Successfully reported this slideshow.

DevSecOps for Developers, How To Start (ETC 2020)

2

Share

Feb. 07, 2020
2 likes 695 views
Upcoming SlideShare
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
Loading in …3
×
1 of 72
1 of 72

DevSecOps for Developers, How To Start (ETC 2020)

Feb. 07, 2020
2 likes 695 views

2

Share

Download to read offline

Software

How can you squeeze Security into DevOps? Security is often an understaffed function, so how can you leverage what you have in DevOps to improve your security posture?

Often the culture clash between Security and Development is even more prominent than between Development and Operations. Understanding the differences in how these functions work, and leveraging their similarities, will reveal processes already in place that can be used to improve security. This fine tuning of tools and processes can give you DevSecOps on a shoestring.

How can you squeeze Security into DevOps? Security is often an understaffed function, so how can you leverage what you have in DevOps to improve your security posture?

Often the culture clash between Security and Development is even more prominent than between Development and Operations. Understanding the differences in how these functions work, and leveraging their similarities, will reveal processes already in place that can be used to improve security. This fine tuning of tools and processes can give you DevSecOps on a shoestring.

Software

Recommended

More Related Content

Similar to DevSecOps for Developers, How To Start (ETC 2020)

Craft 2019 - Security Chaos Engineering - Security Precognition
Verica
Release Your Inner DevSecOp
James Wickett
Haufe #msaday - Seven More Deadly Sins of Microservices by Daniel Bryant
OpenCredo
DevOps Patterns to Enable Success in Microservices
Rich Mills
Scaling at kudo what we have learned along the way
Panji Gautama
OSCON EU 2016 "Seven (More) Deadly Sins of Microservices"
Daniel Bryant
You Build It, You Secure It: Introduction to DevSecOps
Sumo Logic
Applicaiton Security - Building The Audit Program
Michael Davis
You build it - Cyber Chicago Keynote
John Willis
The Dev, Sec and Ops of API Security - NordicAPIs
42Crunch
Testing at-cloud-speed sans-app-sec-austin-2013
Matt Tesauro
RSA 2016 Realities of Data Security
Scott Carlson
Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019
Verica
OWASP AppSec Global 2019 Security & Chaos Engineering
Verica
The Emergent Cloud Security Toolchain for CI/CD
James Wickett
muCon 2016: "Seven (More) Deadly Sins of Microservices"
Daniel Bryant
Cloud security : Automate or die
Priyanka Aash
Epistemological Problem of Application Security
James Wickett
HouSecCon 2019: Offensive Security - Starting from Scratch
Spencer Koch
TLC2018 Tanya Kravtsov: 10 Steps to CI, Testing and Delivery
Anna Royzman

More from Patricia Aas

Classic Vulnerabilities (ACCU Keynote 2022)
Patricia Aas
Introduction to Memory Exploitation (CppEurope 2021)
Patricia Aas
Thoughts On Learning A New Programming Language
Patricia Aas
Trying to build an Open Source browser in 2020
Patricia Aas
Trying to build an Open Source browser in 2020
Patricia Aas
The Anatomy of an Exploit (NDC TechTown 2019)
Patricia Aas
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Patricia Aas
The Anatomy of an Exploit (NDC TechTown 2019))
Patricia Aas
Elections, Trust and Critical Infrastructure (NDC TechTown)
Patricia Aas
Survival Tips for Women in Tech (JavaZone 2019)
Patricia Aas
Embedded Ethics (EuroBSDcon 2019)
Patricia Aas
Chromium Sandbox on Linux (NDC Security 2019)
Patricia Aas
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Patricia Aas
The Anatomy of an Exploit (CPPP 2019)
Patricia Aas
Make it Fixable (NDC Copenhagen 2018)
Patricia Aas
Trying to learn C# (NDC Oslo 2019)
Patricia Aas
Why Is Election Security So Hard? (Paranoia 2019)
Patricia Aas
The Anatomy of an Exploit
Patricia Aas
Reading Other Peoples Code (NDC Copenhagen 2019)
Patricia Aas
C++ The Principles of Most Surprise
Patricia Aas

