the rise of devsecops - fabian lim - devsecopssg
TRANSCRIPT
The Rise of DevSecOps
Fabian Lim
/about
• DevSecOps Engineer
  – 1.5 years
  – Culture Hacking
  – Passion in Infrastructure and Operations
• Carnegie Mellon University
  – MSc Information Security Policy and Management
• Singapore Management University
  – BSc Information Systems
• Gym, Krav Maga enthusiast
/journey
1. DevSecOps Engineer
2. Open-Source Projects
3. Red Team
4. Culture Hacking
5. Security Defect Reporting & Metrics
/peek
• A Peek into My Everyday
  – Development and maintenance of in-house tools using experiments
  – Security knowledge is essential to identify security flaws
  – Operations know-how of our own infrastructure so it is resilient
• Red Team Monday is awesome!
• Blue Team All-Day is cool too!
/mindset
• Collaboration Focus
• Open and Transparent
• Prefer Shiteration over Perfection
• (Actively) “Hunting” mode over Reactive mode
• What keeps you up at night?
/how
• Everyone – needs to get their hands dirty at code
• Can-do Agile Attitude – Fail Fast, Crawl Walk Run
• Culture – Everyone is responsible for Security
• Red Teaming – Crucial to move the ‘urgency’ needle
• Metrics – to report, show trends
/why
• Passion
• Revolutionary Way of Doing Security
• Works and Improves the Security Posture of the Company
• I Want to be Worked WITH Rather Than AGAINST
/open_source_projects
• GOAL: Get developers to be involved and contribute to your security tools
• EFFECT: Working together
• RESULT: Secure Company-Wide Projects
/culture
• TRADITION: Security Team vs. Development Team
• GOAL: We are all one – there is no ‘them’ and ‘us’
• METHOD: Security Understands Developers and Helps to Solve Security Issues Together, not Blaming
• RESULT: Shared Sense of Responsibility
/red_team
• TARGET: Low-Hanging Fruit
• EFFECT: A Method to Convince Management
• RESULT: Increases Focus and Resources on Security
/security_defect_reporting
• GOAL: Measure State of Security
• EFFECT: Management sees resources used effectively
• RESULT: Significantly improve Visibility on Security Performance
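The slides ask for metrics that measure the state of security and show trends to management, but do not say which ones. The script below is an added example, not the speaker's tooling: it runs over a constructed list of security defects (fictional ids, teams and dates) and computes three metrics that are my own assumed choices for such a report: open defects by severity, mean time to remediate, and SLA breaches against an illustrative per-severity SLA, plus a weekly open-count series that is the trend line to plot.

```python
"""Security-defect metrics over a constructed defect list.

Added example: the sample data, the SLA table and the metric definitions
are assumptions for illustration, not the talk's own tooling.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: severity, owning team, date found, date fixed (None = still open).
DEFECTS = [
    {"id": "SD-1", "severity": "high",   "team": "payments", "found": date(2017, 3, 1),  "fixed": date(2017, 3, 4)},
    {"id": "SD-2", "severity": "medium", "team": "payments", "found": date(2017, 3, 2),  "fixed": date(2017, 3, 20)},
    {"id": "SD-3", "severity": "high",   "team": "web",      "found": date(2017, 3, 6),  "fixed": None},
    {"id": "SD-4", "severity": "low",    "team": "web",      "found": date(2017, 3, 8),  "fixed": date(2017, 3, 9)},
    {"id": "SD-5", "severity": "high",   "team": "web",      "found": date(2017, 3, 13), "fixed": date(2017, 3, 15)},
    {"id": "SD-6", "severity": "medium", "team": "infra",    "found": date(2017, 3, 14), "fixed": None},
    {"id": "SD-7", "severity": "low",    "team": "infra",    "found": date(2017, 3, 21), "fixed": None},
]

# Assumed remediation SLA in days per severity (illustrative, not a standard).
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}


def open_by_severity(defects, as_of):
    """Count defects that were open on the day `as_of`, keyed by severity."""
    counts = defaultdict(int)
    for d in defects:
        if d["found"] <= as_of and (d["fixed"] is None or d["fixed"] > as_of):
            counts[d["severity"]] += 1
    return dict(counts)


def mean_time_to_remediate(defects, severity=None):
    """Mean days from found to fixed over closed defects, optionally for one severity.

    Returns None when nothing in scope has been closed yet, so the caller
    does not mistake "no data" for "zero days".
    """
    durations = [
        (d["fixed"] - d["found"]).days
        for d in defects
        if d["fixed"] is not None and (severity is None or d["severity"] == severity)
    ]
    return sum(durations) / len(durations) if durations else None


def sla_breaches(defects, as_of):
    """Ids of defects fixed after their SLA, or still open past it on `as_of`."""
    late = []
    for d in defects:
        end = d["fixed"] if d["fixed"] is not None else as_of
        if (end - d["found"]).days > SLA_DAYS[d["severity"]]:
            late.append(d["id"])
    return late


def weekly_trend(defects, start, weeks):
    """Open-defect count at the end of each week after `start`: the series to plot."""
    series = []
    for w in range(weeks):
        as_of = start + timedelta(days=7 * (w + 1))
        series.append((as_of.isoformat(), sum(open_by_severity(defects, as_of).values())))
    return series


if __name__ == "__main__":
    today = date(2017, 3, 22)  # constructed reporting date
    print("open by severity:", open_by_severity(DEFECTS, today))
    print("MTTR (all):", mean_time_to_remediate(DEFECTS), "days")
    print("MTTR (high):", mean_time_to_remediate(DEFECTS, "high"), "days")
    print("SLA breaches:", sla_breaches(DEFECTS, today))
    for week_end, n_open in weekly_trend(DEFECTS, date(2017, 2, 28), 3):
        print(f"open at {week_end}: {n_open}")
```

The weekly series is what turns a one-off count into a trend: a rising open count with a flat MTTR says defects are being found faster than fixed, while a falling count with a shrinking breach list is the "resources used effectively" story the slide is after.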
/references
• devsecops.org
• github.com/devsecops/bootcamp
• @3jmaster
• http://www.devsecops.org/blog?tag=DevSecOps+Explained
/gracias