The Journey to DevSecOps (transcript)
![Page 1: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/1.jpg)
Shannon Lietz
The Journey to DevSecOps (RUGGED)
@devsecops
![Page 2: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/2.jpg)
Always an Early Adopter
Google Trends
• DevOps.com was bought in 2004
• Google searches for “DevOps” started to rise in 2010
• Major influences:
– Saving your Infrastructure from DevOps / Chicago Tribune
– DevOps: A Culture Shift, Not a Technology / Information Week
– DevOps: A Sharder’s Tale from Etsy
– DevOps.com articles
• RuggedSoftware.org was bought in 2010
https://www.google.com/trends/
![Page 3: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/3.jpg)
Chasing Innovation…
![Page 4: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/4.jpg)
Which means, spending most of your career doing this…
Bang Head Here
![Page 5: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/5.jpg)
This is the End of Security as We Know It…
Say what?!??!
6+ years later, it’s hard to believe we’re still shocked by this quote!
This talk will provide you with a path forward…
And a survival kit...
-Josh Corman
![Page 6: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/6.jpg)
An Ugly Little Secret
• DevOps teams make security decisions… several times, every day!
• Hackers find security issues and exploit them… several times, every day!
• Security teams hardly ever make security decisions... and really only when risks need to be officially authorized!
https://www.flickr.com/photos/denise_rowlands
![Page 7: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/7.jpg)
In a Deming World…
• Most decisions are made within the software supply chain by engineering teams
• Security decisions are usually made as a result of attempting to balance design constraints
• Gating processes are not Deming-like; but it is hard to avoid business catastrophes by applying measure-ahead strategies for security
• Most security defects are identified during a major event, triggering the equivalent of a security “recall”
[Slide diagram: pipeline stages design → build → deploy → operate, each with the security question engineering teams face at that stage]
• design: How do I secure my app?
• build: What component is secure enough?
• deploy: How do I secure secrets for the app?
• operate: Is my app getting attacked? How?
Annotations on the diagram:
• Typical gates for security checks & balances sit between the stages
• Mistakes and drift often happen after the design and build phases
• The most costly mistakes happen during design
• A much-needed feedback loop from operate back to design is missing
![Page 8: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/8.jpg)
Hackers have lots of opportunities…
People
• Susceptible to phishing and email scams
• Can be socially engineered
Process
• Humans make mistakes, because they are human (6 Sigma)
• Process gaps provide room for fraud
Technology
• Software complexity increases with reusable components
• Technology providers have to do their part, or everyone fails!
![Page 9: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/9.jpg)
Get Grounded in Reality: 7 Principles
• Secure business is the new black! KTLO (Keep The Lights On)!
• Everyone must be responsible for security!
• Perfection is over-rated… Mistakes are inevitable.
• Reacting can be costly… build security in.
• Compliance is important but it’s not security!
• A blaming culture is dangerous, avoid it!
• Continuously test, detect, measure and incrementally improve.
![Page 10: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/10.jpg)
Keep The Lights On!
• Keeping the Lights on includes Security…
• 66% of companies adopting DevOps
• DevOps teams need guardrails and guidelines to move fast
• Security decisions that haven’t been made before likely require escalation
https://www.flickr.com/photos/darwinbell
http://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2015-state-cloud-survey
![Page 11: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/11.jpg)
Enlist Everyone!
• Common ratio for Dev : Ops : Sec is 100 : 10 : 1
• Numbers matter against attackers!
• Skills help, but anyone can identify an anomaly.
• Everyone needs to help with security; everyone has a role to play. And this is hard to find...
![Page 12: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/12.jpg)
Mistakes happen…
• DevOps teams use customer-driven development processes with incremental changes… mistakes just happen.
• But because of frequent changes, teams have more opportunities to correct defects, on average 30x more
• Teams need help deciphering how to self-correct
https://www.flickr.com/photos/doobybrain
![Page 13: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/13.jpg)
Protection is ideal; Detection is a must!
• The faster a defect is discovered, the faster it can be dealt with.
• DevOps has 50% faster MTTR
• Transforming security events into incidents and problems helps with resolution rates
https://www.flickr.com/photos/daoro
![Page 14: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/14.jpg)
Compliance Programs won’t stop a breach
• Point in time assessments don’t go far enough
• 0 companies (in 10 years) have been found compliant after a breach
• Compliance needs to be paired with rugged security
http://www.slideshare.net/VerizonEnterpriseSolutions/webinar-new-insights-to-simplify-pci-compliance-and-manage-risk
![Page 15: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/15.jpg)
High Performing is where it’s at!
• High performing teams that focus on a blameless culture perform on average 50% better
• Blaming cultures create less engagement and are 30% less efficient
• MTTR is 5x faster in blameless teams that focus on opportunities first
![Page 16: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/16.jpg)
Continuous Improvement
• Continuous improvement has been a goal for an endless number of years
• Teams that focus on testing, early detection, and measuring progress have 30% fewer defects in production
• Tests are often added to continuous delivery to achieve better results throughout the continuous delivery pipeline
https://www.flickr.com/photos/deniscollette
![Page 17: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/17.jpg)
Great! What does this look like in practice for a security professional?
• Leaning in over Always Saying “No”
• Data & Security Science over Fear, Uncertainty and Doubt
• Open Contribution & Collaboration over Security-Only Requirements
• Consumable Security Services with APIs over Mandated Security Controls & Paperwork
• Business Driven Security Scores over Rubber Stamp Security
• Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
• 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
• Shared Threat Intelligence over Keeping Info to Ourselves
• Compliance Operations over Clipboards & Checklists
![Page 18: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/18.jpg)
Use Security Skills to Build Tools
![Page 19: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/19.jpg)
Migrate to Security as Code
![Page 20: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/20.jpg)
Get Involved and Join the Community
• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity
• Join Us!!!
• Spread the word!!!
![Page 21: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/21.jpg)
#RuggedDevOps
If you see something cool…
![Page 22: The Journey to DevSecOps](https://reader030.vdocument.in/reader030/viewer/2022020119/586fd97c1a28ab18428b5a4d/html5/thumbnails/22.jpg)
Thank You to Our Sponsors