Slide 1

Something, something DevSecOps
Fraser Scott @zeroXten

Slide 2

cat < about.txt
* Senior Cloud SecOps Engineer at Capital One
* NOC engineer -> Build engineer -> Sysadmin -> “DevOps” -> Cloud Security
* 13+ years of this stuff
* Bash / Perl / PHP / Python / Ruby / Go + other
* https://pki.io and http://threatspec.org
* aka zeroXten pretty much everywhere
EOF

Slide 3

DevOps = Dev + Ops

Slide 4

No content

Slide 5

https://sg.finance.yahoo.com/news/5-kinds-credit-card-fraud-160000625.html

Slide 6

Culture Automation Lean Measurement Sharing

Slide 7

A view from InfoSec

Slide 8

No content

Slide 9

No content

Slide 10

http://www.orcaconfig.com/devops-security-change-control/

Slide 11

No content

Slide 12

Regulation, Compliance, Audits
http://www.doggyoffice.com/daycare/

Slide 13

• Defense in depth
• Principle of least privilege
• Separation of duty
• Whitelists (or why signatures suck)
• Weakest link
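An added example, not from the slides, of the "whitelists (or why signatures suck)" point: the same constructed inputs are run through a signature-style denylist and through an allowlist. The hostname-label grammar, the denylist fragments and the sample inputs are assumptions made for the illustration, not something the talk specifies.

```python
import re

# Added example, not from the slides: an allowlist next to a signature-style
# denylist, both validating a hostname-like identifier (constructed scenario).

# Denylist: a few known-bad fragments. It only catches what it enumerates.
DENYLIST_SIGNATURES = ("../", "<script", "$(")


def denylist_allows(value: str) -> bool:
    """Accept unless one of the known-bad signatures appears (signature approach)."""
    lowered = value.lower()
    return not any(sig in lowered for sig in DENYLIST_SIGNATURES)


# Allowlist: describe the only shape that is acceptable. Labels of letters,
# digits and hyphens, no leading or trailing hyphen, joined by dots, bounded
# length. Anything outside that grammar is rejected without needing a signature.
LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
ALLOWLIST_RE = re.compile(rf"^{LABEL}(\.{LABEL})*$", re.IGNORECASE)


def allowlist_allows(value: str) -> bool:
    """Accept only values matching the allowlist grammar and the length bound."""
    return len(value) <= 253 and ALLOWLIST_RE.fullmatch(value) is not None


def compare(values):
    """Return {value: (denylist_verdict, allowlist_verdict)} for each input."""
    return {v: (denylist_allows(v), allowlist_allows(v)) for v in values}


# Constructed sample inputs: two legitimate names, one the denylist knows about,
# and two it has never seen (a shell metacharacter, a stray quote).
SAMPLE_INPUTS = [
    "web-01.example.internal",
    "DB.Example.Internal",
    "web-01.example.internal/../secrets",
    "web-01.example.internal;id",
    "web-01.example.internal'",
]

if __name__ == "__main__":
    for value, (deny_ok, allow_ok) in compare(SAMPLE_INPUTS).items():
        deny_label = "accept" if deny_ok else "reject"
        allow_label = "accept" if allow_ok else "reject"
        print(f"{value!r:40} denylist={deny_label:6} allowlist={allow_label}")
```

The denylist accepts the last two inputs because nothing on its list matches them; the allowlist rejects them simply because they are not well-formed names. That is the asymmetry the slide is pointing at: a signature list has to be updated for every new bad input, an allowlist does not.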

Slide 14

DevOps + Security
aka DevOpsSec, DevOpSec, SecDevOps, Rugged DevOps
/(?=.*sec)(?=.*dev)(?=.*ops)/i
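As an added example (not from the slides), the naming regex written with `.*` inside each lookahead, run over the spellings listed on the slide plus a few constructed near misses. The function and sample names are mine, not the talk's.

```python
import re

# Added example, not from the slides: the slide's naming regex with ".*" inside
# each lookahead. Three lookaheads anchored at the same position act as an AND,
# so "sec", "dev" and "ops" may appear in any order. Without ".*" a lookahead
# could only inspect the next few characters and the three could never all hold.
DEVSECOPS_RE = re.compile(r"(?=.*sec)(?=.*dev)(?=.*ops)", re.IGNORECASE)


def is_devsecops_name(name: str) -> bool:
    """True when name contains 'sec', 'dev' and 'ops' (any order, any case)."""
    return DEVSECOPS_RE.search(name) is not None


def classify(names):
    """Return {name: matched} for a list of candidate names."""
    return {n: is_devsecops_name(n) for n in names}


# Constructed sample: the spellings from the slide plus a few near misses.
SAMPLE_NAMES = [
    "DevOpsSec", "DevOpSec", "SecDevOps", "Rugged DevOps",
    "sec-dev-ops", "DevOps", "SecOps",
]

if __name__ == "__main__":
    for name, matched in classify(SAMPLE_NAMES).items():
        print(f"{name:14} {'match' if matched else 'no match'}")
```

"DevOpSec" matches because "OpS" supplies the "ops"; "Rugged DevOps" does not, since it contains no "sec", so the regex summarises the portmanteaus rather than every name on the slide.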

Slide 15

Where we want to be
http://www.heapsoffun.com/cats-and-dogs-helping-each-other_1594.html

Slide 16

Where DevOps and Security clash
• DevOps can be like coffee - do stupid things faster
• Features vs Availability vs Vulnerability
• Most InfoSec tools don’t scale
• Manual all the things

Slide 17

What DevOps can bring to Security
• Reliability and consistency
• Fast deployments => Fast patching
• Documentation
• Continuous .*

Slide 18

Doing Security
• Hardening
• Continuous security testing (BDD-Security)
• Threat Modelling (Irius Risk, ThreatSpec)

Slide 19

Code / Build / Deploy
SCM, Peer review, Lint, Unit tests, Integration tests, Asset repo, Dependency management, IaaS, PaaS, Monitoring
Threat modelling, Static analysis, Continuous security testing, Code signing, Supply chain, Fuzzing, Patching, Hardening, Cloud Security, Forensics, Security monitoring

Slide 20

Help security help you

Slide 21

$ git init

Slide 22

Threat Modelling
• Read Threat Modeling: Designing for Security by Adam Shostack
• Talk to your security team early in the project lifecycle
• Talk to your security team early in the project lifecycle ... seriously
• Document design decisions and their security implications
• Ask your security team to peer review security critical code changes

Slide 23

Loss of availability is a best case scenario for a security incident

Slide 24

CI / CD / CS?

Slide 25

Conclusion

Slide 26

Do something today
• Chat with security
• Harden something
• Read something different tomorrow