First presented at Cloud Security World in Boston on June 15th, 2016. Once upon a time, walls were erected between the Linux/UNIX crowd, Windows admins and the mainframers. Each architecture had its place and its experts, and they rarely mixed. This time around, we didn’t just get a new domain, we got a new way of doing IT and running businesses. Cloud has created new opportunities and DevOps has capitalized on them. The result of this combination is so unrecognizable that it isn’t uncommon to see IT organizations split down the middle by the new and old approaches. As DevOps continues to gain in popularity, the same split is occurring in the security workforce. Will the traditional security practitioner be in danger of becoming obsolete?

1. Cloud, DevOps and the New Security
Practitioner
15, June 2016
1:30PM
Adrian Sanabria
Senior Security Analyst
451 Research
To get a copy of these slides, send an
email to sawaba@zip.sh with CSW2016
in the subject line or scan this QR code

2. Slide 2
Why are we here?
 IT changes fast. Attackers change fast. Defenders don’t.
 IT is changing
 Attackers are adapting
 The security discipline is diverging

3. Slide 3
Understanding security’s role by
understanding IT
Traditional approach to security:
 Security is always a secondary or enabling layer
 Security must have direct knowledge and experience
with the underlying layer in order to be effective at
protecting it or recommending feasible solutions
 Direct experience in core technical disciplines goes a
long way in earning respect and cooperation
Physical
Security
OS
Layer
Network
Layer
Service
Desk
Dev, QA,
Test
Web/App
Layer
Ops

4. Slide 4
Understanding security’s role by
understanding IT
Issues with the traditional approach:
 Few security teams can ever be ‘well-rounded’ enough
 Security team isn’t qualified to advise much of IT
 Adversarial/dysfunctional relationships common
 IT changes often; attackers adapt quickly
 Defenders and security tools adapt slowly
Physical
Security
OS
Layer
Network
Layer
Service
Desk
Dev, QA,
Test
Web/App
Layer
Ops

5. Slide 5
Security
Security’s changing role
An example: going ‘cloud-first’
 Lower-level IT layers are outsourced
 Most security practitioner knowledge lies in these layers
 Infrastructure-heavy security skillsets lose value
 Concept of bi-modal IT further confuses things
 As IT changes, so must security
Physical
Security
OS
Layer
Network
Layer
Service
Desk
Dev, QA,
Test
Web/App
Layer
Ops

6. Slide 6
Security’s changing role
Cloud and DevOps – an opportunity to redesign security:
 Smaller ‘well-rounded’ groups
 Dev, ops, infrastructure and security roles are shared
 Everyone working towards a clear, common goal
 Relationship between security and developers is crucial
 Security can’t impact delivery schedule
Physical
OS
Layer
Network
Layer
Service
Desk
Dev, QA, Test;
Web/App Layer; Ops
Security

7. Slide 7
Questions
What should security’s future role be?
 Security is redistributed into IT for all operational tasks
 Dedicated security staff performs
 high-level design, design/architectural input
 monitor changes in risk/attackers/landscape
 instruct/consult individual SMEs as needed
Physical
OS
Layer
Network
Layer
Service
Desk
Dev, QA, Test;
Web/App Layer; Ops
Security
SME
Internal Security Team
Security
SME
Security
SME
Security
SME

8. Slide 8
Increasingly, software resembles these
principles
Yesterday, Chef announced Habitat
https://www.chef.io/blog/2016/06/14/introducing-habitat/
So… what’s up with the yin/yang visual metaphor?
…and where’s security?
Sec
analysts are
too

9. Slide 9
Chef Habitat, your latest shadow IT problem

10. Slide 10
New rule: if you own it, own it
“Whomever is responsible for an asset
– be it data, infrastructure, code, or
people, must secure it”

11. Slide 11
Why make asset owners responsible?
 No one knows and understands the opportunities,
constraints and dependencies of the asset better
 Security becomes a bottleneck for performance,
progress and often, even security
 Little to no time wasted on remediation conflict: what to
fix, how to fix it, when and at what priority level
 Likely that fewer security issues will occur*
 Drives the cost of securing systems down, in terms of
labor, efficiency and efficacy**
* I’ll explain later
** I’ll explain after that

12. Slide 12
Better Testing, Worse Quality?
Study done in 2000 by Elizabeth Hendrickson
Reads like a short
version of the
Phoenix Project

