Turtle
Sec
@pati_gallardo

Turtle
Sec
@pati_gallardo
My first
real tech
job

Dev[Sec]Ops for Developers
How To Start
European Testing Conference 2020
Patricia Aas
Turtle
Sec
@pati_gallardo

Patricia Aas - Consultant
Turtle
Sec
C++ Programmer, Application Security
Currently : TurtleSec
Previously : Vivaldi, Cisco Systems, Knowit, Opera Software
Master in Computer Science
Pronouns: she/her
@pati_gallardo

@pati_gallardo 5
Quality
@pati_gallardo

@pati_gallardo
Accelerate, Nicole Forsgren PhD, Humble and Kim:
“Our research shows that building security into software
development not only improves delivery performance
but also improves security quality.
Organizations with high delivery performance
spend significantly less time remediating security issues.”
@pati_gallardo 6

@pati_gallardo
“improves security quality”
Security is a
Quality Metric
@pati_gallardo 7

@pati_gallardo
Vulnerability
@pati_gallardo 8

@pati_gallardo
Bug
Vulnerability
Exploit
If a bug can be
exploited...
...then it is a
vulnerability
@pati_gallardo 9What is a Vulnerability?

@pati_gallardo
Exploit
Write
Read Execute
Information Leaks
Intelligence Gathering
Remote Code Execution
Privilege Escalation
Denial of Service
Planting of Shellcode
@pati_gallardo 10What does an Exploit do?

@pati_gallardo
The Target The Exploit@halvarflake
Weird
State
Weird
State
Exploitation: The Weird Machine
Bug/
Vulnerability
@sergeybratus
@pati_gallardo 11

@pati_gallardo 12
There is an artificial line
between security testing and
other types of testing

@pati_gallardo 13
Vulnerabilities are Bugs

@pati_gallardo
Culture
@pati_gallardo 14

@pati_gallardo
Looking for Zebras
@pati_gallardo 15

@pati_gallardo
“In medical school, you are taught that if, metaphorically, there is the
sound of hoofbeats pounding towards you then it’s sensible to assume
they come from horses not zebras [...]
With House it’s the opposite. We are looking for zebras.”
‘Dr Lisa Sanders’ in ‘House M.D.’
@pati_gallardo 16

We tend to classify problems
based on the problems we are
used to.
This stops us from understanding
folks that deal with different
classes of problems.
@pati_gallardo
17

@pati_gallardo
Cynefin Framework
by Dave Snowden
@pati_gallardo 18

Cynefin
Framework
by
Dave Snowden
https://cognitive-edge.com/blog/liminal-cynefin-image-release/
19

Complex Complicated
ObviousChaotic
Discover Engineer
Stabilize Automate
Fixing things
Cynefin
Framework
by
Dave Snowden
Crisis
Emergent
Novel Best
Good
20

Cynefin
Framework
by
Dave Snowden
DevOps
Complex Complicated
ObviousChaotic
Probe
Prototyping
Analyze
Development
Auto
Deploy
Creativity Skill
Automation
Not critical
Critical
Incident
Response
21

Complex Complicated
ObviousChaotic
Act
Put out fires
Probe Analyze
Auto
Investigate Remediate
Change
Incident in Prod
Cynefin
Framework
by
Dave Snowden
22

Complex Complicated
ObviousChaotic
Cynefin
Framework
by
Dave Snowden
Security
Act
Fuzzing
Probe Analyze
Auto
Debugging Exploit dev
Metasploit
23

Complex Complicated
ObviousChaotic
Probe
Making the Right System
Analyze
Making the System Right
A/B Testing TDD
Chaos Monkey Static Analysis
Testing
Cynefin
Framework
by
Dave Snowden
24

@pati_gallardo
Dev[Sec]Ops
@pati_gallardo 25

@pati_gallardo
Coding Building Testing
Manual
Security
Gate
Keeping
Monitoring
Simplified Pre-DevOps Deployment Workflow
@pati_gallardo
But you have to get out of the Critical Path?
26

@pati_gallardo
- We have no “Security Team”
1 security person per 10 ops people per 100 developers*
*Accelerate, Forsgren PhD, Humble and Kim
Manual security review does not scale
@pati_gallardo 27

@pati_gallardo
Coding
IDE Plugins
Static Analysis
Building Testing Scanning Monitoring
Alerts
Dashboards
Dynamic Analysis
Dependency Checks
Warnings
Commit hooks
Simulations
Fuzzing
@pati_gallardo 28

@pati_gallardo
Risk Modeling
29

@pati_gallardo 30
Company Killer
What are you really afraid of?
What kind of event could put you out of business?

@pati_gallardo 31
Pre-mortem
Your worst headline is in the newspaper,
how did this happen?

