
Something, something DevSecOps

August 03, 2016


Ask 3 people what DevOps is and you'll get 10 answers. Ask them what DevSecOps is and you'll get 100 answers. Or perhaps a blank stare. In this talk we take a practical look at how Security fits into the DevOps world, and how you can help Security adapt and work with you rather than against you.


  1. Something, something DevSecOps Fraser Scott @zeroXten

  2. cat <<EOF > about.txt
     * Senior Cloud SecOps Engineer at Capital One
     * NOC engineer -> Build engineer -> Sysadmin -> “DevOps” -> Cloud Security
     * 13+ years of this stuff
     * Bash / Perl / PHP / Python / Ruby / Go + other
     * https://pki.io and http://threatspec.org
     * aka zeroXten pretty much everywhere
     EOF
  3. DevOps = Dev + Ops

  4. None
  5. https://sg.finance.yahoo.com/news/5-kinds-credit-card-fraud-160000625.html

  6. Culture, Automation, Lean, Measurement, Sharing

  7. A view from InfoSec

  8. None
  9. None
  10. http://www.orcaconfig.com/devops-security-change-control/

  11. None
  12. Regulation, Compliance, Audits http://www.doggyoffice.com/daycare/

  13. • Defense in depth
      • Principle of least privilege
      • Separation of duty
      • Whitelists (or why signatures suck)
      • Weakest link
  14. DevOps + Security aka DevOpsSec, DevOpSec, SecDevOps, Rugged DevOps, /(?=.sec)(?=.dev)(?=.ops)/i

  15. Where we want to be http://www.heapsoffun.com/cats-and-dogs-helping-each-other_1594.html

  16. Where DevOps and Security clash
      • DevOps can be like coffee - do stupid things faster
      • Features vs Availability vs Vulnerability
      • Most InfoSec tools don’t scale
      • Manual all the things
  17. What DevOps can bring to Security
      • Reliability and consistency
      • Fast deployments => Fast patching
      • Documentation
      • Continuous .*
  18. Doing Security
      • Hardening
      • Continuous security testing (BDD-Security)
      • Threat Modelling (Irius Risk, ThreatSpec)
  19. Code / Build / Deploy: SCM, Peer review, Lint, Unit tests, Integration tests, Asset repo, Dependency management, IaaS, PaaS, Monitoring, Threat modelling, Static analysis, Continuous security testing, Code signing, Supply chain, Fuzzing, Patching, Hardening, Cloud Security, Forensics, Security monitoring
  20. Help security help you

  21. $ git init

  22. Threat Modelling
      • Read Threat Modeling: Designing for Security by Adam Shostack
      • Talk to your security team early in the project lifecycle
      • Talk to your security team early in the project lifecycle .. seriously —-—^
      • Document design decisions and their security implications
      • Ask your security team to peer review security critical code changes
  23. Loss of availability is a best case scenario for a security incident
  24. CI / CD / CS?

  25. Conclusion

  26. Do something today
      • Chat with security
      • Harden something
      • Read something different tomorrow