devseccon asia 2017 shannon lietz: security is shifting left

Join the conversation #devseccon Security is Shifting Left Shannon Lietz @devsecops

Upload: devseccon-limited

Post on 19-Mar-2017


Category: Presentations & Public Speaking


TRANSCRIPT

Join the conversation #devseccon

Security is Shifting Left

Shannon Lietz @devsecops

Take Responsibility. Give Credit.

@seniorstoryteller

<me /> timeline: 1984 1989 1996 2001 2011 PRESENT

DEVELOPER · OPERATIONS · SECURITY · “RUGGED” · “DEVSECOPS”

-- FOUNDER --

SAFER SOFTWARE SOONER

https://www.flickr.com/photos/mjhagen/2973212926

Unicorns suck!!!!

What is happening in the world?

Software is eating the world!!!

http://www.wsj.com/articles/SB10001424053111903480904576512250915629460

- Marc Andreessen, 2011

DevOps is eating the world!!!

• Imagine solving the world’s problems faster by collaborating and taking responsibility.

• In connection with Cloud Computing, DevOps is the cultural enabler needed to scale creativity and innovation.

• With the goal of solving customer problems faster, no wonder DevOps is taking over.

~1500% increase in 2 years

Cloud is eating the world!!!

• Public Cloud adoption is accelerating at a rapid pace…

• Software defined environments allow scale to happen and more decisions to be made daily…

• More people can experiment, learn and fail at a rapid pace to solve for customer demand….

• Creativity is the next frontier…

http://www.geekwire.com/2016/study-aws-45-share-public-cloud-infrastructure-market-microsoft-google-ibm-combined/

Security is blocking the world!!! <- Say What???

“THIS IS THE END OF SECURITY AS WE KNOW IT… AND ISN’T IT A GOOD THING!” - Josh Corman

@petecheslock

Where is Security headed?

How do we change to avoid extinction?

Traditional Security

Security is Everyone’s Responsibility

DEVSECOPS

No really, here’s what is happening…

[Map slide: value chain (customer at the top, visible down to invisible) plotted against evolution (genesis, custom-built, product (+rental), commodity (+utility)); bands labelled emerging, growth and commodity bound.]

Components plotted: customer, informational website, domain names, web app, search engine, mobile, cloud, compute, agile, traditional SDLC, traditional security, penetration testing, red team, customer-driven innovation, continuous integration, continuous deployment, devops, devsecops, security as code, compliance as code, compliance, transparent security, rugged software, fewer better suppliers

Catching up takes commitment

What is DevSecOps?

IS
• A Mindset and Holistic Approach
• A Collection of Processes & Tools
• A Means of Building Security and Compliance into Software
• A Community Driven Effort
• A Strategy Driven by Learning and Experiments

IS NOT
• A One-Size-Fits-All Approach
• A Single Tool or Method
• Just a means of adding Security into Continuous Delivery
• Invented by Vendors
• A Strategy Driven by Perfection and Compliance

DevSecOps is the practice of developing safer software sooner by involving all needed parties in the creative process and practicing continuous improvement from high fidelity actionable feedback with context.

Shares concepts with Rugged Software, Rugged DevOps, SecDevOps, DevOpsSec, DevOps

How does DevSecOps operate?

DevSecOps

Security Engineering: Experiment, Automate, Test

Security Operations: Hunt, Detect, Contain

Compliance Operations: Respond, Manage, Train

Security Science: Learn, Measure, Forecast

How hard could it be?

[Pipeline slide: Source Code, CI Server, Test & Scan, Artifacts, Deploy, Monitoring]

DevOps Code - Creating Value & Availability

DevSecOps Code - Creating Trust & Confidence


What type of skills are required?

[Skills matrix: for each of Developer, Sys Admin and Security Engineer, the Dev, Sec and Ops areas are rated on a legend of competency needed, skill and functional.]

Is everyone bought in?

• Management has some firm requirements due to financial commitments and reporting

• DevOps and Innovation can easily live in 3 out of 4 boxes but hardly like Control

• Security practitioners tend to write policies and distrust everyone not them; rightfully so, 1% insider threat is a lot!

[Culture quadrant: CONTROL, COLLABORATION, CULTIVATION, COMPETENCE; axes people vs. company and reality vs. possibility.]

Is there a playbook?

Operating Model
• Determine defect and feature flows for Security to funnel to distributed teams
• Inventory work processes, guidelines, policies, experiments, data and tools
• Identify groups, roles and skills required to support processes
• Identify friction and measure speed of MTTR
• Identify types of decisions
• Identify metrics for measuring experiments and adapting processes

Processes
• Implement Code & Infrastructure Guidelines
• Implement Rules Engineering Processes
• Implement Security Defect Reporting
• Implement Consulting and Requests Process
• Implement Infrastructure Templates
• Implement Red Team & SOC Processes
• Implement Manual Staging Processes
• Implement a Decisions Process
• Implement an Escalation Process with clear stakeholders

Tooling
• All systems should be run with API inspection available via a Security Fabric. (Systems without inspection require manual intervention.)
• Implement Security Portal for feedback consolidation across security processes
• Implement Case Management for Requests, Defects, and Incidents
• Implement Testing framework
• Implement Correlation engine
• Implement foundational security controls
• Integrate with core organizational systems

Outcomes
• n number of experiments to refine processes and automate where possible
• Identified opportunities to develop capacity without increasing risk to too high a level
• Inventory provides information for Decisions board to help with risk decisions
• Decisions board with clear escalation path by type of decision
• Ability to Communicate and Train on initial processes
• Consistent Ins/Outs of Dynamic Work with standard templates
• SDE helps with reducing manual efforts
• Ability to build up capacity for Stage Two

Expected Issues: Communication changes, adaptation of skills, decisions processes, expectations, audits and risk guidelines mismatch

Can you give me an example of the difference?

API KEY EXPOSURE -> 8 HRS

DEFAULT CONFIGS -> 24 HRS

SECURITY GROUPS -> 24 HRS

ESCALATION OF PRIVS -> 5 D

KNOWN VULN -> 8 HRS
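As an added example (not from the talk or the speaker), here is how a team could operationalise the remediation targets on this slide together with the playbook's "measure speed of MTTR" and "Security Defect Reporting" items: a small Python defect register that computes MTTR per defect class and flags SLA breaches, counting still-open defects as running. The class names and targets are the slide's; the sample records, the reading of "5 D" as five days, and the function names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Remediation targets from the slide (defect class -> time to fix).
# Reading "5 D" as five days is an assumption; class names are the slide's.
SLA = {
    "API KEY EXPOSURE": timedelta(hours=8),
    "DEFAULT CONFIGS": timedelta(hours=24),
    "SECURITY GROUPS": timedelta(hours=24),
    "ESCALATION OF PRIVS": timedelta(days=5),
    "KNOWN VULN": timedelta(hours=8),
}

@dataclass
class Defect:
    defect_id: str
    kind: str
    detected: datetime
    resolved: Optional[datetime] = None  # None = still open

def age(d: Defect, now: datetime) -> timedelta:
    """Time from detection to resolution, or to 'now' if still open."""
    return (d.resolved or now) - d.detected

def mttr_by_class(defects, now):
    """Mean time to resolve per defect class (open defects keep accruing time)."""
    totals, counts = {}, {}
    for d in defects:
        totals[d.kind] = totals.get(d.kind, timedelta()) + age(d, now)
        counts[d.kind] = counts.get(d.kind, 0) + 1
    return {k: totals[k] / counts[k] for k in totals}

def sla_breaches(defects, now):
    """IDs of defects older than their class target: closed late or still open."""
    return [d.defect_id for d in defects if age(d, now) > SLA[d.kind]]

# Constructed sample register (hypothetical records, not real incidents).
T0 = datetime(2017, 3, 19, 9, 0)
SAMPLE = [
    Defect("D-1", "API KEY EXPOSURE", T0, T0 + timedelta(hours=3)),
    Defect("D-2", "API KEY EXPOSURE", T0, T0 + timedelta(hours=11)),
    Defect("D-3", "DEFAULT CONFIGS", T0, T0 + timedelta(hours=20)),
    Defect("D-4", "ESCALATION OF PRIVS", T0),                     # still open
    Defect("D-5", "KNOWN VULN", T0 + timedelta(hours=1)),         # still open
]
NOW = T0 + timedelta(days=6)

if __name__ == "__main__":
    print(mttr_by_class(SAMPLE, NOW), sla_breaches(SAMPLE, NOW))
```

With the sample data, D-2 is closed late, and D-4 and D-5 are open past their targets, so the breach list is what a security portal or case-management queue would surface for escalation.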

What’s the best way to organize around it?

Is there a way to simplify this to shift left?

Everyone knows Maslow… If you can remember 5 things, remember these:

“Apps & data are as safe as where you put it, what’s in it, how you inspect it, who talks to it, and how it’s protected…”


Experiments and heroes are welcome!

• Experiments and sharing have the ability to help everyone in the community

• There are many heroes popping up in DevSecOps

• It’s our time to change what none of us liked before.

• There may never be a better time in the next 20+ years to achieve safer software sooner…

A. Member superman vs. egg @ Pickit


Isn’t it time to upgrade our “cats” too?

P. Svangren @ Pickit; https://www.flickr.com/photos/mjhagen/2973212926


With everyone participating, we can change the world!

Stock Unlimited 1515599 @ Pickit


Join us…


• Get involved.
• Write an article.
• Give and take feedback.
• Contribute to Open Source.
• Give feedback.
• Volunteer.