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
An Army of Davids: How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths Glenn Reynolds
(4/5)
Free
World Wide Mind: The Coming Integration of Humanity, Machines, and the Internet Michael Chorost
(4/5)
Free
Emergence: The Connected Lives of Ants, Brains, Cities, and Software Steven Johnson
(4.5/5)
Free
Tubes: A Journey to the Center of the Internet Andrew Blum
(4/5)
Free
The Impulse Economy: Understanding Mobile Shoppers and What Makes Them Buy Gary Schwartz
(4.5/5)
Free
Hamlet's BlackBerry: A Practical Philosophy for Building a Good Life in the Digital Age William Powers
(4/5)
Free
In the Plex: How Google Thinks, Works, and Shapes Our Lives Steven Levy
(4.5/5)
Free
Socialnomics: How Social Media Transforms the Way We Live and Do Business Erik Qualman
(4/5)
Free
Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live Jeff Jarvis
(3.5/5)
Free
The Nature of the Future: Dispatches from the Socialstructed World Marina Gorbis
(4/5)
Free
Talking Back to Facebook: The Common Sense Guide to Raising Kids in the Digital Age James P. Steyer
(4.5/5)
Free
The Thank You Economy Gary Vaynerchuk
(4/5)
Free
Blog Schmog: The Truth About What Blogs Can (and Can't) Do for Your Business Robert W. Bly
(4/5)
Free
The End of Business As Usual: Rewire the Way You Work to Succeed in the Consumer Revolution Brian Solis
(5/5)
Free
Our Final Invention: Artificial Intelligence and the End of the Human Era James Barrat
(4.5/5)
Free
No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State Glenn Greenwald
(4.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Who Owns the Future? Jaron Lanier
(4/5)
Free
An Introduction to Information Theory: Symbols, Signals and Noise John R. Pierce
(4.5/5)
Free
The Social Life of Information: Updated, with a New Preface-Revised John Seely Brown
(0/5)
Free
The Dark Net: Inside the Digital Underworld Jamie Bartlett
(4/5)
Free
Cognitive Surplus: Creativity and Generosity in a Connected Age Clay Shirky
(4/5)
Free
The History of the Future: Oculus, Facebook, and the Revolution That Swept Virtual Reality Blake J. Harris
(4.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Ten Arguments for Deleting Your Social Media Accounts Right Now Jaron Lanier
(4/5)
Free
The New New Thing: A Silicon Valley Story Michael Lewis
(4.5/5)
Free
New Dark Age: Technology and the End of the Future James Bridle
(4.5/5)
Free
Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World Don Tapscott
(4/5)
Free
The Emperor's New Mind: Concerning Computers, Minds, and the Laws of Physics Roger Penrose
(3.5/5)
Free
The Death of Expertise: The Campaign Against Established Knowledge and Why it Matters Tom Nichols
(4.5/5)
Free
Alone Together: Why We Expect More from Technology and Less from Each Other Sherry Turkle
(4.5/5)
Free
Algorithms to Live By: The Computer Science of Human Decisions Brian Christian
(4.5/5)
Free
Kill All Normies: Online Culture Wars From 4Chan And Tumblr To Trump And The Alt-Right Angela Nagle
(4/5)
Free

DevSecOps for Developers, How To Start (ETC 2020)

