
Music & Morning Musume
bryan
41
5.6k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
659
120k
Building Better People: How to give real-time feedback that sticks.
wjessup
355
18k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
322
20k
Ruby is Unlike a Banana
tanoku
96
10k
Typedesign – Prime Four
hannesfritz
36
2.1k
KATA
mclloyd
15
12k
How to train your dragon (web standard)
notwaldorf
73
5.2k

Transcript

  1. Where Does Security fit in DevOps? @jasonhand | @wicke0

  2. The DevSecOps View: Build It, Secure It, Run It, @jasonhand

    | @wicke0

  3. Agenda @jasonhand | @wicke0

  4. Where Have We Been? @jasonhand | @wicke0

  5. How Are We Doing Things Today? @jasonhand | @wicke0

  6. Industry Movement That DevOps thing you keep hearing about @jasonhand

    | @wicke0

  7. Two Shi(s + Adapta&on @jasonhand | @wicke0

  8. Security Shi$s Le$ ! ... earlier into the development cycle

    @jasonhand | @wicke0

  9. Security Shi$s Right ! ... integra*ng with opera*ons @jasonhand |

    @wicke0

  10. Security Adapts ! ... to enable app and service owners

    to respond faster to threats @jasonhand | @wicke0

  11. (Adaptation == Continuous Improvement) @jasonhand | @wicke0

  12. Con$nuous Improvement @jasonhand | @wicke0

  13. DevOps @jasonhand | @wicke0

  14. DevOps An approach to our work where we con.nuously look

    for methods to evaluate and improve the technology, process, and people as they relate to building, deploying, opera.ng, securing, and suppor.ng the value our organiza.on provides. @jasonhand | @wicke0

  15. Jason Hand @jasonhand VictorOps @jasonhand | @wicke0

  16. @jasonhand | @wicke0

  17. James Wicke& @wicke' Signal Sciences @jasonhand | @wicke0

  18. "Many security teams work with a worldview where their goal

    is to inhibit change as much as possible." @jasonhand | @wicke0

  19. Companies are spending a great deal on security, but we

    read of massive computer-related a9acks... @jasonhand | @wicke0

  20. Clearly something is wrong. The root of the problem is

    twofold: we’re protec'ng the wrong things, and we’re hur'ng produc'vity in the process. — Steven M. Bellovin @jasonhand | @wicke0

  21. The Past Embrace Secrecy Build a Wall Test when Done

    Certainty Tes:ng @jasonhand | @wicke0

  22. The best way to predict the future is to invent

    it @jasonhand | @wicke0

  23. The Future Embrace Feedback Loops Zero Trust Networks Shi9 Le9

    Adversity Tes=ng @jasonhand | @wicke0

  24. @jasonhand | @wicke0

  25. New Challenges @jasonhand | @wicke0

  26. What is Security’s new place in the delivery pipeline? @jasonhand

    | @wicke0

  27. How? @jasonhand | @wicke0

  28. Integrated & Collabora've @jasonhand | @wicke0

  29. Conversa)ons About Security Earlier @jasonhand | @wicke0

  30. Build It @jasonhand | @wicke0

  31. SDLC Shi$s @jasonhand | @wicke0

  32. Something New @jasonhand | @wicke0

  33. Instrumenta*on @jasonhand | @wicke0

  34. Monitoring & Aler%ng @jasonhand | @wicke0

  35. Does security affect the reliability of a service? @jasonhand |

    @wicke0

  36. Site Reliability Engineering @jasonhand | @wicke0

  37. GDPR General Data Protec-on Regula-on Enforcement Begins: May 25th, 2018

    @jasonhand | @wicke0

  38. Secure It @jasonhand | @wicke0

  39. Shi$s le$ ... earlier into the development cycle @jasonhand |

    @wicke0

  40. 3 Shi&s le& Design Inheritance Tes.ng @jasonhand | @wicke0

  41. Design for the Bad Guys Use Evil User Stories and

    have security tests being wri7en with other unit tests or whatever tes8ng pa7erns you use: TDD, BDD, ATDD, … @jasonhand | @wicke0

