
DevSecOps: Build It, Secure It, Run It

Where Does Security Belong in DevOps?

Modern architectures and design patterns challenge developers, security, and operations in a whole new way. Instead of developers building and handing to security for testing, today’s developers are a key part of the security team - and vice versa.

In this Modern Security Series episode, we look at how security:

Shifts left - earlier into the development cycle
Shifts right - integrating with operations
Adapts to enable app and service owners to respond faster to threats

j.hand

May 01, 2018

Transcript

  1. Where Does Security
    fit in DevOps?
    @jasonhand | @wickett

  2. The DevSecOps View:
    Build It, Secure It, Run It

  3. Agenda

  4. Where Have We Been?

  5. How Are We Doing Things Today?

  6. Industry Movement
    That DevOps thing you keep hearing about

  7. Two Shifts +
    Adaptation

  8. Security
    Shifts Left
    ... earlier into the development cycle

  9. Security
    Shifts Right
    ... integrating with operations

  10. Security
    Adapts
    ... to enable app and service owners to respond
    faster to threats

  11. (Adaptation == Continuous Improvement)

  12. Continuous
    Improvement

  13. DevOps

  14. DevOps
    An approach to our work where we continuously
    look for methods to evaluate and improve the
    technology, process, and people as they relate to
    building, deploying, operating, securing, and
    supporting the value our organization provides.

  15. Jason
    Hand
    @jasonhand
    VictorOps

  16. @jasonhand | @wickett

  17. James
    Wickett
    @wickett
    Signal Sciences

  18. "Many security teams work with a
    worldview where their goal is to
    inhibit change as much as
    possible."

  19. Companies are spending a great deal on security,
    but we read of massive computer-related
    attacks...

  20. Clearly something is wrong. The root of the
    problem is twofold: we’re protecting the wrong
    things, and we’re hurting productivity in the
    process.
    — Steven M. Bellovin

  21. The Past
    Embrace Secrecy
    Build a Wall
    Test when Done
    Certainty Testing

  22. The best way to predict
    the future
    is to invent it

  23. The Future
    Embrace Feedback Loops
    Zero Trust Networks
    Shift Left
    Adversity Testing

  24. @jasonhand | @wickett

  25. New Challenges

  26. What is
    Security’s
    new place in the delivery pipeline?

  27. How?

  28. Integrated
    &
    Collaborative

  29. Conversations
    About Security Earlier

  30. Build
    It

  31. SDLC
    Shifts

  32. Something New

  33. Instrumentation

  34. Monitoring
    &
    Alerting

  35. Does security affect the reliability of a service?

  36. Site Reliability Engineering

  37. GDPR
    General Data Protection Regulation
    Enforcement Begins: May 25th, 2018

  38. Secure
    It

  39. Shifts left
    ... earlier into the development cycle

  40. 3 Shifts left
    Design
    Inheritance
    Testing

  41. Design for the Bad Guys
    Use Evil User Stories and have security tests
    being written with other unit tests or whatever
    testing patterns you use: TDD, BDD, ATDD, …

  42. New School Security
    Design
    Mozilla Rapid Risk Assessment link
    OWASP App Threat Modeling Cheat Sheet link

  43. We Inherit
    our
    Problems
    Heartbleed, shellshock, ...
    We forget our real LOC

  44. Toolchain for
    Inheritance testing
    OWASP Dependency Checker
    Retire.js link
    Publish a BOM
    Git-secrets from awslabs link
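A build-time inheritance check in the spirit of slide 44, written as an added example for this transcript rather than taken from the deck, OWASP Dependency-Check or Retire.js: it parses a pinned lockfile into a bill of materials, publishes the BOM as JSON, and fails the build when a component falls inside an advisory's affected version range. The component names, versions and the advisory list are constructed sample data, and the advisory ids are placeholders, not real identifiers.

```python
"""Inheritance testing: build a BOM from pinned dependencies and match it
against known advisories. Added example; the lockfile, component names and
advisories below are constructed, and the advisory ids are placeholders."""
import json
import re
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    component: str
    affected_from: str    # first affected version (inclusive)
    fixed_in: str         # first fixed version (exclusive upper bound)
    ident: str            # placeholder id, not a real advisory number


def parse_version(v: str) -> tuple:
    """Turn '1.2.3' or '1.2.3-rc1' into a sortable tuple.

    Missing numeric parts are padded with zeros so '1.2' == '1.2.0', and a
    pre-release suffix sorts before the release with the same numbers."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((-1, pre) if pre else (0,))


def build_bom(lockfile_text: str) -> list:
    """Parse 'name==version' lines (requirements.txt style) into components.

    Unpinned entries are rejected: a BOM is only useful when it records the
    exact versions that were actually shipped."""
    components = []
    for raw in lockfile_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.-]*)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        components.append(Component(m.group(1).lower(), m.group(2)))
    return components


def publish_bom(components) -> str:
    """Serialize the BOM so it can be stored next to the build artifact."""
    return json.dumps([asdict(c) for c in components], indent=2)


def is_affected(component: Component, advisory: Advisory) -> bool:
    if component.name != advisory.component:
        return False
    v = parse_version(component.version)
    return parse_version(advisory.affected_from) <= v < parse_version(advisory.fixed_in)


def check_bom(components, advisories) -> list:
    """Return one finding string per (component, advisory) match."""
    return [
        f"{a.ident}: {c.name}=={c.version} is affected, upgrade to >= {a.fixed_in}"
        for c in components
        for a in advisories
        if is_affected(c, a)
    ]


# Constructed sample data: hypothetical component names and placeholder ids.
SAMPLE_LOCKFILE = """
example-tls-lib==1.0.1        # inside the affected range below
example-json-parser==2.4.1    # exactly the first fixed version
example-logger==0.9.0-rc1     # no advisory
"""

SAMPLE_ADVISORIES = [
    Advisory("example-tls-lib", "1.0.0", "1.0.2", "ADV-PLACEHOLDER-1"),
    Advisory("example-json-parser", "2.0.0", "2.4.1", "ADV-PLACEHOLDER-2"),
]


def run_check(lockfile_text=SAMPLE_LOCKFILE, advisories=SAMPLE_ADVISORIES) -> list:
    components = build_bom(lockfile_text)
    print(publish_bom(components))
    return check_bom(components, advisories)


if __name__ == "__main__":
    import sys
    findings = run_check()
    for f in findings:
        print("FAIL", f)
    sys.exit(1 if findings else 0)   # a non-zero exit breaks the build
```

Run it as a CI step against the real lockfile and a regularly refreshed advisory feed; the exit code is what makes the check block a build, and the published BOM is what lets you answer "do we ship this component anywhere?" the next time a Heartbleed-class issue lands.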

  45. Security Testing for
    Developers
    Code standards and security tooling run on
    developer laptops and systems, but are also verified
    by the CI system.

  46. The goal should be to come up
    with a set of automated tests that
    probe and check security
    configurations and runtime
    system behavior for security
    features that will execute every
    time the system is built and every
    time it is deployed.
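One concrete shape for the deploy-time half of slide 46, as an added example that is neither the deck's code nor Gauntlt: a check that runs after every deployment, inspects the HTTP response of the freshly deployed service for weak security configuration (transport security, content and framing policies, version disclosure, cookie flags) and fails the pipeline when anything is off. The response below is constructed so the check runs offline; `fetch_headers` is the hook a real pipeline would use instead.

```python
"""Deploy-time security smoke check: inspect the HTTP response of a freshly
deployed service and fail the pipeline on weak configuration. Added example;
not the deck's code and not Gauntlt. The response below is constructed."""
import re
import sys
import urllib.request


def fetch_headers(url: str) -> list:
    """Fetch response headers from a live service (used in a real pipeline;
    the sample below avoids the network so the check runs offline)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.getheaders()


def hsts_ok(value: str) -> bool:
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= 15552000   # at least 180 days


def nosniff_ok(value: str) -> bool:
    return value.strip().lower() == "nosniff"


def frame_ok(value: str) -> bool:
    return value.strip().upper() in ("DENY", "SAMEORIGIN")


def csp_ok(value: str) -> bool:
    # Only checks that a policy exists; evaluating the policy is out of scope.
    return bool(value.strip())


REQUIRED = {
    "strict-transport-security": hsts_ok,
    "content-security-policy": csp_ok,
    "x-content-type-options": nosniff_ok,
    "x-frame-options": frame_ok,
}


def audit_cookie(raw: str) -> list:
    """Check that a Set-Cookie value carries Secure, HttpOnly and SameSite."""
    parts = [p.strip() for p in raw.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [f"cookie {name!r} missing {flag}"
            for flag in ("secure", "httponly", "samesite") if flag not in attrs]


def audit_headers(headers: list) -> list:
    """Return a list of findings for a sequence of (name, value) headers."""
    findings, single, cookies = [], {}, []
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":
            cookies.append(value)      # may repeat; keep every instance
        else:
            single[key] = value
    for key, check in REQUIRED.items():
        if key not in single:
            findings.append(f"missing {key}")
        elif not check(single[key]):
            findings.append(f"weak {key}: {single[key]!r}")
    server = single.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"server header discloses version: {server!r}")
    for raw in cookies:
        findings.extend(audit_cookie(raw))
    return findings


# Constructed sample response, standing in for the staging deployment.
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Server", "ExampleHTTPd/2.4.1"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def run_check(headers=SAMPLE_RESPONSE) -> bool:
    """True when the deployment passes; print the findings otherwise."""
    findings = audit_headers(headers)
    for f in findings:
        print("FAIL", f)
    return not findings


if __name__ == "__main__":
    # In a pipeline: sys.exit(0 if run_check(fetch_headers(sys.argv[1])) else 1)
    sys.exit(0 if run_check() else 1)
```

The same functions can be driven from a developer's laptop against a local build and from the CI/CD system against staging, which is the point of slide 45: the check is identical, only the target differs.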

  47. @jasonhand | @wickett

  48. Gauntlt
    Framework with security testing written in a
    natural language that developers, security and
    operations can understand.

  49. @jasonhand | @wickett

  50. Gauntlt
    Gauntlt wraps security testing tools to be part of
    the CI/CD pipeline
    Open source, MIT License,
    gauntlt.org

  51. We have saved millions of
    dollars using Gauntlt for the
    largest healthcare industry
    project.
    — Aaron Rinehart, UnitedHealthCare

  52. Lynda.com
    Security Testing Course
    link

  53. Shifts right
    ... integrating with operations

  54. Run
    It

  55. What Keeps You Up At Night?

  56. Reducing
    Unknown Unknown

  57. Observability
    Asking Questions

  58. Can you answer
    the following question:

  59. Am I under
    active attack
    right now?

  60. @jasonhand | @wickett

  61. Much less,
    are attackers having
    success?

  62. Detect What Matters
    Account takeover attempts
    Areas of the site under attack
    Most likely vectors of attack
    Business logic flows
    Abuse and Misuse
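Detection logic for the first item on slide 62, account takeover attempts, as an added example that is not the deck's code: it runs over authentication log lines and raises three kinds of alert, a source failing against many distinct accounts (password spraying or credential stuffing), many failures against one account (brute force), and a success on an account that is under a burst of failures, which is the case that needs an immediate response because the attempt may have worked. The log format, the user names and the TEST-NET addresses are constructed.

```python
"""Detecting account-takeover attempts in authentication logs. Added example;
not the deck's code. The log format and every line below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth login result=(?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def _evict(window, now, q):
    """Drop events that fell out of the sliding window."""
    while q and now - q[0][0] > window:
        q.popleft()


def detect(lines, window=timedelta(minutes=5), spray_accounts=5, burst=5) -> list:
    """Return alerts for three account-takeover patterns:

    spray:               one source failing against many distinct accounts
    brute_force:         many failures against one account in the window
    success_after_burst: a login succeeds while that account is under a burst
    Each alert fires once per source/account so a flood of log lines does not
    become a flood of alerts."""
    fails_by_src = defaultdict(deque)    # src  -> deque of (ts, user)
    fails_by_user = defaultdict(deque)   # user -> deque of (ts, src)
    seen = set()
    alerts = []

    def alert(kind, key, ts):
        if (kind, key) not in seen:
            seen.add((kind, key))
            alerts.append({"type": kind, "key": key, "at": ts.isoformat()})

    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    for ev in events:
        ts, user, src = ev["ts"], ev["user"], ev["src"]
        q_src, q_user = fails_by_src[src], fails_by_user[user]
        _evict(window, ts, q_src)
        _evict(window, ts, q_user)
        if ev["result"] == "fail":
            q_src.append((ts, user))
            q_user.append((ts, src))
            if len({u for _, u in q_src}) >= spray_accounts:
                alert("spray", src, ts)
            if len(q_user) >= burst:
                alert("brute_force", user, ts)
        elif len(q_user) >= burst:
            # Success on an account that is under attack right now.
            alert("success_after_burst", user, ts)
    return alerts


# Constructed sample log (TEST-NET addresses, hypothetical users).
SAMPLE_LOG = """
2018-05-01T10:00:00Z auth login result=ok user=gina src=192.0.2.9
2018-05-01T10:00:01Z auth login result=fail user=alice src=203.0.113.5
2018-05-01T10:00:02Z auth login result=fail user=bob src=203.0.113.5
2018-05-01T10:00:03Z auth login result=fail user=carol src=203.0.113.5
2018-05-01T10:00:04Z auth login result=fail user=dave src=203.0.113.5
2018-05-01T10:00:05Z auth login result=fail user=erin src=203.0.113.5
2018-05-01T10:01:00Z auth login result=fail user=henry src=192.0.2.20
2018-05-01T10:01:30Z auth login result=ok user=henry src=192.0.2.20
2018-05-01T10:02:00Z auth login result=fail user=frank src=198.51.100.7
2018-05-01T10:02:01Z auth login result=fail user=frank src=198.51.100.7
2018-05-01T10:02:02Z auth login result=fail user=frank src=198.51.100.7
2018-05-01T10:02:03Z auth login result=fail user=frank src=198.51.100.7
2018-05-01T10:02:04Z auth login result=fail user=frank src=198.51.100.7
2018-05-01T10:02:10Z auth login result=ok user=frank src=198.51.100.7
""".strip().splitlines()


def run_detection(lines=SAMPLE_LOG) -> list:
    return detect(lines)


if __name__ == "__main__":
    for a in run_detection():
        print(a)
```

The thresholds and the window are the tunable part: a single mistyped password (henry above) never alerts, and the `success_after_burst` alert is the one worth routing to the on-call responder rather than a dashboard, since it answers slide 61's question, whether attackers are having success.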

  63. Threat

  64. Proactive
    &
    Intentional about
    Learning

  65. Post-Incident
    Reviews

  66. Cross-Functional
    &
    Highly Collaborative
    Teams

  67. ChatOps

  68. Audit Trail

  69. SRE
    Culture of Reliability

  70. Chaos Engineering
    & Game Days

  71. Value Stream
    Maps

  72. How Does
    Security Affect
    Outcomes?

  73. IT Performance Metrics
    Deployment Frequency
    Lead Time For Changes
    MTTR
    Change Failure Rate
    Cycle Time

  74. Compliance
    vs
    Governance

  75. Done

  76. @jasonhand | @wickett

  77. Where Does Security
    fit in DevOps?

  78. Takeaways
    Shifts & Adaptations
    Proactive
    Observability
    Collaborative

  79. Takeaways
    Learning
    Performance Metrics
    Governance
    Continuous

  80. Thank
    You

  81. jhand.co/SREBook
    jhand.co/PIRBook
    jhand.co/ChatOpsBook

  82. info.signalsciences.com/appsec-defense-needs-top-five

  83. Lynda.com
    https://www.lynda.com/Software-Development-tutorials/Security-Tes