How can you squeeze Security into DevOps? Security is often an understaffed function, so how can you leverage what you have in DevOps to improve your security posture?
Often the culture clash between Security and Development is even more prominent than between Development and Operations. Understanding the differences in how these functions work, and leveraging their similarities, will reveal processes already in place that can be used to improve security. This fine-tuning of tools and processes can give you DevSecOps on a shoestring.
4. Patricia Aas - Consultant
C++ Programmer, Application Security
Currently : T S
Previously : Vivaldi, Cisco Systems, Knowit, Opera Software
Master in Computer Science - main language Java
Pronouns: she/her
6. “Our research shows that building security into software development not only improves delivery performance but also improves security quality. Organizations with high delivery performance spend significantly less time remediating security issues.”
Accelerate, Forsgren PhD, Humble and Kim
@pati_gallardo
12. “In medical school, you are taught that if, metaphorically, there is the sound of hoofbeats pounding towards you then it’s sensible to assume they come from horses not zebras [...] With House it’s the opposite. We are looking for zebras.”
‘Dr Lisa Sanders’ in ‘House M.D.’
13. We tend to classify problems based on the problems we are used to.
This stops us from understanding folks that deal with different classes of problems.
31. Trunk-based development
Small commits
Add security to peer-review
Add threat modeling to peer-review
Feature toggles
Use feature toggles for A/B testing
32. 4. Use Existing Crisis Process for Incident Response
35. gitlab.com
- “rm -rf”
- Sysadmin maintenance
- Cascading errors as backups fail
- All logged publicly in real time
Accident or Breach
Does it matter?
36. External Vulnerability Report Flow
Flow diagram (layout not recoverable; nodes only). Incoming reports: Bug Report, Vulnerability Report, Social Media. Receiving teams: QA, Security, Marketing. Triage outcomes: No bug, Bug, Vulnerability.
38. Security Improvements to Existing Crisis Process
● Separate priority in bug-tracker
● Separate channel in Slack
● Explicit side-duty in every team: Security Engineer
● Simple procedure based on information sharing and empowering
● Have a procedure on how people will get paid in off-hours
40. Add IDE plugins
Add dependency scanner in CI/CD
Add scanners in CI/CD
Dynamic scan in a non-blocking pipeline
All results in dev visualization
43. 1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
53. Teach everyone what to look for
Use their Tooling and their Dashboards
Fast, stable, automated tests in the Critical Path
Use the existing Crisis Process for Incidents
Have slower tests off the Critical Path
I , L , S
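The pipeline shape sketched on slides 40 and 53 (fast, blocking checks in the critical path; the slow dynamic scan off it; results surfaced in the developers' own CI view), written out as an added example for this page. It is not code from the talk or from any project it mentions. GitLab CI syntax is my assumption, since the deck names no CI system; the scanner commands, the `deploy.sh` script and the `STAGING_URL` variable are placeholders to be swapped for whatever the team already runs.

```yaml
# Added example, not from the talk. GitLab CI syntax assumed; scanner
# commands, deploy.sh and STAGING_URL are placeholders.
stages:
  - test        # critical path: fast, stable, blocking
  - scan        # critical path: scanners quick and deterministic enough to block
  - deploy
  - slow-scan   # off the critical path: never holds up a deploy

# Fast unit tests gate every merge request and every push to the default branch.
unit-tests:
  stage: test
  script:
    - make test
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

# Dependency scanning is cheap and reproducible, so a high-severity finding
# fails the job and blocks the merge. The report key is how GitLab surfaces
# the result in the merge request view (the developers' own dashboard).
dependency-scan:
  stage: scan
  script:
    - placeholder-dependency-scanner --fail-on high --output gl-dependency-scanning-report.json
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json

# Static analysis likewise runs in the critical path and blocks on failure.
sast:
  stage: scan
  script:
    - placeholder-sast --output gl-sast-report.json
  artifacts:
    reports:
      sast: gl-sast-report.json

deploy-staging:
  stage: deploy
  environment: staging
  script:
    - ./deploy.sh staging
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

# The dynamic scan is slow and occasionally flaky, so it runs after the
# staging deploy and is marked allow_failure: a finding is reported and
# visible, but it never turns the pipeline red or blocks the release.
dast:
  stage: slow-scan
  needs: [deploy-staging]
  allow_failure: true
  script:
    - placeholder-dast --target "$STAGING_URL" --output gl-dast-report.json
  artifacts:
    when: always          # keep the report even when the scanner exits non-zero
    reports:
      dast: gl-dast-report.json
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

The split follows the slides directly: only the checks that are fast and stable gate a merge, so a failure there is always worth a developer's attention, while the dynamic scan produces a report the team looks at without it ever becoming the reason a deploy is held. Which scanners block and which merely report is the knob to tune over time, moving a scanner into the critical path only once it has proven quick and quiet enough not to be ignored.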
55. We tend to classify problems based on the problems we are used to.
This stops us from understanding folks that deal with different classes of problems.
56. Some people are always looking for Zebras