SlideShare a Scribd company logo

DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann

Download as PPTX, PDF
Freek Kauffmann
Freek Kauffmann

How to create a constructive force field between DevOps engineers and hackers? NOTE: Slide 4 ('Vision on IT Security') has been altered in hindsight. For questions, please contact me directly: +316 457 61 857

Technology
1 of 23
Lazy hackers who think out of the box, but stay in the box... Freek Kauffmann Security Consultant ITQ S-Unit
Lazy hackers who think out of the box, but stay in the box...
Freek Kauffmann • Nerd • DevOps Engineer • Security Consultant • Business Developer • Senior Coach • Business Unit Manager
Vision on IT security Defense Offence Bolt on Integrate d Role Team Awareness DNA
”Hackers” defined • There are many definitions. • “Hacking” defined for this presentation: ”Technical security specialists who are hired to apply their offensive mind-set to improve digital resilience.”
Hackers & DevOps Engineers: similar Animals of the same type: • Highly skilled • Highly creative • Allergic to doing the same thing trice, hence, lazy. • Love complex problems
50% 30% 15% 5% Testing User acceptance Development Production
Intrinsically improving security 50% 30% 15% 5% Testing User acceptance Developmen t Production Non-stop pentesting (infrastructure & application)
Intrinsically improving security 50% 10% 9% 1% 30% Testing User acceptan ce Developmen t Production Non-stop pentesting (infrastructure & application)
Intrinsically improving security 50% 10% 9% 1% Testing User acceptan ce Developmen t Production Non-stop pentesting (infrastructure & application) Architecture review Code review DevOps 30%
Non-stop Offensive Security Monitoring • Adding new tests continuously. • Non-stop verification of previous findings. • Executing security tests automatically at every commit. • Integrated in continuous delivery tooling & processes.
Less time spent on: • Pre-sales from external suppliers • Initiating projects • Infrastructure pentesting • Doing (boring) stuff manually
Allows for: • More time for fun creative work • More time for application pentesting • More time for automating security testing • Saving cost • Lowering operational risk
Hackers & DevOps Engineers: Similar, yet different DevOps Team Red Team
Red Team • Build to break • Independent • Hack to destroy • Specialists (security) • Outward focus (monitoring trends) • Want root
DevOps Team • Build to last • Interdependent • Hack to create • Generalists • Inward focus (getting changes to production) • Are root
Think inside the box… DevOps engineer
Think out of the box… DevOps engineer Out of the box thinking
Think out of the box… DevOps engineer Out of the box thinking
Think out of the box… DevOps engineer Out of the box thinking
Think out of the box… DevOps engineer Out of the box thinking Back in the box
But stay in the box! • Technology – Using same tooling • Processes – Seamlessly joining in existing processes • People – Close cooperation between builders & breakers
Questions? FreekKauffmann ITQ S-Unit +316 457 61 857

Recommended

Continuous Security Testing - DevSecCon
Continuous Security Testing - DevSecConContinuous Security Testing - DevSecCon
Continuous Security Testing - DevSecConStephen de Vries
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon
 
Introduction To Continuous Integration
Introduction To Continuous IntegrationIntroduction To Continuous Integration
Introduction To Continuous IntegrationChristopher Read
 
Shifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailShifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailDevSecCon
 
BSides Vienna 2015
BSides Vienna 2015BSides Vienna 2015
BSides Vienna 2015Daniel Liber
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24
 
Continuous Integration and Builds
Continuous Integration and BuildsContinuous Integration and Builds
Continuous Integration and BuildsBhavin Javia
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of ITCloudPassage
 

Recommended

Continuous Security Testing - DevSecCon
Continuous Security Testing - DevSecConContinuous Security Testing - DevSecCon
Continuous Security Testing - DevSecConStephen de Vries
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon
 
Introduction To Continuous Integration
Introduction To Continuous IntegrationIntroduction To Continuous Integration
Introduction To Continuous IntegrationChristopher Read
 
Shifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailShifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailDevSecCon
 
