Something, something DevSecOps

498c20b8d93ee0ff7b071340f2a8fc90?s=47 zeroXten
August 03, 2016

Something, something DevSecOps

Ask 3 people what DevOps is and you'll get 10 answers. Ask them what DevSecOps is and you'll get 100 answers. Or perhaps a blank stare. In this talk we take a practical look at how Security fits into the DevOps world, and how you can help Security adapt and work with you rather than against you.

498c20b8d93ee0ff7b071340f2a8fc90?s=128

zeroXten

August 03, 2016
Tweet

Transcript

  1. 2.

    cat <<EOF > about.txt * Senior Cloud SecOps Engineer at

    Capital One * NOC engineer -> Build engineer -> Sysadmin -> “DevOps” -> Cloud Security * 13+ years of this stuff * Bash / Perl / PHP / Python / Ruby / Go + other * https://pki.io and http://threatspec.org * aka zeroXten pretty much everywhere EOF
  2. 4.
  3. 8.
  4. 9.
  5. 11.
  6. 13.

    •Defense in depth •Principle of least privilege •Separation of duty

    •Whitelists (or why signatures suck) •Weakest link
  7. 16.

    Where DevOps and Security clash • DevOps can be like

    coffee - do stupid things faster • Features vs Availability vs Vulnerability • Most InfoSec tools don’t scale • Manual all the things
  8. 17.

    What DevOps can bring to Security • Reliability and consistency

    • Fast deployments => Fast patching • Documentation • Continuous .*
  9. 19.

    Code Build Deploy SCM Peer review Lint Unit tests Integration

    tests Asset repo Dependency management IaaS PaaS Monitoring Threat modelling Static analysis Continuous security testing Code signing Supply chain Fuzzing Patching Hardening Cloud Security Forensics Security monitoring
  10. 22.

    Threat Modelling • Read Threat Modeling: Designing for Security by

    Adam Shostack • Talk to your security team early in the project lifecycle • Talk to your security team early in the project lifecycle .. seriously —-—^ • Document design decisions and their security implications • Ask your security team to peer review security critical code changes
  11. 26.