First presented at Cloud Security World in Boston on June 15th, 2016.
Once upon a time, walls were erected between the Linux/UNIX crowd, Windows admins and the mainframers. Each architecture had its place and its experts, and they rarely mixed. This time around, we didn’t just get a new domain, we got a new way of doing IT and running businesses. Cloud has created new opportunities and DevOps has capitalized on them. The result of this combination is so unrecognizable that it isn’t uncommon to see IT organizations split down the middle by the new and old approaches. As DevOps continues to gain in popularity, the same split is occurring in the security workforce. Will the traditional security practitioner be in danger of becoming obsolete?
1. Cloud, DevOps and the New Security
Practitioner
15, June 2016
1:30PM
Adrian Sanabria
Senior Security Analyst
451 Research
To get a copy of these slides, send an
email to sawaba@zip.sh with CSW2016
in the subject line or scan this QR code
2. Slide 2
Why are we here?
IT changes fast. Attackers change fast. Defenders don’t.
IT is changing
Attackers are adapting
The security discipline is diverging
3. Slide 3
Understanding security’s role by
understanding IT
Traditional approach to security:
Security is always a secondary or enabling layer
Security must have direct knowledge and experience
with the underlying layer in order to be effective at
protecting it or recommending feasible solutions
Direct experience in core technical disciplines goes a
long way in earning respect and cooperation
Physical
Security
OS
Layer
Network
Layer
Service
Desk
Dev, QA,
Test
Web/App
Layer
Ops
4. Slide 4
Understanding security’s role by
understanding IT
Issues with the traditional approach:
Few security teams can ever be ‘well-rounded’ enough
Security team isn’t qualified to advise much of IT
Adversarial/dysfunctional relationships common
IT changes often; attackers adapt quickly
Defenders and security tools adapt slowly
Physical
Security
OS
Layer
Network
Layer
Service
Desk
Dev, QA,
Test
Web/App
Layer
Ops
5. Slide 5
Security
Security’s changing role
An example: going ‘cloud-first’
Lower-level IT layers are outsourced
Most security practitioner knowledge lies in these layers
Infrastructure-heavy security skillsets lose value
Concept of bi-modal IT further confuses things
As IT changes, so must security
Physical
Security
OS
Layer
Network
Layer
Service
Desk
Dev, QA,
Test
Web/App
Layer
Ops
6. Slide 6
Security’s changing role
Cloud and DevOps – an opportunity to redesign security:
Smaller ‘well-rounded’ groups
Dev, ops, infrastructure and security roles are shared
Everyone working towards a clear, common goal
Relationship between security and developers is crucial
Security can’t impact delivery schedule
Physical
OS
Layer
Network
Layer
Service
Desk
Dev, QA, Test;
Web/App Layer; Ops
Security
7. Slide 7
Questions
What should security’s future role be?
Security is redistributed into IT for all operational tasks
Dedicated security staff performs
high-level design, design/architectural input
monitor changes in risk/attackers/landscape
instruct/consult individual SMEs as needed
Physical
OS
Layer
Network
Layer
Service
Desk
Dev, QA, Test;
Web/App Layer; Ops
Security
SME
Internal Security Team
Security
SME
Security
SME
Security
SME
8. Slide 8
Increasingly, software resembles these
principles
Yesterday, Chef announced Habitat
https://www.chef.io/blog/2016/06/14/introducing-habitat/
So… what’s up with the yin/yang visual metaphor?
…and where’s security?
Sec
analysts are
too
10. Slide 10
New rule: if you own it, own it
“Whomever is responsible for an asset
– be it data, infrastructure, code, or
people, must secure it”
11. Slide 11
Why make asset owners responsible?
No one knows and understands the opportunities,
constraints and dependencies of the asset better
Security becomes a bottleneck for performance,
progress and often, even security
Little to no time wasted on remediation conflict: what to
fix, how to fix it, when and at what priority level
Likely that fewer security issues will occur*
Drives the cost of securing systems down, in terms of
labor, efficiency and efficacy**
* I’ll explain later
** I’ll explain after that
12. Slide 12
Better Testing, Worse Quality?
Study done in 2000 by Elizabeth Hendrickson
Reads like a short
version of the
Phoenix Project
13. Slide 13
Better Testing, Worse Quality?