BSides Vienna 2015
BSides Vienna 2015BSides Vienna 2015
BSides Vienna 2015Daniel Liber
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24
 
Continuous Integration and Builds
Continuous Integration and BuildsContinuous Integration and Builds
Continuous Integration and BuildsBhavin Javia
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of ITCloudPassage
 
Debugging distributed systems
Debugging distributed systemsDebugging distributed systems
Debugging distributed systemsBert Jan Schrijver
 
From monitoring to automated testing, Jesse Reynolds, Puppet
From monitoring to automated testing, Jesse Reynolds, PuppetFrom monitoring to automated testing, Jesse Reynolds, Puppet
From monitoring to automated testing, Jesse Reynolds, PuppetPuppet
 
Shift Testability
Shift TestabilityShift Testability
Shift TestabilityAsh Winter
 
Continuous integration, delivery & deployment
Continuous integration, delivery & deploymentContinuous integration, delivery & deployment
Continuous integration, delivery & deploymentMartijn van der Kamp
 
The Unlikely Couple, DevOps and Security. Can it work?
The Unlikely Couple, DevOps and Security. Can it work?The Unlikely Couple, DevOps and Security. Can it work?
The Unlikely Couple, DevOps and Security. Can it work?Todd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
Skills Matter DevSecOps eXchange Forum 2022 - Software architecture in a DevO...
Skills Matter DevSecOps eXchange Forum 2022 - Software architecture in a DevO...Skills Matter DevSecOps eXchange Forum 2022 - Software architecture in a DevO...
Skills Matter DevSecOps eXchange Forum 2022 - Software architecture in a DevO...Bert Jan Schrijver
 
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon
 
Continuous Deployment of Rails Applications
Continuous Deployment of Rails ApplicationsContinuous Deployment of Rails Applications
Continuous Deployment of Rails ApplicationsDiane Cessna
 
Being a Professional Software Developer
Being a Professional Software DeveloperBeing a Professional Software Developer
Being a Professional Software DeveloperAnton Keks
 
Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24
 
JavaLand 2022 - Debugging distributed systems
JavaLand 2022 - Debugging distributed systemsJavaLand 2022 - Debugging distributed systems
JavaLand 2022 - Debugging distributed systemsBert Jan Schrijver
 
Software architecture in a DevOps world
Software architecture in a DevOps worldSoftware architecture in a DevOps world
Software architecture in a DevOps worldBert Jan Schrijver
 
TDC 2021 - Better software, faster: Principles of Continuous Delivery and DevOps
TDC 2021 - Better software, faster: Principles of Continuous Delivery and DevOpsTDC 2021 - Better software, faster: Principles of Continuous Delivery and DevOps
TDC 2021 - Better software, faster: Principles of Continuous Delivery and DevOpsBert Jan Schrijver
 
Continuous Deployment
Continuous DeploymentContinuous Deployment
Continuous DeploymentTimothy Fitz
 
Continuous Integration, the minimum viable product
Continuous Integration, the minimum viable productContinuous Integration, the minimum viable product
Continuous Integration, the minimum viable productJulian Simpson
 
Driving application development through behavior driven development
Driving application development through behavior driven developmentDriving application development through behavior driven development
Driving application development through behavior driven developmentEinar Ingebrigtsen
 
NYC MeetUp 10.9
NYC MeetUp 10.9NYC MeetUp 10.9
NYC MeetUp 10.9Solano Labs
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSeniorStoryteller
 
Continuous Integration at T3CON08
Continuous Integration at T3CON08Continuous Integration at T3CON08
Continuous Integration at T3CON08Sebastian Kurfürst
 
Software architecture in a DevOps world
Software architecture in a DevOps worldSoftware architecture in a DevOps world
Software architecture in a DevOps worldBert Jan Schrijver
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical ApproachJeremy Brown
 
Testing and DevOps Culture: Lessons Learned
Testing and DevOps Culture: Lessons LearnedTesting and DevOps Culture: Lessons Learned
Testing and DevOps Culture: Lessons LearnedLB Denker
 

