Slide 1

SECDEVOPS: CREATING CULTURAL CHANGE TO BRIDGE BETWEEN SECURITY AND DEVOPS?

— @benjammingh for DevOpsDaysPDX!

Slide 2

WHO'S THIS CLOWN?

> Infrastructure security at Etsy.
> Operations engineer at Puppet Labs.
> Worked at some startups and some not so startups.
> Owns a lot of black t-shirts.

Footnote 2: https://twitter.com/skullmandible/status/411281851131523072

Slide 3

ETSY?

(image: "Dachshund Queen" by poordogfarm)

Slide 4

ETSY!

> Global marketplace of amazing handmade and vintage goods.
> Offices in Brooklyn, San Francisco, Toronto, Berlin, Paris, Dublin, soon the moon.
> Over 40m members, over 1m active sellers.
> Black Friday is coming up soon. Please buy things! (:

Slide 5

DEVSECOPS? (WHAT? I DIDN'T NAME IT)

Slide 6

DEVOPS (WHY IS IT NEVER OPSDEV?)

Slide 7

DEVOPS CLUB?

Slide 8

SECURI-WHO?

Slide 9

Footnote 3: with thanks to the ever wonderful swanographer Pete Cheslock

Slide 10


Slide 11

(STABILITY. IT'S HARD TO FIND AN IMAGE FOR THAT)

Slide 12


Slide 13

SECURITY IS TRADITIONALLY A BLOCKER

Slide 14

"The Net interprets censorship as damage and routes around it." -- John Gilmore

Slide 15


Slide 16

"A security team that is left out of the process is worse than no security team at all." — Ben Hughes, just now.

Slide 17

"That's great Ben, what does this have to do with DevOps?"

Slide 18

ADD A SECURITY IN EARLY

Slide 19

HOW EARLY?

Slide 20

SCALING A SECURITY PERSON BEING IN EVERY SINGLE MEETING

Slide 21

THE DEVOPS PYRAMID

> 10 Developers.
> 1 Operations person.

Slide 22

THE DEVSECOPS PYRAMID

> 100 Developers.
> 10 Operations people.
> 1 Security person.

Slide 23

Footnote 4: @JordannGross https://twitter.com/JordannGross/status/718457587218399233

Slide 24

CHAMPIONS: OUR PEOPLE ON THE INSIDE!

Slide 25

SECURITY BOOTCAMPS: ONE OF US, ONE OF US! (FOR A LIMITED TIME ONLY)

Slide 26

THIS IS AWESOME.

Slide 27

1> It builds relationships early.

Slide 28

2> This makes security approachable from the start.

Slide 29

3> They take back what they learned and share it with their team.

Slide 30

THINGS TO DO WITH YOUR CHAMPIONS

> have them in your Slack/IRC/chat medium of choice.
> take them to conferences you attend: BlackHat, DefCon, SummerCon
> get them front row seats at in house security events.

(image: Sophia D'Antoine – Modern Application Security for iOS)

Slide 31

SENIOR ROTATIONS

Slide 32

DESIGNATED HACKERS

Slide 33

DESIGNATED, NOT DEDICATED

Slide 34

WHY DO ALL THIS?

Slide 35

"Oh hey, I saw this weird thing, is this anything...?" — Your most valuable security professional, Claire from finance.

Slide 36

OUTREACH == EVERYONE IN YOUR ORGANISATION NOW WORKS ON SECURITY.

Slide 37

APPROACHABLE

"Should I bother sending them this weird looking email? Nah, they were rude last time." — Someone who's about to run "DefinitelyNotMalware.exe" in most orgs.

Slide 38

HUMILITY

Slide 39


Slide 40

BLAME(-LESS)

Slide 41

BLAMING PEOPLE WON'T MAKE THEM NOT DO THINGS (THEY JUST WON'T TELL YOU)

Slide 42

YOU TELL PEOPLE NOT TO OPEN RANDOM FILES FROM PEOPLE THEY DON'T KNOW. YOU ALSO HAVE A RECRUITING TEAM.

Slide 43


Slide 44

THIS BUG EXPLOITS UX

Slide 45


Slide 46

THIS IS NOT THE USER'S FAULT.

Slide 47

WE HAVE MADE BAD TOOLS AND WE SHOULD FEEL BAD.

Slide 48

WOULD YOU RATHER?

Slide 49

HAVE 95% OF PEOPLE NOT FALL FOR PHISHING.

Slide 50

OR 10% OF PEOPLE TELL YOU THEY DID.

Slide 51

(IF YOU PICKED 'A' YOU ARE WRONG) (:

Slide 52

MAKING SECURITY THE DEFAULT

Slide 53

IF YOU MAKE SECURITY HARD, PEOPLE WON'T DO IT.

Slide 54

    % gpg --help
    gpg (GnuPG/MacGPG2) 2.0.28
    libgcrypt 1.6.3
    Copyright (C) 2015 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Home: ~/.gnupg
    Supported algorithms:
    Pubkey: RSA, RSA, RSA, ELG, DSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
            CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2

    Syntax: gpg [options] [files]
    Sign, check, encrypt or decrypt
    Default operation depends on the input data

    Commands:

     -s, --sign                 make a signature
         --clearsign            make a clear text signature
     -b, --detach-sign          make a detached signature
     -e, --encrypt              encrypt data
     -c, --symmetric            encryption only with symmetric cipher
     -d, --decrypt              decrypt data (default)
         --verify               verify a signature
     -k, --list-keys            list keys
         --list-sigs            list keys and signatures
         --check-sigs           list and check key signatures
         --fingerprint          list keys and fingerprints
     -K, --list-secret-keys     list secret keys
    ...

Slide 55


Slide 56

WhatsApp just made all their instant messaging end to end encrypted. The user has to do nothing to make this happen. Guess how many users are now doing this? (spoiler: all of them)

Slide 57

COMPARE WHATSAPP USAGE TO GPG (GPG/PGP HAS BEEN AROUND SINCE THE 90S, SO IT SHOULD BE LARGER, NO?)

Slide 58

CONCLUSION TIME! (YES, YOU GET LUNCH) (EVEN BETTER, YOU GET JENNIFER!)

Slide 59

SECURITY PEOPLE, BE

> be approachable
> be transparent
> be humble
> stop blaming users, work with them
> then people will come to you

Slide 60

THE REST OF THE ORGANISATION

> don't be afraid of your security team
> if you are, get a new security team
> get everyone to be "part of" your security team
> bake security in by default and early

Slide 61

CONTROVERSIAL LAST SLIDE! DEVSECOPS ISN'T A REAL THING. YOU SHOULD JUST TALK TO ALL YOUR TEAMS, STOP IGNORING QA, DBS, HELPDESK, RECRUITING, ETC...

Slide 62

THANK YOU

> Twidder: @benjammingh
> LinkedIn: lnkdin.me/p/benyeah
> JitHub: github.com/barn
> SpeakerDeck: speakerdeck.com/barnbarn
> Etsy: Careers <--- CodeAsCraft <--- our blog