From Zero To a DevSecOps Hero

Marcus Maxwell

May 31, 2021

Transcript

  1. whoami
     Marcus Maxwell is a Principal Consultant at Contino. He has spent the last 5 years helping large enterprises with building out their Kubernetes clusters, migrating to cloud and, most recently, with cloud security programmes. Marcus has given talks before at AWS Loft, DevSecOps - London Gathering, Docker London and more.
     https://twitter.com/mindful_monk
     https://www.mindfulnewsletter.com/
     [email protected]
  2. About Contino
     Contino is a leading transformation consultancy that helps large, heavily-regulated enterprises to become fast, agile and competitive.
     • 360+ People - the deepest pool of DevOps, data & cloud transformation talent in the industry
     • 6 Global offices - we can scale rapidly to support diverse client requirements across the globe
     • 300+ Engagements - more DevOps transformation executed than any other professional services firm
     • 150+ Customers - specialising in helping the world's leading brands accelerate digital transformation
  3. Agenda
     1. What are your goals?
     2. Where to start on your learning journey
     3. Common myths about learning
     4. What certifications and learning platforms are the best?
     5. How to keep up to date
     6. Tips to bring others on the DevSecOps learning journey
     7. Common problems with education in the enterprise
  4. What are your goals?
     There are many reasons you might be here today; if any of the below describes you, then we are off to a good start!
     • Looking for a new job or moving up inside of your current organization
     • Getting better at what you do
     • Developing an education programme in your organization
     • Curious about how to learn effectively
     • Interested in getting certified, but not sure which cert to go for
     • Can’t decide which learning platform to get a subscription for
     • You are here for the memes, cat gifs and a good time
  5. Where to start
     • Where are you currently? Assess your skills
     • Pick an area you are interested in (there are so many: app, network, cloud, cloud native)
     • Decide how much time per week you can spare
     • Do some research on the area you will study: who are the experts, what are the topics in the area, what kind of work you will have to be doing on the ground
     • Join a community (like this one!)
  6. Common myths about learning
     • Learning styles (VARK) are nonsense (this one is particularly worrisome, as it might stop you from using other methods to learn)
     • Re-reading and highlighting
     • Left brain / right brain
     • 10% of the brain
     • 10,000 hour rule. Yeah, no.
     • Don’t praise intelligence, praise hard work. When you deal with smart people and something doesn’t come naturally to them, they give up.
     • The learning pyramid - 10% of what they read, 20% of what they hear
     • Brain games - those apps don’t work
     • Figuring it out yourself is better than having it explained - this is also a very expensive way to learn
  7. What works
     • Sleep
     • Quiz yourself after reading a chapter
     • Space out your learning
     • Retrieval practice
     • Forgetting is important in learning - retrieval strengthens the knowledge
     • We freaking love stories
     • Learn in multiple ways (read, watch a video, try it out)
     • Sleep
     • Study in small increments, often
     • Pre-test - my favourite for exam sitting: do a mock exam to fail
     • Rephrase instead of memorizing
  8. The Three Paths
     • Red Team - pentesting
     • Blue Team - defending
     • Audit Team - auditing
  9. Best Certs List
     Red Team:
     • OSCP
     • GSE
     • CREST
     • NCSC Certified Cyber Professional (CCP)
     Blue Team:
     • Cloud Certs
     • BTL1
     • CISSP/CISM
     Audit Team:
     • ISACA CRISC (Certified in Risk and Information Systems Control)
     • Certified ISO 27001 ISMS Lead Auditor
  10. Why OSCP?
     The exam worth the bragging rights: a 24 hour exam, followed by 24 hours of report writing. One of the most difficult exams in the industry.
     https://www.netsecfocus.com/oscp/2021/05/06/The_Journey_to_Try_Harder-_TJnull-s_Preparation_Guide_for_PEN-200_PWK_OSCP_2.0.html
  11. Why GSE?
     GIAC (Global Information Assurance Certification) Security Expert is the most difficult, most expensive and most prestigious certification right now in the industry. Only 258 people in the world have it: https://www.giac.org/certified-professionals/directory/gse
     GSE pre-requisites:
     • GSEC, GCIH, GCIA with two Gold
     • GSEC, GCIH, GCIA with one Gold and one substitute*
     • GSEC, GCIH, GCIA with no Gold and two substitutes*
     • GCWN, GCUX, GCIH, GCIA with one Gold
     • GCWN, GCUX, GCIH, GCIA with no Gold and one substitute*
     The GSE pre-requisite baseline is GSEC, GCIH, GCIA with two Gold certifications. The GSEC pre-requisite is unique because of its dual Windows and Unix coverage.
  12. A note on CISSP
     One of the most popular certs, particularly in the enterprise. It’s probably easier to just get it and be done with it. If you are looking for senior level jobs it is usually a prerequisite.
     Domains:
     • Domain 1. Security and Risk Management
     • Domain 2. Asset Security
     • Domain 3. Security Architecture and Engineering
     • Domain 4. Communication and Network Security
     • Domain 5. Identity and Access Management (IAM)
     • Domain 6. Security Assessment and Testing
     • Domain 7. Security Operations
     • Domain 8. Software Development Security
     Costs $749, between 100-150 questions, 3 hours.
     Alternatively go for CISM from ISACA: https://www.isaca.org/credentialing/cism
  13. How to keep up to date
     • Come to meetups - https://www.meetup.com/DevSecOps-London-Gathering
     • Subscribe to newsletters - https://www.mindfulnewsletter.com/ is great! ;)
     • Browse reddit and hackernews - https://www.reddit.com/r/netsec/
     • Twitter - https://twitter.com/mindful_monk
     • Blogs - use https://feedly.com/ or https://netnewswire.com/
     • Get on discord - https://discord.gg/wwhf
     • Watch youtube - https://www.youtube.com/channel/UCJ2U9Dq9NckqHMbcUupgF0A (Black Hills channel)
     • Listen to podcasts - https://risky.biz/ https://securityweekly.com/
     • Subscribe to some Twitch channels - https://www.twitch.tv/nahamsec
     • Read books and track them on https://www.goodreads.com/
  14. Common problems
     If you ever do a questionnaire about education in the organization, the following answers are the most popular:
     • Lack of time - I’m too busy:
       ◦ Because I have sprint commitments
       ◦ Because I will still have to do the same amount of work
       ◦ Because I can’t spend time after work learning
     • Lack of clarity:
       ◦ No learning paths
       ◦ No information on how to buy something
       ◦ No signposting
       ◦ No relevance
     This results in:
     • Training budgets going unspent
     • Training days not utilised
  15. The Dilemma
     Train people well enough so they can leave, treat them well enough so they don't want to.
  16. Don’t do these things
     • Don’t require writing a business case to a manager to request training
     • Don’t create generic training content
     • Don’t re-use your mandatory training/HR platforms; they are probably not suitable
     • And whatever you do, don’t send people to day long workshops that are not relevant
  17. Do these things
     • Talk to the engineers about how they currently learn and where they are struggling
     • Create learning paths based on what they have to do day to day at their jobs
     • Build communities/practices where engineers can go to learn and collaborate
     • Buy “Enterprise” or “Team” subscriptions to the major learning platforms (these come with the analytics you will want)
  18. How we do it in Contino
     • £5000 budget - available to everyone, not just engineers
     • 10 days per year for training/exams or conferences/events
     • Self-service
     • #practice-learning and other practice channels like #practice-security
     • We have Continis doing Oxford courses and getting their MBAs
     • We do ask people to produce some collateral on any training done or conference attended
     • A lot of people still struggle for time though