DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann
DESCRIPTION
How to create a constructive force field between DevOps engineers and hackers? NOTE: Slide 4 ('Vision on IT Security') has been altered in hindsight. For questions, please contact me directly: +316 457 61 857
TRANSCRIPT
![Page 1: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/1.jpg)
Lazy hackers who think out of the box, but stay in the box...
Freek Kauffmann
Security Consultant, ITQ S-Unit
![Page 2: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/2.jpg)
Lazy hackers who think out of the box, but stay in the box...
![Page 3: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/3.jpg)
Freek Kauffmann
• Nerd
• DevOps Engineer
• Security Consultant
• Business Developer
• Senior Coach
• Business Unit Manager
![Page 4: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/4.jpg)
Vision on IT security
• Defense → Offence
• Bolt on → Integrated
• Role → Team
• Awareness → DNA
![Page 5: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/5.jpg)
“Hackers” defined
• There are many definitions.
• “Hacking” defined for this presentation:
“Technical security specialists who are hired to apply their offensive mind-set to improve digital resilience.”
![Page 6: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/6.jpg)
Hackers & DevOps Engineers: similar
Animals of the same type:
• Highly skilled
• Highly creative
• Allergic to doing the same thing thrice, hence, lazy.
• Love complex problems
![Page 7: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/7.jpg)
| Testing | User acceptance | Development | Production |
|---------|-----------------|-------------|------------|
| 50%     | 30%             | 15%         | 5%         |
![Page 8: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/8.jpg)
Intrinsically improving security
Non-stop pentesting (infrastructure & application)

| Testing | User acceptance | Development | Production |
|---------|-----------------|-------------|------------|
| 50%     | 30%             | 15%         | 5%         |
![Page 9: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/9.jpg)
Intrinsically improving security
Non-stop pentesting (infrastructure & application)

| Testing | User acceptance | Development | Production |     |
|---------|-----------------|-------------|------------|-----|
| 50%     | 10%             | 9%          | 1%         | 30% |
![Page 10: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/10.jpg)
Intrinsically improving security
Non-stop pentesting (infrastructure & application)

| Testing | User acceptance | Development | Production | DevOps (Code review, Architecture review) |
|---------|-----------------|-------------|------------|-------------------------------------------|
| 50%     | 10%             | 9%          | 1%         | 30%                                       |
![Page 11: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/11.jpg)
Non-stop Offensive Security Monitoring
• Adding new tests continuously.
• Non-stop verification of previous findings.
• Executing security tests automatically at every commit.
• Integrated in continuous delivery tooling & processes.
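One way to turn "non-stop verification of previous findings" and "security tests at every commit" into something a pipeline can run. This is an added example, not code from the talk or from ITQ: the finding ids, the config under test and the checks are all constructed stand-ins; a real pipeline would load the deployed configuration from the repository and fail the build on a non-zero exit code.

```python
"""Re-verify earlier pentest findings on every commit (constructed example).
Each finding from a report becomes a regression check; a failing check means
the finding has come back and the pipeline should stop the deploy."""
import sys
from dataclasses import dataclass
from typing import Callable

# Constructed stand-in for the artefact under test: the config a commit deploys.
SAMPLE_CONFIG = {
    "debug": False,
    "tls_min_version": "1.2",
    "admin_allowed_cidrs": ["10.0.0.0/8"],
    "session_cookie_flags": {"Secure": True, "HttpOnly": True},
}


@dataclass(frozen=True)
class Finding:
    finding_id: str                # id from the original report (constructed here)
    title: str
    fixed: Callable[[dict], bool]  # returns True while the fix is still in place


# Registry of previous findings, each paired with the check that proves it stays fixed.
FINDINGS = [
    Finding("PT-0001", "Debug mode enabled in production",
            lambda c: c.get("debug") is False),
    Finding("PT-0002", "TLS 1.0 accepted",
            lambda c: tuple(int(x) for x in str(c.get("tls_min_version", "0")).split(".")) >= (1, 2)),
    Finding("PT-0003", "Admin interface reachable from any network",
            lambda c: "0.0.0.0/0" not in c.get("admin_allowed_cidrs", ["0.0.0.0/0"])),
    Finding("PT-0004", "Session cookie without Secure/HttpOnly",
            lambda c: all(c.get("session_cookie_flags", {}).get(f) for f in ("Secure", "HttpOnly"))),
]


def reverify(config: dict, findings=FINDINGS) -> list:
    """Return the ids of findings that have regressed (check failed or raised)."""
    regressed = []
    for f in findings:
        try:
            ok = bool(f.fixed(config))
        except Exception:  # a broken check counts as a regression, never as a pass
            ok = False
        if not ok:
            regressed.append(f.finding_id)
    return regressed


def ci_exit_code(config: dict) -> int:
    """0 lets the pipeline continue; 1 blocks the deploy."""
    return 0 if not reverify(config) else 1


if __name__ == "__main__":
    for fid in reverify(SAMPLE_CONFIG):
        print(f"REGRESSION {fid}")
    sys.exit(ci_exit_code(SAMPLE_CONFIG))
```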
![Page 12: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/12.jpg)
Less time spent on:
• Pre-sales from external suppliers
• Initiating projects
• Infrastructure pentesting
• Doing (boring) stuff manually
![Page 13: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/13.jpg)
Allows for:
• More time for fun creative work
• More time for application pentesting
• More time for automating security testing
• Saving cost
• Lowering operational risk
![Page 14: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/14.jpg)
Hackers & DevOps Engineers: similar, yet different
DevOps Team vs. Red Team
![Page 15: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/15.jpg)
Red Team
• Build to break
• Independent
• Hack to destroy
• Specialists (security)
• Outward focus (monitoring trends)
• Want root
![Page 16: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/16.jpg)
DevOps Team
• Build to last
• Interdependent
• Hack to create
• Generalists
• Inward focus (getting changes to production)
• Are root
![Page 17: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/17.jpg)
Think inside the box…
DevOps engineer
![Page 18: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/18.jpg)
Think out of the box…
DevOps engineer
Out of the box thinking
![Page 21: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/21.jpg)
Think out of the box…
DevOps engineer
Out of the box thinking
Back in the box
![Page 22: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/22.jpg)
But stay in the box!
• Technology
  – Using the same tooling
• Processes
  – Seamlessly joining in existing processes
• People
  – Close cooperation between builders & breakers
![Page 23: DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann](https://reader036.vdocuments.net/reader036/viewer/2022062514/558c221dd8b42ab12e8b461b/html5/thumbnails/23.jpg)
Questions?
Freek Kauffmann
ITQ S-Unit
+316 457 61 857