More Related Content

What's hot

From monitoring to automated testing, Jesse Reynolds, Puppet
From monitoring to automated testing, Jesse Reynolds, PuppetFrom monitoring to automated testing, Jesse Reynolds, Puppet
From monitoring to automated testing, Jesse Reynolds, PuppetPuppet
 
Shift Testability
Shift TestabilityShift Testability
Shift TestabilityAsh Winter
 
Continuous integration, delivery & deployment
Continuous integration, delivery & deploymentContinuous integration, delivery & deployment
Continuous integration, delivery & deploymentMartijn van der Kamp
 
Skills Matter DevSecOps eXchange Forum 2022 - Software architecture in a DevO...
Skills Matter DevSecOps eXchange Forum 2022 - Software architecture in a DevO...Skills Matter DevSecOps eXchange Forum 2022 - Software architecture in a DevO...
Skills Matter DevSecOps eXchange Forum 2022 - Software architecture in a DevO...Bert Jan Schrijver
 
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon
 
Continuous Deployment of Rails Applications
Continuous Deployment of Rails ApplicationsContinuous Deployment of Rails Applications
Continuous Deployment of Rails ApplicationsDiane Cessna
 
Being a Professional Software Developer
Being a Professional Software DeveloperBeing a Professional Software Developer
Being a Professional Software DeveloperAnton Keks
 
Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24
 
JavaLand 2022 - Debugging distributed systems
JavaLand 2022 - Debugging distributed systemsJavaLand 2022 - Debugging distributed systems
JavaLand 2022 - Debugging distributed systemsBert Jan Schrijver
 
Software architecture in a DevOps world
Software architecture in a DevOps worldSoftware architecture in a DevOps world
Software architecture in a DevOps worldBert Jan Schrijver
 
TDC 2021 - Better software, faster: Principles of Continuous Delivery and DevOps
TDC 2021 - Better software, faster: Principles of Continuous Delivery and DevOpsTDC 2021 - Better software, faster: Principles of Continuous Delivery and DevOps
TDC 2021 - Better software, faster: Principles of Continuous Delivery and DevOpsBert Jan Schrijver
 
Continuous Deployment
Continuous DeploymentContinuous Deployment
Continuous DeploymentTimothy Fitz
 
Continuous Integration, the minimum viable product
Continuous Integration, the minimum viable productContinuous Integration, the minimum viable product
Continuous Integration, the minimum viable productJulian Simpson
 
Driving application development through behavior driven development
Driving application development through behavior driven developmentDriving application development through behavior driven development
Driving application development through behavior driven developmentEinar Ingebrigtsen
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSeniorStoryteller
 
Continuous Integration at T3CON08
Continuous Integration at T3CON08Continuous Integration at T3CON08
Continuous Integration at T3CON08Sebastian Kurfürst
 
Software architecture in a DevOps world
Software architecture in a DevOps worldSoftware architecture in a DevOps world
Software architecture in a DevOps worldBert Jan Schrijver
 

What's hot (20)

Debugging distributed systems
Debugging distributed systemsDebugging distributed systems
Debugging distributed systems
 
From monitoring to automated testing, Jesse Reynolds, Puppet
From monitoring to automated testing, Jesse Reynolds, PuppetFrom monitoring to automated testing, Jesse Reynolds, Puppet
From monitoring to automated testing, Jesse Reynolds, Puppet
 
Shift Testability
Shift TestabilityShift Testability
Shift Testability
 
Continuous integration, delivery & deployment
Continuous integration, delivery & deploymentContinuous integration, delivery & deployment
Continuous integration, delivery & deployment
 
The Unlikely Couple, DevOps and Security. Can it work?
The Unlikely Couple, DevOps and Security. Can it work?The Unlikely Couple, DevOps and Security. Can it work?
The Unlikely Couple, DevOps and Security. Can it work?
 
Skills Matter DevSecOps eXchange Forum 2022 - Software architecture in a DevO...
Skills Matter DevSecOps eXchange Forum 2022 - Software architecture in a DevO...Skills Matter DevSecOps eXchange Forum 2022 - Software architecture in a DevO...
Skills Matter DevSecOps eXchange Forum 2022 - Software architecture in a DevO...
 
