2016 - safely removing the last roadblock to continuous delivery
TRANSCRIPT
Slide 1
Intuit Confidential and Proprietary
Safely Removing the Last Roadblock to Continuous Delivery
Shannon Lietz, Director DevSecOps, Intuit, @devsecops
Slide 2
Thanks to Henrik Kniberg
When will you solve my problem?!! Can we discuss my feedback?
(Uh - seatbelts?)
A Traditional Supply Chain
Slide 3
Thanks to Henrik Kniberg
Awesome! When can I bring my kids with me? Does it come in red?
Can this be motorized to go faster and for longer trips?
Better than walking, for sure…but not by much...
A Customer Centric Supply Chain
Shifting left solves problems faster…
Slide 4
Google Trends
• Several years after the Agile Manifesto, DevOps.com was registered (2004)
• Google searches for “DevOps” started to rise in 2010
• Major influences:
– Saving your Infrastructure from DevOps / Chicago Tribune
– DevOps: A Culture Shift, Not a Technology / Information Week
– DevOps: A Sharder’s Tale from Etsy
– DevOps.com articles
• RuggedSoftware.org was registered in 2010
https://www.google.com/trends/
DEVOPS ROCKS!!!
Slide 5
Business strategy is achieved with the collaboration of all departments and
providers in service to the customer who requires better, faster, cheaper, secure
products and services.
What’s the Business benefit?
DID YOU SAY SECURE ??!!!
Slide 6
1. Manual processes & meeting culture
2. Point-in-time assessments
3. Friction for friction’s sake
4. Contextual misunderstandings
5. Decisions being made outside of value creation
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)...
So what hinders “secure” innovation @ speed & scale?
SECURITY IS LAST MINUTE
UNPLANNED, UNSCHEDULED
WORK… BUMMER!!!!
Slide 7
“This is the End of Security as We Know It...”
- Josh Corman
Slide 8
Traditional Security
Security is Everyone’s Responsibility
DEVSECOPS
It’s time to Culture Hack…
Slide 9
Compliance Operations
Security Operations
Security Science
Security Engineering
OPS / SEC / DEV
AppSec
How do we get started?
Slide 10
Secure Software Supply Chain
1. Gating processes are not Deming-like
2. Security is a design constraint
3. Decisions are made by engineering teams
4. It’s hard to avoid business catastrophes by applying one-size-fits-all strategies
5. Security defects are more like a security “recall”
design build deploy operate
How do I secure my app?
What component is secure enough?
How do I secure secrets
for the app?
Is my app getting attacked? How?
Typical gates for security
checks & balances
Mistakes and drift often happen after design and build phases that
result in weaknesses and potentially exploits
Most costly mistakes happen during design
Faster security feedback loop
Slide 11
Staffing Models
Typical Traditional Supply Chain Ratio: 100 Dev : 10 Ops : 1 Sec
DevOps Staffing: 15+ Teams
Governance
Slide 12
• Everyone knows Maslow…
• If you can remember 5 things, remember these ->
“Apps & data are as safe as where you put it, what’s in it, how you inspect it, who talks to it, and how it’s protected…”
Simplifying Security for the Masses
Slide 13
Reasonable Security was recently defined for California within the 2016 California Data Breach Report.
“The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
Why Governance?
Slide 14
Migrating Security to the Left…
(design / build / deploy / operate diagram repeated from slide 10)
Security is a Design Constraint
Slide 15
Monitor & Inspect Everything
insights / security science / security tools & data
Cloud accounts
S3
Glacier
EC2
CloudTrail
ingestion
threat intel
SPEED MATTERS
security feedback loop / continuous response
operate
Slide 16
deploy
Safe Continuous Deployment
Cloud Provider Network
Backbone
Cloud Platform (Orchestration)
Network / Compute / Storage
Internet
Cloud Account(s)
Load Balancers
Compute Instances
VPCs
Block Storage
Object Storage
Relational Databases
NoSQL Databases
Containers
Content Acceleration
Messaging / Email
Utilities
Key Management
API/Templates
Certificate Management
Partner Platform
Deployment Bundles in S3
Artifacts in S3
safe deployment process / secured accounts & services
Slide 17
build
Fanatical Security Testing
dynamic / run-time / static
UX & Interfaces
Micro Services
Web Services / Code
CFn Templates
Build Artifacts
Deployment Packages
Resources
Patterns & Baselines
Security Groups
Account Configuration
Real-Time Updates
Slide 18
design
Secure Baselines & Patterns
templates / resources / patterns / services
Security Monitoring
Egress Proxy CFn Template
Bastion CFn Template
Secure VPC CFn Template
CloudTrail CFn Template
Secrets Bundle
MarketPlace
Slide 19
What’s this look like in practice?
Slide 20
Red Team, Security Operations & Science
API KEY EXPOSURE -> 8 HRS
DEFAULT CONFIGS -> 24 HRS
SECURITY GROUPS -> 24 HRS
ESCALATION OF PRIVS -> 5 D
KNOWN VULN -> 8 HRS
Slide 21
Compliance Operations as Continuous Improvement
https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf
Slide 22
Security Decision Support
Slide 23
This could be your MTTR…
MTTR
Days… 6 months
Slide 24
Get Involved and Join the Community
• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity