Slide 1

Where Does Security fit in DevOps? @jasonhand | @wickett

Slide 2

The DevSecOps View: Build It, Secure It, Run It

Slide 3

Agenda

Slide 4

Where Have We Been?

Slide 5

How Are We Doing Things Today?

Slide 6

Industry Movement: That DevOps thing you keep hearing about

Slide 7

Two Shifts + Adaptation

Slide 8

Security Shifts Left ... earlier into the development cycle

Slide 9

Security Shifts Right ... integrating with operations

Slide 10

Security Adapts ... to enable app and service owners to respond faster to threats

Slide 11

(Adaptation == Continuous Improvement)

Slide 12

Continuous Improvement

Slide 13

DevOps

Slide 14

DevOps: An approach to our work where we continuously look for methods to evaluate and improve the technology, process, and people as they relate to building, deploying, operating, securing, and supporting the value our organization provides.

Slide 15

Jason Hand, @jasonhand, VictorOps

Slide 16

Slide 17

James Wickett, @wickett, Signal Sciences

Slide 18

"Many security teams work with a worldview where their goal is to inhibit change as much as possible."

Slide 19

Companies are spending a great deal on security, but we read of massive computer-related attacks...

Slide 20

Clearly something is wrong. The root of the problem is twofold: we're protecting the wrong things, and we're hurting productivity in the process. — Steven M. Bellovin

Slide 21

The Past:
Embrace Secrecy
Build a Wall
Test when Done
Certainty Testing

Slide 22

The best way to predict the future is to invent it

Slide 23

The Future:
Embrace Feedback Loops
Zero Trust Networks
Shift Left
Adversity Testing

Slide 24

Slide 25

New Challenges

Slide 26

What is Security's new place in the delivery pipeline?

Slide 27

How?

Slide 28

Integrated & Collaborative

Slide 29

Conversations About Security Earlier

Slide 30

Build It

Slide 31

SDLC Shifts

Slide 32

Something New

Slide 33

Instrumentation

Slide 34

Monitoring & Alerting

Slide 35

Does security affect the reliability of a service?

Slide 36

Site Reliability Engineering

Slide 37

GDPR: General Data Protection Regulation. Enforcement begins: May 25th, 2018

Slide 38

Secure It

Slide 39

Shifts left ... earlier into the development cycle

Slide 40

3 Shifts left:
Design
Inheritance
Testing

Slide 41

Design for the Bad Guys: Use Evil User Stories, and have security tests written alongside your other unit tests, in whatever testing patterns you already use: TDD, BDD, ATDD, …

Slide 42

New School Security Design:
Mozilla Rapid Risk Assessment (link)
OWASP App Threat Modeling Cheat Sheet (link)

Slide 43

We Inherit our Problems: Heartbleed, Shellshock, ... We forget our real LOC

Slide 44

Toolchain for Inheritance testing:
OWASP Dependency-Check
Retire.js (link)
Publish a BOM
Git-secrets from awslabs (link)

Slide 45

Security Testing for Developers: Code standards and security tooling run on developer laptops and systems, but are also verified by the CI system.

Slide 46

The goal should be to come up with a set of automated tests that probe and check security configurations and runtime system behavior for security features that will execute every time the system is built and every time it is deployed.

Slide 47

Slide 48

Gauntlt: Framework with security testing written in a natural language that developers, security and operations can understand.

Slide 49

Slide 50

Gauntlt: Gauntlt wraps security testing tools to be part of the CI/CD pipeline. Open source, MIT License, gauntlt.org

Slide 51

We have saved millions of dollars using Gauntlt for the largest healthcare industry project. — Aaron Rinehart, UnitedHealthCare

Slide 52

Lynda.com Security Testing Course (link)

Slide 53

Shifts right ... integrating with operations

Slide 54

Run It

Slide 55

What Keeps You Up At Night?

Slide 56

Reducing Unknown Unknowns

Slide 57

Observability: Asking Questions

Slide 58

Can you answer the following question:

Slide 59

Am I under active attack right now?

Slide 60

Slide 61

Much less, are attackers having success?

Slide 62

Detect What Matters:
Account takeover attempts
Areas of the site under attack
Most likely vectors of attack
Business logic flows
Abuse and Misuse
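As an added example that is not part of the deck, the two questions above ("am I under active attack?" and "are attackers having success?") turned into detection logic over a constructed auth log: one check flags a source IP failing logins against several different accounts (credential stuffing against an area of the site), the other flags a successful login that immediately follows a burst of failures for the same account from the same IP (an account takeover attempt that worked). The log format and thresholds are assumptions.

```python
# Added example (not from the slides): two "detect what matters" signals
# computed over constructed auth-log lines, to answer "am I under attack?"
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "timestamp source_ip account outcome".
SAMPLE_LOG = """\
2018-05-01T10:00:01 203.0.113.7 alice FAIL
2018-05-01T10:00:02 203.0.113.7 bob FAIL
2018-05-01T10:00:03 203.0.113.7 carol FAIL
2018-05-01T10:00:30 198.51.100.9 alice FAIL
2018-05-01T10:00:35 198.51.100.9 alice FAIL
2018-05-01T10:00:40 198.51.100.9 alice FAIL
2018-05-01T10:00:45 198.51.100.9 alice OK
2018-05-01T10:05:00 192.0.2.20 bob OK
"""

def parse(log_text):
    """Turn log text into (timestamp, ip, account, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, outcome))
    return events

def stuffing_sources(events, min_accounts=3):
    """Source IPs whose failed logins span several different accounts in the
    batch (the caller feeds one time window): a credential-stuffing signal."""
    failed = defaultdict(set)
    for _, ip, account, outcome in events:
        if outcome == "FAIL":
            failed[ip].add(account)
    return {ip for ip, accounts in failed.items() if len(accounts) >= min_accounts}

def takeover_successes(events, window=timedelta(minutes=1), min_fails=3):
    """Successful login right after a burst of failures for the same account
    from the same IP: the "are attackers having success?" signal."""
    hits = set()
    for i, (ts, ip, account, outcome) in enumerate(events):
        if outcome != "OK":
            continue
        recent = [e for e in events[:i]
                  if e[1] == ip and e[2] == account and e[3] == "FAIL"
                  and ts - e[0] <= window]
        if len(recent) >= min_fails:
            hits.add((account, ip))
    return hits
```

Bob's later successful login from a third IP with no preceding failures from that IP is deliberately left unflagged, so the checks report the attack pattern rather than every account that was merely probed.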

Slide 63

Threat

Slide 64

Proactive & Intentional about Learning

Slide 65

Post-Incident Reviews

Slide 66

Cross-Functional & Highly Collaborative Teams

Slide 67

ChatOps

Slide 68

Audit Trail

Slide 69

SRE: Culture of Reliability

Slide 70

Chaos Engineering & Game Days

Slide 71

Value Stream Maps

Slide 72

How Does Security Affect Outcomes?

Slide 73

IT Performance Metrics:
Deployment Frequency
Lead Time for Changes
MTTR
Change Failure Rate
Cycle Time

Slide 74

Compliance vs Governance

Slide 75

Done

Slide 76

Slide 77

Where Does Security fit in DevOps?

Slide 78

Takeaways:
Shifts & Adaptations
Proactive
Observability
Collaborative

Slide 79

Takeaways:
Learning
Performance Metrics
Governance
Continuous

Slide 80

Thank You

Slide 81

jhand.co/SREBook
jhand.co/PIRBook
jhand.co/ChatOpsBook

Slide 82

info.signalsciences.com/appsec-defense-needs-top-five

Slide 83

Lynda.com: https://www.lynda.com/Software-Development-tutorials/Security-Tes