Why DevOps != the Wild West and How Embracing it Can Improve Security
Dan Cundiff (@pmotch)Target Corporation
A true story about saying NO to DevOps
Empathizing with the wild west POV
Us vs them
The Local Optima problem
Dev incentive: speed of shipping
Ops incentive: availability
Ops thinks actions by Dev to ↑ speed of shipping means availability ↓
Dev thinks actions by Ops to ↑ availability means speed of shipping ↓
Security thinks actions by Dev to ↑ speed of shipping means security ↓
Dev thinks actions by Security to ↑ security means speed of shipping ↓
“A system of local optimums is not an optimum system at all; it is a very inefficient system.”
So how can we have both?
Dev + Ops + SecOps = DevOpsSec
Examples across the CALMS spectrum: Culture, Automation, Lean, Measurement, Sharing
Continuous integration + code scanning
Continuous integration + vulnerability scanning
CI encourages smaller changes, making it easier to spot security issues
Social coding = who changed what, when, and why (git blame + pull request commentary)
Social coding = a pull request is a code review
Social coding = PRs seeking +1s from security partners
Social coding = the ability to ask questions on any line of code
Security documentation as code
The security team’s processes and tools need to be responsive to CI/CD
(e.g. file integrity monitoring (FIM) that can be reconfigured continuously rather than quarterly)
Give security access to your backlogs; tag commits with issue IDs
ChatOps, conversation-driven development, stitching in security events, security teams listening and talking, etc.
Dev and Ops sharing metrics/logs
Better coverage; melds silos of responsibility
Blameless post mortems, even for security
https://codeascraft.com/2012/05/22/blameless-postmortems/
Infrastructure-as-code = fast, testable mass patches
Infrastructure-as-code = knowing if a security change broke the app
Infrastructure-as-code = a clear state of security config
We need APIs to security vendor products
http://devops.com/blogs/devops-a-wake-up-call-to-security-vendors/
Auditors like it.*
Reduced human involvement.
Share what you’re learning and doing inside and outside of the company.
Leaders, think Kaizen. Value all employees’ ideas across Dev and Sec/Ops.
Leaders, find the risk takers pioneering this, and protect them.
Pioneers, find your forward-thinking security partners and bring them along with you.
Thanks!