DevSecOps - Building Rugged Software
TRANSCRIPT
Slide 1
DevSecOps: Building Rugged Software
Shannon Lietz
Copyright © DevSecOps Foundation 2015-2016
Slide 2
What's Happening in the World?
• DevOps
• Public Cloud
• Agile
• Scrum
• Lean
• Low-Code
• No-Code
• NoOps
• …
https://www.google.com/trends/
Slide 3
A History Lesson – Google Trends Research
• Several years after the Agile Manifesto, DevOps.com was registered in 2004
• Google searches for "DevOps" started to rise in 2010
• Major influences:
  • Saving your Infrastructure from DevOps / Chicago Tribune
  • DevOps: A Culture Shift, Not a Technology / InformationWeek
  • DevOps: A Sharder's Tale from Etsy
  • DevOps.com articles
• RuggedSoftware.org was registered in 2010
• As of 2013, DevSecOps is on the map…
Slide 4
Who's doing Enterprise DevOps?
…
Slide 5
What's the business benefit?
Business strategy is achieved with the collaboration of all departments and providers in service to the customer, who requires better, faster, cheaper, secure products and services.
Slide 6
What Hinders Secure Innovation?
1. Manual processes & meeting culture
2. Point-in-time assessments
3. Friction for friction's sake
4. Contextual misunderstandings
5. Decisions being made outside of value creation
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)
...
Slide 7
Say What??!!
http://donsmaps.com/images22/mutta1200.jpg
Slide 8
The Need for Change
• Innovation is a competitive advantage
• Cloud has leveled the playing field
• Demand for customer-centric product development
• Continuous delivery of features and changes
• New generation of workers desire collaboration
• Speed and scale are necessary to handle demand
• Integration over invention to speed up results
• Security breaches are on the rise
• People desire to work with greater autonomy...
• Continuous Learning... How can I do better? & better?
commons.wikimedia.org
Slide 9
Culture Hacking
Traditional Security
Security is Everyone's Responsibility
DEVSECOPS
Slide 10
The Art of DevSecOps
DevSecOps
• Security Engineering: Experiment, Automate, Test
• Security Operations: Hunt, Detect, Contain
• Compliance Operations: Respond, Manage, Train
• Security Science: Learn, Measure, Forecast
Slide 11
The Secure Software Supply Chain
• Gating processes are not Deming-like
• Security is a design constraint
• Decisions made by engineering teams
• Hard to avoid business catastrophes by applying one-size-fits-all strategies
• Security defects are more like a security "recall"
Diagram: design, build, deploy, operate
• How do I secure my app?
• What component is secure enough?
• How do I secure secrets for the app?
• Is my app getting attacked? How?
Typical gates for security checks & balances
Mistakes and drift often happen after the design and build phases, and they result in weaknesses and potentially exploits.
Most costly mistakes happen during design.
Faster security feedback loop
Slide 12
From a Traditional Supply Chain…
"When will you solve my problem?!!"
"Can we discuss my feedback?"
"Did we pass the 98-point inspection?"
Thanks to Henrik Kniberg
Slide 13
To a Customer-Centric Supply Chain
Thanks to Henrik Kniberg
"Awesome! When can I bring my kids with me? Does it come in red?"
"Can this be motorized to go faster and for longer trips?"
"Better than walking, for sure… but not by much..."
Security must shift left with a Science Mindset like all other Ops…
Slide 14
Shifting Security to the Left means built-in
(The design, build, deploy, operate diagram from slide 11 is repeated on this slide.)
Security is a Design Constraint
Slide 15
Security is and has always been a Design Constraint…
• Everyone knows Maslow…
• If you can remember 5 things, remember these ->
"Apps & data are as safe as where you put it, what's in it, how you inspect it, who talks to it, and how it's protected…"
Slide 16
But Please No Checklists & Save the Trees!!
Deforestation: https://www.flickr.com/photos/foreignoffice/3509228297
Slide 17
Security Governance Transparency via Continuous Improvement
https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf
Slide 18
Security as Code / Everything as Code
• Paper-resident policies do not stand up to constant cloud evolution and lessons learned.
• Translation from paper to code and back can lead to serious mistakes.
• Traditional security policies do not translate 1:1 to Full Stack deployments.
Diagram: Data Center, Cloud Provider, Network
• LOCK YOUR DOORS
• BADGE IN
• AUTHORIZED PERSONNEL ONLY
• BACKGROUND CHECKS
• CHOOSE STRONG PASSWORDS
• USE MFA
• ROTATE API CREDENTIALS
• CROSS-ACCOUNT ACCESS
EVERYTHING AS CODE
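The slide's point is that a control written on paper ("use MFA", "rotate API credentials", "choose strong passwords") only stands up to constant change once it is expressed as something a pipeline can run. The following is an added example, not code from the deck or from the DevSecOps Foundation, that encodes three of the slide's cloud controls as checks over a constructed, credential-report-style record set. The 90-day rotation window and the 14-character minimum are assumed thresholds, and the field names only loosely mirror an IAM credential report; cross-account access is not covered here.

```python
"""Policy-as-code checks for three of the slide's cloud controls (added example)."""
from datetime import datetime, timedelta, timezone

# Assumed thresholds; the deck states the controls, not the numbers.
MAX_KEY_AGE = timedelta(days=90)
MIN_PASSWORD_LENGTH = 14

# Constructed sample resembling an IAM credential report. Not real account data.
NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)
USERS = [
    {"user": "alice", "mfa_active": True, "password_enabled": True,
     "access_key_1_active": True, "access_key_1_last_rotated": NOW - timedelta(days=30)},
    {"user": "bob", "mfa_active": False, "password_enabled": True,
     "access_key_1_active": True, "access_key_1_last_rotated": NOW - timedelta(days=200)},
    # Service identity: no console password, so the MFA rule does not apply to it.
    {"user": "deploy-bot", "mfa_active": False, "password_enabled": False,
     "access_key_1_active": True, "access_key_1_last_rotated": NOW - timedelta(days=10)},
]
# Constructed account-level password policy; deliberately weaker than the threshold.
PASSWORD_POLICY = {"minimum_password_length": 8, "require_symbols": True}


def check_mfa(user):
    """USE MFA: anyone with console (password) access must have an MFA device."""
    if user["password_enabled"] and not user["mfa_active"]:
        return f"{user['user']}: console access without MFA"
    return None


def check_key_rotation(user, now=NOW):
    """ROTATE API CREDENTIALS: an active key older than MAX_KEY_AGE is a finding."""
    if user["access_key_1_active"]:
        age = now - user["access_key_1_last_rotated"]
        if age > MAX_KEY_AGE:
            return f"{user['user']}: access key {age.days} days old (limit {MAX_KEY_AGE.days})"
    return None


def check_password_policy(policy):
    """CHOOSE STRONG PASSWORDS: the account policy must enforce the minimum length."""
    length = policy["minimum_password_length"]
    if length < MIN_PASSWORD_LENGTH:
        return f"password policy minimum length {length} < {MIN_PASSWORD_LENGTH}"
    return None


def evaluate(users=USERS, policy=PASSWORD_POLICY, now=NOW):
    """Run every check and return the list of human-readable findings."""
    findings = []
    for user in users:
        for finding in (check_mfa(user), check_key_rotation(user, now)):
            if finding:
                findings.append(finding)
    policy_finding = check_password_policy(policy)
    if policy_finding:
        findings.append(policy_finding)
    return findings


if __name__ == "__main__":
    # Exit non-zero so a CI job fails when the account drifts from policy.
    results = evaluate()
    for finding in results:
        print("FAIL", finding)
    raise SystemExit(1 if results else 0)
```

Run against the constructed data, the job fails with three findings (bob's missing MFA, bob's 200-day-old key, and the weak password policy); the service identity passes because it has no console password. The checks live next to the thresholds they enforce, so updating the rotation window is a code change with a reviewable diff rather than a paper revision.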
Slide 19
Example of Continuous Delivery + Security
Diagram stages: Source Code, CI Server, Artifacts, Deploy, Test & Scan, Monitoring
DevOps Code: Creating Value & Availability
DevSecOps Code: Creating Trust & Confidence
Slide 20
Continuous Feedback
THE FEEDBACK HIGHWAY
PRODUCT SCRUM TEAM
THE INTEL HIGHWAY
SECURITY TESTING & DATA PLATFORM, SECURITY TEAM, SECURITY COMMUNITY
Slide 21
Continuous Security Engineering & Science
Monitor & Inspect Everything
Diagram: insights, security science, security tools & data
Cloud accounts: S3, Glacier, EC2, CloudTrail
ingestion, threat intel
security feedback loop, continuous response
Slide 22
Red Team, Security Operations & Science
API KEY EXPOSURE -> 8 HRS
DEFAULT CONFIGS -> 24 HRS
SECURITY GROUPS -> 24 HRS
ESCALATION OF PRIVS -> 5 D
KNOWN VULN -> 8 HRS
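Slides 21 and 22 together describe the loop: CloudTrail records are ingested, detections turn them into findings, and each finding class carries a response target. The following is an added example (not code from the deck) that runs two detection rules over constructed CloudTrail-style records and stamps each finding with the target from the slide above. The category labels reuse the slide's wording; the rules themselves (a security group ingress opened to 0.0.0.0/0, and AdministratorAccess attached to a user), the mapping of those rules onto the slide's categories, and the sample records are this example's own assumptions.

```python
"""CloudTrail-style detections with the deck's response targets (added example)."""
import json
from datetime import datetime, timedelta, timezone

# Target resolution times as stated on the slide.
SLA = {
    "API KEY EXPOSURE": timedelta(hours=8),
    "DEFAULT CONFIGS": timedelta(hours=24),
    "SECURITY GROUPS": timedelta(hours=24),
    "ESCALATION OF PRIVS": timedelta(days=5),
    "KNOWN VULN": timedelta(hours=8),
}

# Constructed records in CloudTrail's JSON-lines shape. Names and ids are made up.
EVENTS = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2016-06-01T10:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "bob"},
     "requestParameters": {"groupId": "sg-example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2016-06-01T11:00:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"userName": "bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2016-06-01T12:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "alice"}, "requestParameters": {}},
])


def parse_time(stamp):
    """CloudTrail eventTime is UTC in ISO-8601 'Z' form."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(event):
    """Return (category, description) when a rule matches, otherwise None."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    actor = event.get("userIdentity", {}).get("userName", "?")
    # Rule 1: ingress rule opened to the whole internet -> SECURITY GROUPS.
    if name == "AuthorizeSecurityGroupIngress":
        for perm in params.get("ipPermissions", {}).get("items", []):
            for rng in perm.get("ipRanges", {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    return ("SECURITY GROUPS",
                            f"{actor} opened {params.get('groupId')} "
                            f"port {perm.get('fromPort')} to 0.0.0.0/0")
    # Rule 2: administrator policy attached to a principal -> ESCALATION OF PRIVS.
    if name in ("AttachUserPolicy", "AttachRolePolicy") and \
            str(params.get("policyArn", "")).endswith("/AdministratorAccess"):
        target = params.get("userName") or params.get("roleName")
        return ("ESCALATION OF PRIVS", f"{actor} attached AdministratorAccess to {target}")
    return None


def findings_from_log(log=EVENTS):
    """Ingest JSON-lines records and emit findings with their due time."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hit = detect(event)
        if hit:
            category, detail = hit
            opened = parse_time(event["eventTime"])
            findings.append({"category": category, "detail": detail,
                             "opened": opened, "due": opened + SLA[category]})
    return findings


def overdue(findings, now):
    """Findings whose response target has already passed at time `now`."""
    return [f for f in findings if now > f["due"]]


if __name__ == "__main__":
    found = findings_from_log()
    for f in found:
        print(f["category"], "due", f["due"].isoformat(), "-", f["detail"])
    late = overdue(found, parse_time("2016-06-03T00:00:00Z"))
    print("overdue:", [f["category"] for f in late])
```

On the constructed log the security-group change is due 24 hours after it was logged and the privilege change 5 days after; checked two days later, only the security-group finding is overdue. Keeping the target next to the rule is what makes the mean-time-to-resolution on the next slides measurable rather than anecdotal.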
Slide 23
Security Decision Support
Slide 24
This Could Be Your Mean Time to Resolution…
MTTR: Days… 6 months
Slide 25
Get Involved and Join the Community
• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on GitHub
• RuggedSoftware.org
• Compliance at Velocity