Advertisement

DevSecOps for Developers: How To Start

Patricia Aas
C++ Programmer and Speaker at Vivaldi Technologies
Jan. 29, 2019
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start

Check these out next

Lessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addict
Priyanka Aash
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
DevSecCon
TDD and the Terminator: An Introduction to Test-Driven Development
TDD and the Terminator: An Introduction to Test-Driven Development
VMware Tanzu
Zero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOps
DevSecOps Days
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOps
Priyanka Aash
#ATAGTR2018 Presentation " Security Testing for RESTful APIs" By Anuradha Raman
#ATAGTR2018 Presentation " Security Testing for RESTful APIs" By Anuradha Raman
Agile Testing Alliance
Peer Code Review An Agile Process
Peer Code Review An Agile Process
gsporar
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approach
Antonio Parata
1 of 58

DevSecOps for Developers: How To Start

Jan. 29, 2019
Download to read offline
Software

How can you squeeze Security into DevOps? Security is often an understaffed function, so how can you leverage what you have in DevOps to improve your security posture? Often the culture clash between Security and Development is even more prominent than between Development and Operations. Understanding the differences in how these functions work, and leveraging their similarities, will reveal processes already in place that can be used to improve security. This fine tuning of tools and processes can give you DevSecOps on a shoestring."

Patricia Aas
C++ Programmer and Speaker at Vivaldi Technologies
Advertisement
Advertisement
Advertisement

Recommended

6 DevSecOps Hacks (femtech 2019)6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)Patricia Aas1.2K views43 slides
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...HackerOne6.9K views28 slides
Bug Bounties and The Path to Secure Software by 451 ResearchBug Bounties and The Path to Secure Software by 451 Research
Bug Bounties and The Path to Secure Software by 451 ResearchHackerOne704 views22 slides
Agile Secure DevelopmentAgile Secure Development
Agile Secure DevelopmentBosnia Agile823 views30 slides
#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan...#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan...
#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan...Agile Testing Alliance330 views15 slides
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...DevSecCon137 views36 slides

More Related Content

Slideshows for you(20)

Lessons from a recovering runtime application self protection addictLessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addict
Priyanka Aash278 views
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
DevSecCon668 views
TDD and the Terminator: An Introduction to Test-Driven DevelopmentTDD and the Terminator: An Introduction to Test-Driven Development
TDD and the Terminator: An Introduction to Test-Driven Development
VMware Tanzu202 views
Zero to Ninety in Securing DevOpsZero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOps
DevSecOps Days2.5K views
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOps
Priyanka Aash127 views
#ATAGTR2018 Presentation " Security Testing for RESTful APIs" By Anuradha Raman #ATAGTR2018 Presentation " Security Testing for RESTful APIs" By Anuradha Raman
#ATAGTR2018 Presentation " Security Testing for RESTful APIs" By Anuradha Raman
Agile Testing Alliance834 views
Peer Code Review An Agile ProcessPeer Code Review An Agile Process
Peer Code Review An Agile Process
gsporar8.7K views
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
Antonio Parata533 views
Observability für alleObservability für alle
Observability für alle
QAware GmbH825 views
Codebits 2014 - Secure Coding - Gamification and automation for the winCodebits 2014 - Secure Coding - Gamification and automation for the win
Codebits 2014 - Secure Coding - Gamification and automation for the win
Tiago Henriques1.6K views
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
Suman Sourav933 views
Bypassing Windows Security Functions(en)Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)
abend_cve_9999_00019.3K views
ChaoSlingr: Introducing Security-Based Chaos TestingChaoSlingr: Introducing Security-Based Chaos Testing
ChaoSlingr: Introducing Security-Based Chaos Testing
Priyanka Aash309 views
Improving Code Quality Through Effective Review ProcessImproving Code Quality Through Effective Review Process
Improving Code Quality Through Effective Review Process
Dr. Syed Hassan Amin705 views
Code Review: How and WhenCode Review: How and When
Code Review: How and When
Paul Gower672 views
PyConPL 2017 - with python: securityPyConPL 2017 - with python: security
PyConPL 2017 - with python: security
Piotr Dyba764 views
Static code analysisStatic code analysis
Static code analysis
Christoforus Surjoputro158 views
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP606 views
Software Development GraveyardSoftware Development Graveyard
Software Development Graveyard
Erika Barron264 views
[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...
[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...
PROIDEA65 views

Similar to DevSecOps for Developers: How To Start(20)

DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)
Patricia Aas402 views
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Research372 views
Make it Fixable (CppCon 2018)Make it Fixable (CppCon 2018)
Make it Fixable (CppCon 2018)
Patricia Aas263 views
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
SBWebinars474 views
BUSTED! How to Find Security Bugs Fast!BUSTED! How to Find Security Bugs Fast!
BUSTED! How to Find Security Bugs Fast!
Parasoft1.8K views
Make it Fixable (NDC Copenhagen 2018)Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)
Patricia Aas163 views
DevSecOps | How hard it is?DevSecOps | How hard it is?
DevSecOps | How hard it is?
PhishX97 views
Make it Fixable, Living with Risk (Paranoia 2017)Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)
Patricia Aas501 views
Getting to Know Security and Devs: Keys to Successful DevSecOpsGetting to Know Security and Devs: Keys to Successful DevSecOps
Getting to Know Security and Devs: Keys to Successful DevSecOps
Franklin Mosley234 views
DevSecOps in 2031: How robots and humans will secure apps together LogDevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together Log
Stefan Streichsbier144 views
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
Oleg Gryb932 views
Making Security AgileMaking Security Agile
Making Security Agile
Oleg Gryb1.4K views
Make It Fixable (Sikkert NOK 2017)Make It Fixable (Sikkert NOK 2017)
Make It Fixable (Sikkert NOK 2017)
Patricia Aas396 views
Dev{sec}opsDev{sec}ops
Dev{sec}ops
Steven Carlson193 views
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
SeniorStoryteller764 views
A bug's life - Decoupled Drupal Security and Vulnerability ManagementA bug's life - Decoupled Drupal Security and Vulnerability Management
A bug's life - Decoupled Drupal Security and Vulnerability Management
Balázs Tatár202 views
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
Haydn Johnson587 views
Building a (Really) Secure Cloud ProductBuilding a (Really) Secure Cloud Product
Building a (Really) Secure Cloud Product
Guy K. Kloss752 views
A bug's life - Drupal Application Security and Vulnerability ManagementA bug's life - Drupal Application Security and Vulnerability Management
A bug's life - Drupal Application Security and Vulnerability Management
Balázs Tatár141 views
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
APNIC267 views
Advertisement

More from Patricia Aas(20)

Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introduction
Patricia Aas106 views
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)
Patricia Aas26 views
Dependency Management in C++ (NDC Security 2021)Dependency Management in C++ (NDC Security 2021)
Dependency Management in C++ (NDC Security 2021)
Patricia Aas19 views
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)
Patricia Aas188 views
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdf
Patricia Aas903 views
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)
Patricia Aas489 views
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)
Patricia Aas497 views
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming Language
Patricia Aas583 views
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
Patricia Aas1.3K views
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
Patricia Aas246 views
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
Patricia Aas585 views
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Patricia Aas256 views
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))
Patricia Aas214 views
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)
Patricia Aas423 views
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019)
Patricia Aas2.7K views
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)
Patricia Aas1.5K views
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
Patricia Aas598 views
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Patricia Aas1.3K views
The Anatomy of an Exploit (CPPP 2019)The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)
Patricia Aas703 views
Trying to learn C# (NDC Oslo 2019)Trying to learn C# (NDC Oslo 2019)
Trying to learn C# (NDC Oslo 2019)
Patricia Aas971 views

Recently uploaded(20)

JPrime_JITServer.pptxJPrime_JITServer.pptx
JPrime_JITServer.pptx
Grace Jansen0 views
portfolio.pdfportfolio.pdf
portfolio.pdf
Spyne3 views
WEB PROGRAMMING FUNDAMENTAL.pptxWEB PROGRAMMING FUNDAMENTAL.pptx
WEB PROGRAMMING FUNDAMENTAL.pptx
HamzahFauzy41 view
Features of Magento 2 Plugins for Partial Payment & Payment Restriction in B2...Features of Magento 2 Plugins for Partial Payment & Payment Restriction in B2...
Features of Magento 2 Plugins for Partial Payment & Payment Restriction in B2...
Carmella Blick0 views
Prosper part 1.pdfProsper part 1.pdf
Prosper part 1.pdf
HazemKolieb2 views
在哪里可以办意大利大学文凭《佛罗伦萨美术学院毕业证成绩单仿制》在哪里可以办意大利大学文凭《佛罗伦萨美术学院毕业证成绩单仿制》
在哪里可以办意大利大学文凭《佛罗伦萨美术学院毕业证成绩单仿制》
nukotk3 views
SugarCRM.pptSugarCRM.ppt
SugarCRM.ppt
RajJar120 views
在哪里可以办澳洲大学文凭《南澳大学毕业证成绩单仿制》在哪里可以办澳洲大学文凭《南澳大学毕业证成绩单仿制》
在哪里可以办澳洲大学文凭《南澳大学毕业证成绩单仿制》
efagvah0 views
SOFTWARE.pptxSOFTWARE.pptx
SOFTWARE.pptx
CharenReposposa2 views
Memory Management with Page FoliosMemory Management with Page Folios
Memory Management with Page Folios
Adrian Huang2 views
Custom ERP softwareCustom ERP software
Custom ERP software
babuprasad380 views
Online Notice Board.pptxOnline Notice Board.pptx
Online Notice Board.pptx
ManikjitChohan0 views
ESPI IP.pdfESPI IP.pdf
ESPI IP.pdf
digitalblocksinc093 views
在哪里可以办美国大学文凭《佛蒙特大学毕业证成绩单仿制》在哪里可以办美国大学文凭《佛蒙特大学毕业证成绩单仿制》
在哪里可以办美国大学文凭《佛蒙特大学毕业证成绩单仿制》
nukotk5 views
在哪里可以办英国大学文凭《白金汉大学毕业证成绩单仿制》在哪里可以办英国大学文凭《白金汉大学毕业证成绩单仿制》
在哪里可以办英国大学文凭《白金汉大学毕业证成绩单仿制》
efagvah3 views
在哪里可以办美国大学文凭《哈佛大学毕业证成绩单仿制》在哪里可以办美国大学文凭《哈佛大学毕业证成绩单仿制》
在哪里可以办美国大学文凭《哈佛大学毕业证成绩单仿制》
nukotk3 views
Contoh Aplikasi Multimedia Pembelajaran Interaktif Logika MatematikaContoh Aplikasi Multimedia Pembelajaran Interaktif Logika Matematika
Contoh Aplikasi Multimedia Pembelajaran Interaktif Logika Matematika
PSCIndonesia24 views
natural-language-processing.pptnatural-language-processing.ppt
natural-language-processing.ppt
MuhammadAnas7293730 views
2023-06-classic2023-06-classic
2023-06-classic
Shane Coughlan15 views
意大利罗马二大毕业证文凭成绩单制作指南意大利罗马二大毕业证文凭成绩单制作指南
意大利罗马二大毕业证文凭成绩单制作指南
nahej992970 views
Advertisement

