Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

DevSecOps & Supply Chain Attacks


Published on

How to create a DevSecOps culture? Setting the path from anarchy towards a SDL process and security conscious culture.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

DevSecOps & Supply Chain Attacks

  1. 1. DevSecOps & Supply Chain Attacks- goodbye @Anakondantti 21.5. 2018, TreSec
  2. 2. Jare makes webscale apps. A cool hipster programmer.
  3. 3. Jare has a firm opinion Original: Pekkos Bill from Pahkasika. This version: no idea about the author..
  4. 4. Jare never thinks about this..
  5. 5. .. or this, the phase 2 of the attack.
  6. 6. What was the impact? How did that happen? Why ?
  7. 7. The Impact varies a lot Direct monetary costs. Imago / Reputation lost. Lost trust -> lost sales and customers.
  8. 8. HOWTO: Supply Chain Attack State Level Actors Cybercriminal groups Individual hackers Script kiddies Insider threat? Backdoored tools and 3rd party deps Automated scanning Phishing Backdoored HW Stolen HW ...
  9. 9. Our software is secure! #NoProcess for the win!
  10. 10. The result of #noprocess
  11. 11. Process vs. Requirements
  12. 12. Katakri 2015, requirement I06 Suojaustasolla IV vaatimus voidaan täyttää siten, että toteutetaan alla mainitut toimenpiteet: 1) Järjestelmien käyttöoikeuksien hallintaan on nimetty vastuuhenkilö(t). 2) Järjestelmän käyttäjistä on olemassa lista. 3) Käyttöoikeuden myöntämisen yhteydessä tarkistetaan, että oikeuden saaja kuuluu henkilöstöön tai on muutoin oikeutettu. 4) Käyttöoikeuksien käsittely ja myöntäminen on ohjeistettu. ….
  13. 13. Very reasonable! Good against social engineering. Prevents stupid mistakes.
  14. 14. Solitan yleinen policy Sopimusten, tietoturva-ohjeistusten ja asiakasvaatimusten noudattamisesta vastaava henkilö. Tämä henkilö vastaa myös siitä, että tietoturvaan ja ympäristöihin liittyvät tehtävät nousevat projektin tehtävälistalle ja ne toteutetaan. Tyypillisesti tätä roolia toteuttaa projekti-/palvelupäällikkö. ….
  15. 15. Very clear! Make certain that someone is responsible.
  16. 16. Using Katakri as an example.. Katakri talks about dependency management It talks about securing communications between networks. It refers to static analysis of source code .. It doesn’t give tools or practical guidance. It doesn’t explain the threat model. It is not a process, it’s a list of requirements.
  17. 17. a Technical issue? or a Process issue?
  18. 18. What is wrong with this?
  19. 19. What is wrong with this!?
  20. 20. DevOps or DevSecOps Process? CIA of audit logs? In Finnish, “vaarallinen työyhdistelmä” This is actually very difficult to handle! Expect resistance from DevOps enthusiasts!
  21. 21. How to make Jare follow your process?
  22. 22. Easy part.. Make a clear and short process. Set a standard. Demand professional conduct.
  23. 23. The harder part Motivate! Explain the threat model. Demonstrate attacks. Give tools, educate, give support.
  24. 24. The super difficult What to do if someone wants to be an anarchist? How to change attitudes and customs? How to create a culture? Culture always trumps process!
  25. 25. DevSecOps - it’s a culture WHY. The Threat model. Demonstrations. Motivation. Requirements The Process. Support. Templates, education, material, tools. Security Oriented Culture!