How to create a constructive force field between DevOps engineers and hackers?
NOTE: Slide 4 ('Vision on IT Security') has been altered in hindsight.
For questions, please contact me directly: +316 457 61 857
3. Freek Kauffmann
• Nerd
• DevOps Engineer
• Security Consultant
• Business Developer
• Senior Coach
• Business Unit Manager
4. Vision on IT security
Diagram labels: Defense / Offence; Bolt on / Integrated; Role / Team; Awareness / DNA
5. ”Hackers” defined
• There are many definitions.
• “Hacking” defined for this presentation: ”Technical security specialists who are hired to apply their offensive mind-set to improve digital resilience.”
6. Hackers & DevOps Engineers: similar
Animals of the same type:
• Highly skilled
• Highly creative
• Allergic to doing the same thing thrice, hence lazy.
• Love complex problems
7. Chart labels: 50% 30% 15% 5%; Testing, User acceptance, Development, Production
8. Intrinsically improving security
Chart labels: 50% 30% 15% 5%; Testing, User acceptance, Development, Production; Non-stop pentesting (infrastructure & application)
9. Intrinsically improving security
Chart labels: 50% 10% 9% 1% 30%; Testing, User acceptance, Development, Production; Non-stop pentesting (infrastructure & application)
10. Intrinsically improving security
Chart labels: 50% 10% 9% 1% 30%; Testing, User acceptance, Development, Production; Non-stop pentesting (infrastructure & application); Architecture review; Code review; DevOps
11. Non-stop Offensive Security Monitoring
• Adding new tests continuously.
• Non-stop verification of previous findings.
• Executing security tests automatically at every commit.
• Integrated in continuous delivery tooling & processes.
12. Less time spent on:
• Pre-sales from external suppliers
• Initiating projects
• Infrastructure pentesting
• Doing (boring) stuff manually
13. Allows for:
• More time for fun creative work
• More time for application pentesting
• More time for automating security testing
• Saving cost
• Lowering operational risk
14. Hackers & DevOps Engineers: similar, yet different
Diagram labels: DevOps Team / Red Team
15. Red Team
• Build to break
• Independent
• Hack to destroy
• Specialists (security)
• Outward focus (monitoring trends)
• Want root
16. DevOps Team
• Build to last
• Interdependent
• Hack to create
• Generalists
• Inward focus (getting changes to production)
• Are root
18. Think out of the box…
Diagram labels: DevOps engineer; Out of the box thinking
21. Think out of the box…
Diagram labels: DevOps engineer; Out of the box thinking; Back in the box
22. But stay in the box!
• Technology
– Using same tooling
• Processes
– Seamlessly joining in existing processes
• People
– Close cooperation between builders & breakers