Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevSecOps: Build It, Secure It, Run It

j.hand
May 01, 2018
Technology
0
170

DevSecOps: Build It, Secure It, Run It

Where Does Security Belong in DevOps?

Modern architectures and design patterns challenge developers, security, and operations in a whole new way. Instead of developers building and handing to security for testing, today’s developers are a key part of the security team - and vice versa.

In this Modern Security Series episode, we look at how security:

Shifts left - earlier into the development cycle
Shifts right - integrating with operations
Adapts to enable app and service owners to respond faster to threats

j.hand

May 01, 2018
Tweet

More Decks by j.hand

See All by j.hand
Suffer Better
jasonhand
0
200
IGNITE - Scrutinizing the Scrutiny
jasonhand
0
280
Beyond The Mean Time To Recover (MTTR)
jasonhand
1
390
Cognitive Bias & Its Impact on Continuous Improvement
jasonhand
0
82
The Unrealized Role of Monitoring & Alerting ( All Day DevOps edition)
jasonhand
2
300
The Benefit of a Systems Lens: Viewing Feedback from a "Systems Thinking" model
jasonhand
0
410
DevOps Organizational Journey
jasonhand
1
490
ChatOps: Infrastructure As Conversation
jasonhand
1
900
Understanding Cognitive Bias Found in Judgement & Choice
jasonhand
0
540

Other Decks in Technology

See All in Technology
Security-JAWS【第35回】勉強会クラウドにおけるマルウェアやコンテンツ改ざんへの対策
4su_para
0
170
社内で最大の技術的負債のリファクタリングに取り組んだお話し
kidooonn
1
550
OCI Vault 概要
oracle4engineer
PRO
0
9.7k
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
370
スクラムチームを立ち上げる〜チーム開発で得られたもの・得られなかったもの〜
ohnoeight
2
350
Lambdaと地方とコミュニティ
miu_crescent
2
370
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
170
隣接領域をBeyondするFinatextのエンジニア組織設計 / beyond-engineering-areas
stajima
1
270
ドメイン名の終活について - JPAAWG 7th -
mikit
33
20k
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
150
SREによる隣接領域への越境とその先の信頼性
shonansurvivors
2
510
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170

Featured

See All Featured
It's Worth the Effort
3n
183
27k
The Language of Interfaces
destraynor
154
24k
GitHub's CSS Performance
jonrohan
1030
460k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k
Being A Developer After 40
akosma
86
590k
Designing the Hi-DPI Web
ddemaree
280
34k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
Product Roadmaps are Hard
iamctodd
PRO
49
11k
We Have a Design System, Now What?
morganepeng
50
7.2k
A Philosophy of Restraint
colly
203
16k
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k

Transcript

  1. Where Does Security fit in DevOps? @jasonhand | @wicke0

  2. The DevSecOps View: Build It, Secure It, Run It, @jasonhand

    | @wicke0

  3. Agenda @jasonhand | @wicke0

  4. Where Have We Been? @jasonhand | @wicke0

  5. How Are We Doing Things Today? @jasonhand | @wicke0

  6. Industry Movement That DevOps thing you keep hearing about @jasonhand

    | @wicke0

  7. Two Shi(s + Adapta&on @jasonhand | @wicke0

  8. Security Shi$s Le$ ! ... earlier into the development cycle

    @jasonhand | @wicke0

  9. Security Shi$s Right ! ... integra*ng with opera*ons @jasonhand |

    @wicke0

  10. Security Adapts ! ... to enable app and service owners

    to respond faster to threats @jasonhand | @wicke0

  11. (Adaptation == Continuous Improvement) @jasonhand | @wicke0

  12. Con$nuous Improvement @jasonhand | @wicke0

  13. DevOps @jasonhand | @wicke0

  14. DevOps An approach to our work where we con.nuously look

    for methods to evaluate and improve the technology, process, and people as they relate to building, deploying, opera.ng, securing, and suppor.ng the value our organiza.on provides. @jasonhand | @wicke0

  15. Jason Hand @jasonhand VictorOps @jasonhand | @wicke0

  16. @jasonhand | @wicke0

  17. James Wicke& @wicke' Signal Sciences @jasonhand | @wicke0

  18. "Many security teams work with a worldview where their goal

    is to inhibit change as much as possible." @jasonhand | @wicke0

  19. Companies are spending a great deal on security, but we

    read of massive computer-related a9acks... @jasonhand | @wicke0

  20. Clearly something is wrong. The root of the problem is

    twofold: we’re protec'ng the wrong things, and we’re hur'ng produc'vity in the process. — Steven M. Bellovin @jasonhand | @wicke0

