Page 1
Continuous security
Kim van Wilgen | Schuberg Philis
nl.linkedin.com/kimvanwilgen
www.kimvanwilgen.com
@kimvanwilgen
Page 2
@kimvanwilgen | www.kimvanwilgen.com | Continuous security
2018: Customer director, Schuberg Philis
2017: Head of software development, ANVA
2014: Head of IT, Klaverblad Verzekeringen
1980: Hello world
Page 3
Schuberg Philis
Mission critical digital transformations
Financially independent
Started in 2001
300 team members (Dec 2018)
EUR 60m revenue
Market quality leader in Business Critical IT Outsourcing
Single KPI: 100% customer satisfaction
Page 4
Our customers
Page 5
Page 6
Why focus on security?
Page 7
• Agile
• Continuous delivery
• Containers
• Immutable infrastructures
• Pipelines
• Test automation
• T-shaped people
• You build it, you run it
• DevOps
• Microservices and serverless architectures
• Self-organization
• War for talent
• Exploration and rapid prototyping
• Emerging architectures
Page 8
Focus shifted to speed… and nothing else
Page 9
Shifting panels
Page 10
Autonomy, self-organization and key-shaped people
Page 11
Source: State of the cybersecurity report 2017
Page 12
Security roleplay
Page 13
Security all-in
Page 14
Security should support delivery of value
Page 15
“I never once spoke with the security team at Google. Not because they weren’t doing their job, but exactly because they were doing their job. They encoded their expertise into self-service tools and libraries, and we just used them ourselves.”
Randy Shoup, WeWork
Page 16
Continuous Delivery (CD) is a set of practices and principles in software engineering aimed at building, testing and releasing software faster and more frequently. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.
Wikipedia, 2017
Page 17
Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering integrity, availability and confidentiality to applications in production. Continuous security is essential for delivering Continuous Delivery.
Page 18
Let’s play!
Page 19
Gartner DevSecOps Top 10
1. Have security champions
2. Don’t eliminate all risk
3. Driven by DevOps teams
4. Identify and remove first
5. Context adaption
6. Eliminate known vulnerabilities
7. Immutable infrastructure
8. Detection of changes
9. Security tests are source code
10. Train for the basics
Page 20
#1: Have security champions
Page 21
SecLeads and SecBuddies
Source: Rooske Eerden (de Tekenaar)
Page 22
Security Satellite team
5 dev (1 architect, 2 devs, 2 testers)
3 ops
Page 23
#2: Don’t eliminate all risk
Page 24
Risk and cost based security
Security is Confidentiality, Integrity and Availability
Page 25
Alignment of security and business value
Page 26
#3: DevOps driven
Integration in the pipeline
Page 27
Page 28
Shift left on security
Page 29
DevSecOps, SecDevOps, DevOpS
Page 30
Automate first
• SAST
• DAST
• Proxy tools
• Dependency checks
• Custom scripts
Integration in the pipelines
Page 31
SAST: Static Application Security Testing
SAST: source code testing for security vulnerabilities
Leaders: Checkmarx, Veracode, AppScan, Fortify, PT Application Inspector, Coverity
We use SonarQube and JFrog Xray
+ Find problems early in the lifecycle, detailed feedback, scalable
- Limited scope, configuration out of scope, false positives & negatives
Page 32
DAST: Dynamic Application Security Testing
DAST: running-state security testing that simulates attacks against an application or system (typically web-enabled applications and services), analyzes the results and thus determines whether it is vulnerable.
Leaders: Fortify, AppScan, ZAP, Qualys, Rapid7
We use ZAP
+ Tests the application at runtime, realistic view
- More complex, harder to track, needs a running instance (late feedback, limited scalability, slow)
Page 33
Security by design
Page 34
#4: Identify and remove: start small
Page 35
I’ve added over 100 security rules in SonarQube and sent the top X screwups to the team. They are more aware and will solve their own issues.
Dominik, member of the ANVA security satellite team
Page 36
I enabled the dependency check. We had hundreds of vulnerabilities. We solved them within a day with critical upgrades and the removal of obsolete dependencies.
Dominik, member of the ANVA security satellite team
Page 37
I ran Docker Bench. We found privileges were too high and corrected them.
Dominik, member of the ANVA security satellite team
Page 38
I’ve set up our internal learning platform with WebGoat. We can now practice attacks and grow awareness and knowledge of defences.
Michiel, member of the ANVA security satellite team
Page 39
#5: Context adaption
Page 40
Learn and adapt first before you break the build
Page 41
Application Security Verification Standard
Irrelevant / SAST / DAST / RAST / other
Train for risks we can’t automate
Page 42
Evil user stories
As a Malicious Hacker, I want to gain access to this web application’s Cloud Hosting account so that I can lock out the legitimate owners and delete the servers and their backups, to destroy their entire business.
Page 43
#6: Fix your vulnerabilities
Page 44
Eliminate known vulnerabilities
OWASP Dependency-Check
62
550 vulnerabilities
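A way to wire a dependency scan into the pipeline along the lines the deck proposes (automate first, learn before you break the build, eliminate known vulnerabilities, but risk-based rather than zero-risk), as an added example that is not the deck's or ANVA's own code: the report layout is a simplified stand-in modelled on the OWASP Dependency-Check JSON report, and the sample report is constructed.

```python
"""Pipeline security gate over a dependency-scan report (added example; not
code from the deck, ANVA or Schuberg Philis).

Assumptions: the report layout (dependencies[].vulnerabilities[] with "name"
and "severity") is a simplified stand-in modelled on OWASP Dependency-Check's
JSON report; the sample report below is constructed, not real scan output.
"""
import json
from collections import Counter
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report: four dependencies, one of them clean.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "lib-a.jar", "vulnerabilities": [
            {"name": "VULN-0001", "severity": "CRITICAL"},
            {"name": "VULN-0002", "severity": "LOW"}]},
        {"fileName": "lib-b.jar", "vulnerabilities": [
            {"name": "VULN-0003", "severity": "HIGH"}]},
        {"fileName": "lib-c.jar"},                 # clean: no vulnerabilities key
        {"fileName": "lib-d.jar", "vulnerabilities": [
            {"name": "VULN-0004", "severity": "MEDIUM"}]},
    ]
})


def load_findings(report_json):
    """Flatten the report into (dependency, vulnerability id, SEVERITY) tuples."""
    data = json.loads(report_json)
    findings = []
    for dep in data.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            sev = str(vuln.get("severity", "UNKNOWN")).upper()
            findings.append((dep.get("fileName", "?"), vuln.get("name", "?"), sev))
    return findings


def evaluate_gate(findings, fail_at="HIGH", accepted=None, today=None, enforce=False):
    """Decide the pipeline verdict for one scan.

    fail_at:  lowest severity that blocks (a risk-based threshold, not 'fix all').
    accepted: {vuln_id: "YYYY-MM-DD"}; a documented, time-boxed risk acceptance
              that stops counting once its expiry date has passed.
    enforce:  False = report-only (WARN, build continues) while the team learns
              the tool; True = break the build on blocking findings.
    """
    accepted = accepted or {}
    today = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[fail_at]
    counts = Counter(sev for _, _, sev in findings)
    blocking, expired = [], []
    for dep, vid, sev in findings:
        if SEVERITY_RANK.get(sev, 0) < threshold:
            continue
        if vid in accepted:
            if date.fromisoformat(accepted[vid]) >= today:
                continue             # acceptance still valid
            expired.append(vid)      # acceptance lapsed: the finding blocks again
        blocking.append((dep, vid, sev))
    if not blocking:
        verdict = "PASS"
    elif enforce:
        verdict = "FAIL"
    else:
        verdict = "WARN"
    return {"verdict": verdict, "counts": dict(counts),
            "blocking": blocking, "expired_acceptances": expired}


def exit_code(result):
    """Non-zero only when the gate is enforcing and findings block."""
    return 1 if result["verdict"] == "FAIL" else 0


if __name__ == "__main__":
    res = evaluate_gate(load_findings(SAMPLE_REPORT))
    print(res["verdict"], res["counts"])
    for dep, vid, sev in res["blocking"]:
        print(f"  {sev:8} {vid} in {dep}")
    raise SystemExit(exit_code(res))
```

Run it in report-only mode first so the team sees the backlog, then flip `enforce=True` once the known findings are fixed or accepted with an expiry date.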
Page 45
Page 46
#7: Immutable infrastructure
Page 47
One of the benefits of using containers, especially in microservices-based applications, is they make it easier to secure applications via runtime immutability—or never-changing—and applying least-privilege principles that limit what a container can do.
Tsvi Korren, Chief Solutions Architect at Aqua Security
Page 48
Immutable infrastructure mindset
• Patches are code changes and follow the pipeline
• Use systematic workload re-provisioning – difficult to persist across rebuilds
• Scan infrastructure security scripts against the security policy
• Apply pervasive visibility
Source: Gartner report on cloud security
Page 49
#8: Detection of changes
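An added example, not from the deck, of what detection of changes looks like on an immutable workload (#7 and #8): hash the image contents at build time and raise a finding when the running copy differs outside the paths that are expected to change. The directory layout, the mutable-path prefix and the sample files are constructed.

```python
"""Change detection for immutable workloads (added example, not from the deck).

Idea: a workload built from an image should not change at runtime. Record a
hash manifest of the image contents at build time; later (a scheduled check,
or before each re-provisioning) recompute it and treat any added, removed or
modified file as a finding. The tree built in demo() is constructed.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def detect_drift(baseline, current, mutable_prefixes=("var/log/",)):
    """Compare two manifests; return added/removed/modified paths.

    mutable_prefixes (constructed default): paths expected to change at runtime
    (logs, scratch space) are excluded, so findings only cover the parts of the
    image that are supposed to be immutable.
    """
    def is_mutable(path):
        return any(path.startswith(p) for p in mutable_prefixes)

    added = sorted(p for p in current if p not in baseline and not is_mutable(p))
    removed = sorted(p for p in baseline if p not in current and not is_mutable(p))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p]
                      and not is_mutable(p))
    return {"added": added, "removed": removed, "modified": modified}


def has_drift(report):
    """True when anything outside the mutable paths changed."""
    return any(report[k] for k in ("added", "removed", "modified"))


def demo():
    """Constructed scenario: build a tiny 'image', then let it change at runtime."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        os.makedirs(os.path.join(root, "var", "log"))
        with open(os.path.join(root, "app", "server.py"), "w") as f:
            f.write("print('hello')\n")
        with open(os.path.join(root, "var", "log", "app.log"), "w") as f:
            f.write("started\n")
        baseline = build_manifest(root)          # recorded at build time
        # Runtime: the log grows (expected); the application file is edited and
        # an extra file appears under app/ (not expected on an immutable image).
        with open(os.path.join(root, "var", "log", "app.log"), "a") as f:
            f.write("request\n")
        with open(os.path.join(root, "app", "server.py"), "a") as f:
            f.write("import os\n")
        with open(os.path.join(root, "app", "extra.sh"), "w") as f:
            f.write("echo unexpected\n")
        current = build_manifest(root)
        return detect_drift(baseline, current)


if __name__ == "__main__":
    report = demo()
    print("drift detected" if has_drift(report) else "clean", report)
```

A positive result is the signal to re-provision the workload from the image rather than to repair it in place, which is the "difficult to persist across rebuilds" property the previous slide describes.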
Page 50
#9: Treat security tests as source code
Page 51
#10: Train for the basics
Page 52
Automate security features and scan against bugs and vulnerabilities
Check for logical flaws manually, educate and raise context awareness
Page 53
Infrastructure alone won’t keep you safe
10.6% of passwords are a top-20 password
Page 54
Security bootcamps
Page 55
Context awareness
Page 56
Hack yourself first too
Chaos Engineering: make rare events regular
Page 57
“Think as an offender will show the real threats of your application and grow awareness from finding out how easy it is.”
Troy Hunt, MVP for developer security and creator of ‘Have I Been Pwned’
Page 58
Red teaming
“Did you check the cake for hard and sharp objects before bringing this inside?”
Page 59
Gartner DevSecOps Top 10
Page 60
References and questions
www.kimvanwilgen.com
@kimvanwilgen
Page 61
Sources
https://sdtimes.com/developers/gartners-guide-to-successful-devsecops/
https://cybersecurity.isaca.org/static-assets/documents/State-of-Cybersecurity-part-2-infographic_res_eng_0517.pdf
https://www.sans.org/reading-room/whitepapers/critical/continuous-security-implementing-critical-controls-devops-environment-36552
10 Things to Get Right for Successful DevSecOps, Gartner, 2017, IDG00341371
https://www.gartner.com/doc/reprints?id=1-4TI72Y2&ct=180320&st=sb
https://www.thoughtworks.com/radar/techniques
https://www.mmc.com/content/dam/mmc-web/Global-Risk-Center/Files/MMC-Cyber-Handbook_2016-web-final.pdf
Reimagining Security and IT Resilience for a Cloud-Native DevSecOps World, Gartner, 2018