Lean Security

Ernest Mueller and James Wickett, presentation at DevOps Connect: Rugged DevOps 2016

Published in: Technology
1. #LEAN SECURITY
   @WICKETT // @ERNESTMUELLER // RSA 2016
2. @WICKETT // @ERNESTMUELLER // #LEANSECURITY
   Ernest Mueller (@ernestmueller), James Wickett (@wickett), theagileadmin.com
3. The presentation that just might change your life…
4. "Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we're protecting (and spending money on protecting) the wrong things, and we're hurting productivity in the process." (Thinking Security, Steven M. Bellovin, 2015)
6. Agile
7. What is Agile?
   • Individuals and interactions over processes and tools
   • Working software over comprehensive documentation
   • Customer collaboration over contract negotiation
   • Responding to change over following a plan
   Source: The Agile Manifesto (http://www.agilemanifesto.org/)
8. Why Agile?
   • 45% of organizations are using Agile on a majority of their teams; only 5% are not using it at all
   • Agile results:
     • Accelerate product delivery: 59%
     • Enhance ability to manage changing priorities: 56%
     • Increase productivity: 53%
     • Enhance software quality: 46%
     • Enhance delivery predictability: 44%
   Source: VersionOne Ninth Annual State of Agile Survey (https://www.versionone.com/pdf/state-of-agile-development-survey-ninth.pdf)
11. What is DevOps?
   DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support. DevOps is also characterized by operations staff making use of many of the same techniques as developers for their systems work.
   Source: The Agile Admin: What Is DevOps? (http://theagileadmin.com/what-is-devops/)
12. Why DevOps?
   • By 2016 "DevOps will evolve from a niche to a mainstream strategy employed by 25% of Global 2000 organizations" (Gartner, March 2015)
   • Benefits of DevOps:
     • New software/services that would otherwise not be possible: 21%
     • A reduction in time spent fixing and maintaining applications: 21%
     • Increased collaboration between departments: 21%
     • An increase in revenue: 19%
     • Improved quality and performance of our deployed applications: 19%
   Source: CA research report, DevOps: The Worst-Kept Secret to Winning in the Application Economy (http://rewrite.ca.com/us/articles/devops/research-report--devops-the-worst-kept-secret-to-winning-in-the-application-economy.html)
13. High-performing IT organizations experience 60x fewer failures and recover from failure 168x faster than their lower-performing peers. They also deploy 30x more frequently with 200x shorter lead times. (2015 State of DevOps Report, Puppet Labs)
14. Lean
15. Lean Software Development, seven principles:
   • Eliminate waste
   • Amplify learning
   • Decide as late as possible
   • Deliver as fast as possible
   • Empower the team
   • Build integrity in
   • See the whole
   Source: Lean Software Development: An Agile Toolkit (2003), Mary and Tom Poppendieck
16. Lean Product Development
   • Build-Measure-Learn
   • Build: minimum viable product
   • Measure: the outcome and internal metrics
   • Learn: about your problem and your solution
   • Repeat: go deeper where it's needed
   Source: The Lean Startup (2011), Eric Ries
17. Why Lean? "Both DevOps and Agile borrow key concepts from lean manufacturing, so it's all about communication and openness." (InformationWeek)
18. What are the challenges that Agile / DevOps / Lean pose to infosec?
19. Wrong question!
20. Instead, examine how adopting these strategies can help you win.
21. Lean Security is for winners.
22. The six-fold path of Lean Security (and how to win)
23. #1 Security is just beancounting
24. We traded engineering for actuarial duties.
25. "[Risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work." (Michal Zalewski, The Tangled Web, 2011)
26. A security management system provides optimal value to the organization if it:
   • Actively supports achieving the business and compliance objectives of the organization (the variable part)
   • Is an efficient, agile and integrated process, capable of dealing with a dynamic threat environment
   • Consumes minimal time and resources
   • Results in adequately managed security risk, in line with the risk appetite of the organization
   • Provides only the necessary, yet adequate, user-friendly, efficient and measurable security controls
   Source: Johan Bakker, Lean Security Management white paper
27. Understand the value your organization wants from you.
28. #2 Security is a bottleneck
29. The average time to deliver corporate IT projects has increased from ~8.5 months to over 10 months in the last 5 years. (Revving Up Your Corporate RPMs, Fortune, Feb 1, 2016)
30. Why are companies so slow? "The growth of control and risk management functions which is too often poorly coordinated… [resulting in] a proliferation of new tasks in the areas of compliance, privacy and data protection." (Revving Up Your Corporate RPMs, Fortune, Feb 1, 2016)
31. The three wastes
   • Muda: work which absorbs resource but adds no value
   • Muri: unreasonable work that is imposed on workers and machines
   • Mura: work coming in dribs and drabs with sudden periods of rush rather than a constant or regular flow; unevenness
32. Security waste. Muda comes in seven forms:
   • Excess inventory: dumping your thousand-page PDF of vulnerabilities on a busy team. Prioritize and limit work in progress (WIP).
   • Overproduction: security controls stemming from FUD or misalignment with business needs (not demanded by actual customers). Cf. The Phoenix Project.
   • Extra processing: for example, relying on compliance testing rather than designing the process to eliminate problems. Help it get built right the first time.
33. Security waste (continued)
   • Handoffs: leverage the knowledge of the teams doing the work and collaborate with them to build security in, instead of that being some other team's job.
   • Waiting: lag between value steps while waiting for approvals, analyses or ticket handling. Use self-service automation instead.
   • Task switching: the thousand-page PDF again. Work with their work-intake process, not against it.
   • Defects: false positives, false negatives and just plain unimportant findings you report, causing zero-value rework.
34. Understand the waste that you generate.
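The prioritize-and-limit-WIP advice on slides 32 and 33 is easier to act on with a concrete intake filter. The following is an added example, not code from the deck or from the authors: a small Python triage step that takes parsed scanner findings, drops reviewed false positives (each recorded with an owner and a reason), collapses duplicates, discards noise below a severity floor, and hands each owning team no more than a fixed number of items, deferring the rest. The findings, the team ownership, the suppression entry and the severity ordering are constructed sample data and assumptions for illustration.

```python
"""Triage scanner findings into a WIP-limited, per-team queue.

Added example, not from the slide deck. The findings, team ownership,
suppression list and severity ordering below are constructed for
illustration.
"""
from collections import defaultdict

# Assumed ordering: lower rank = more urgent.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Constructed sample, shaped like a parsed scanner export.
FINDINGS = [
    {"id": "F-1", "rule": "sqli", "severity": "critical",
     "asset": "api.example.test", "path": "/v1/search", "team": "payments"},
    {"id": "F-2", "rule": "sqli", "severity": "critical",          # same issue as F-1,
     "asset": "api.example.test", "path": "/v1/search", "team": "payments"},  # reported twice
    {"id": "F-3", "rule": "xss", "severity": "high",
     "asset": "www.example.test", "path": "/profile", "team": "web"},
    {"id": "F-4", "rule": "missing-hsts", "severity": "low",
     "asset": "www.example.test", "path": "/", "team": "web"},
    {"id": "F-5", "rule": "xss", "severity": "high",
     "asset": "admin.example.test", "path": "/users", "team": "web"},
    {"id": "F-6", "rule": "tls-weak-cipher", "severity": "medium",
     "asset": "legacy.example.test", "path": "/", "team": "platform"},
    {"id": "F-7", "rule": "xss", "severity": "medium",
     "asset": "www.example.test", "path": "/search", "team": "web"},
    {"id": "F-8", "rule": "info-banner", "severity": "info",
     "asset": "www.example.test", "path": "/", "team": "web"},
]

# Reviewed false positives / accepted risks, keyed by (rule, asset) so a
# rescan with fresh ids does not resurface them. Every entry carries an
# owner and a reason; an unexplained suppression is waste of its own.
SUPPRESSIONS = {
    ("tls-weak-cipher", "legacy.example.test"):
        "accepted until decommission 2016-Q3; owner: platform",
}


def dedupe(findings):
    """Collapse repeated reports of the same rule at the same location."""
    seen, out = set(), []
    for f in findings:
        key = (f["rule"], f["asset"], f["path"])
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


def triage(findings, suppressions, wip_limit, min_severity="medium"):
    """Return ({team: [findings]} capped at wip_limit per team, deferred list).

    Order of operations: dedupe, drop suppressed items, drop anything below
    min_severity, sort most-urgent first, then fill each team's queue up to
    wip_limit and defer the remainder instead of dumping it on them.
    """
    cutoff = SEVERITY_RANK[min_severity]
    kept = [f for f in dedupe(findings)
            if (f["rule"], f["asset"]) not in suppressions
            and SEVERITY_RANK[f["severity"]] <= cutoff]
    kept.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["id"]))
    queues, backlog = defaultdict(list), []
    for f in kept:
        if len(queues[f["team"]]) < wip_limit:
            queues[f["team"]].append(f)
        else:
            backlog.append(f)
    return dict(queues), backlog


if __name__ == "__main__":
    queues, backlog = triage(FINDINGS, SUPPRESSIONS, wip_limit=2)
    for team, items in sorted(queues.items()):
        print(team, [f"{f['id']}:{f['rule']}@{f['asset']}{f['path']}" for f in items])
    print("deferred:", [f["id"] for f in backlog])
```

Running it prints one short queue per team and the deferred list. Suppressions are keyed on (rule, asset) rather than on the finding id so that a rescan, which regenerates ids, does not resurface an accepted item; the reason string is what keeps the suppression itself from becoming untracked waste.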
35. #3 Security is invisible
36. Security professionals are quick to say security is everyone's job.
37. Security could learn from web performance circa 2008.
38. Performance
   • Browser extensions for devs to understand performance problems
   • Research showing performance-to-revenue correlation
   • Searchable logs emitting statsd metrics
   • Conferences combining front-end devs and sysadmins
   • Commitment to instrument and graph all the things
39. Security
   • Browser extensions for devs to understand security problems
   • Research showing security-to-revenue correlation
   • Searchable logs emitting statsd metrics
   • Conferences combining devs, ops and security
   • Commitment to instrument and graph all the things
40. See the whole
   • Keep meaningful metrics; make those metrics visible in the context of the workers' toolchain
   • "Least privilege" needs to be unlearned somewhat in modern organizations to allow effective information sharing
   • Get in the business of sharing and adding visibility to dev and to ops
41. Visualize security so everyone can see.
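Slides 38 to 40 borrow "searchable logs emitting statsd metrics" from the web-performance world. As an added example (not from the deck), here is what that looks like for security events in Python: a few constructed auth-log lines are classified, counted, and rendered in the statsd wire format ("<name>:<value>|c") that a statsd daemon accepts over UDP, ready to graph next to deploys and error rates. The log lines, the metric names, the per-source breakdown and the failure-ratio figure are all assumptions chosen for illustration.

```python
"""Turn security-relevant log lines into statsd counters.

Added example, not from the deck. The log lines, metric names and the
per-source breakdown are constructed; only the statsd wire format
'<name>:<value>|c' is the real protocol.
"""
import re
import socket
from collections import Counter

# Constructed sample lines in a common sshd/sudo auth.log shape.
SAMPLE_LOG = """\
Mar 14 10:01:02 web1 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
Mar 14 10:01:09 web1 sshd[2207]: Failed password for root from 203.0.113.9 port 41022 ssh2
Mar 14 10:01:11 web1 sshd[2207]: Failed password for root from 203.0.113.9 port 41022 ssh2
Mar 14 10:01:15 web1 sshd[2209]: Failed password for invalid user admin from 203.0.113.9 port 41030 ssh2
Mar 14 10:02:40 web1 sudo:   deploy : TTY=pts/0 ; PWD=/srv/app ; USER=root ; COMMAND=/bin/systemctl restart app
Mar 14 10:03:01 web1 sshd[2230]: Accepted password for alice from 10.0.0.7 port 50000 ssh2
"""

# (metric name, regex) pairs; metric names are assumptions.
PATTERNS = [
    ("auth.ssh.accepted",
     re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")),
    ("auth.ssh.failed",
     re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("auth.sudo",
     re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+)")),
]


def classify(line):
    """Return (metric, captured fields) for a recognised line, else None."""
    for metric, rx in PATTERNS:
        m = rx.search(line)
        if m:
            return metric, m.groupdict()
    return None


def count_metrics(log_text):
    """Count events per metric. Failed logins are also counted per source
    address so the graph shows who is hammering the host, not just how much."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        metric, fields = hit
        counts[metric] += 1
        if metric == "auth.ssh.failed":
            # statsd uses '.' as a namespace separator, so flatten the IP.
            counts[f"auth.ssh.failed.src.{fields['src'].replace('.', '_')}"] += 1
    return counts


def statsd_packets(counts):
    """Render counters in statsd wire format: '<name>:<value>|c'."""
    return [f"{name}:{value}|c" for name, value in sorted(counts.items())]


def failure_ratio(counts):
    """Failed / (failed + accepted) ssh logins; 0.0 when there were none."""
    failed = counts.get("auth.ssh.failed", 0)
    accepted = counts.get("auth.ssh.accepted", 0)
    total = failed + accepted
    return failed / total if total else 0.0


def send_udp(packets, host="127.0.0.1", port=8125):
    """Fire-and-forget delivery to a statsd daemon (default port 8125)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for packet in packets:
            sock.sendto(packet.encode(), (host, port))


if __name__ == "__main__":
    counts = count_metrics(SAMPLE_LOG)
    for packet in statsd_packets(counts):
        print(packet)
    print(f"ssh failure ratio: {failure_ratio(counts):.2f}")
```

Run it to see the packets; point send_udp at a real statsd or a UDP listener to ship them. The counters are deliberately coarse: the aim on slide 40 is a metric the dev and ops dashboards already understand, not a second SIEM.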
42. #4 Security is always too late
43. Build integrity in
   • "Cease dependence on mass inspection to achieve quality. Improve the process and build quality into the product in the first place." (W. Edwards Deming)
   • Integrate into continuous integration and use test-driven development (TDD) to rectify issues at the lowest-waste point
44. Source: The Three Ways of DevOps, Gene Kim
45. Needed a way to be mean to your code earlier in the development process. Enter Gauntlt…
46. Given, When, Then… what? An attack language for DevOps:

   @slow @final
   Feature: Look for cross site scripting (xss) using arachni against a URL

     Scenario: Using arachni, look for cross site scripting and verify no issues are found
       Given "arachni" is installed
       And the following profile:
         | name | value                 |
         | url  | http://localhost:8008 |
       When I launch an "arachni" attack with:
         """
         arachni --check=xss* <url>
         """
       Then the output should contain "0 issues were detected."

49. http://theagileadmin.com/2015/06/09/pragmatic-security-and-rugged-devops/
50. Generate security feedback in each value step.
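Slide 43 asks for TDD so that security issues are fixed at the lowest-waste point; the gauntlt attack on slide 46 checks the same property end to end but is tagged @slow for a reason. The following added example (not from the deck, and not part of gauntlt or arachni) is a Python unit-level companion to that check: a deliberately unescaped renderer beside an escaped one, a constructed subset of reflected-XSS payloads, and a gate that fails when rendering a payload adds HTML metacharacters beyond what the template itself emits. The renderer names, the payloads and the metacharacter heuristic are assumptions for illustration.

```python
"""Fast reflected-XSS regression gate to run on every commit.

Added example, not from the deck and not gauntlt/arachni code. The two
renderers, the payload list and the metacharacter heuristic are
constructed for illustration.
"""
import html

# Constructed subset of the payloads a scanner's xss checks would try.
XSS_PAYLOADS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "' onmouseover='alert(1)",
    "<svg/onload=alert(1)>",
]

# Characters that can open a tag or break out of an attribute value.
HTML_META = '<>"\''


def render_greeting_unsafe(name):
    """The 'before': user input formatted straight into HTML."""
    return f"<p>Hello, {name}!</p>"


def render_greeting(name):
    """The 'after': escape once, at the output boundary, quotes included."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def reflected_unescaped(render, payloads=XSS_PAYLOADS):
    """Return the payloads whose rendering adds HTML metacharacters.

    The rendered output is compared with a benign baseline rendering, so the
    template's own fixed markup does not count and the same check works for
    any render(name) -> str. A payload that survives escaping must add at
    least one of '<', '>', '"' or "'" to the output; an escaped one adds none.
    """
    baseline = render("benign")
    leaked = []
    for payload in payloads:
        out = render(payload)
        if any(out.count(ch) > baseline.count(ch) for ch in HTML_META):
            leaked.append(payload)
    return leaked


def xss_gate(render):
    """The unit-level 'Then' step: True when no payload survives."""
    return not reflected_unescaped(render)


if __name__ == "__main__":
    print("unsafe renderer leaks:", reflected_unescaped(render_greeting_unsafe))
    print("escaped renderer passes:", xss_gate(render_greeting))
```

The gate runs in milliseconds, so it belongs in the commit-stage test suite; the arachni run stays as the @final confirmation that the deployed application behaves the same way. Note the limits of the heuristic: it covers HTML-body and attribute contexts, but output that lands inside a script block or a URL needs its own context-specific encoding and its own test.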
51. #5 Security is always in the way
52. Are you "that guy"?
   • You already know you can't make things secure by yourself
   • You need everyone else to pitch in, but it seems like the things you do just anger them
53. Empower the team
   • Understand human motivation
   • Netflix automation created safe paths as the default
   • Removes emotional charge
54. Self-service automation
55. #6 Security is perfectionist and is therefore unrealistic
56. Security is your product.
57. Build-Measure-Learn
   • Deliver minimal viable security across everything
   • Focus on detection/metric gathering
   • Iterate from there
   • Remember: the weakest link wins
   • Overlap smaller solutions; see Josh More's OWASP 2012 "Lean Security 101" presentation
58. Manage your product.
59. We've been there.
60. Ernest Mueller (@ernestmueller), James Wickett (@wickett), theagileadmin.com
