DevSecOps: Build It, Secure It, Run It

Where Does Security
ﬁt in DevOps?
@jasonhand | @wicke0

View Slide

The DevSecOps View:
Build It, Secure It, Run It,

View Slide

Agenda

View Slide

Where Have We Been?

View Slide

How Are We Doing Things Today?

View Slide

Industry Movement
That DevOps thing you keep hearing about

View Slide

Two Shi(s +
Adapta&on

View Slide

Security
Shi$s Le$
!
... earlier into the development cycle

View Slide

Security
Shi$s Right
!
... integra*ng with opera*ons

View Slide

Security
Adapts
!
... to enable app and service owners to respond
faster to threats

View Slide

(Adaptation == Continuous Improvement)

View Slide

Con$nuous
Improvement

View Slide

DevOps

View Slide

DevOps
An approach to our work where we con.nuously
look for methods to evaluate and improve the
technology, process, and people as they relate to
building, deploying, opera.ng, securing, and
suppor.ng the value our organiza.on provides.

View Slide

Jason
Hand
@jasonhand
VictorOps

View Slide


View Slide

James
Wicke&
@wicke'
Signal Sciences

View Slide

"Many security teams work with a
worldview where their goal is to
inhibit change as much as
possible."

View Slide

Companies are spending a great deal on security,
but we read of massive computer-related
a9acks...

View Slide

Clearly something is wrong. The root of the
problem is twofold: we’re protec'ng the wrong
things, and we’re hur'ng produc'vity in the
process.
— Steven M. Bellovin

View Slide

The Past
Embrace Secrecy
Build a Wall
Test when Done
Certainty Tes:ng

View Slide

The best way to predict
the future
is to invent it

View Slide

The Future
Embrace Feedback Loops
Zero Trust Networks
Shi9 Le9
Adversity Tes=ng

View Slide


View Slide

New Challenges

View Slide

What is
Security’s
new place in the delivery pipeline?

View Slide

How?

View Slide

Integrated
&
Collabora've

View Slide

Conversa)ons
About Security Earlier

View Slide

Build
It

View Slide

SDLC
Shi$s

View Slide

Something New

View Slide

Instrumenta*on

View Slide

Monitoring
&
Aler%ng

View Slide

Does security aﬀect the reliability of a service?

View Slide

Site Reliability Engineering

View Slide

GDPR
General Data Protec-on Regula-on
Enforcement Begins: May 25th, 2018

View Slide

Secure
It

View Slide

Shi$s le$
... earlier into the development cycle

View Slide

3 Shi&s le&
Design
Inheritance
Tes.ng

View Slide

Design for the Bad Guys
Use Evil User Stories and have security tests
being wri7en with other unit tests or whatever
tes8ng pa7erns you use: TDD, BDD, ATDD, …

View Slide

New School Security
Design
Mozilla Rapid Risk Assessment link
OWASP App Threat Modeling Cheat Sheet link

View Slide

We Inherit
our
Problems
Heartbleed, shellshock, ...
We forget our real LOC

View Slide

Toolchain for
Inheritance tes0ng
OWASP Dependency Checker
Re3re.js link
Publish a BOM
Git-secrets from awslabs link

View Slide

Security Tes,ng for
Developers
Code Standards and security tooling runs on
developer laptops and systems, but also veriﬁed
by CI system.

View Slide

The goal should be to come up
with a set of automated tests that
probe and check security
conﬁgura9ons and run9me
system behavior for security
features that will execute every
9me the system is built and every
9me it is deployed.

View Slide


View Slide

Gauntlt
Framework with Security tes2ng wri5en in a
natural language that developers, security and
opera2ons can understand.

View Slide


View Slide

Gauntlt
Gauntlt wraps security tes0ng tools to be part of
the CI/CD pipeline
Open source, MIT License,
gauntlt.org

View Slide

We have saved millions of
dollars using Gauntlt for the
largest healthcare industry
project.
— Aaron Rinehart, UnitedHealthCare

View Slide

Lynda.com
Security Tes,ng Course
link

View Slide

Shi$s right
... integra*ng with opera*ons

View Slide

Run
It

View Slide

What Keeps You Up At Night?

View Slide

Reducing
Unknown Unknown

View Slide

Observability
Asking Ques+ons

View Slide

Can you answer
the following ques/on:

View Slide

Am I under
ac#ve a'ack
right now?

View Slide


View Slide

Much less,
are a%ackers having
success?

View Slide

Detect What Ma*ers
Account takeover a-empts
Areas of the site under a-ack
Most likely vectors of a-ack
Business logic ﬂows
Abuse and Misuse

View Slide

Threat

View Slide

Proac&ve
&
Inten&onal about
Learning

View Slide

Post-Incident
Reviews

View Slide

Cross-Func*onal
&
Highly Collabora-ve
Teams

View Slide

ChatOps

View Slide

Audit Trail

View Slide

SRE
Culture of Reliability

View Slide

Chaos Engineering
& Game Days

View Slide

Value Stream
Maps

View Slide

How Does
Security Aﬀect
Outcomes?

View Slide

IT Performance Metrics
Deployment Frequency
Lead Time For Changes
MTTR
Change Failure Rate
Cycle Time

View Slide

Compliance
vs
Governance

View Slide

Done

View Slide


View Slide

Where Does Security
ﬁt in DevOps?

View Slide

Takeaways
Shi$s & Adapta-ons
Proac-ve
Observability
Collabora-ve

View Slide

Takeaways
Learning
Performance Metrics
Governance
Con4nuous

View Slide

Thank
You

View Slide

jhand.co/SREBook
jhand.co/PIRBook
jhand.co/ChatOpsBook

View Slide

info.signalsciences.com/appsec-
defense-needs-top-ﬁve

View Slide

Lynda.com
h"ps:/
/www.lynda.com/So2ware-Development-
tutorials/[email protected] | @wicke0

View Slide

DevSecOps: Build It, Secure It, Run It

DevSecOps: Build It, Secure It, Run It

j.hand

More Decks by j.hand

Other Decks in Technology

Featured

Transcript