Something, something DevSecOps

Transcript

1. Something, something DevSecOps Fraser Scott @zeroXten

2. cat <<EOF > about.txt * Senior Cloud SecOps Engineer at

   Capital One * NOC engineer -> Build engineer -> Sysadmin -> “DevOps” -> Cloud Security * 13+ years of this stuff * Bash / Perl / PHP / Python / Ruby / Go + other * https://pki.io and http://threatspec.org * aka zeroXten pretty much everywhere EOF

3. DevOps = Dev + Ops

4. None

5. https://sg.finance.yahoo.com/news/5-kinds-credit-card-fraud-160000625.html

6. Culture Automation Lean Measurement Sharing

7. A view from InfoSec

8. None
9. None

10. http://www.orcaconfig.com/devops-security-change-control/

11. None

12. Regulation Compliance Audits http://www.doggyoffice.com/daycare/

13. •Defense in depth •Principle of least privilege •Separation of duty

    •Whitelists (or why signatures suck) •Weakest link

14. DevOps + Security aka DevOpsSec DevOpSec SecDevOps Rugged DevOps /(?=.sec)(?=.dev)(?=.ops)/i

15. Where we want to be http://www.heapsoffun.com/cats-and-dogs-helping-each-other_1594.html

16. Where DevOps and Security clash • DevOps can be like

    coffee - do stupid things faster • Features vs Availability vs Vulnerability • Most InfoSec tools don’t scale • Manual all the things

17. What DevOps can bring to Security • Reliability and consistency

    • Fast deployments => Fast patching • Documentation • Continuous .*

18. Doing Security • Hardening • Continuous security testing (BDD-Security) •

    Threat Modelling (Irius Risk, ThreatSpec)

19. Code Build Deploy SCM Peer review Lint Unit tests Integration

    tests Asset repo Dependency management IaaS PaaS Monitoring Threat modelling Static analysis Continuous security testing Code signing Supply chain Fuzzing Patching Hardening Cloud Security Forensics Security monitoring

20. Help security help you

21. $ git init

22. Threat Modelling • Read Threat Modeling: Designing for Security by

    Adam Shostack • Talk to your security team early in the project lifecycle • Talk to your security team early in the project lifecycle .. seriously —-—^ • Document design decisions and their security implications • Ask your security team to peer review security critical code changes

23. Loss of availability is a best case scenario for a

    security incident

24. CI / CD / CS?

25. Conclusion

26. Do something today • Chat with security • Harden something

    • Read something different tomorrow