Take Responsibility.Give Credit.
@seniorstoryteller
<me />1984 1989 1996 2001 2011
DEVELOPER
OPERATIONS“DEVSECOPS”
“RUGGED”
SECURITY
PRESENT
-- FOUNDER --
SAFER SOFTWARE
SOONER
Software is eating the world!!!
http://www.wsj.com/articles/SB10001424053111903480904576512250915629460
-Mark Andreessen, 2011
DevOps is eating the world!!!• Imagine solving the world’s
problems faster by collaborating and taking responsibility.
• In connection with Cloud Computing, DevOps is the cultural enabler needed to scale creativity and innovation.
• With the goal of solving customer problems faster, no wonder DevOps is taking over.
~1500% increase In 2 years
Cloud is eating the world!!!• Public Cloud adoption is
accelerating at a rapid pace…• Software defined
environments allow scale to happen and more decisions to be made daily…
• More people can experiment, learn and fail at a rapid pace to solve for customer demand….
• Creativity is the next frontier…
http://www.geekwire.com/2016/study-aws-45-share-public-cloud-infrastructure-market-microsoft-google-ibm-combined/
Security is blocking the world!!! <- Say What???
“THIS IS THE END OF SECURITY AS WE KNOW IT… AND ISN’T IT A GOOD THING!”-Josh Corman
@petecheslock
How do we change to avoid extinction?
Traditional Security
Security isEveryone’s
Responsibility
DEVSECOPS
No really, here’s what is happening…
evolution
value
compliance
genesis
customer
custom-built
product(+rental)
commodity(+utility)
devsecops
visible
invisible compute
cloud
compliance as code
informational website
domain names
devopscontinuous deployment
continuous integration
transparent security
rugged software
fewer better suppliers
security as code
agile
mobile
customer-driveninnovation
traditionalSDLC
traditionalsecurity
web appsearch engine
red team
penetrationtesting
commodity boundgrowthemerging
Catching up takes commitment
What is DevSecOps?
IS• A Mindset and Holistic Approach• A Collection of Processes & Tools• A Means of Building Security and
Compliance into Software• A Community Driven Effort• A Strategy Driven by Learning and
Experiments
IS NOT• A One-Size-Fits-All Approach• A Single Tool or Method• Just a means of adding Security into Continuous
Delivery• Invented by Vendors• A Strategy Driven by Perfection and Compliance
DevSecOps is the practice of developing safer software sooner by involving all needed parties in the creative process and practicing continuous improvement from high fidelity actionable feedback with context.
Shares concepts with Rugged Software, Rugged DevOps, SecDevOps, DevOpsSec, DevOps
How does DevSecOps operate?
DevSecOps
Security Engineering
Experiment, Automate, Test
Security Operations
Hunt, Detect, Contain
Compliance Operations
Respond, Manage, Train
Security Science
Learn, Measure, Forecast
How hard could it be?
SourceCode CI Server Artifacts MonitoringDeployTest & Scan
DevOps Code - Creating Value & Availability
DevSecOps Code - Creating Trust & Confidence
15
What type of skills are required?
Dev Sec Ops Dev Sec Ops Dev Sec Ops
Developer Sys Admin Security Engineer
competencyneeded skill; functional
Is everyone bought in? • Management has some
firm requirements due to financial commitments and reporting
• DevOps and Innovation can easily live in 3 out of 4 boxes but hardly like Control
• Security practitioners tend to write policies and distrust everyone not them; rightfully so, 1% insider threat is a lot!
CONTROLCOLLABORATION
CULTIVATION COMPETENCE
people company
reality
possibility
Is there a playbook?
• Determine defect and feature flows for Security to funnel to distributed teams
• Inventory work processes, guidelines, policies, experiments, data and tools
• Identify groups, roles and skills required to support processes
• Identify friction and measure speed of MTTR
• Identify types of decisions• Identify metrics for measuring
experiments and adapting processes
• Implement Code & Infrastructure Guidelines• Implement Rules Engineering Processes• Implement Security Defect Reporting • Implement Consulting and Requests Process• Implement Infrastructure Templates• Implement Red Team & SOC Processes• Implement Manual Staging Processes• Implement a Decisions Process • Implement an Escalation Process with clear
stakeholders
• All systems should be run with API inspection available via a Security Fabric. (Systems without inspection require manual intervention.)
• Implement Security Portal for feedback consolidation across security processes
• Implement Case Management for Requests, Defects, and Incidents
• Implement Testing framework• Implement Correlation engine• Implement foundational security controls• Integrate with core organizational systems
Operating Model Processes Tooling
n number of experiments to refine processes and automate where possible
• Identified opportunities to develop capacity without increasing risk to too high a level
• Inventory provides information for Decisions board to help with risk decisions
outcomes
• Decisions board with clear escalation path by type of decision
• Ability to Communicate and Train on initial processes
• Consistent Ins/Outs of Dynamic Work with standard templates
• SDE helps with reducing manual efforts• Ability to build up capacity for Stage Two
Expected Issues: Communication changes, adaptation of skills, decisions processes, expectations, audits and risk guidelines mismatch
Can you give me an example of the difference?
API KEY EXPOSURE -> 8 HRS
DEFAULT CONFIGS -> 24 HRS
SECURITY GROUPS -> 24 HRS
ESCALATION OF PRIVS -> 5 D
KNOWN VULN -> 8 HRS
Is there a way to simplify this to shift left?
Everyone knows Maslow…If you can remember 5 things, remember these ->
“Apps & data are as safe as where you put it, what’s in it, how you inspect it, who talks to it, and how its protected…”
21
Experiments and heroes are welcome!
• Experiments and sharing have the ability to help everyone in the community
• There are many heroes popping up in DevSecOps
• It’s our time to change what none of us liked before.
• There may never be a better time in the next 20+ years to achieve safer software sooner…
A. Member superman vs. egg @ Pickit
22
Isn’t it time to upgrade our ”cats” too?
P. Svangren @ Pickithttps://www.flickr.com/photos/mjhagen/2973212926