tao of security science


Upload: devseccon-limited

Post on 13-Apr-2017

TRANSCRIPT

PowerPoint Presentation

DevSecOps - The Tao of Security Science
Scott C. Kennedy - Security Scientist
Cloud Security Team - Intuit

LONDON 2015 - Join the conversation #devseccon

With DevSecOps, a Security Science mindset is a key component in being able to cut through the Fear, Uncertainty, and Doubt of security decisions and provide a science-based method to uncover insights, guide development, and develop policies that measurably change the overall security posture of your organization.

What is Tao?
- Not a name for a thing
- An underlying natural order of the universe
- Hard to grasp, easy to see

道 = radical 辶 (go forward/walk/walking) + 首 (head)

Loosely understood as a concept of:
- A road, way, path, or route: the way one goes somewhere
- Or a doctrine, principle: the way one does or believes something

All quotes used in this text box are from The Complete Tao Te Ching Translated by Gia-fu Feng and Jane English, Vintage Books, 1989

Tao or Dao is a Chinese concept signifying 'way', 'path', 'route', or sometimes more loosely, 'doctrine' or 'principle'. Within the context of traditional Chinese philosophy and religion, the Tao is the intuitive knowing of "life": that which cannot be grasped fully as a mere concept, but is known nonetheless through the actual lived experience of one's everyday being.

[Dao] means a road, path, way; and hence, the way in which one does something; method, doctrine, principle


Examples of Tao

"Nature does not hurry, yet everything is accomplished." - Lao Tzu

What does that mean? It's like growing older:
- Everyone does it.
- It's hard to understand how it happens.
- Yet it feels natural.

In dealing with others, be gentle and kind. In speech, be true. In ruling, be just. In daily life, be competent. In action, be aware of the time and the season. No fight: No blame. - Tao Te Ching (chapter 48)

How to relate to IT/Security?

The world is ruled by letting things take their course, it cannot be ruled by interfering. - Tao Te Ching (chapter 48)

Which works better? DevSecOps

Nothing is more soft and yielding than water, yet for attacking the solid and the strong, nothing is better. - Tao Te Ching (chapter 78)


The Innovation Race

Start-ups vs. Enterprises

- Security: "Did you see something fly by?"
- Security: "If only they'd engage us sooner."
- "Sigh... by the time I get to the finish line, I have to start all over again."
- "Hope nothing catches up with us."

The softest thing in the universe, Overcomes the hardest thing in the universe. - Tao Te Ching (chapter 43)

The Arts/Wushu of DevSecOps

Empty yourself of everything. Let the mind become still. The ten thousand things rise and fall while the Self watches their return. They grow and flourish and then return to the source. - Tao Te Ching (chapter 78)

[Shannon]


Security Science? From F.U.D. to facts.

Science is a fact-based examination:
- Theories established
- Testable against real data
- Revised and retested as the landscape changes

Question -> Hypotheses -> Experiment -> Analyze -> Repeat

Answers simple questions.

Knowing ignorance is strength; ignoring knowledge is sickness. - Tao Te Ching (chapter 71)


Examples of Security Science

What is your password policy?
- With an attacker with a budget of $10,000, we ought to set our minimum length to 12 characters if we rotate our passwords every 90 days.

How frequently do you need to patch/restack?
- With the Amazon RHEL image, it's every 5.3 days.
- With our base RHEL image, it's 10.5 days.

Minimum length of password vs. algorithm used?
- MD5 = 19 characters
- SHA-512 = 11 characters
- Bcrypt = 8 characters

The truly great man dwells on what is real and not what is on the surface. - Tao Te Ching (chapter 38)
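The password-policy slide is the kind of answer a cost model produces: fix the attacker's budget and the rotation window, estimate how many guesses that buys against each hash algorithm, and pick the shortest length whose keyspace the attacker cannot expect to cover before the password rotates. The block below is an added illustration of that reasoning, not the speaker's model or Intuit's numbers. The guesses-per-second-per-dollar figures for MD5, SHA-512 and bcrypt are constructed assumptions chosen to show the shape of the calculation, so the lengths it prints differ from the 19/11/8 on the slide; the function names are ours.

```python
"""Minimum password length from an attacker-cost model (added example, constructed figures)."""

# Constructed assumptions: guesses per second that one dollar of attacker
# hardware buys against each algorithm. Real figures depend on the hardware
# generation and on the bcrypt cost factor; these are placeholders for the
# shape of the model, not benchmarks.
GUESSES_PER_SEC_PER_USD = {
    "md5": 10_000_000,
    "sha512": 1_000_000,
    "bcrypt": 10,
}

PRINTABLE_ASCII = 95  # size of the character set the policy allows

SECONDS_PER_DAY = 86_400


def attacker_guesses(budget_usd, rotation_days, guesses_per_sec_per_usd):
    """Total guesses an attacker can make by spending the whole budget on
    hardware and running it for the entire rotation window."""
    return budget_usd * guesses_per_sec_per_usd * rotation_days * SECONDS_PER_DAY


def min_password_length(budget_usd, rotation_days, guesses_per_sec_per_usd,
                        charset_size=PRINTABLE_ASCII):
    """Smallest length L such that the expected brute-force effort
    (half the keyspace, charset^L / 2) exceeds what the attacker can afford
    before the password is rotated.  Integer arithmetic keeps the boundary
    exact for large keyspaces."""
    threshold = 2 * attacker_guesses(budget_usd, rotation_days, guesses_per_sec_per_usd)
    length = 0
    while charset_size ** length <= threshold:
        length += 1
    return length


def days_to_exhaust(length, budget_usd, guesses_per_sec_per_usd,
                    charset_size=PRINTABLE_ASCII):
    """Expected days for the attacker to find a length-L password by brute
    force (half the keyspace) with the given budget; compare against the
    rotation period to see how much margin a policy leaves."""
    expected_guesses = charset_size ** length / 2
    guesses_per_day = budget_usd * guesses_per_sec_per_usd * SECONDS_PER_DAY
    return expected_guesses / guesses_per_day


def policy_table(budget_usd, rotation_days, rates=GUESSES_PER_SEC_PER_USD):
    """Minimum length per algorithm for one budget/rotation pair."""
    return {algo: min_password_length(budget_usd, rotation_days, rate)
            for algo, rate in rates.items()}


if __name__ == "__main__":
    budget, rotation = 10_000, 90
    for algo, length in policy_table(budget, rotation).items():
        margin = days_to_exhaust(length, budget, GUESSES_PER_SEC_PER_USD[algo])
        print(f"{algo:7s} min length {length:2d} "
              f"(expected crack time {margin:,.0f} days vs {rotation}-day rotation)")
```

The useful property of the loop is that it is monotone in both inputs: a larger budget or a longer rotation window can only raise the minimum length, and a slower hash can only lower it, which is exactly the trade-off the slide's three algorithm figures express. Swapping the constructed rates for measured ones from your own cracking rig turns the example into a policy you can defend with data.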


How to start Security Science?
- Look at your company. What questions need answers?
- Theorize a solution. How do you think to solve this?
- Gather data to investigate. What sources do you need? What are you missing? How do you get it?
- Analyze data to confirm/dispute. Was your assumption correct?

Perseverance is a sign of will power. He who stays where he is endures. - Tao Te Ching (chapter 33)


Phishing ourselves taught us
- We phished our own security team at Intuit.
- Had a very well crafted phish to mimic internal processes.
- Achieved a 54% click-through rate.
- Women are 25% more likely than men to click.
- 1/3 tested will click on a link, access a site and enter details even when they suspect it is suspicious.
- Existing security awareness/phishing training campaigns did not prevent this.

In caring for others and serving heaven, There is nothing like using restraint. Restraint begins with giving up one's own ideas. - Tao Te Ching (chapter 59)
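The four-step method (question, hypothesis, gather data, analyze to confirm or dispute) and the self-phishing slide fit together as one worked experiment: the hypothesis "our awareness training keeps click-through under 10%" is tested against campaign data, and the analysis reports the rate, a confidence interval, the per-group comparison, and whether the hypothesis survives. The block below is an added example of that analysis and is not Intuit's campaign code or data; the recipients are constructed in build_campaign, the group labels "A"/"B" and the 10% threshold are assumptions, and the click and submission counts were picked to be easy to check by hand rather than to reproduce the slide's figures.

```python
"""Analyzing a self-phishing experiment (added example; constructed data)."""
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Recipient:
    group: str        # cohort label, e.g. team or demographic bucket (assumed)
    clicked: bool     # opened the link in the phish
    submitted: bool   # entered details on the landing page


def build_campaign():
    """Constructed campaign results: 50 recipients in two cohorts.
    Cohort A: 20 recipients, 12 clicked, 5 of those submitted details.
    Cohort B: 30 recipients, 15 clicked, 5 of those submitted details.
    Not real results; chosen so the arithmetic is easy to verify."""
    rows = []
    for group, n, clicks, submits in (("A", 20, 12, 5), ("B", 30, 15, 5)):
        for i in range(n):
            clicked = i < clicks
            rows.append(Recipient(group, clicked, clicked and i < submits))
    return rows


def wilson_interval(successes, n, z=1.96):
    """Wilson score interval for a binomial proportion. Unlike the naive
    p +/- z*sqrt(p(1-p)/n) it stays inside [0, 1] and behaves sensibly for
    the small samples a single phishing wave produces."""
    if n == 0:
        return (0.0, 0.0)
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (centre - half, centre + half)


def click_rate(rows):
    return sum(r.clicked for r in rows) / len(rows) if rows else 0.0


def analyze(rows, hypothesis_max_rate):
    """Step 4 of the method: compute the observed rates and decide whether
    the data disputes the hypothesis that the click rate is at most
    hypothesis_max_rate.  The hypothesis is rejected when the whole 95%
    interval lies above the threshold, i.e. the observed rate is not
    plausibly explained by sampling noise."""
    n = len(rows)
    clicks = sum(r.clicked for r in rows)
    clickers = [r for r in rows if r.clicked]
    groups = sorted({r.group for r in rows})
    group_rates = {g: click_rate([r for r in rows if r.group == g]) for g in groups}
    lo, hi = wilson_interval(clicks, n)
    return {
        "n": n,
        "click_rate": clicks / n,
        "ci95": (lo, hi),
        "group_rates": group_rates,
        # relative likelihood of clicking, first cohort versus second
        "relative_risk_A_vs_B": group_rates[groups[0]] / group_rates[groups[1]],
        "submit_rate_among_clickers": (sum(r.submitted for r in clickers) / len(clickers)
                                      if clickers else 0.0),
        "hypothesis_rejected": lo > hypothesis_max_rate,
    }


if __name__ == "__main__":
    result = analyze(build_campaign(), hypothesis_max_rate=0.10)
    lo, hi = result["ci95"]
    print(f"click-through {result['click_rate']:.0%} (95% CI {lo:.0%}-{hi:.0%})")
    print(f"cohort rates {result['group_rates']}, "
          f"A vs B relative risk {result['relative_risk_A_vs_B']:.2f}")
    print("hypothesis 'training keeps clicks under 10%' rejected:",
          result["hypothesis_rejected"])
```

The decision rule is deliberately conservative: a high observed rate on a handful of recipients is not evidence against the training until the interval's lower bound clears the threshold, which is the "revised and retested" discipline the Security Science slide asks for. The relative-risk figure is how a statement like "25% more likely to click" is derived from raw counts, and the same interval should be put around it before acting on it.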

Where can we use more Science?

Knowing others is wisdom; Knowing the self is enlightenment. Mastering others requires force; Mastering the self needs strength. He who knows he has enough is rich. - Tao Te Ching (chapter 33)


Ways to move the needle
- Scoring/Grades are powerful motivators.
- Allows the Dev leader to drill down to answer: Why am I failing? Where am I using that?

Note: This is an A-level grade, not GCSE.

A man is born gentle and weak; at his death he is hard and stiff. Green plants are tender and filled with sap; at their death they are withered and dry. Therefore, the stiff and unbending is a disciple of death; the gentle and yielding is a disciple of life. - Tao Te Ching (chapter 76)


Use models to improve others
- How do the decisions I make affect my grading scores?
- How frequently do I have to restack?
- What is the impact of package choices? Ruby or Python? MySQL or Postgres? Apache or Nginx?

The farther you go, the less you know. Thus the sage knows without traveling; He sees without looking; He works without doing. - Tao Te Ching (chapter 47)


The Innovation Race redux

Start-ups vs. Enterprises

- "Whoa, what happened to my advantage?"
- "Woohoo!!! Now we're innovating at speed!!"

If I have even just a little sense, I will walk on the main road and my only fear will be of straying from it. - Tao Te Ching (chapter 53)


Thank you.

For more information:
- DevSecOps.org
- linkedin.com/grp/home?gid=6817408
- github.com/devsecops
- twitter.com/devsecops

terebess.hu/english/tao/gia.html
