safely removing the last roadblock to continuous delivery


Upload: seniorstoryteller

Post on 14-Apr-2017


TRANSCRIPT

1

Safely Removing the Last Roadblock to Continuous Delivery

Shannon Lietz, Director DevSecOps, Intuit, @devsecops

2

A Traditional Supply Chain (thanks to Henrik Kniberg)

“When will you solve my problem?!! Can we discuss my feedback?”

“(Uh - seatbelts?)”

3

A Customer Centric Supply Chain (thanks to Henrik Kniberg)

“Awesome! When can I bring my kids with me? Does it come in red?”

“Can this be motorized to go faster and for longer trips?”

“Better than walking, for sure… but not by much...”

Shifting left solves problems faster…

4

Google Trends

• Several years after the Agile Manifesto, DevOps.com was registered (2004)

• Google searches for “DevOps” started to rise in 2010

• Major influences:

  – Saving your Infrastructure from DevOps / Chicago Tribune

  – DevOps: A Culture Shift, Not a Technology / Information Week

  – DevOps: A Sharder’s Tale from Etsy

  – DevOps.com articles

• RuggedSoftware.org was registered in 2010

https://www.google.com/trends/

DEVOPS ROCKS!!!

5

What’s the Business benefit?

Business strategy is achieved with the collaboration of all departments and providers in service to the customer, who requires better, faster, cheaper, secure products and services.

DID YOU SAY SECURE ??!!!

6

So what hinders “secure” innovation @ speed & scale?

1. Manual processes & meeting culture
2. Point in time assessments
3. Friction for friction’s sake
4. Contextual misunderstandings
5. Decisions being made outside of value creation
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)...

SECURITY IS LAST MINUTE, UNPLANNED, UNSCHEDULED WORK… BUMMER!!!!

7

“This is the End of Security as We Know It...”

- Josh Corman

8

Traditional Security

Security is Everyone’s Responsibility

DEVSECOPS

It’s time to Culture Hack…

9

[Diagram: DEV / SEC / OPS cycle, with the labels Compliance Operations, Security Operations, Security Science, Security Engineering and AppSec around it]

How do we get started?

10

Secure Software Supply Chain

1. Gating processes are not Deming-like
2. Security is a design constraint
3. Decisions made by engineering teams
4. It’s hard to avoid business catastrophes by applying one-size-fits-all strategies
5. Security defects are more like a security “recall”

[Diagram: design → build → deploy → operate pipeline, with the questions asked at each stage: “How do I secure my app?”, “What component is secure enough?”, “How do I secure secrets for the app?”, “Is my app getting attacked? How?”; the typical gates for security checks & balances sit between the stages. Mistakes and drift often happen after the design and build phases and result in weaknesses and potentially exploits; the most costly mistakes happen during design. Label: faster security feedback loop]

11

Staffing Models

Typical traditional supply chain ratio: 100 Dev : 10 Ops : 1 Sec

DevOps staffing: 15 Teams+ / Governance

12

Simplifying Security for the Masses

• Everyone knows Maslow…

• If you can remember 5 things, remember these ->

“Apps & data are as safe as where you put it, what’s in it, how you inspect it, who talks to it, and how it’s protected…”

13

Reasonable Security was recently defined for California within the 2016 California Data Breach Report.

“The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”

Why Governance?

14

Migrating Security to the Left…

[Diagram, repeated from slide 10: design → build → deploy → operate pipeline with the per-stage questions “How do I secure my app?”, “What component is secure enough?”, “How do I secure secrets for the app?”, “Is my app getting attacked? How?”; typical gates for security checks & balances. Mistakes and drift often happen after the design and build phases and result in weaknesses and potentially exploits; the most costly mistakes happen during design. Label: faster security feedback loop]

Security is a Design Constraint

15

Monitor & Inspect Everything

[Diagram: cloud accounts (S3, Glacier, EC2, CloudTrail) → ingestion → security tools & data → security science → insights, with threat intel feeding in; a security feedback loop drives continuous response. Callout: SPEED MATTERS]

operate
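The ingestion-to-response loop sketched on this slide, as an added example that is not from the talk or from Intuit: a minimal rule pass over constructed CloudTrail-style records that turns two of the finding classes the Red Team slide later names (security groups, escalation of privs) into findings for the response loop. Field names and nesting follow CloudTrail's documented record format; the account id, principals, security group id and the rule set are constructed assumptions.

```python
# Constructed CloudTrail-style records (hypothetical account id and principals, not real data);
# field names and nesting follow CloudTrail's documented record format.
SAMPLE_EVENTS = [
    {"eventTime": "2017-04-14T10:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
     "requestParameters": {"groupId": "sg-0000aaaa", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2017-04-14T10:05:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-bob"},
     "requestParameters": {"userName": "svc-build",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2017-04-14T10:06:00Z", "eventName": "DescribeInstances",  # benign read
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-bob"}, "requestParameters": {}},
]
ADMIN_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess"}

def open_ingress(rec):
    """'Security groups' class: an ingress rule opened to the whole Internet."""
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = rec.get("requestParameters") or {}
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return "%s open to 0.0.0.0/0 on %s/%s-%s" % (params.get("groupId"),
                    perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort"))
    return None

def admin_policy_attached(rec):
    """'Escalation of privs' class: a full-admin managed policy attached to a principal."""
    params = rec.get("requestParameters") or {}
    if (rec.get("eventName") not in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy")
            or params.get("policyArn") not in ADMIN_POLICIES):
        return None
    target = params.get("userName") or params.get("roleName") or params.get("groupName")
    return "%s attached to %s" % (params["policyArn"], target)

RULES = {"security groups": open_ingress, "escalation of privs": admin_policy_attached}

def triage(records):
    """Run every rule over every record; each hit is one finding with its actor and time."""
    findings = []
    for rec in records:
        for category, rule in RULES.items():
            detail = rule(rec)
            if detail:
                findings.append({"category": category, "detail": detail,
                                 "time": rec["eventTime"], "actor": rec["userIdentity"]["arn"]})
    return findings
```

A real pipeline would read CloudTrail's gzipped JSON batches from the S3 bucket shown on the slide rather than an inline list, and hand each finding to whatever paging or ticketing the continuous-response loop uses.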

16

deploy

Safe Continuous Deployment

[Diagram: Internet → Cloud Provider Network (Backbone) → Cloud Platform (Orchestration: Network, Compute, Storage) → Cloud Account(s) holding Load Balancers, Compute Instances, VPCs, Block Storage, Object Storage, Relational Databases, NoSQL Databases, Containers, Content Acceleration, Messaging, Email, Utilities, Key Management, API/Templates, Certificate Management and Partner Platform; Deployment Bundles in S3; Artifacts in Nexus/S3]

safe deployment process / secured accounts & services

17

build

Fanatical Security Testing

[Diagram: dynamic, run-time and static testing applied to UX & Interfaces, Micro Services, Web Services, Code, CFn Templates, Build Artifacts, Deployment Packages, Resources, Patterns & Baselines, Security Groups and Account Configuration; Real-Time Updates flow back into Patterns & Baselines]

18

design

Secure Baselines & Patterns

[Diagram: templates, resources, patterns and services; Security Monitoring; Egress Proxy CFn Template; Bastion CFn Template; Secure VPC CFn Template; CloudTrail CFn Template; Secrets Bundle; MarketPlace]

19

What’s this look like in practice?

20

Red Team, Security Operations & Science

API KEY EXPOSURE -> 8 HRS

DEFAULT CONFIGS -> 24 HRS

SECURITY GROUPS -> 24 HRS

ESCALATION OF PRIVS -> 5 D

KNOWN VULN -> 8 HRS

21

Compliance Operations as Continuous Improvement

https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf

22

Security Decision Support

23

This could be your MTTR…

MTTR: Days… 6 months

24

Get Involved and Join the Community

• devsecops.org

• @devsecops on Twitter

• DevSecOps on LinkedIn

• DevSecOps on Github

• RuggedSoftware.org

• Compliance at Velocity