Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Something, something DevSecOps

zeroXten
August 03, 2016
Technology
1
500

Something, something DevSecOps

Ask 3 people what DevOps is and you'll get 10 answers. Ask them what DevSecOps is and you'll get 100 answers. Or perhaps a blank stare. In this talk we take a practical look at how Security fits into the DevOps world, and how you can help Security adapt and work with you rather than against you.

zeroXten

August 03, 2016
Tweet

More Decks by zeroXten

See All by zeroXten
Threat Modeling: The Ultimate DevSecOps
zeroxten
0
3k
Cloudy with a chance of threat models
zeroxten
0
570
Epic Battle: DevOps vs Security
zeroxten
0
1k
An experiment in Agile Threat Modelling
zeroxten
0
380
Privacy Through Choice
zeroxten
0
250

Other Decks in Technology

See All in Technology
20250116_JAWS_Osaka
takuyay0ne
2
200
Accessibility Inspectorを活用した アプリのアクセシビリティ向上方法
hinakko
0
180
今から、 今だからこそ始める Terraform で Azure 管理 / Managing Azure with Terraform: The Perfect Time to Start
nnstt1
0
220
CDKのコードレビューを楽にするパッケージcdk-mentorを作ってみた/cdk-mentor
tomoki10
0
210
なぜfreeeはハブ・アンド・スポーク型の データメッシュアーキテクチャにチャレンジするのか?
shinichiro_joya
2
440
Evolving Architecture
rainerhahnekamp
3
250
完全自律型AIエージェントとAgentic Workflow〜ワークフロー構築という現実解
pharma_x_tech
0
340
Bring Your Own Container: When Containers Turn the Key to EDR Bypass/byoc-avtokyo2024
tkmru
0
850
【NGK2025S】動物園(PINTO_model_zoo)に遊びに行こう
kazuhitotakahashi
0
220
データ基盤におけるIaCの重要性とその運用
mtpooh
4
490
新しいスケーリング則と学習理論
taiji_suzuki
10
3.8k
PaaSの歴史と、 アプリケーションプラットフォームのこれから
jacopen
7
1.4k

Featured

See All Featured
No one is an island. Learnings from fostering a developers community.
thoeni
19
3.1k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
Building Applications with DynamoDB
mza
93
6.2k
Facilitating Awesome Meetings
lara
51
6.2k
Learning to Love Humans: Emotional Interface Design
aarron
274
40k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
192
16k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
127
18k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
28
4.5k
Fireside Chat
paigeccino
34
3.1k
RailsConf 2023
tenderlove
29
970
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
1.2k

Transcript

  1. Something, something DevSecOps Fraser Scott @zeroXten

  2. cat <<EOF > about.txt * Senior Cloud SecOps Engineer at

    Capital One * NOC engineer -> Build engineer -> Sysadmin -> “DevOps” -> Cloud Security * 13+ years of this stuff * Bash / Perl / PHP / Python / Ruby / Go + other * https://pki.io and http://threatspec.org * aka zeroXten pretty much everywhere EOF

  3. DevOps = Dev + Ops

  4. None

  5. https://sg.finance.yahoo.com/news/5-kinds-credit-card-fraud-160000625.html

  6. Culture Automation Lean Measurement Sharing

  7. A view from InfoSec

  8. None
  9. None

  10. http://www.orcaconfig.com/devops-security-change-control/

  11. None

  12. Regulation Compliance Audits http://www.doggyoffice.com/daycare/

  13. •Defense in depth •Principle of least privilege •Separation of duty

    •Whitelists (or why signatures suck) •Weakest link

  14. DevOps + Security aka DevOpsSec DevOpSec SecDevOps Rugged DevOps /(?=.sec)(?=.dev)(?=.ops)/i

  15. Where we want to be http://www.heapsoffun.com/cats-and-dogs-helping-each-other_1594.html

  16. Where DevOps and Security clash • DevOps can be like

    coffee - do stupid things faster • Features vs Availability vs Vulnerability • Most InfoSec tools don’t scale • Manual all the things

  17. What DevOps can bring to Security • Reliability and consistency

    • Fast deployments => Fast patching • Documentation • Continuous .*

  18. Doing Security • Hardening • Continuous security testing (BDD-Security) •

    Threat Modelling (Irius Risk, ThreatSpec)

  19. Code Build Deploy SCM Peer review Lint Unit tests Integration

    tests Asset repo Dependency management IaaS PaaS Monitoring Threat modelling Static analysis Continuous security testing Code signing Supply chain Fuzzing Patching Hardening Cloud Security Forensics Security monitoring

  20. Help security help you

  21. $ git init

  22. Threat Modelling • Read Threat Modeling: Designing for Security by

    Adam Shostack • Talk to your security team early in the project lifecycle • Talk to your security team early in the project lifecycle .. seriously —-—^ • Document design decisions and their security implications • Ask your security team to peer review security critical code changes

  23. Loss of availability is a best case scenario for a

    security incident

  24. CI / CD / CS?

  25. Conclusion

  26. Do something today • Chat with security • Harden something

    • Read something different tomorrow