DevSecOps: Build It, Secure It, Run It

Where Does Security Belong in DevOps?

Modern architectures and design patterns challenge developers, security, and operations in a whole new way. Instead of developers building and handing to security for testing, today’s developers are a key part of the security team - and vice versa.

In this Modern Security Series episode, we look at how security:

Shifts left - earlier into the development cycle
Shifts right - integrating with operations
Adapts to enable app and service owners to respond faster to threats

j.hand

May 01, 2018

Transcript

  1. Where Does Security fit in DevOps? @jasonhand | @wickett

  2. The DevSecOps View: Build It, Secure It, Run It

  3. Agenda

  4. Where Have We Been?

  5. How Are We Doing Things Today?

  6. Industry Movement: That DevOps thing you keep hearing about

  7. Two Shifts + Adaptation

  8. Security Shifts Left ... earlier into the development cycle

  9. Security Shifts Right ... integrating with operations

  10. Security Adapts ... to enable app and service owners to respond faster to threats

  11. (Adaptation == Continuous Improvement)

  12. Continuous Improvement

  13. DevOps

  14. DevOps: An approach to our work where we continuously look for methods to evaluate and improve the technology, process, and people as they relate to building, deploying, operating, securing, and supporting the value our organization provides.

  15. Jason Hand @jasonhand, VictorOps

  16.

  17. James Wickett @wickett, Signal Sciences

  18. "Many security teams work with a worldview where their goal is to inhibit change as much as possible."

  19. Companies are spending a great deal on security, but we read of massive computer-related attacks...

  20. Clearly something is wrong. The root of the problem is twofold: we’re protecting the wrong things, and we’re hurting productivity in the process. — Steven M. Bellovin

  21. The Past: Embrace Secrecy, Build a Wall, Test when Done, Certainty Testing

  22. The best way to predict the future is to invent it

  23. The Future: Embrace Feedback Loops, Zero Trust Networks, Shift Left, Adversity Testing

  24.

  25. New Challenges

  26. What is Security’s new place in the delivery pipeline?

  27. How?

  28. Integrated & Collaborative

  29. Conversations About Security Earlier

  30. Build It

  31. SDLC Shifts

  32. Something New

  33. Instrumentation

  34. Monitoring & Alerting

  35. Does security affect the reliability of a service?

  36. Site Reliability Engineering

  37. GDPR: General Data Protection Regulation. Enforcement Begins: May 25th, 2018

  38. Secure It

  39. Shifts left ... earlier into the development cycle

  40. 3 Shifts Left: Design, Inheritance, Testing

  41. Design for the Bad Guys: Use Evil User Stories and have security tests being written with other unit tests or whatever testing patterns you use: TDD, BDD, ATDD, …

  42. New School Security Design: Mozilla Rapid Risk Assessment (link), OWASP App Threat Modeling Cheat Sheet (link)

  43. We Inherit our Problems: Heartbleed, Shellshock, ... We forget our real LOC

  44. Toolchain for Inheritance testing: OWASP Dependency Checker, Retire.js (link), Publish a BOM, Git-secrets from awslabs (link)
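
A toolchain like the one on this slide reduces to one question at build time: is anything we inherit inside a known-vulnerable version range? The block below is an added example, not the talk's code nor OWASP Dependency-Check, Retire.js or git-secrets; its lockfile, package names and advisory ranges are constructed, and a real pipeline would feed it a generated BOM plus a vulnerability feed.

```python
# Added example (not the talk's code, nor OWASP Dependency-Check, Retire.js or
# git-secrets): an "inheritance" test that flags third-party components whose
# version falls in a known-vulnerable range. All names and ranges are constructed.

# Constructed lockfile in "name==version" form, the minimal input for a BOM.
LOCKFILE = """\
examplelib==2.18.0
widgetkit==0.12.2
parserx==5.4
"""

# Constructed advisories: (package, first affected, first fixed, advisory id).
# Lower bound inclusive, upper bound exclusive, matching a "fixed in X" note.
ADVISORIES = [
    ("examplelib", "2.3.0", "2.20.0", "ADV-EXAMPLE-001"),
    ("parserx", "0", "5.4", "ADV-EXAMPLE-002"),
    ("widgetkit", "0", "0.12.3", "ADV-EXAMPLE-003"),
]

def parse_version(text):
    """'2.18.0' -> (2, 18, 0): tuples compare numerically, strings do not
    ('2.9' > '2.18' as strings). Pre-release tags are out of scope here."""
    return tuple(int(p) for p in text.split("."))

def parse_lockfile(text):
    """Return {name: version}; blank lines and comments are skipped."""
    bom = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        bom[name.strip().lower()] = version.strip()
    return bom

def vulnerable_components(bom, advisories):
    """[(name, version, advisory id)] for every component in an affected range."""
    findings = []
    for name, lo, hi, adv in advisories:
        version = bom.get(name)
        if version is None:
            continue
        if parse_version(lo) <= parse_version(version) < parse_version(hi):
            findings.append((name, version, adv))
    return findings

def inheritance_gate(lockfile_text, advisories=ADVISORIES):
    """CI gate: True only when nothing we inherit is in a vulnerable range."""
    return not vulnerable_components(parse_lockfile(lockfile_text), advisories)
```
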

  45. Security Testing for Developers: Code Standards and security tooling runs on developer laptops and systems, but also verified by CI system.

  46. The goal should be to come up with a set of automated tests that probe and check security configurations and runtime system behavior for security features that will execute every time the system is built and every time it is deployed.
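
Slides 41 and 46 describe security checks that live beside the unit tests and run at every build and every deploy. The block below is an added example of that shape (not the talk's code): the build config and the deployed service's response are constructed, and the gate returns a value a CI step can fail on.

```python
# Added example (not the talk's code): security checks that run beside the unit
# tests, once against the build-time config and once against the deployed
# service's live response. Both inputs below are constructed for the demo.

# Constructed build-time config: what "check security configurations" inspects.
BUILD_CONFIG = {
    "debug": True,                  # must be off outside local development
    "session_cookie_secure": False,
    "allowed_hosts": ["*"],         # wildcard host allow-list
    "tls_min_version": "TLSv1.0",
}

# Constructed deploy-time response: what "runtime system behavior" inspects.
DEPLOYED_RESPONSE = {
    "headers": {
        "Server": "ExampleServer/1.2.3",
        "Set-Cookie": "session=abc123; Path=/",
    },
}

REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options")

def check_config(cfg):
    """Findings for risky build-time settings (an empty list means pass)."""
    findings = []
    if cfg.get("debug"):
        findings.append("debug mode enabled")
    if not cfg.get("session_cookie_secure"):
        findings.append("session cookie not marked Secure")
    if "*" in cfg.get("allowed_hosts", []):
        findings.append("allowed_hosts contains wildcard")
    if cfg.get("tls_min_version") in ("TLSv1.0", "TLSv1.1"):
        findings.append("TLS minimum below 1.2")
    return findings

def check_response(resp):
    """Findings for a live HTTP response from the freshly deployed service."""
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    findings = [f"missing header {h}" for h in REQUIRED_HEADERS if h not in headers]
    cookie = headers.get("set-cookie", "").lower()
    findings += [f"session cookie lacks {a}" for a in ("secure", "httponly")
                 if cookie and a not in cookie]
    if "/" in headers.get("server", ""):   # "Name/version" leaks the version
        findings.append("Server header exposes version")
    return findings

def security_gate(cfg, resp):
    """Pipeline gate: True only when both stages produce no findings."""
    return not (check_config(cfg) + check_response(resp))
```
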

  47.

  48. Gauntlt: Framework with Security testing written in a natural language that developers, security and operations can understand.

  49.

  50. Gauntlt: Gauntlt wraps security testing tools to be part of the CI/CD pipeline. Open source, MIT License, gauntlt.org

  51. We have saved millions of dollars using Gauntlt for the largest healthcare industry project. — Aaron Rinehart, UnitedHealthCare

  52. Lynda.com Security Testing Course (link)

  53. Shifts right ... integrating with operations

  54. Run It

  55. What Keeps You Up At Night?

  56. Reducing Unknown Unknown

  57. Observability: Asking Questions

  58. Can you answer the following question:

  59. Am I under active attack right now?

  60.

  61. Much less, are attackers having success?

  62. Detect What Matters: Account takeover attempts, Areas of the site under attack, Most likely vectors of attack, Business logic flows, Abuse and Misuse
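
An added example (not the talk's code) of "detect what matters" for the questions on slides 59 and 61: which accounts are seeing takeover attempts, whether one of those attempts then succeeded, and which areas of the site are under attack. The access-log lines are constructed in a simplified "timestamp user ip path status" format.

```python
# Added example (not the talk's code): answer "am I under attack, and is it
# working?" from web access logs. Log lines are constructed in a simplified
# "timestamp user ip path status" format.
from collections import Counter, defaultdict

LOG = """\
2018-05-01T10:00:01 alice 203.0.113.5 /login 401
2018-05-01T10:00:02 alice 203.0.113.6 /login 401
2018-05-01T10:00:03 alice 203.0.113.7 /login 401
2018-05-01T10:00:04 alice 203.0.113.8 /login 401
2018-05-01T10:00:05 alice 203.0.113.9 /login 200
2018-05-01T10:00:06 bob 198.51.100.2 /login 200
2018-05-01T10:00:07 bob 198.51.100.2 /account 200
2018-05-01T10:00:08 carol 198.51.100.3 /login 401
2018-05-01T10:00:09 carol 198.51.100.3 /login 200
2018-05-01T10:00:10 dave 203.0.113.10 /admin 403
2018-05-01T10:00:11 dave 203.0.113.10 /admin 403
"""

def parse_log(text):
    """Yield (user, ip, path, status) from the constructed line format."""
    for line in text.splitlines():
        if line.strip():
            _ts, user, ip, path, status = line.split()
            yield user, ip, path, int(status)

def account_takeover_signals(events, min_failures=3, min_ips=3):
    """Accounts hit by many failed logins from many source IPs (one account
    sprayed from a botnet, not a user mistyping), and whether a login then
    succeeded: the "are attackers having success?" case."""
    fails, ips, success_after = Counter(), defaultdict(set), set()
    for user, ip, path, status in events:
        if path != "/login":
            continue
        if status == 401:
            fails[user] += 1
            ips[user].add(ip)
        elif status == 200 and fails[user] >= min_failures:
            success_after.add(user)
    return {u: {"failures": fails[u], "ips": len(ips[u]), "success_after": u in success_after}
            for u in fails if fails[u] >= min_failures and len(ips[u]) >= min_ips}

def areas_under_attack(events):
    """Paths ranked by denied (401/403) requests: where the probing is happening."""
    denied = Counter(path for _u, _ip, path, status in events if status in (401, 403))
    return denied.most_common()
```
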

  63. Threat

  64. Proactive & Intentional about Learning

  65. Post-Incident Reviews

  66. Cross-Functional & Highly Collaborative Teams

  67. ChatOps

  68. Audit Trail

  69. SRE: Culture of Reliability

  70. Chaos Engineering & Game Days

  71. Value Stream Maps

  72. How Does Security Affect Outcomes?

  73. IT Performance Metrics: Deployment Frequency, Lead Time For Changes, MTTR, Change Failure Rate, Cycle Time

  74. Compliance vs Governance

  75. Done

  76.

  77. Where Does Security fit in DevOps?

  78. Takeaways: Shifts & Adaptations, Proactive, Observability, Collaborative

  79. Takeaways: Learning, Performance Metrics, Governance, Continuous

  80. Thank You

  81. jhand.co/SREBook jhand.co/PIRBook jhand.co/ChatOpsBook

  82. info.signalsciences.com/appsec-defense-needs-top-five

  83. Lynda.com https://www.lynda.com/Software-Development-tutorials/Security-Testing/667367-2.html