Study done in 2000 by Elizabeth Hendrickson
Creating an independent testing group can encourage
counterproductive culture
“Don’t do today what you can push off onto someone else’s
plate”
Document and address low hanging fruit
Schedule time for developers to test and fix bugs
To improve code quality, stop the problem at the source
Everyone should understand what they’re building and why
Get testers involved earlier in the process
Bottleneck testing resources and developers are forced to ship
higher quality code
http://testobsessed.com/wp-content/uploads/2011/04/btwq.pdf
14. Slide 14
Better Testing, Worse Quality?
Study done in 2000 by Elizabeth Hendrickson
Could this apply to InfoSec?
Surely not.
In fact, it might be quite worse.
We’ve convinced everyone not
just that security is our job, but
that we’re the only ones that can
do it properly.
What if they believed us?
21. Slide 21
So… you want to give away our jobs?
Traditional InfoSec doesn’t have to worry for a while
Be aware of the change
Learn new things now – don’t wait for later
Currently, new security jobs are often NOT going to
security practitioners, and we’ll discuss why…
23. Slide 23
How common?
6 out of the first 10 jobs I looked at required:
coding skills
new tech generation experience and/or skills
24. Slide 24
Like what experience or skills?
“Ability to automate tasks using scripting or other
programming language”
“Scripting or general purpose programming languages”
REST, JSON, XML (API scripting)
“Experience with DevOps, CI/CD, Chef, Puppet”
“Experience testing for vulnerabilities in Ruby on Rails
applications”
“Experience with various scripting and programming
languages”
“Teach secure coding practices to software engineers”
25. Slide 25
What should I learn?
Scripting (automation)
Get familiar with cloud, agile, devops, containers,
microservices, etc.
AppSec
Data protection
Learn to write code
26. Slide 26
What should I learn?
Cloud – focus on AWS, Azure, Digital Ocean (cheap)
Containers – focus on Docker
Pick a language - ruby and python are most common
Jenkins
Ansible, Chef, Puppet, Salt
New attack surface Don’t make security worse!
Automation Make security better!
27. Slide 27
How should I learn it?
Good starting point: find a security guy that loves to
automate security and plunder his GitHub:
https://github.com/averagesecurityguy
And more: https://github.com/krmaxwell
https://github.com/nbrownus Slack makes cool stuff
Go after AWS Certs just to learn AWS
Digital Ocean Tutorials
28. Slide 28
Resources – efficiency and workflow
Learning to recognize efficiency and workflow issues;
challenging ”because we’ve always done it that way”
Better Testing, Worse Quality, Elizabeth Hendrickson
Four Hour Work Week, Tim Ferris
The Phoenix Project, Kevin Behr, George Spafford,
Gene Kim
Signal v. Noise 37Signals blogs (on medium) and books
ReWork by the Basecamp guys
29. Slide 29
Resources – new ideas
New ideas – challenge assumptions, push thinking
…also, VIDEOS!
Distributed Security Alerting by Ryan Huber (blog)
Security Automation by Ryan Huber (video)
What Got Us Here Won’t Get Us There Black Hat
keynote by Haroon Meer
Cloud Computing – Why IT Matters by Simon Wardley at
OSCON 09
30. Slide 30
Conclusion
If you want to understand where security is
going, stop looking at security, and start
following IT innovation, trends and changes
We could also throw some other things in here as well.
People (security awareness training)
HR
Data
Supply Chain/Third party partners
Compliance/regulation
Design/Architecture
Identity
We could also throw some other things in here as well.
People (security awareness training)
HR
Data
Supply Chain/Third party partners
Compliance/regulation
Design/Architecture
Identity
We could also throw some other things in here as well.
People (security awareness training)
HR
Data
Supply Chain/Third party partners
Compliance/regulation
Design/Architecture
Identity
We could also throw some other things in here as well.
People (security awareness training)
HR
Data
Supply Chain/Third party partners
Compliance/regulation
Design/Architecture
Identity
Just an idea – doesn’t have to be precisely like this. Depends on the business, the culture, trial/error and a hundred other factors. The general idea though, is to get security responsibility and expertise closer to where the work is done.
Do you have any DevOps-excitable people back at the office? They’ll have this running by the time you get back there. You’re welcome for the heads up ;) But look at that! Security! Built-in, not bolted on! Well, in theory – we still need to dig into this.