  1. 1. Turtle Sec @pati_gallardo
  2. 2. Turtle Sec @pati_gallardo My first real tech job
  3. 3. Dev[Sec]Ops for Developers How To Start European Testing Conference 2020 Patricia Aas Turtle Sec @pati_gallardo
  4. 4. Patricia Aas - Consultant Turtle Sec C++ Programmer, Application Security Currently : TurtleSec Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science Pronouns: she/her @pati_gallardo
  5. 5. @pati_gallardo 5 Quality @pati_gallardo
  6. 6. @pati_gallardo Accelerate, Nicole Forsgren PhD, Humble and Kim: “Our research shows that building security into software development not only improves delivery performance but also improves security quality. Organizations with high delivery performance spend significantly less time remediating security issues.” @pati_gallardo 6
  7. 7. @pati_gallardo “improves security quality” Security is a Quality Metric @pati_gallardo 7
  8. 8. @pati_gallardo Vulnerability @pati_gallardo 8
  9. 9. @pati_gallardo Bug Vulnerability Exploit If a bug can be exploited... ...then it is a vulnerability @pati_gallardo 9What is a Vulnerability?
  10. 10. @pati_gallardo Exploit Write Read Execute Information Leaks Intelligence Gathering Remote Code Execution Privilege Escalation Denial of Service Planting of Shellcode @pati_gallardo 10What does an Exploit do?
  11. 11. @pati_gallardo The Target The Exploit@halvarflake Weird State Weird State Exploitation: The Weird Machine Bug/ Vulnerability @sergeybratus @pati_gallardo 11
  12. 12. @pati_gallardo 12 There is an artificial line between security testing and other types of testing
  13. 13. @pati_gallardo 13 Vulnerabilities are Bugs
  14. 14. @pati_gallardo Culture @pati_gallardo 14
  15. 15. @pati_gallardo Looking for Zebras @pati_gallardo 15
  16. 16. @pati_gallardo “In medical school, you are taught that if, metaphorically, there is the sound of hoofbeats pounding towards you then it’s sensible to assume they come from horses not zebras [...] With House it’s the opposite. We are looking for zebras.” ‘Dr Lisa Sanders’ in ‘House M.D.’ @pati_gallardo 16
  17. 17. We tend to classify problems based on the problems we are used to. This stops us from understanding folks that deal with different classes of problems. @pati_gallardo 17
  18. 18. @pati_gallardo Cynefin Framework by Dave Snowden @pati_gallardo 18
  19. 19. Cynefin Framework by Dave Snowden https://cognitive-edge.com/blog/liminal-cynefin-image-release/ 19
  20. 20. Complex Complicated ObviousChaotic Discover Engineer Stabilize Automate Fixing things Cynefin Framework by Dave Snowden Crisis Emergent Novel Best Good 20
  21. 21. Cynefin Framework by Dave Snowden DevOps Complex Complicated ObviousChaotic Probe Prototyping Analyze Development Auto Deploy Creativity Skill Automation Not critical Critical Incident Response 21
  22. 22. Complex Complicated ObviousChaotic Act Put out fires Probe Analyze Auto Investigate Remediate Change Incident in Prod Cynefin Framework by Dave Snowden 22
  23. 23. Complex Complicated ObviousChaotic Cynefin Framework by Dave Snowden Security Act Fuzzing Probe Analyze Auto Debugging Exploit dev Metasploit 23
  24. 24. Complex Complicated ObviousChaotic Probe Making the Right System Analyze Making the System Right A/B Testing TDD Chaos Monkey Static Analysis Testing Cynefin Framework by Dave Snowden 24
  25. 25. @pati_gallardo Dev[Sec]Ops @pati_gallardo 25
  26. 26. @pati_gallardo Coding Building Testing Manual Security Gate Keeping Monitoring Simplified Pre-DevOps Deployment Workflow @pati_gallardo But you have to get out of the Critical Path? 26
  27. 27. @pati_gallardo - We have no “Security Team” 1 security person per 10 ops people per 100 developers* *Accelerate, Forsgren PhD, Humble and Kim Manual security review does not scale @pati_gallardo 27
  28. 28. @pati_gallardo Coding IDE Plugins Static Analysis Building Testing Scanning Monitoring Alerts Dashboards Dynamic Analysis Dependency Checks Warnings Commit hooks Simulations Fuzzing @pati_gallardo 28
  29. 29. @pati_gallardo Risk Modeling 29
  30. 30. @pati_gallardo 30 Company Killer What are you really afraid of? What kind of event could put you out of business?
  31. 31. @pati_gallardo 31 Pre-mortem Your worst headline is in the newspaper, how did this happen?
  32. 32. @pati_gallardo External Entity Data Store Trust Boundary Data Flow Trust Boundary Trust Boundary Data Store Process Backend Process External Entity Browser/App Data Flow Data Flow Diagram Data Flow 32
  33. 33. @pati_gallardo Hacks 33
  34. 34. Tooling Incident Response Automation Auditability Security Reviews Manpower @pati_gallardo 34
  35. 35. 1. Live Off the Land 2. Have Devs Build It 3. Trunk-based Development 4. Use Existing Crisis Process 5. Automate as Much as Possible 6. Infrastructure as Code 6 Dev[Sec]Ops Hacks @pati_gallardo 35
  36. 36. Tooling Incident Response Automation Auditability Security Reviews Manpower @pati_gallardo 36
  37. 37. @pati_gallardo Bootstrapping Tooling @pati_gallardo 37
