devsecops - building rugged software
TRANSCRIPT
1
DevSecOps: BUILDING RUGGED SOFTWARE
SHANNON LIETZ
Copyright © DevSecOps Foundation 2015-2016
2
What’s Happening in the World?
• DEVOPS
• PUBLIC CLOUD
• AGILE
• SCRUM
• LEAN
• LOW-CODE
• NO-CODE
• NOOPS
• …
https://www.google.com/trends/
3
A History Lesson – Google Trends Research
• Several years after the Agile Manifesto, DevOps.com was registered in 2004
• Google searches for “DevOps” started to rise in 2010
• Major influences:
  • Saving your Infrastructure from DevOps / Chicago Tribune
  • DevOps: A Culture Shift, Not a Technology / InformationWeek
  • DevOps: A Sharder’s Tale from Etsy
  • DevOps.com articles
• RuggedSoftware.org was registered in 2010
• As of 2013, DevSecOps is on the map…
4
Who’s doing Enterprise DevOps?
…
5
What’s the business benefit?
Business strategy is achieved with the collaboration of all departments and providers in service to the customer, who requires better, faster, cheaper, secure products and services.
6
What Hinders Secure Innovation?
1. Manual processes & meeting culture
2. Point-in-time assessments
3. Friction for friction’s sake
4. Contextual misunderstandings
5. Decisions being made outside of value creation
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)
...
7
Say What??!!
http://donsmaps.com/images22/mutta1200.jpg
8
The Need for Change
• Innovation is a competitive advantage
• Cloud has leveled the playing field
• Demand for customer-centric product development
• Continuous delivery of features and changes
• New generation of workers desire collaboration
• Speed and scale are necessary to handle demand
• Integration over invention to speed up results
• Security breaches are on the rise
• People desire to work with greater autonomy...
• Continuous Learning... How can I do better? & better?
commons.wikimedia.org
9
Culture Hacking
Traditional Security → DEVSECOPS
Security is Everyone’s Responsibility
10
The Art of DevSecOps
DevSecOps:
• Security Engineering – Experiment, Automate, Test
• Security Operations – Hunt, Detect, Contain
• Compliance Operations – Respond, Manage, Train
• Security Science – Learn, Measure, Forecast
11
The Secure Software Supply Chain
• Gating processes are not Deming-like
• Security is a design constraint
• Decisions made by engineering teams
• Hard to avoid business catastrophes by applying one-size-fits-all strategies
• Security defects are more like a security “recall”
[Figure: design → build → deploy → operate timeline]
  Questions along the timeline: How do I secure my app? What component is secure enough? How do I secure secrets for the app? Is my app getting attacked? How?
  Typical gates for security checks & balances
  Mistakes and drift often happen after the design and build phases and result in weaknesses and potentially exploits
  Most costly mistakes happen during design
  Faster security feedback loop
12
From a Traditional Supply Chain…
“When will you solve my problem?!!” “Can we discuss my feedback?” “Did we pass the 98 point inspection?”
Thanks to Henrik Kniberg
13
To a Customer Centric Supply Chain
Thanks to Henrik Kniberg
“Awesome! When can I bring my kids with me?” “Does it come in Red?”
“Can this be motorized to go faster and for longer trips?”
“Better than walking, for sure… but not by much...”
Security must shift left with a Science Mindset like all other Ops…
14
Shifting Security to the Left means built-in
[Figure: the same design → build → deploy → operate timeline as slide 11]
Security is a Design Constraint
15
Security is and has always been a Design Constraint…
• Everyone knows Maslow…
• If you can remember 5 things, remember these ->
“Apps & data are as safe as where you put it, what’s in it, how you inspect it, who talks to it, and how it’s protected…”
16
But Please No Checklists & Save the Trees!!
[Image: checklist document, “Page 3 of 433”] Deforestation photo: https://www.flickr.com/photos/foreignoffice/3509228297
17
Security Governance Transparency via Continuous Improvement
https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf
18
Security as Code / Everything as Code
• Paper-resident policies do not stand up to constant cloud evolution and lessons learned.
• Translation from paper to code and back can lead to serious mistakes.
• Traditional security policies do not 1:1 translate to Full Stack deployments.
[Figure: three columns – Data Center, Cloud Provider, Network]
Data Center: • LOCK YOUR DOORS • BADGE IN • AUTHORIZED PERSONNEL ONLY • BACKGROUND CHECKS
Cloud Provider: • CHOOSE STRONG PASSWORDS • USE MFA • ROTATE API CREDENTIALS • CROSS-ACCOUNT ACCESS
EVERYTHING AS CODE
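The cloud-provider controls on this slide (strong passwords, MFA, credential rotation, cross-account access) written as executable policy checks instead of a paper policy, so the rule and the evidence live in the same place. This is an added example, not code from the deck or from the DevSecOps Foundation; the account snapshot is constructed, and the thresholds (14-character minimum, 90-day key age, the approved-account allowlist) are assumptions chosen for illustration rather than values stated on the slide.

```python
"""Policy-as-code: the slide's cloud-side rules as executable checks.

Added example, not code from the DevSecOps Foundation deck. The account
snapshot is constructed and the thresholds are assumptions for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

MIN_PASSWORD_LENGTH = 14               # assumption: "choose strong passwords"
MAX_KEY_AGE_DAYS = 90                  # assumption: "rotate API credentials"
TRUSTED_ACCOUNTS = {"222222222222"}    # assumption: approved cross-account peers


@dataclass
class User:
    name: str
    console_access: bool
    mfa_enabled: bool
    access_key_created: list[date] = field(default_factory=list)


@dataclass
class Role:
    name: str
    trusted_accounts: list[str]      # external account IDs allowed to assume the role
    requires_external_id: bool       # trust policy carries an ExternalId condition


@dataclass
class AccountSnapshot:
    password_min_length: int
    users: list[User]
    roles: list[Role]


def evaluate(snapshot: AccountSnapshot, today: date) -> list[str]:
    """Return one finding per violated rule; an empty list means compliant."""
    findings = []
    if snapshot.password_min_length < MIN_PASSWORD_LENGTH:
        findings.append(f"password-policy: minimum length {snapshot.password_min_length} "
                        f"< {MIN_PASSWORD_LENGTH}")
    for u in snapshot.users:
        # MFA is required wherever a human can log in interactively.
        if u.console_access and not u.mfa_enabled:
            findings.append(f"mfa: console user {u.name} has no MFA device")
        for created in u.access_key_created:
            age = (today - created).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append(f"key-rotation: {u.name} has an access key {age} days old")
    for r in snapshot.roles:
        for acct in r.trusted_accounts:
            if acct not in TRUSTED_ACCOUNTS:
                findings.append(f"cross-account: role {r.name} trusts unapproved account {acct}")
            elif not r.requires_external_id:
                findings.append(f"cross-account: role {r.name} trusts {acct} "
                                f"without an ExternalId condition")
    return findings


# Constructed snapshot: one violation of each rule plus compliant entries.
SAMPLE = AccountSnapshot(
    password_min_length=8,
    users=[
        User("alice", console_access=True, mfa_enabled=True,
             access_key_created=[date(2016, 1, 10)]),
        User("bob", console_access=True, mfa_enabled=False),
        User("ci-deploy", console_access=False, mfa_enabled=False,
             access_key_created=[date(2016, 5, 1)]),
    ],
    roles=[
        Role("audit-reader", trusted_accounts=["222222222222"], requires_external_id=True),
        Role("legacy-admin", trusted_accounts=["333333333333"], requires_external_id=False),
    ],
)


def sample_findings() -> list[str]:
    """Evaluate the constructed snapshot as of a fixed date."""
    return evaluate(SAMPLE, date(2016, 6, 1))


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Run on the constructed snapshot it reports four findings: the weak password policy, bob without MFA, alice's 143-day-old key, and the role trusting an account outside the allowlist; ci-deploy's 31-day-old key and the audit-reader role pass. In a pipeline the same function would run against a snapshot pulled from the provider's API on every change, which is the point of the slide: the policy is versioned, tested and diffed like any other code.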
19
Example of Continuous Delivery + Security
[Figure: pipeline] Source Code → CI Server → Test & Scan → Artifacts → Deploy → Monitoring
DevOps Code – Creating Value & Availability
DevSecOps Code – Creating Trust & Confidence
20
Continuous Feedback
[Figure]
THE FEEDBACK HIGHWAY – PRODUCT SCRUM TEAM
THE INTEL HIGHWAY – SECURITY TESTING & DATA PLATFORM, SECURITY TEAM, SECURITY COMMUNITY
21
Continuous Security Engineering & Science
Monitor & Inspect Everything
[Figure: cloud accounts (S3, Glacier, EC2, CloudTrail) → ingestion → security tools & data → security science → insights; threat intel feeds into ingestion; security feedback loop; continuous response]
22
Red Team, Security Operations & Science
API KEY EXPOSURE -> 8 HRS
DEFAULT CONFIGS -> 24 HRS
SECURITY GROUPS -> 24 HRS
ESCALATION OF PRIVS -> 5 D
KNOWN VULN -> 8 HRS
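The two preceding slides describe ingesting CloudTrail and scanner data into a feedback loop and then holding findings to a resolution target per category. The following added example (not code from the deck or the DevSecOps Foundation) shows that loop end to end: constructed event records are classified into the slide's five categories and each finding gets a due time from the slide's table, so an overdue finding is visible as data rather than as a meeting. The event records are constructed, CloudTrail-style for the cloud events and plain dicts for the scanner findings; the detection rules are illustrative assumptions, and only the category-to-target table is taken from the slide.

```python
"""Triage of security signals against the resolution targets on the slide.

Added example, not the deck's code. Event records are constructed; detection
rules are assumptions; the category-to-target table comes from the slide.
"""
from __future__ import annotations
from datetime import datetime, timedelta

# Resolution targets exactly as listed on the slide.
RESOLUTION_TARGET = {
    "API KEY EXPOSURE": timedelta(hours=8),
    "DEFAULT CONFIGS": timedelta(hours=24),
    "SECURITY GROUPS": timedelta(hours=24),
    "ESCALATION OF PRIVS": timedelta(days=5),
    "KNOWN VULN": timedelta(hours=8),
}


def classify(event: dict) -> str | None:
    """Map one event to a slide category, or None if it needs no ticket.
    The rules are assumptions chosen to illustrate each category once."""
    src = event.get("eventSource")
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    if src == "ec2.amazonaws.com" and name == "AuthorizeSecurityGroupIngress":
        # An ingress rule opened to the whole internet.
        for perm in params.get("ipPermissions", {}).get("items", []):
            for rng in perm.get("ipRanges", {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    return "SECURITY GROUPS"
    if src == "iam.amazonaws.com" and name in ("AttachUserPolicy", "AttachRolePolicy"):
        if params.get("policyArn", "").endswith("/AdministratorAccess"):
            return "ESCALATION OF PRIVS"
    if src == "secret-scanner" and event.get("finding") == "credential-in-repo":
        return "API KEY EXPOSURE"
    if src == "config-audit" and event.get("finding") == "default-setting":
        return "DEFAULT CONFIGS"
    if src == "vuln-scanner" and float(event.get("cvss", 0)) >= 7.0:
        return "KNOWN VULN"
    return None


def triage(events: list[dict], now: datetime) -> list[dict]:
    """Turn raw events into findings carrying a due time and an overdue flag."""
    findings = []
    for ev in events:
        category = classify(ev)
        if category is None:
            continue
        detected = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        due = detected + RESOLUTION_TARGET[category]
        findings.append({"category": category, "detected": detected,
                         "due": due, "overdue": now > due})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"eventTime": "2016-06-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "requestParameters": {"groupId": "sg-0000example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2016-06-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2016-06-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "requestParameters": {}},
    {"eventTime": "2016-06-01T11:30:00Z", "eventSource": "secret-scanner",
     "finding": "credential-in-repo", "repo": "example/app"},
    {"eventTime": "2016-06-01T08:00:00Z", "eventSource": "vuln-scanner",
     "cvss": 4.3, "package": "example-lib"},
    {"eventTime": "2016-05-31T20:00:00Z", "eventSource": "vuln-scanner",
     "cvss": 9.8, "package": "example-lib"},
]


def sample_triage() -> list[dict]:
    """Triage the constructed events as seen at a fixed clock time."""
    return triage(SAMPLE_EVENTS, datetime(2016, 6, 1, 12, 0, 0))


if __name__ == "__main__":
    for f in sample_triage():
        flag = "OVERDUE" if f["overdue"] else ""
        print(f"{f['category']:<20} due {f['due']:%Y-%m-%d %H:%M} {flag}")
```

At the fixed clock time of 12:00 on 2016-06-01 the sample yields four findings; the benign DescribeInstances call and the low-severity vulnerability produce none, and only the 9.8-severity vulnerability detected the previous evening is already past its 8-hour target. Tracking due times this way is what turns the slide's targets into a measurable mean time to resolution instead of an aspiration.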
23
Security Decision Support
24
This Could Be Your Mean Time to Resolution…
MTTR: Days… 6 months
25
Get Involved and Join the Community
• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity