Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
SecDevOps
DevSecOps
DevOps
Which is it?
And what is DevOps?
And where does security fit?
In case you didn’t already know...
Why are we here?
• IT is changing fast. Attackers are changing fast. Defenders don’t.
• Security tools must change
• Secur...
What is DevOps?
(No really – what is it? Discuss.)
What is DevOps?
What is DevOps?
SPEED
7
Words: what do they mean?
• ‘Full stack’
• Automation Engineer
• DevOps Engineer
• Agile
• Waterfall
• Lean
• Cloud
• DevO...
‘New’ IT
There is a new IT: what is it?
11
Agile/Lean
Business
Cloud
DevOps
people
and
processestools
and
products
results
Welcome to the new IT: key trends
Speed
10x faster to
prod
Agility
Integration
Automation
Developers
Convenience
Resilienc...
Why DevOps?
13
DevOps Cloud
Agile
Business
Agile
Business
DevOps Cloud
Where does security fit?
Pete Cheslock’s analogy
https://twitter.com/petecheslock/status/595617204273618944
Stefan Streichsbier’s solution
https://www.slideshare.net/StefanStreichsbier/application-
security-in-an-agile-world-agile...
The new practitioner
The New Practitioner
• Influence design, architecture
standards, processes
• Automate tasks
• Forensics
• Security assessm...
The New Practitioner
• Influence design, architecture
standards, processes
• Automate tasks (code)
• Forensics
• Security ...
Understanding security’s role by
understanding IT
Traditional approach to security:
• Security is always a secondary or en...
Understanding security’s role by
understanding IT
Issues with the traditional approach:
• Few security teams can ever be ‘...
Security
Security’s changing role
An example: going ‘cloud-first’
• Lower-level IT layers are outsourced
• Most security p...
Security’s changing role
Cloud and DevOps – an opportunity to redesign
security:
• Smaller ‘well-rounded’ groups
• Dev, op...
Questions
What should security’s future role be?
• Security is redistributed into IT for all operational tasks
• Dedicated...
New rule: if you own it, own it
“Whomever is responsible for an asset – be it data,
infrastructure, code, or people – must...
Why make asset owners responsible?
• No one knows and understands the opportunities, constraints and
dependencies of the a...
Better Testing, Worse Quality?
Study done in 2000 by Elizabeth Hendrickson
Reads like a short
version of the
Phoenix Proje...
Better Testing, Worse Quality?
Study done in 2000 by Elizabeth Hendrickson
• Creating an independent testing group can enc...
Better Testing, Worse Quality?
Study done in 2000 by Elizabeth Hendrickson
• Could this apply to InfoSec?
• Surely not.
• ...
Security and DevOps Overview
Security and DevOps Overview
Security and DevOps Overview
Security and DevOps Overview
Upcoming SlideShare
Loading in …5
×

Security and DevOps Overview

546 views

Published on

Put together for a Knoxville OWASP meeting.

Published in: Technology
  • Be the first to comment

Security and DevOps Overview

  1. 1. SecDevOps DevSecOps DevOps Which is it? And what is DevOps? And where does security fit?
  2. 2. In case you didn’t already know...
  3. 3. Why are we here? • IT is changing fast. Attackers are changing fast. Defenders don’t. • Security tools must change • Security processes must change • Security practitioners must change
  4. 4. What is DevOps? (No really – what is it? Discuss.)
  5. 5. What is DevOps?
  6. 6. What is DevOps?
  7. 7. SPEED 7
  8. 8. Words: what do they mean? • ‘Full stack’ • Automation Engineer • DevOps Engineer • Agile • Waterfall • Lean • Cloud • DevOps
  9. 9. ‘New’ IT
  10. 10. There is a new IT: what is it? 11 Agile/Lean Business Cloud DevOps people and processestools and products results
  11. 11. Welcome to the new IT: key trends Speed 10x faster to prod Agility Integration Automation Developers Convenience Resilience Going faster requires better safety Success Project success increases by 14%-28% 12 NOTE: Success metrics from 2013 Ambysoft and 2015 Chaos Manifesto survey data, comparing projects using Waterfall vs Agile. Agile project success improvements increase with project size.
  12. 12. Why DevOps? 13 DevOps Cloud Agile Business Agile Business DevOps Cloud
  13. 13. Where does security fit?
  14. 14. Pete Cheslock’s analogy https://twitter.com/petecheslock/status/595617204273618944
  15. 15. Stefan Streichsbier’s solution https://www.slideshare.net/StefanStreichsbier/application- security-in-an-agile-world-agile-singapore-2016
  16. 16. The new practitioner
  17. 17. The New Practitioner • Influence design, architecture standards, processes • Automate tasks • Forensics • Security assessments • Identify gaps and recommend fixes • API integration • Data science • Routing, load balancing, nw protocols The Traditional Practitioner • Monitoring security alerts • Manage network security • Manage endpoint security • IR/Forensics • Pentesting • Vulnerability Scanning • Policies/Standards • Compliance/Regs • Log management • DR/BCP and SecAware The Security Practitioner: old versus new
  18. 18. The New Practitioner • Influence design, architecture standards, processes • Automate tasks (code) • Forensics • Security assessments • Identify gaps and recommend fixes (code) • API integration (code) • Data science (code) • Routing, load balancing, network protocols The Traditional Practitioner • Monitoring security alerts • Manage network security • Manage endpoint security • IR/Forensics • Pentesting • Vulnerability Scanning • Policies/Standards • Compliance/Regs • Log management • DR/BCP and SecAware The Security Practitioner: old versus new
  19. 19. Understanding security’s role by understanding IT Traditional approach to security: • Security is always a secondary or enabling layer • Security must have direct knowledge and experience with the underlying layer in order to be effective at protecting it or recommending feasible solutions • Direct experience in core technical disciplines goes a long way in earning respect and cooperation Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops
  20. 20. Understanding security’s role by understanding IT Issues with the traditional approach: • Few security teams can ever be ‘well-rounded’ enough • Security team isn’t qualified to advise much of IT • Adversarial/dysfunctional relationships common • IT changes often; attackers adapt quickly • Defenders and security tools adapt slowly Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops
  21. 21. Security Security’s changing role An example: going ‘cloud-first’ • Lower-level IT layers are outsourced • Most security practitioner knowledge lies in these layers • Infrastructure-heavy security skillsets lose value • Concept of bi-modal IT further confuses things • As IT changes, so must security Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops
  22. 22. Security’s changing role Cloud and DevOps – an opportunity to redesign security: • Smaller ‘well-rounded’ groups • Dev, ops, infrastructure and security roles are shared • Everyone working towards a clear, common goal • Relationship between security and developers is crucial • Security can’t impact delivery schedule Physical OS Layer Network Layer Service Desk Dev, QA, Test; Web/App Layer; Ops Security
  23. 23. Questions What should security’s future role be? • Security is redistributed into IT for all operational tasks • Dedicated security staff performs • high-level design, design/architectural input • monitor changes in risk/attackers/landscape • instruct/consult individual SMEs as needed Physical OS Layer Network Layer Service Desk Dev, QA, Test; Web/App Layer; Ops Security SME Internal Security Team Security SME Security SME Security SME
  24. 24. New rule: if you own it, own it “Whomever is responsible for an asset – be it data, infrastructure, code, or people – must secure it”
  25. 25. Why make asset owners responsible? • No one knows and understands the opportunities, constraints and dependencies of the asset better • Security becomes a bottleneck for performance, progress and often, even security • Little to no time wasted on remediation conflict: what to fix, how to fix it, when and at what priority level • Likely that fewer security issues will occur* • Drives the cost of securing systems down, in terms of labor, efficiency and efficacy** * I’ll explain later ** I’ll explain after that
  26. 26. Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson Reads like a short version of the Phoenix Project
  27. 27. Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson • Creating an independent testing group can encourage counterproductive culture • “Don’t do today what you can push off onto someone else’s plate” • Document and address low hanging fruit • Schedule time for developers to test and fix bugs • To improve code quality, stop the problem at the source • Everyone should understand what they’re building and why • Get testers involved earlier in the process • Bottleneck testing resources and developers are forced to ship higher quality code http://testobsessed.com/wp-content/uploads/2011/04/btwq.pdf
  28. 28. Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson • Could this apply to InfoSec? • Surely not. • In fact, it might be quite worse. • We’ve convinced everyone not just that security is our job, but that we’re the only ones that can do it properly. • What if they believed us?

×