DevSecOps for Developers: How To Start

  1. @pati_gallardo T S
  2. @pati_gallardo T S Missing the obvious
  3. Dev[Sec]Ops for Developers How To Start Patricia Aas NDC Security 2019 T S @pati_gallardo
  4. Patricia Aas - Consultant T S C++ Programmer, Application Security Currently : T S Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science - main language Java Pronouns: she/her
  5. 5 Why DevSecOps? @pati_gallardo @pati_gallardo
  6. 6 “Our research shows that building security into software development not only improves delivery performance but also improves security quality. Organizations with high delivery performance spend significantly less time remediating security issues.” Accelerate, Forsgren PhD, Humble and Kim @pati_gallardo @pati_gallardo
  7. 7 Misleading Diagrams @pati_gallardo @pati_gallardo
  8. Kharnagy [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)], from Wikimedia Commons
  9. Dev Ops Sec Or maybe?
  10. Dev Sec Ops What about this one?
  11. 11 Looking for Zebras @pati_gallardo @pati_gallardo
  12. 12 “In medical school, you are taught that if, metaphorically, there is the sound of hoofbeats pounding towards you then it’s sensible to assume they come from horses not zebras [...] With House it’s the opposite. We are looking for zebras.” ‘Dr Lisa Sanders’ in ‘House M.D.’ @pati_gallardo @pati_gallardo
  13. We tend to classify problems based on the problems we are used to. This stops us from understanding folks that deal with different classes of problems. @pati_gallardo 13 @pati_gallardo
  14. 14 Cynefin Framework by Dave Snowden @pati_gallardo @pati_gallardo
  15. Cynefin Framework by Dave Snowden https://cognitive-edge.com/blog/liminal-cynefin-image-release/
  16. Complex Complicated ObviousChaotic Discover Engineer Stabilize Automate Fixing things Cynefin Framework by Dave Snowden Crisis Emergent Novel Best Good
  17. Cynefin Framework by Dave Snowden DevOps Complex Complicated ObviousChaotic Probe Prototyping Analyze Development Auto Deploy Creativity Skill Automation Not critical Critical Incident Response
  18. Complex Complicated ObviousChaotic Act Put out fires Probe Analyze Auto Investigate Remediate Change Incident in Prod Cynefin Framework by Dave Snowden
  19. Complex Complicated ObviousChaotic Cynefin Framework by Dave Snowden Security Act Fuzzing Probe Analyze Auto Debugging Exploit dev Metasploit
  20. Complex Complicated ObviousChaotic Probe Making the Right System Analyze Making the System Right A/B Testing TDD Chaos Monkey Static Analysis Testing Cynefin Framework by Dave Snowden
  21. @pati_gallardo Dev[Sec]Ops
  22. Coding Building Testing Manual Security Gate Keeping Monitoring 22 Simplified Pre-DevOps Deployment Workflow @pati_gallardo @pati_gallardo But you have to get out of the Critical Path?
  23. Coding IDE Plugins Static Analysis Building Testing Scanning Monitoring 23 Alerts Dashboards Dynamic Analysis Dependency Checks Warnings Commit hooks Simulations Fuzzing
  24. 24 - We have no “Security Team” 1 security person per 10 ops people per 100 developers* *Accelerate, Forsgren PhD, Humble and Kim @pati_gallardo
  25. 6 Dev[Sec]Ops Hacks @pati_gallardo 25 @pati_gallardo
  26. 26 1. Live Off the Land @pati_gallardo @pati_gallardo
  27. Use their issue tracker Use their slack Use their monitoring Use their dashboards Integrate into their tools @pati_gallardo 27 @pati_gallardo
  28. 28 2. Have Devs Build It @pati_gallardo @pati_gallardo
  29. Use the devs to build integrations Find ways to justify it Make sure it has dual purpose @pati_gallardo 29 @pati_gallardo
  30. 30 3. Trunk-based Development @pati_gallardo @pati_gallardo
  31. Trunk-based development Small commits Add security to peer-review Add threat modeling to peer-review Feature toggles Use feature toggles for A/B testing @pati_gallardo 31 @pati_gallardo
  32. 32 4. Use Existing Crisis Process for Incident Response @pati_gallardo @pati_gallardo
  33. @pati_gallardo Bootstrapping Incident Response
  34. 34 Have a Hotline security@example.com https://example.com/.well-known/security.txt @pati_gallardo
  35. gitlab.com - “rm -rf” - Sysadmin maintenance - Cascading errors as backups fail - All logged publicly in real time Accident or Breach Does it matter? 35 @pati_gallardo
  36. 36 External Vulnerability Report Flow @pati_gallardo @pati_gallardo Bug Report Vulnerability Report Social Media QA Security Marketing Triage No bug Bug Vulnerability
  37. @pati_gallardo They Know How To Handle A Crisis
  38. Security Improvements to Existing Crisis Process ● Separate priority in bug-tracker ● Separate channel in Slack ● Explicit side-duty in every team: Security Engineer ● Simple procedure based on information sharing and empowering ● Have a procedure on how people will get paid in off-hours @pati_gallardo 38 @pati_gallardo
  39. 39 5. Automate as Much as Possible @pati_gallardo @pati_gallardo
  40. Add IDE plugins Add dependency scanner in CI/CD Add scanners in CI/CD Dynamic scan in a non-blocking pipeline All results in dev visualization @pati_gallardo 40 @pati_gallardo
  41. 41 6. Infrastructure as Code @pati_gallardo @pati_gallardo
  42. Configuration Management Auditable Know what you’re running Enable safe rollback @pati_gallardo 42 @pati_gallardo
  43. 1. Live Off the Land 2. Have Devs Build It 3. Trunk-based Development 4. Use Existing Crisis Process 5. Automate as Much as Possible 6. Infrastructure as Code @pati_gallardo 43 @pati_gallardo
  44. Complex Complicated ObviousChaotic Discover Engineer Stabilize Automate Fixing things Cynefin Framework by Dave Snowden Crisis Security Development Operations
  45. Kharnagy [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)], from Wikimedia Commons
  46. Dev Ops Sec Or maybe?
  47. Dev Sec Ops What about this one?
  48. @pati_gallardo Dev[Sec]Ops
  49. 49 Shifting Security Left? What Does That Even Mean? @pati_gallardo @pati_gallardo
  50. @pati_gallardo
  51. 51 I S @pati_gallardo @pati_gallardo
  52. 52 Hacking the existing tools and processes @pati_gallardo @pati_gallardo
  53. 53 @pati_gallardo Teach everyone what to look for Use their Tooling and their Dashboards Fast, stable, automated tests in the Critical Path Use the existing Crisis Process for Incidents Have slower tests off the Critical Path I , L , S
  54. Complex Complicated ObviousChaotic Act Put out fires Probe Analyze Auto Investigate Remediate Change Incident in Prod Cynefin Framework by Dave Snowden
  55. We tend to classify problems based on the problems we are used to. This stops us from understanding folks that deal with different classes of problems. @pati_gallardo 55 @pati_gallardo
  56. 56 Some people are always looking for Zebras @pati_gallardo @pati_gallardo
  57. @pati_gallardo T S
  58. T S P f . Patricia Aas, T S @pati_gallardo
Advertisement