Introduced an independent test unit, which made the number of bugs go up and software quality go down.
Findings
More QA = more bugs and longer cycles
Created the psychological impact of telling developers that quality is someone else’s problem
Insulting; percieved lack of empathy and respect for the developer
Solution
Tight relationships necessary between QA and Dev
QA remains, but with an artificial bottleneck
Developers still responsible for deadlines and therefore have to ‘budget’ time for QA
Devs write better code to ensure it goes through QA quickly
Devs need to be given 10% extra time to ensure better quality code.
Also, remember – the two are inseparably linked. When we talk about code quality, we’re also often talking about security - issues with quality is where vulnerabilities come from, right?
I’m using AWS as an example here, because it represents one extreme. There are 55 products on this page, but only one of them is for running virtual servers. Can we even call this cloud? It is probably better to think of large public clouds like AWS instead, as a development framework. You could just forklift most of your datacenter and applications into AWS, but you wouldn’t be getting a lot of value out of it.
If we’re not well equipped to handle them? Yes.
Otherwise… my research shows that they’re already being given away to non-security folks.
Turns out, it is easier to take someone with a dev background and skills and teach them security than to take security folks and teach them dev & low tolerance for inefficiency. Again, this aligns with the mainframe/Windows admin analogy
SR DevSecOps Engineer
"we are a cloud first, mobile first company"
"capable of working in a multi-platform environment"
Scripting: PowerShell, Python, Perl, Ruby
Ability to automate tasks using scripting or other programming language.
Demonstrated expertise in web services, virtualization, cloud concepts, REST, JSON, XML, SQL, PHP, LDAP, & object oriented methodologies.
Senior InfoSec Analyst (SecOps role)
Scripting or general purpose programming languages (Javascript, Perl, PHP, Powershell, Python, etc.)
Representational state transfer (REST) APIs
Software Security Analyst
Lots of software stuff
Technical Manager, AppSec
Experience deploying systems and applications using cloud solutions (e.g. Amazon AWS, Azure)
Experience with DevOps, CI/CD, Chef, Puppet
Application security – secure SDLC practices, secure coding, application vulnerabilities, DAST, SAST, RASP, WAF
Security Engineer
Teach secure coding practices to software engineers through regular code reviews
Validate and triage vulnerabilities submitted by researchers from our bug bounty program
Design automated tests to ensure secure coding practices are followed
Experience testing for vulnerabilities in Ruby on Rails applications
Solid understanding of web security fundamentals
Information Security Analyst/Engineer
Experience with various scripting and programming languages such as Python, Perl, Java, etc. Experience with C and/or C++ would be awesome.
Experience with both RDBMS (MySQL) and NoSQL (Cassandra, Couchbase, Mongo).
Experience with and proven methods for analyzing and interpreting information from Security Operations Centers (SOCs), Computer Security Incident Response Teams (CSIRTs), or SecOps systems.
Experience deploying, monitoring, and managing the information security risk posture with open source tools, to include: Moloch, ElasticSearch + Logstash + Kibana (The ELK stack), SIEMonster, Bro, Snort, Suricata, Syslog, Cuckoo, etc.
Proficiency with using and securing popular cloud services (SAAS, IAAS, etc.).
Security Ops Engineer at Slack
Responsibilities
Create and develop solutions to improve Slack’s Security stack
Build and maintain the state of the art systems that help make Slack more secure
Automate tooling and process to eliminate as much manual work as possible
Collaborate with Slack’s operations team and advise on best practices
Help improve signal detection and alerting capabilities
Participate in the on-call rotation supporting the security team’s infrastructure
Requirements
You have a background in development or operations with a strong interest in security
You are proficient in at least one programming language, such as Python, Go, Node, PHP, Ruby, *sh, etc.
You have strong written and verbal communication skills
You have a solid understanding of web application architecture
You write readable, maintainable code
You have a solid background using Linux and *nix operating systems
You have experience working with git for source code management
You have used configuration management tools (Ansible, Chef, Puppet, etc)
You have experience with administration of cloud services, such as AWS
“Learn to write code”, what does that mean?
Doesn’t mean you have to learn to write UI, mobile apps, create database schemas and all that.
It means you should be able to recognize opportunities to make a task more efficient and write the code to implement that change
Learn to do it for ordinary, boring things. ESPECIALLY that. Automate the boring.