Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Shifting Left Securely - DevOpsDays Denver 2017...

Matt Stratton
April 12, 2017
Technology
0
770

Shifting Left Securely - DevOpsDays Denver 2017 Edition

I gave this talk at DevOpsDays Denver in 2017

Matt Stratton

April 12, 2017
Tweet

More Decks by Matt Stratton

See All by Matt Stratton
Talk Selection As Mockumentary Film Editing
mattstratton
0
48
How Do You Infect Your Organization With Humane Ops?
mattstratton
0
140
Incidents and Accidents
mattstratton
0
170
Everything Is A Product - How To Apply Product Management Practices to Technology Services
mattstratton
0
710
The Handwaver's Guide to Contributing To Open Source - ChefConf 2017
mattstratton
0
500
Shifting Left Securely
mattstratton
0
200
Making Infrastructure S'mores With Chef (ThatConference edition)
mattstratton
0
440
Making Infrastructure S'mores With Chef (KC DevOps edition)
mattstratton
0
75
The Five Love Languages of DevOps
mattstratton
2
160

Other Decks in Technology

See All in Technology
よくわからんサービスについての問い合わせが来たときの強い味方 Amazon Q について
kazzpapa3
0
220
Gradle: The Build System That Loves To Hate You
aurimas
2
150
ネット広告に未来はあるか?「3rd Party Cookie廃止とPrivacy Sandboxの効果検証の裏側」 / third-party-cookie-privacy
cyberagentdevelopers
PRO
1
130
チームを主語にしてみる / Making "Team" the Subject
ar_tama
4
310
VPC間の接続方法を整理してみた #自治体クラウド勉強会
non97
1
860
AWS CodePipelineでコンテナアプリをデプロイした際に、古いイメージを自動で削除する
smt7174
1
100
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
290k
なんで、私がAWS Heroに!? 〜社外の広い世界に一歩踏み出そう〜
minorun365
PRO
6
1.1k
独自ツール開発でスタジオ撮影をDX!「VLS(Virtual LED Studio)」 / dx-studio-vls
cyberagentdevelopers
PRO
1
180
オーティファイ会社紹介資料 / Autify Company Deck
autifyhq
9
120k
AIを駆使したゲーム開発戦略: 新設AI組織の取り組み / sge-ai-strategy
cyberagentdevelopers
PRO
1
130
事業者間調整の行間を読む 調整の具体事例
sugiim
0
1.5k

Featured

See All Featured
Designing Dashboards & Data Visualisations in Web Apps
destraynor
228
52k
Adopting Sorbet at Scale
ufuk
73
9k
RailsConf 2023
tenderlove
29
880
Intergalactic Javascript Robots from Outer Space
tanoku
268
27k
For a Future-Friendly Web
brad_frost
175
9.4k
The Art of Programming - Codeland 2020
erikaheidi
51
13k
How to Ace a Technical Interview
jacobian
275
23k
Ruby is Unlike a Banana
tanoku
96
11k
Rails Girls Zürich Keynote
gr2m
93
13k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Designing Experiences People Love
moore
138
23k

Transcript

  1. Shifting Left Securely @mattstratton

  2. whoami @mattstratton @mattstratton

  3. @mattstratton

  4. None

  5. @mattstratton

  6. @mattstratton

  7. @mattstratton

  8. @mattstratton

  9. None

  10. @mattstratton

  11. @mattstratton

  12. @mattstratton

  13. How does this help me with security? @mattstratton

  14. @mattstratton

  15. @mattstratton

  16. @mattstratton

  17. @mattstratton

  18. » If you spend time keeping people from doing x,

    y, or z » They will instead do a, b, or c to get the outcome they want @mattstratton

  19. @mattstratton

  20. Problem with distributed configuration management » Developer reads on Stack

    Overflow that disabling selinux will make his Node app work better. » Developer updates his cookbook to disable selinux » Sysadmins get fired because of 3viL haxx0rz @mattstratton

  21. The better way » Developer reads on Stack Overflow that

    disabling selinux will make his Node app work better. » Developer updates his cookbook to disable selinux » Developer runs local tests which include compliance checks » Compliance checks test for state of selinux » Tests fail. Developer says "Welp, I guess I can't do that." @mattstratton

  22. What if the developers don't run those local tests? The

    pipeline catches them. They'll do better next time.

  23. If you truly care about a thing, you care enough

    to write a test @mattstratton

  24. @mattstratton

  25. @mattstratton

  26. @mattstratton

  27. > grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' 2 vs

    control 'ssh-1234' do impact 1.0 title 'Server: Set protocol version to SSHv2' desc " Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore... " describe sshd_config do its('Protocol') { should eq 2 } end end @mattstratton

  28. @mattstratton

  29. To Review » Treat your pipeline as code » Trust

    (but verify) your domain experts » Focus on the what, not the how. Outcomes, outcomes, outcomes. » Use your production audit tests in your pipeline » Did I mention test? @mattstratton

  30. Questions? @mattstratton

  31. resources » Sidney Dekker - Field Guide to Human Error

    » github.com/mattstratton/speaking » twitter.com/mattstratton » speakerdeck.com/mattstratton » arresteddevops.com @mattstratton