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
 
Continuous Deployment of Rails Applications
Continuous Deployment of Rails ApplicationsContinuous Deployment of Rails Applications
Continuous Deployment of Rails Applications
 
Being a Professional Software Developer
Being a Professional Software DeveloperBeing a Professional Software Developer
Being a Professional Software Developer
 
Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...
 
JavaLand 2022 - Debugging distributed systems
JavaLand 2022 - Debugging distributed systemsJavaLand 2022 - Debugging distributed systems
JavaLand 2022 - Debugging distributed systems
 
Software architecture in a DevOps world
Software architecture in a DevOps worldSoftware architecture in a DevOps world
Software architecture in a DevOps world
 
TDC 2021 - Better software, faster: Principles of Continuous Delivery and DevOps
TDC 2021 - Better software, faster: Principles of Continuous Delivery and DevOpsTDC 2021 - Better software, faster: Principles of Continuous Delivery and DevOps
TDC 2021 - Better software, faster: Principles of Continuous Delivery and DevOps
 
Continuous Deployment
Continuous DeploymentContinuous Deployment
Continuous Deployment
 
Continuous Integration, the minimum viable product
Continuous Integration, the minimum viable productContinuous Integration, the minimum viable product
Continuous Integration, the minimum viable product
 
Driving application development through behavior driven development
Driving application development through behavior driven developmentDriving application development through behavior driven development
Driving application development through behavior driven development
 
NYC MeetUp 10.9
NYC MeetUp 10.9NYC MeetUp 10.9
NYC MeetUp 10.9
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security Solutions
 
Continuous Integration at T3CON08
Continuous Integration at T3CON08Continuous Integration at T3CON08
Continuous Integration at T3CON08
 
Software architecture in a DevOps world
Software architecture in a DevOps worldSoftware architecture in a DevOps world
Software architecture in a DevOps world
 

Similar to DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann

ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical ApproachJeremy Brown
 
Testing and DevOps Culture: Lessons Learned
Testing and DevOps Culture: Lessons LearnedTesting and DevOps Culture: Lessons Learned
Testing and DevOps Culture: Lessons LearnedLB Denker
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Toolscentralohioissa
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauroMatt Tesauro
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 
ShiftGearsWithInformationSecurity.pdf
ShiftGearsWithInformationSecurity.pdfShiftGearsWithInformationSecurity.pdf
ShiftGearsWithInformationSecurity.pdfSteven Carlson
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
 
Continuous delivery is more than dev ops
Continuous delivery is more than dev opsContinuous delivery is more than dev ops
Continuous delivery is more than dev opsAgile Montréal
 
A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application SecurityChristian Martorella
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012Nick Galbreath
 
DevoxxUK 2019 - Better software, faster.
DevoxxUK 2019 - Better software, faster.DevoxxUK 2019 - Better software, faster.
DevoxxUK 2019 - Better software, faster.Bert Jan Schrijver
 
Devoxx Belgium 2019 - Better software, faster: Principles of Continuous Deliv...
Devoxx Belgium 2019 - Better software, faster: Principles of Continuous Deliv...Devoxx Belgium 2019 - Better software, faster: Principles of Continuous Deliv...
Devoxx Belgium 2019 - Better software, faster: Principles of Continuous Deliv...Bert Jan Schrijver
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon
 

Similar to DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann (20)

ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical Approach
 
Testing and DevOps Culture: Lessons Learned
Testing and DevOps Culture: Lessons LearnedTesting and DevOps Culture: Lessons Learned
Testing and DevOps Culture: Lessons Learned
 
Owasp tds
Owasp tdsOwasp tds
Owasp tds
 
Enterprise PHP
Enterprise PHPEnterprise PHP
Enterprise PHP
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
Kku2011
Kku2011Kku2011
Kku2011
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
Kku2011
Kku2011Kku2011
Kku2011
 