  38. 38. Use your issue tracker Use your chat Use your monitoring Use your dashboards Integrate into your tools Live Off the Land @pati_gallardo Bootstrapping Tooling 38
  39. 39. 1. Live Off the Land 2. Have Devs Build It 3. Trunk-based Development 4. Use Existing Crisis Process 5. Automate as Much as Possible 6. Infrastructure as Code 6 Dev[Sec]Ops Hacks @pati_gallardo 39
  40. 40. Tooling Incident Response Automation Auditability Security Reviews Manpower @pati_gallardo 40
  41. 41. Bootstrapping Manpower @pati_gallardo 41
  42. 42. Use the devs to build integrations Find ways to justify it Dual purpose: Stability and Security Have Devs Build It @pati_gallardo Bootstrapping Manpower 42
  43. 43. 1. Live Off the Land 2. Have Devs Build It 3. Trunk-based Development 4. Use Existing Crisis Process 5. Automate as Much as Possible 6. Infrastructure as Code 6 Dev[Sec]Ops Hacks @pati_gallardo 43
  44. 44. Tooling Incident Response Automation Auditability Security Reviews Manpower @pati_gallardo 44
  45. 45. Bootstrapping Security Reviews @pati_gallardo 45
  46. 46. Trunk-based development Small commits Add security to peer-review Add threat modeling to peer-review Feature toggles Use feature toggles for A/B testing Bootstrapping Security Reviews Trunk-based Development 46@pati_gallardo
  47. 47. 1. Live Off the Land 2. Have Devs Build It 3. Trunk-based Development 4. Use Existing Crisis Process 5. Automate as Much as Possible 6. Infrastructure as Code 6 Dev[Sec]Ops Hacks @pati_gallardo 47
  48. 48. Tooling Incident Response Automation Auditability Security Reviews Manpower @pati_gallardo 48
  49. 49. @pati_gallardo Bootstrapping Incident Response @pati_gallardo 49
  50. 50. Have a Hotline security@example.com https://example.com/.well-known/security.txt 50@pati_gallardo
  51. 51. External Vulnerability Report Flow Bug Report Vulnerability Report Social Media QA Security Marketing Triage No bug Bug Vulnerability 51@pati_gallardo
  52. 52. Use Existing Crisis Process for Incident Response 52@pati_gallardo
  53. 53. @pati_gallardo@pati_gallardo You Know How To Handle A Crisis 53
  54. 54. Separate priority in bug-tracker Separate channel in Slack Security Engineer side-duty Simple procedure How will people get paid in off-hours? Bootstrapping Incident Response Security Improvements to Existing Crisis Process 54@pati_gallardo
  55. 55. 1. Live Off the Land 2. Have Devs Build It 3. Trunk-based Development 4. Use Existing Crisis Process 5. Automate as Much as Possible 6. Infrastructure as Code 6 Dev[Sec]Ops Hacks @pati_gallardo 55
  56. 56. TurtleSec Tooling Incident Response Automation Auditability Security Reviews Manpower @pati_gallardo 56
  57. 57. @pati_gallardo Bootstrapping Automation @pati_gallardo 57
  58. 58. Add IDE plugins Add dependency scanner in CI/CD Add scanners in CI/CD Dynamic scan in a non-blocking pipeline All results in dev visualization Automate as Much as Possible Bootstrapping Automation 58@pati_gallardo
  59. 59. Coding IDE Plugins Static Analysis Building Testing Scanning Monitoring Alerts Dashboards Dynamic Analysis Dependency Checks Warnings Commit hooks Simulations Fuzzing 59@pati_gallardo
  60. 60. 1. Live Off the Land 2. Have Devs Build It 3. Trunk-based Development 4. Use Existing Crisis Process 5. Automate as Much as Possible 6. Infrastructure as Code 6 Dev[Sec]Ops Hacks @pati_gallardo 60
  61. 61. TurtleSec Tooling Incident Response Automation Auditability Security Reviews Manpower @pati_gallardo 61
  62. 62. @pati_gallardo Bootstrapping Auditability @pati_gallardo 62
  63. 63. Fully Automated Pipeline Configuration Management Know what you’re running Auditable Bootstrapping Auditability Infrastructure as Code 63@pati_gallardo
  64. 64. 1. Live Off the Land 2. Have Devs Build It 3. Trunk-based Development 4. Use Existing Crisis Process 5. Automate as Much as Possible 6. Infrastructure as Code 6 Dev[Sec]Ops Hacks @pati_gallardo 64
  65. 65. @pati_gallardo Incremental Security @pati_gallardo 65
  66. 66. @pati_gallardo Teach everyone what to look for Use their Tooling and their Dashboards Fast, stable, automated tests in the Critical Path Use the existing Crisis Process for Incidents Have slower tests off the Critical Path Incremental, Layered, Security 66
  67. 67. @pati_gallardo Learn @pati_gallardo 67
  68. 68. Complex Complicated ObviousChaotic Act Put out fires Probe Analyze Auto Investigate Remediate Change Incident in Prod Cynefin Framework by Dave Snowden 68
  69. 69. 1. Preparation6. Lessons Learned 5. Recovery 4. Eradication 2. Identification 3. Containment Phases of Incident Response¹ ¹Incident Handler’s Handbook, SANS Institute https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 @pati_gallardo 69
  70. 70. 70 Practice “We don't rise to the level of our expectations, we fall to the level of our training.” Greek lyrical poet, Archilochus Accident or Breach? Does it matter? @pati_gallardo
  71. 71. @pati_gallardo Turtle Sec @pati_gallardo
  72. 72. Turtle Sec Questions? Photos from pixabay.com Patricia Aas, TurtleSec @pati_gallardo

×