#DevOpSec - Killing the buzz? - Rochester Security Summit
TRANSCRIPT
#DevOpSec - Killing the buzz?
Hello! I’m a security consultant at NCC Group.
you can find me:
× on twitter as @rossja
× pretty much everywhere else as algorythm
A special note about this presentation!
anytime I include a “buzzword” in a slide...
I will also include this:
Agenda
setting the stage
× blue team
× red team
× fight!
tricks are for script kiddies
× techniques
× tools
wrapup
devops
stresses communications, collaboration, integration,
automation and measurement of cooperation between
software developers and other IT professionals
devops goals?
1. rapid development
2. continuous deployment
3. quick scaling
4. instant rollback
devops methods?
continuous (delivery | deployment | measurement)
× orchestration & automation
× infrastructure as code
× feedback loops from users/production
virtualization
× cloud
× containers
revision control
× git (is anyone using anything else at this point?)
so basically…devops wants to set you free!
Security
the processes and methodologies involved with
keeping information confidential, available, and
assuring its integrity.
security goals?
to “serve and protect”
× hosts & data
× the business
× end-users
“continuous annoyment”?
policy
× creation
× enforcement
audit
× compliance testing
× log management & review
simulation
× penetration test
× phishing | social engineering
so basically…security wants to bust your kneecaps!
thus we get this.
can we even?
no more of that
common conflicts
access control
× devops: everyone can access everything so things get done
× infosec: least-privilege, separation of duties
process flow
× devops: rapid, constant update - often in prod
× infosec: strict review, isolated env
culture / mindset
× devops: we need to be able to do whatever we want...
× infosec: you can only do what we let you...
ultimately different goals?
dev - build cool things
ops - run cool things
sec - break all the things
nod to @codesoda
get over it & move on
“I wish developers would get security involved sooner”
- every security pro ever
“I wish security would stop getting in our way at the last minute”
- every devops pro ever
devopsec is a thing!
Also known as...
(look how friendly it is!) ---->>
dev & ops & sec work together in all phases
× design
× development
× deployment
× maintenance
image taken shamelessly from https://newrelic.com/devops/lifecycle
how does this help security?
continuous security delivery
× use the pipeline to meet compliance & audit objectives
× CD/CI lends itself well to rapid patching
continuous monitoring
× use feedback loops from prod to feed ‘attack-driven defense’
improves security awareness
× everyone is involved
some suggestions:
× inject code analysis tools into the dev process
× enforce fixes prior to deployment
× automate attacks against pre-prod code
× prevent vulnerable code from reaching prod
× implement “compliance as code” strategies
compliance as code?
make security part of the pipeline
× setup requires time and effort
× may involve learning new ways of working
× it is worth it (really…)
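One way to turn “enforce fixes prior to deployment” and “compliance as code” into an actual pipeline gate, as an added example that is not part of the talk or of any tool it lists: the script reads scanner findings plus a list of time-boxed risk acceptances, fails the build on any unaccepted finding at or above the chosen severity, and fails closed on a finding whose severity it cannot classify. The findings shape, the acceptance records and the sample data are constructed for this illustration; in a real pipeline the loader would consume the output of whichever scanner (OWASP Dependency Check, ZAP, a SAST tool) the job runs.

```python
"""Pipeline gate: fail the build on unaccepted high-severity findings.

Added example (not from the talk). The findings shape, the acceptance
records and the sample data below are constructed for illustration; adapt
load_json() to the real output of the scanner the pipeline runs.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: what a dependency or static-analysis scanner might emit.
SAMPLE_FINDINGS = [
    {"id": "DEP-001", "component": "example-lib@1.2.3", "severity": "critical",
     "title": "remote code execution via unsafe deserialization"},
    {"id": "DEP-002", "component": "old-parser@0.9", "severity": "high",
     "title": "denial of service on crafted input"},
    {"id": "SAST-017", "component": "app/login.py", "severity": "medium",
     "title": "weak hash used for password storage"},
    {"id": "SAST-040", "component": "app/util.py", "severity": "low",
     "title": "request body written to debug log"},
]

# Constructed sample: risk acceptances signed off by security, each with an
# owner, a reason and an expiry so "fix it later" cannot silently become forever.
SAMPLE_ACCEPTANCES = [
    {"id": "DEP-002", "owner": "platform-team", "expires": "2099-01-01",
     "reason": "not reachable: parser only sees trusted config files"},
    {"id": "SAST-017", "owner": "auth-team", "expires": "2000-01-01",
     "reason": "expired acceptance: must be re-reviewed before it counts"},
]


def valid_acceptances(acceptances, today):
    """Return {finding_id: record} for acceptances that have not expired."""
    return {a["id"]: a for a in acceptances
            if date.fromisoformat(a["expires"]) >= today}


def evaluate(findings, acceptances, fail_on="high", today=None):
    """Split findings into blocking, accepted and informational buckets.

    A finding blocks the build when its severity is at or above `fail_on`
    and no unexpired acceptance covers it. An unrecognised severity also
    blocks: a gate that cannot classify a finding must fail closed.
    """
    today = today or date.today()
    threshold = SEVERITY_RANK[fail_on]
    accepted_ids = valid_acceptances(acceptances, today)
    result = {"blocking": [], "accepted": [], "informational": []}
    for f in findings:
        rank = SEVERITY_RANK.get(str(f.get("severity", "")).lower())
        if rank is None:
            result["blocking"].append({**f, "note": "unknown severity, failing closed"})
        elif rank < threshold:
            result["informational"].append(f)
        elif f["id"] in accepted_ids:
            result["accepted"].append(f)
        else:
            result["blocking"].append(f)
    result["passed"] = not result["blocking"]
    return result


def load_json(path):
    """Load a JSON list from disk (findings or acceptances)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def main(argv):
    # usage: gate.py [findings.json acceptances.json] [--fail-on SEVERITY]
    fail_on = "high"
    if "--fail-on" in argv:
        i = argv.index("--fail-on")
        fail_on = argv[i + 1]
        argv = argv[:i] + argv[i + 2:]
    if len(argv) == 2:
        findings, acceptances = load_json(argv[0]), load_json(argv[1])
    else:
        findings, acceptances = SAMPLE_FINDINGS, SAMPLE_ACCEPTANCES
    result = evaluate(findings, acceptances, fail_on=fail_on)
    for bucket in ("blocking", "accepted", "informational"):
        for f in result[bucket]:
            print(f"{bucket:13} {f['id']:9} {f.get('severity', '?'):8} "
                  f"{f['component']}: {f['title']}")
    print("GATE", "PASSED" if result["passed"] else "FAILED")
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to see the sample data gated; in a pipeline, call it with the scanner’s JSON and the acceptance file and let the non-zero exit status fail the job. The expiry on each acceptance is the point of the design: the gate, not a person, decides when an accepted risk has to be looked at again.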
the devopsec cycle
source repo → binary repo → production repo
precommit
● threat model
● ide checks
● peer review
continuous integration
● static analysis
● security unit testing
● alert on high-risk changes
acceptance
● dynamic analysis
● automated fuzzing
● pen testing (oob)
production
● red teaming
● bug bounty
● incident response
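The “alert on high-risk changes” item in the continuous integration column is cheap to automate. The script below is an added example, not something from the talk or from any of the tools it lists: it parses a unified diff, flags changes that touch paths where a mistake has a large blast radius (authentication, crypto, infrastructure as code, dependency manifests) so a security reviewer gets pulled into the peer review, and fails outright when an added line looks like a credential. The path rules, the secret patterns and the sample diff are constructed assumptions about a typical repository layout; tune them to yours.

```python
"""CI check: flag high-risk changes for security review, block committed secrets.

Added example, not from the talk. The path rules, secret patterns and the
sample diff are constructed for illustration and assume a typical app layout.
"""
import re
import sys
from dataclasses import dataclass, field

# Paths where a mistake has outsized blast radius (assumed repository layout).
HIGH_RISK_PATHS = [
    re.compile(r"(^|/)(auth|authn|authz|session|crypto|secrets?)(/|\.)"),
    re.compile(r"\.tf$|(^|/)(k8s|helm|deploy)/.*\.ya?ml$"),          # infrastructure as code
    re.compile(r"(^|/)(requirements[^/]*\.txt|package(-lock)?\.json|Gemfile(\.lock)?|go\.(mod|sum))$"),
]

# Things that must never land in the repo, even "just for testing".
SECRET_PATTERNS = [
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("hard-coded credential",
     re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]

# Constructed sample diff: a login change that also drops an API key into the code.
SAMPLE_DIFF = """\
diff --git a/app/auth/login.py b/app/auth/login.py
--- a/app/auth/login.py
+++ b/app/auth/login.py
@@ -10,6 +10,8 @@ def login(user, password):
     record = db.lookup(user)
-    if record.password == password:
+    if record.password == password:  # TODO: constant-time compare
+        API_KEY = "sk_live_0123456789abcdef"
         return issue_session(user)
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,3 +1,4 @@
 # service
+Documents the login flow.
"""


@dataclass
class Verdict:
    level: str = "low"                 # "low" or "high"
    needs_security_review: bool = False
    block: bool = False                # secrets in the diff fail the check outright
    reasons: list = field(default_factory=list)


def parse_diff(diff_text):
    """Return (changed paths, [(path, added line), ...]) from a unified diff."""
    paths, added, path = [], [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            if path != "/dev/null":
                paths.append(path)
        elif path and line.startswith("+") and not line.startswith("+++"):
            added.append((path, line[1:]))
    return paths, added


def assess(diff_text):
    """Classify a diff: high-risk paths need a security reviewer, secrets block."""
    verdict = Verdict()
    paths, added = parse_diff(diff_text)
    for path, text in added:
        for name, pattern in SECRET_PATTERNS:
            if pattern.search(text):
                verdict.reasons.append(f"{path}: {name} added to the repo")
                verdict.block = True
    for path in paths:
        if any(p.search(path) for p in HIGH_RISK_PATHS):
            verdict.reasons.append(f"{path}: high-risk path changed")
            verdict.needs_security_review = True
    if verdict.block or verdict.needs_security_review:
        verdict.level = "high"
    return verdict


def main():
    # Typical pipeline use: git diff origin/main...HEAD | python check_change_risk.py
    diff_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    verdict = assess(diff_text)
    for reason in verdict.reasons:
        print(reason)
    print(f"risk={verdict.level} security_review={verdict.needs_security_review} block={verdict.block}")
    return 1 if verdict.block else 0


if __name__ == "__main__":
    sys.exit(main())
```

The two outcomes are deliberately different: a high-risk path only adds a reviewer, because touching auth code is normal work, while a credential in an added line fails the job, because no review makes a committed secret acceptable. Pattern-based secret detection has false negatives, so this is an alert on the commit path, not a substitute for keeping secrets in a vault (the chef vault and keywhiz tools on the next slide) in the first place.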
precommit tools
× OWASP Proactive Controls (shift security left!)
code peer review tools:
× Gerrit
× Phabricator
× Atlassian Crucible
commit tools
secrets management:
× chef vault
× keywhiz
lib/deps checkers:
× OWASP Dependency Check
× Retire.js
× Bundler Audit
× SourceClear (commercial)
acceptance tools
× hardening.io
× dynamic scanning tools (nessus, etc.)
× OWASP ZAP
× Jenkins ZAP plugin
× Mittn
× Gauntlt
× BDD-Security
production tools
× ansible | chef | puppet | salt | docker
× dynamic scanning tools (nessus, etc.)
× bugcrowd
× simian army
× aws inspector
× scout2 (NCC Group tool)
next-gen waf
Some interesting new devopsec tech is coming out in the WAF market (like SignalSciences)
Chaim will be talking more about WAF stuff in his talk, up next.
wrapup
devops + security is cool
× integrating the two requires culture shift
× there will be lots to work out
× it can be awesome when it’s done right
× look to industry leaders like AWS/Netflix
say devopsec one more time...