DevOps intro
DevOps introDevOps intro
DevOps intro
 
Product Security
Product SecurityProduct Security
Product Security
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
ShiftGearsWithInformationSecurity.pdf
ShiftGearsWithInformationSecurity.pdfShiftGearsWithInformationSecurity.pdf
ShiftGearsWithInformationSecurity.pdf
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
Continuous delivery is more than dev ops
Continuous delivery is more than dev opsContinuous delivery is more than dev ops
Continuous delivery is more than dev ops
 
A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application Security
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
 
DevoxxUK 2019 - Better software, faster.
DevoxxUK 2019 - Better software, faster.DevoxxUK 2019 - Better software, faster.
DevoxxUK 2019 - Better software, faster.
 
Devoxx Belgium 2019 - Better software, faster: Principles of Continuous Deliv...
Devoxx Belgium 2019 - Better software, faster: Principles of Continuous Deliv...Devoxx Belgium 2019 - Better software, faster: Principles of Continuous Deliv...
Devoxx Belgium 2019 - Better software, faster: Principles of Continuous Deliv...
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim Mackey
 

Recently uploaded

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 

Recently uploaded (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

DevOps Security Coffee - Lazy hackers who think out of the box, but stay in the box... - Freek Kauffmann

  • 1. Lazy hackers who think out of the box, but stay in the box... Freek Kauffmann Security Consultant ITQ S-Unit
  • 2. Lazy hackers who think out of the box, but stay in the box...
  • 3. Freek Kauffmann • Nerd • DevOps Engineer • Security Consultant • Business Developer • Senior Coach • Business Unit Manager
  • 4. Vision on IT security Defense Offence Bolt on Integrate d Role Team Awareness DNA
  • 5. ”Hackers” defined • There are many definitions. • “Hacking” defined for this presentation: ”Technical security specialists who are hired to apply their offensive mind-set to improve digital resilience.”
  • 6. Hackers & DevOps Engineers: similar Animals of the same type: • Highly skilled • Highly creative • Allergic to doing the same thing trice, hence, lazy. • Love complex problems
  • 7. 50% 30% 15% 5% Testing User acceptance Development Production
  • 8. Intrinsically improving security 50% 30% 15% 5% Testing User acceptance Developmen t Production Non-stop pentesting (infrastructure & application)
  • 9. Intrinsically improving security 50% 10% 9% 1% 30% Testing User acceptan ce Developmen t Production Non-stop pentesting (infrastructure & application)
  • 10. Intrinsically improving security 50% 10% 9% 1% Testing User acceptan ce Developmen t Production Non-stop pentesting (infrastructure & application) Architecture review Code review DevOps 30%
  • 11. Non-stop Offensive Security Monitoring • Adding new tests continuously. • Non-stop verification of previous findings. • Executing security tests automatically at every commit. • Integrated in continuous delivery tooling & processes.
  • 12. Less time spent on: • Pre-sales from external suppliers • Initiating projects • Infrastructure pentesting • Doing (boring) stuff manually
  • 13. Allows for: • More time for fun creative work • More time for application pentesting • More time for automating security testing • Saving cost • Lowering operational risk
  • 14. Hackers & DevOps Engineers: Similar, yet different DevOps Team Red Team
  • 15. Red Team • Build to break • Independent • Hack to destroy • Specialists (security) • Outward focus (monitoring trends) • Want root
  • 16. DevOps Team • Build to last • Interdependent • Hack to create • Generalists • Inward focus (getting changes to production) • Are root
  • 17. Think inside the box… DevOps engineer
  • 18. Think out of the box… DevOps engineer Out of the box thinking
  • 19. Think out of the box… DevOps engineer Out of the box thinking
  • 20. Think out of the box… DevOps engineer Out of the box thinking
  • 21. Think out of the box… DevOps engineer Out of the box thinking Back in the box
  • 22. But stay in the box! • Technology – Using same tooling • Processes – Seamlessly joining in existing processes • People – Close cooperation between builders & breakers
  • 23. Questions? FreekKauffmann ITQ S-Unit +316 457 61 857