@pati_gallardo
External
Entity
Data Store
Trust
Boundary
Data Flow
Trust Boundary
Trust Boundary
Data Store
Process
Backend
Process
External Entity
Browser/App
Data Flow
Data Flow Diagram
Data
Flow
32

@pati_gallardo
Hacks
33

Tooling
Incident
Response
Automation Auditability
Security
Reviews
Manpower
@pati_gallardo 34

1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
6 Dev[Sec]Ops Hacks
@pati_gallardo 35

Tooling
Incident
Response
Automation Auditability
Security
Reviews
Manpower
@pati_gallardo 36

@pati_gallardo
Bootstrapping
Tooling
@pati_gallardo 37

Use your issue tracker
Use your chat
Use your monitoring
Use your dashboards
Integrate into your tools
Live Off the Land
@pati_gallardo
Bootstrapping
Tooling
38

1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
6 Dev[Sec]Ops Hacks
@pati_gallardo 39

Tooling
Incident
Response
Automation Auditability
Security
Reviews
Manpower
@pati_gallardo 40

Bootstrapping
Manpower
@pati_gallardo
41

Use the devs to build integrations
Find ways to justify it
Dual purpose:
Stability and Security
Have Devs Build It
@pati_gallardo
Bootstrapping
Manpower
42

1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
6 Dev[Sec]Ops Hacks
@pati_gallardo 43

Tooling
Incident
Response
Automation Auditability
Security
Reviews
Manpower
@pati_gallardo 44

Bootstrapping
Security Reviews
@pati_gallardo
45

Trunk-based development
Small commits
Add security to peer-review
Add threat modeling to peer-review
Feature toggles
Use feature toggles for
A/B testing
Bootstrapping
Security Reviews
Trunk-based Development
46@pati_gallardo

1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
6 Dev[Sec]Ops Hacks
@pati_gallardo 47

Tooling
Incident
Response
Automation Auditability
Security
Reviews
Manpower
@pati_gallardo 48

@pati_gallardo
Bootstrapping
Incident Response
@pati_gallardo 49

Have a Hotline
security@example.com
https://example.com/.well-known/security.txt
50@pati_gallardo

External Vulnerability Report Flow
Bug Report
Vulnerability
Report
Social Media
QA
Security
Marketing
Triage
No bug
Bug
Vulnerability
51@pati_gallardo

Use Existing Crisis Process for
Incident Response
52@pati_gallardo

@pati_gallardo@pati_gallardo
You Know
How To
Handle A
Crisis
53

Separate priority in bug-tracker
Separate channel in Slack
Security Engineer side-duty
Simple procedure
How will people get paid in
off-hours?
Bootstrapping
Incident Response
Security Improvements to
Existing Crisis Process
54@pati_gallardo

1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
6 Dev[Sec]Ops Hacks
@pati_gallardo 55

TurtleSec
Tooling
Incident
Response
Automation Auditability
Security
Reviews
Manpower
@pati_gallardo 56

@pati_gallardo
Bootstrapping
Automation
@pati_gallardo 57

Add IDE plugins
Add dependency scanner in CI/CD
Add scanners in CI/CD
Dynamic scan in a non-blocking
pipeline
All results in dev visualization
Automate as Much as
Possible
Bootstrapping
Automation
58@pati_gallardo

Coding
IDE Plugins
Static Analysis
Building Testing Scanning Monitoring
Alerts
Dashboards
Dynamic Analysis
Dependency Checks
Warnings
Commit hooks
Simulations
Fuzzing
59@pati_gallardo

1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
6 Dev[Sec]Ops Hacks
@pati_gallardo 60

TurtleSec
Tooling
Incident
Response
Automation Auditability
Security
Reviews
Manpower
@pati_gallardo 61

@pati_gallardo
Bootstrapping
Auditability
@pati_gallardo 62

Fully Automated Pipeline
Configuration Management
Know what you’re running
Auditable
Bootstrapping
Auditability
Infrastructure as Code
63@pati_gallardo

1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
6 Dev[Sec]Ops Hacks
@pati_gallardo 64

@pati_gallardo
Incremental
Security
@pati_gallardo 65

@pati_gallardo
Teach everyone what to look for
Use their Tooling and their Dashboards
Fast, stable, automated tests in the Critical Path
Use the existing Crisis Process for Incidents
Have slower tests off the Critical Path
Incremental, Layered, Security
66

@pati_gallardo
Learn
@pati_gallardo 67

Complex Complicated
ObviousChaotic
Act
Put out fires
Probe Analyze
Auto
Investigate Remediate
Change
Incident in Prod
Cynefin
Framework
by
Dave Snowden
68

1. Preparation6. Lessons Learned
5. Recovery
4. Eradication
2. Identification
3. Containment
Phases of
Incident
Response¹
¹Incident Handler’s Handbook, SANS Institute
https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
@pati_gallardo 69

70
Practice
“We don't rise to the level of
our expectations, we fall to the
level of our training.”
Greek lyrical poet, Archilochus
Accident or Breach?
Does it matter?
@pati_gallardo

@pati_gallardo
Turtle
Sec
@pati_gallardo

Turtle
Sec
Questions?
Photos from pixabay.com
Patricia Aas, TurtleSec
@pati_gallardo