  21. The Past Embrace Secrecy Build a Wall Test when Done

    Certainty Tes:ng @jasonhand | @wicke0

  22. The best way to predict the future is to invent

    it @jasonhand | @wicke0

  23. The Future Embrace Feedback Loops Zero Trust Networks Shi9 Le9

    Adversity Tes=ng @jasonhand | @wicke0

  24. @jasonhand | @wicke0

  25. New Challenges @jasonhand | @wicke0

  26. What is Security’s new place in the delivery pipeline? @jasonhand

    | @wicke0

  27. How? @jasonhand | @wicke0

  28. Integrated & Collabora've @jasonhand | @wicke0

  29. Conversa)ons About Security Earlier @jasonhand | @wicke0

  30. Build It @jasonhand | @wicke0

  31. SDLC Shi$s @jasonhand | @wicke0

  32. Something New @jasonhand | @wicke0

  33. Instrumenta*on @jasonhand | @wicke0

  34. Monitoring & Aler%ng @jasonhand | @wicke0

  35. Does security affect the reliability of a service? @jasonhand |

    @wicke0

  36. Site Reliability Engineering @jasonhand | @wicke0

  37. GDPR General Data Protec-on Regula-on Enforcement Begins: May 25th, 2018

    @jasonhand | @wicke0

  38. Secure It @jasonhand | @wicke0

  39. Shi$s le$ ... earlier into the development cycle @jasonhand |

    @wicke0

  40. 3 Shi&s le& Design Inheritance Tes.ng @jasonhand | @wicke0

  41. Design for the Bad Guys Use Evil User Stories and

    have security tests being wri7en with other unit tests or whatever tes8ng pa7erns you use: TDD, BDD, ATDD, … @jasonhand | @wicke0

  42. New School Security Design Mozilla Rapid Risk Assessment link OWASP

    App Threat Modeling Cheat Sheet link @jasonhand | @wicke0

  43. We Inherit our Problems Heartbleed, shellshock, ... We forget our

    real LOC @jasonhand | @wicke0

  44. Toolchain for Inheritance tes0ng OWASP Dependency Checker Re3re.js link Publish

    a BOM Git-secrets from awslabs link @jasonhand | @wicke0

  45. Security Tes,ng for Developers Code Standards and security tooling runs

    on developer laptops and systems, but also verified by CI system. @jasonhand | @wicke0

  46. The goal should be to come up with a set

    of automated tests that probe and check security configura9ons and run9me system behavior for security features that will execute every 9me the system is built and every 9me it is deployed. @jasonhand | @wicke0

  47. @jasonhand | @wicke0

  48. Gauntlt Framework with Security tes2ng wri5en in a natural language

    that developers, security and opera2ons can understand. @jasonhand | @wicke0

  49. @jasonhand | @wicke0

  50. Gauntlt Gauntlt wraps security tes0ng tools to be part of

    the CI/CD pipeline Open source, MIT License, gauntlt.org @jasonhand | @wicke0

  51. We have saved millions of dollars using Gauntlt for the

    largest healthcare industry project. — Aaron Rinehart, UnitedHealthCare @jasonhand | @wicke0

  52. Lynda.com Security Tes,ng Course link @jasonhand | @wicke0

  53. Shi$s right ... integra*ng with opera*ons @jasonhand | @wicke0

  54. Run It @jasonhand | @wicke0

  55. What Keeps You Up At Night? @jasonhand | @wicke0

  56. Reducing Unknown Unknown @jasonhand | @wicke0

  57. Observability Asking Ques+ons @jasonhand | @wicke0

  58. Can you answer the following ques/on: @jasonhand | @wicke0

  59. Am I under ac#ve a'ack right now? @jasonhand | @wicke0

  60. @jasonhand | @wicke0

  61. Much less, are a%ackers having success? @jasonhand | @wicke0

  62. Detect What Ma*ers Account takeover a-empts Areas of the site

    under a-ack Most likely vectors of a-ack Business logic flows Abuse and Misuse @jasonhand | @wicke0

  63. Threat @jasonhand | @wicke0

  64. Proac&ve & Inten&onal about Learning @jasonhand | @wicke0

  65. Post-Incident Reviews @jasonhand | @wicke0

  66. Cross-Func*onal & Highly Collabora-ve Teams @jasonhand | @wicke0

  67. ChatOps @jasonhand | @wicke0

  68. Audit Trail @jasonhand | @wicke0

  69. SRE Culture of Reliability @jasonhand | @wicke0

  70. Chaos Engineering & Game Days @jasonhand | @wicke0

  71. Value Stream Maps @jasonhand | @wicke0

  72. How Does Security Affect Outcomes? @jasonhand | @wicke0

  73. IT Performance Metrics Deployment Frequency Lead Time For Changes MTTR

    Change Failure Rate Cycle Time @jasonhand | @wicke0

  74. Compliance vs Governance @jasonhand | @wicke0

  75. Done @jasonhand | @wicke0

  76. @jasonhand | @wicke0

  77. Where Does Security fit in DevOps? @jasonhand | @wicke0

  78. Takeaways Shi$s & Adapta-ons Proac-ve Observability Collabora-ve @jasonhand | @wicke0

  79. Takeaways Learning Performance Metrics Governance Con4nuous @jasonhand | @wicke0

  80. Thank You @jasonhand | @wicke0

  81. jhand.co/SREBook jhand.co/PIRBook jhand.co/ChatOpsBook @jasonhand | @wicke0

  82. info.signalsciences.com/appsec- defense-needs-top-five @jasonhand | @wicke0

  83. Lynda.com h"ps:/ /www.lynda.com/So2ware-Development- tutorials/Security-Tes<ng/667367-2.html @jasonhand | @wicke0