Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Shifting Left Securely - DevOpsDays Denver 2017 Edition

Matt Stratton
April 12, 2017
Technology
0
680

Shifting Left Securely - DevOpsDays Denver 2017 Edition

I gave this talk at DevOpsDays Denver in 2017

Matt Stratton

April 12, 2017
Tweet

More Decks by Matt Stratton

See All by Matt Stratton
Talk Selection As Mockumentary Film Editing
mattstratton
0
43
How Do You Infect Your Organization With Humane Ops?
mattstratton
0
140
Incidents and Accidents
mattstratton
0
140
Everything Is A Product - How To Apply Product Management Practices to Technology Services
mattstratton
0
620
The Handwaver's Guide to Contributing To Open Source - ChefConf 2017
mattstratton
0
430
Shifting Left Securely
mattstratton
0
190
Making Infrastructure S'mores With Chef (ThatConference edition)
mattstratton
0
370
Making Infrastructure S'mores With Chef (KC DevOps edition)
mattstratton
0
65
The Five Love Languages of DevOps
mattstratton
2
160

Other Decks in Technology

See All in Technology
PHPカンファレンス小田原2024
ysknsid25
3
660
テストプロセスで大事にしていること #jasstnano
makky_tyuyan
0
130
少数チームで挑む: SwiftUI, TCA, KMPを用いた 新規動画配信アプリ 「ABEMA Live」の開発について
tomu28
0
540
Discord とビルダー&チャットボットの使い方 / How to use Discord and Builder & Chatbots
ks91
PRO
0
130
開発生産性向上サービスを作るFindyが自分たちで開発生産性を爆上げした組織づくりの歩み / Findy's path to boosting its own development productivity 2024-04-17
ma3tk
3
340
「共通基盤」を超えよ! 今、Platform Engineeringに取り組むべき理由
jacopen
25
5.9k
[2024年3月版] Databricksのシステムアーキテクチャ
databricksjapan
8
1.9k
"好き"との生活/Regularly update profile with GitHub Actions
judeeeee
0
150
クラウドサインにおけるプロダクトマネージャーの役割と開発プロセス / 20240410_cloudsign-PdM
bengo4com
1
680
HEXA OSINT CTF V3 作戦会議
meow_noisy
0
110
コンパウンドスタートアップのためのスケーラブルでセキュアなInfrastructure as Codeパイプラインを考える / Scalable and Secure Infrastructure as Code Pipeline for a Compound Startup
yuyatakeyama
3
2.8k
最近たまに見かけるTiDBってなんだ? - Findy
pingcap0315
2
610

Featured

See All Featured
The Mythical Team-Month
searls
215
42k
How STYLIGHT went responsive
nonsquared
92
4.8k
Creatively Recalculating Your Daily Design Routine
revolveconf
209
11k
Gamification - CAS2011
davidbonilla
76
4.6k
Clear Off the Table
cherdarchuk
83
310k
Why You Should Never Use an ORM
jnunemaker
PRO
50
8.6k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
658
120k
Six Lessons from altMBA
skipperchong
20
3k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
19
1.9k
How to train your dragon (web standard)
notwaldorf
72
5.1k
Raft: Consensus for Rubyists
vanstee
132
6.2k

Transcript

  1. Shifting Left Securely @mattstratton

  2. whoami @mattstratton @mattstratton

  3. @mattstratton

  4. None

  5. @mattstratton

  6. @mattstratton

  7. @mattstratton

  8. @mattstratton

  9. None

  10. @mattstratton

  11. @mattstratton

  12. @mattstratton

  13. How does this help me with security? @mattstratton

  14. @mattstratton

  15. @mattstratton

  16. @mattstratton

  17. @mattstratton

  18. » If you spend time keeping people from doing x,

    y, or z » They will instead do a, b, or c to get the outcome they want @mattstratton

  19. @mattstratton

  20. Problem with distributed configuration management » Developer reads on Stack

    Overflow that disabling selinux will make his Node app work better. » Developer updates his cookbook to disable selinux » Sysadmins get fired because of 3viL haxx0rz @mattstratton

  21. The better way » Developer reads on Stack Overflow that

    disabling selinux will make his Node app work better. » Developer updates his cookbook to disable selinux » Developer runs local tests which include compliance checks » Compliance checks test for state of selinux » Tests fail. Developer says "Welp, I guess I can't do that." @mattstratton

  22. What if the developers don't run those local tests? The

    pipeline catches them. They'll do better next time.

  23. If you truly care about a thing, you care enough

    to write a test @mattstratton

  24. @mattstratton

  25. @mattstratton

  26. @mattstratton

  27. > grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' 2 vs

    control 'ssh-1234' do impact 1.0 title 'Server: Set protocol version to SSHv2' desc " Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore... " describe sshd_config do its('Protocol') { should eq 2 } end end @mattstratton

  28. @mattstratton

  29. To Review » Treat your pipeline as code » Trust

    (but verify) your domain experts » Focus on the what, not the how. Outcomes, outcomes, outcomes. » Use your production audit tests in your pipeline » Did I mention test? @mattstratton

  30. Questions? @mattstratton

  31. resources » Sidney Dekker - Field Guide to Human Error

    » github.com/mattstratton/speaking » twitter.com/mattstratton » speakerdeck.com/mattstratton » arresteddevops.com @mattstratton