Slide 1

Shifting Left Securely @mattstratton

Slide 2

whoami @mattstratton

Slide 13

How does this help me with security?

Slide 18

» If you spend time keeping people from doing x, y, or z
» They will instead do a, b, or c to get the outcome they want

Slide 20

Problem with distributed configuration management
» Developer reads on Stack Overflow that disabling selinux will make his Node app work better.
» Developer updates his cookbook to disable selinux
» Sysadmins get fired because of 3viL haxx0rz

Slide 21

The better way
» Developer reads on Stack Overflow that disabling selinux will make his Node app work better.
» Developer updates his cookbook to disable selinux
» Developer runs local tests which include compliance checks
» Compliance checks test for state of selinux
» Tests fail. Developer says "Welp, I guess I can't do that."

Slide 22

What if the developers don't run those local tests? The pipeline catches them. They'll do better next time.

Slide 23

If you truly care about a thing, you care enough to write a test

Slide 27

    > grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
    2

vs.

    control 'ssh-1234' do
      impact 1.0
      title 'Server: Set protocol version to SSHv2'
      desc "
        Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore...
      "
      describe sshd_config do
        # cmp rather than eq: the sshd_config resource returns the value as a string
        its('Protocol') { should cmp 2 }
      end
    end
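As an added example that is not part of the deck and does not use the InSpec gem, the following Ruby script shows what the compliance checks from slide 21 (SELinux state) and slide 27 (sshd Protocol version) look like as a small dependency-free gate that a developer can run locally and a pipeline can run on every change. The function names (parse_sshd_config, parse_selinux_config, run_controls, compliant?), the control id 'selinux-1', and the embedded config text are all constructed for the example; only 'ssh-1234' and its title come from the slide.

```ruby
# Added example (not from the slides or from InSpec): a minimal version of the
# two compliance checks the deck describes, the SELinux state check from slide 21
# and the sshd Protocol check from slide 27. Input is embedded text so it runs
# offline; the "controls" mirror the id/impact/title shape of the InSpec DSL.

# Parse sshd_config-style "Key value" lines into a hash, skipping comments and
# blank lines. sshd treats keywords case-insensitively, so keys are lowercased.
def parse_sshd_config(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    cfg[key.downcase] = value.to_s.strip
  end
end

# Parse /etc/selinux/config-style "KEY=value" lines (e.g. SELINUX=enforcing).
def parse_selinux_config(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    cfg[key.strip.upcase] = value.to_s.strip
  end
end

# A control is a named expectation with an impact score, as in InSpec.
Control = Struct.new(:id, :impact, :title, :check)

CONTROLS = [
  # Slide 27: exactly "2", so a mixed "2,1" (SSHv1 still enabled) also fails.
  Control.new('ssh-1234', 1.0, 'Server: Set protocol version to SSHv2',
              ->(state) { state[:sshd]['protocol'] == '2' }),
  # Slide 21: the cookbook that disables SELinux must not get through.
  Control.new('selinux-1', 1.0, 'SELinux must be enforcing',
              ->(state) { state[:selinux]['SELINUX'] == 'enforcing' }),
].freeze

# Run every control against the parsed host state; returns id => :passed/:failed.
def run_controls(sshd_text, selinux_text, controls = CONTROLS)
  state = { sshd: parse_sshd_config(sshd_text),
            selinux: parse_selinux_config(selinux_text) }
  controls.each_with_object({}) do |control, results|
    results[control.id] = control.check.call(state) ? :passed : :failed
  end
end

# The pipeline gate: true only when every control passed.
def compliant?(results)
  results.values.all? { |r| r == :passed }
end

# Constructed sample inputs: a compliant host ...
GOOD_SSHD = <<~CFG
  # sshd_config (constructed sample)
  Port 22
  Protocol 2
CFG
GOOD_SELINUX = "SELINUX=enforcing\nSELINUXTYPE=targeted\n".freeze

# ... and the result of the slide-21 cookbook change that disabled SELinux.
BAD_SELINUX = "# set by cookbook after a Stack Overflow tip\nSELINUX=disabled\n".freeze

if __FILE__ == $PROGRAM_NAME
  results = run_controls(GOOD_SSHD, BAD_SELINUX)
  results.each { |id, outcome| puts "#{id}: #{outcome}" }
  puts(compliant?(results) ? 'compliant' : 'NOT compliant: change rejected')
end
```

Run as a script it reports ssh-1234 passed, selinux-1 failed and rejects the change, which is the "Welp, I guess I can't do that" moment from slide 21; in a real pipeline the same results would be read from the host's /etc/ssh/sshd_config and /etc/selinux/config instead of the embedded samples, and a non-zero exit on failure would stop the build.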

Slide 29

To Review
» Treat your pipeline as code
» Trust (but verify) your domain experts
» Focus on the what, not the how. Outcomes, outcomes, outcomes.
» Use your production audit tests in your pipeline
» Did I mention test?

Slide 30

Questions?

Slide 31

Resources
» Sidney Dekker - Field Guide to Human Error
» github.com/mattstratton/speaking
» twitter.com/mattstratton
» speakerdeck.com/mattstratton
» arresteddevops.com