  42. New School Security Design Mozilla Rapid Risk Assessment link OWASP

    App Threat Modeling Cheat Sheet link @jasonhand | @wicke0

  43. We Inherit our Problems Heartbleed, shellshock, ... We forget our

    real LOC @jasonhand | @wicke0

  44. Toolchain for Inheritance tes0ng OWASP Dependency Checker Re3re.js link Publish

    a BOM Git-secrets from awslabs link @jasonhand | @wicke0

  45. Security Tes,ng for Developers Code Standards and security tooling runs

    on developer laptops and systems, but also verified by CI system. @jasonhand | @wicke0

  46. The goal should be to come up with a set

    of automated tests that probe and check security configura9ons and run9me system behavior for security features that will execute every 9me the system is built and every 9me it is deployed. @jasonhand | @wicke0

  47. @jasonhand | @wicke0

  48. Gauntlt Framework with Security tes2ng wri5en in a natural language

    that developers, security and opera2ons can understand. @jasonhand | @wicke0

  49. @jasonhand | @wicke0

  50. Gauntlt Gauntlt wraps security tes0ng tools to be part of

    the CI/CD pipeline Open source, MIT License, gauntlt.org @jasonhand | @wicke0

  51. We have saved millions of dollars using Gauntlt for the

    largest healthcare industry project. — Aaron Rinehart, UnitedHealthCare @jasonhand | @wicke0

  52. Lynda.com Security Tes,ng Course link @jasonhand | @wicke0

  53. Shi$s right ... integra*ng with opera*ons @jasonhand | @wicke0

  54. Run It @jasonhand | @wicke0

  55. What Keeps You Up At Night? @jasonhand | @wicke0

  56. Reducing Unknown Unknown @jasonhand | @wicke0

  57. Observability Asking Ques+ons @jasonhand | @wicke0

  58. Can you answer the following ques/on: @jasonhand | @wicke0

  59. Am I under ac#ve a'ack right now? @jasonhand | @wicke0

  60. @jasonhand | @wicke0

  61. Much less, are a%ackers having success? @jasonhand | @wicke0

  62. Detect What Ma*ers Account takeover a-empts Areas of the site

    under a-ack Most likely vectors of a-ack Business logic flows Abuse and Misuse @jasonhand | @wicke0

  63. Threat @jasonhand | @wicke0

  64. Proac&ve & Inten&onal about Learning @jasonhand | @wicke0

  65. Post-Incident Reviews @jasonhand | @wicke0

  66. Cross-Func*onal & Highly Collabora-ve Teams @jasonhand | @wicke0

  67. ChatOps @jasonhand | @wicke0

  68. Audit Trail @jasonhand | @wicke0

  69. SRE Culture of Reliability @jasonhand | @wicke0

  70. Chaos Engineering & Game Days @jasonhand | @wicke0

  71. Value Stream Maps @jasonhand | @wicke0

  72. How Does Security Affect Outcomes? @jasonhand | @wicke0

  73. IT Performance Metrics Deployment Frequency Lead Time For Changes MTTR

    Change Failure Rate Cycle Time @jasonhand | @wicke0

  74. Compliance vs Governance @jasonhand | @wicke0

  75. Done @jasonhand | @wicke0

  76. @jasonhand | @wicke0

  77. Where Does Security fit in DevOps? @jasonhand | @wicke0

  78. Takeaways Shi$s & Adapta-ons Proac-ve Observability Collabora-ve @jasonhand | @wicke0

  79. Takeaways Learning Performance Metrics Governance Con4nuous @jasonhand | @wicke0

  80. Thank You @jasonhand | @wicke0

  81. jhand.co/SREBook jhand.co/PIRBook jhand.co/ChatOpsBook @jasonhand | @wicke0

  82. info.signalsciences.com/appsec- defense-needs-top-five @jasonhand | @wicke0

  83. Lynda.com h"ps:/ /www.lynda.com/So2ware-Development- tutorials/Security-Tes<ng/667367-2.html @jasonhand | @wicke0