Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Shifting Left Securely - DevOpsDays Denver 2017...

Matt Stratton
April 12, 2017
Technology
0
780

Shifting Left Securely - DevOpsDays Denver 2017 Edition

I gave this talk at DevOpsDays Denver in 2017

Matt Stratton

April 12, 2017
Tweet

More Decks by Matt Stratton

See All by Matt Stratton
Talk Selection As Mockumentary Film Editing
mattstratton
0
50
How Do You Infect Your Organization With Humane Ops?
mattstratton
0
140
Incidents and Accidents
mattstratton
0
170
Everything Is A Product - How To Apply Product Management Practices to Technology Services
mattstratton
0
720
The Handwaver's Guide to Contributing To Open Source - ChefConf 2017
mattstratton
0
500
Shifting Left Securely
mattstratton
0
200
Making Infrastructure S'mores With Chef (ThatConference edition)
mattstratton
0
440
Making Infrastructure S'mores With Chef (KC DevOps edition)
mattstratton
0
75
The Five Love Languages of DevOps
mattstratton
2
160

Other Decks in Technology

See All in Technology
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
7
800
障害対応指揮の意思決定と情報共有における価値観 / Waroom Meetup #2
arthur1
5
470
BLADE: An Attempt to Automate Penetration Testing Using Autonomous AI Agents
bbrbbq
0
300
第1回 国土交通省 データコンペ参加者向け勉強会③ - Snowflake x estie編 -
estie
0
130
SREによる隣接領域への越境とその先の信頼性
shonansurvivors
2
520
Lambdaと地方とコミュニティ
miu_crescent
2
370
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.6k
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
Terraform未経験の御様に対してどの ように導⼊を進めていったか
tkikuchi
2
430
初心者向けAWS Securityの勉強会mini Security-JAWSを9ヶ月ぐらい実施してきての近況
cmusudakeisuke
0
120
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
110
Lexical Analysis
shigashiyama
1
150

Featured

See All Featured
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
YesSQL, Process and Tooling at Scale
rocio
169
14k
Faster Mobile Websites
deanohume
305
30k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
Designing for humans not robots
tammielis
250
25k
RailsConf 2023
tenderlove
29
900
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
BBQ
matthewcrist
85
9.3k
GitHub's CSS Performance
jonrohan
1030
460k
What's new in Ruby 2.0
geeforr
343
31k
The Cost Of JavaScript in 2023
addyosmani
45
6.7k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k

Transcript

  1. Shifting Left Securely @mattstratton

  2. whoami @mattstratton @mattstratton

  3. @mattstratton

  4. None

  5. @mattstratton

  6. @mattstratton

  7. @mattstratton

  8. @mattstratton

  9. None

  10. @mattstratton

  11. @mattstratton

  12. @mattstratton

  13. How does this help me with security? @mattstratton

  14. @mattstratton

  15. @mattstratton

  16. @mattstratton

  17. @mattstratton

  18. » If you spend time keeping people from doing x,

    y, or z » They will instead do a, b, or c to get the outcome they want @mattstratton

  19. @mattstratton

  20. Problem with distributed configuration management » Developer reads on Stack

    Overflow that disabling selinux will make his Node app work better. » Developer updates his cookbook to disable selinux » Sysadmins get fired because of 3viL haxx0rz @mattstratton

  21. The better way » Developer reads on Stack Overflow that

    disabling selinux will make his Node app work better. » Developer updates his cookbook to disable selinux » Developer runs local tests which include compliance checks » Compliance checks test for state of selinux » Tests fail. Developer says "Welp, I guess I can't do that." @mattstratton

  22. What if the developers don't run those local tests? The

    pipeline catches them. They'll do better next time.

  23. If you truly care about a thing, you care enough

    to write a test @mattstratton

  24. @mattstratton

  25. @mattstratton

  26. @mattstratton

  27. > grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' 2 vs

    control 'ssh-1234' do impact 1.0 title 'Server: Set protocol version to SSHv2' desc " Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore... " describe sshd_config do its('Protocol') { should eq 2 } end end @mattstratton

  28. @mattstratton

  29. To Review » Treat your pipeline as code » Trust

    (but verify) your domain experts » Focus on the what, not the how. Outcomes, outcomes, outcomes. » Use your production audit tests in your pipeline » Did I mention test? @mattstratton

  30. Questions? @mattstratton

  31. resources » Sidney Dekker - Field Guide to Human Error

    » github.com/mattstratton/speaking » twitter.com/mattstratton » speakerdeck.com/mattstratton » arresteddevops.com @mattstratton