13. Slide 13
Better Testing, Worse Quality?
Study done in 2000 by Elizabeth Hendrickson
 Creating an independent testing group can encourage
counterproductive culture
 “Don’t do today what you can push off onto someone else’s
plate”
 Document and address low hanging fruit
 Schedule time for developers to test and fix bugs
 To improve code quality, stop the problem at the source
 Everyone should understand what they’re building and why
 Get testers involved earlier in the process
 Bottleneck testing resources and developers are forced to ship
higher quality code
http://testobsessed.com/wp-content/uploads/2011/04/btwq.pdf

14. Slide 14
Better Testing, Worse Quality?
Study done in 2000 by Elizabeth Hendrickson
 Could this apply to InfoSec?
 Surely not.
 In fact, it might be quite worse.
 We’ve convinced everyone not
just that security is our job, but
that we’re the only ones that can
do it properly.
 What if they believed us?

15. Slide 15
Jobs!

16. Slide 16
The Enterprise Looked Like This

17. Slide 17
Then, the Enterprise Looked Like This

18. Slide 18
Today, the Enterprise Looks Like This

19. Slide 19
Storage
Database
Networking Enterprise
as a
service
App
Services
Mobile
Dev Tools

20. Slide 20
This is not now.

21. Slide 21
So… you want to give away our jobs?
 Traditional InfoSec doesn’t have to worry for a while
 Be aware of the change
 Learn new things now – don’t wait for later
Currently, new security jobs are often NOT going to
security practitioners, and we’ll discuss why…

22. Slide 22
The Security Practitioner: old versus new
 Monitoring security alerts
 Manage network security
 Manage endpoint security
 IR/Forensics
 Pentesting
 Vulnerability Scanning
 Policies/Standards
 Compliance/Regs
 Log management
 DR/BCP and SecAware
 Influence design,
architecture standards,
processes
 Automate tasks
 Forensics
 Security assessments
 Identify gaps and
recommend fixes
 JSON, REST, XML, SQL
 Routing, load balancing,
nw protocols

23. Slide 23
How common?
 6 out of the first 10 jobs I looked at required:
 coding skills
 new tech generation experience and/or skills

24. Slide 24
Like what experience or skills?
 “Ability to automate tasks using scripting or other
programming language”
 “Scripting or general purpose programming languages”
 REST, JSON, XML (API scripting)
 “Experience with DevOps, CI/CD, Chef, Puppet”
 “Experience testing for vulnerabilities in Ruby on Rails
applications”
 “Experience with various scripting and programming
languages”
 “Teach secure coding practices to software engineers”

25. Slide 25
What should I learn?
 Scripting (automation)
 Get familiar with cloud, agile, devops, containers,
microservices, etc.
 AppSec
 Data protection
 Learn to write code

26. Slide 26
What should I learn?
 Cloud – focus on AWS, Azure, Digital Ocean (cheap)
 Containers – focus on Docker
 Pick a language - ruby and python are most common
 Jenkins
 Ansible, Chef, Puppet, Salt
 New attack surface  Don’t make security worse!
 Automation  Make security better!

27. Slide 27
How should I learn it?
 Good starting point: find a security guy that loves to
automate security and plunder his GitHub:
https://github.com/averagesecurityguy
 And more: https://github.com/krmaxwell
 https://github.com/nbrownus  Slack makes cool stuff
 Go after AWS Certs just to learn AWS
 Digital Ocean Tutorials

28. Slide 28
Resources – efficiency and workflow
Learning to recognize efficiency and workflow issues;
challenging ”because we’ve always done it that way”
 Better Testing, Worse Quality, Elizabeth Hendrickson
 Four Hour Work Week, Tim Ferris
 The Phoenix Project, Kevin Behr, George Spafford,
Gene Kim
 Signal v. Noise 37Signals blogs (on medium) and books
 ReWork by the Basecamp guys

29. Slide 29
Resources – new ideas
New ideas – challenge assumptions, push thinking
…also, VIDEOS!
 Distributed Security Alerting by Ryan Huber (blog)
 Security Automation by Ryan Huber (video)
 What Got Us Here Won’t Get Us There Black Hat
keynote by Haroon Meer
 Cloud Computing – Why IT Matters by Simon Wardley at
OSCON 09

30. Slide 30
Conclusion
If you want to understand where security is
going, stop looking at security, and start
following IT innovation, trends and changes

31. THANK YOU!
Adrian Sanabria
@sawaba
Adrian.Sanabria@451Research.com
To get a copy of these slides, send an email
to sawaba@zip.sh with CSW2016 in the
subject line or scan this QR code