Continuous Security: 5 Ways DevOps Improves Security


David Mortman, Chief Security Architect & Distinguished Engineer, Dell Software

Josh Corman, CTO, Sonatype

Published in: Technology

  1. #RSAC SESSION ID: ASD-T07R. Continuous Security: 5 Ways DevOps Improves Security. David Mortman, Chief Security Architect & Distinguished Engineer, Dell Software (@mortman). Joshua Corman, CTO, Sonatype (@joshcorman).
  2. 10/23/2013 @joshcorman. “It’s not enough to do your best; you must know what to do, and then do your best.” Deming. @joshcorman @mortman #RSAC #DevOps
  3. ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK. Dev’s core motivations are to be on time, on budget, with acceptable quality/risk.
  4. (image-only slide; no text extracted)
  5. “Don’t Go Chasin’ Waterfalls.” Dev started with Waterfall, but modern demands require us to go faster.
  6. ON TIME: faster builds, fewer interruptions, more innovation. ON BUDGET: more efficient, more profitable, more competitive. ACCEPTABLE QUALITY/RISK: easier compliance, higher quality, built-in audit protection. Waterfall’s Design -> Dev -> Test -> Deploy may go 1.5-3 yrs between releases.
  7. Agile goats; not goat rodeo. “We need to be agile, but not fragile.” @RuggedSoftware
  8. Agile / CI (same On Time / On Budget / Acceptable Quality/Risk columns as slide 6). Agile & Lean tightened the Design -> Build -> Test cycle, releasing 6-12+ smaller batches/yr.
  9. DevOps. It may feel like DevOps is Pandora’s Box, but it’s open… and hope remains. ;)
  10. DevOps / CD on top of Agile / CI (same three columns). Agile made dev faster but wasn’t enough. DevOps extends the patterns to Ops for mutual gains.
  11. SW Supply Chains. Deming drove Toyota supply chains. We can EXTEND DevOps with his quality/safety patterns.
  12. SW Supply Chain on top of DevOps / CD and Agile / CI (same three columns). SW supply chains enable faster, more efficient dev by reducing elective complexity/risk++.
  13. SW Supply Chains. Our SW supply chain is only as strong as its weakest link. Can you say #OpenSSL?
  14. Comparing the Prius and the Volt:

                              Toyota advantage   Toyota Prius   Chevy Volt
      Unit cost               61%                $24,200        $39,900
      Units sold              13x                23,294         1,788
      In-house production     50%                27%            54%
      Plant suppliers         16% (10x per)      125            800
      Firm-wide suppliers     4%                 224            5,500

      Toyota Prius (vs Volt) used 1/6th the suppliers, better leveraged, for 60% of the price and 12x the sales.
  15. DevOps Defined. Is #DevOps a Culture? A Process? A Toolchain? YES; but the greatest of these is Culture/Empathy.
  16. Myths abound RE: Security & #DevOps. We FUD-haters should deal with facts.
  17. RE: #DevOps & Security: You’re entitled to your own opinions, but not to your own facts.
  18. MythBusted: “ITIL & Change Management can’t be done with #DevOps” <- It can even make it easier/better.
  19. True #DevOps + Security isn’t all rainbows & unicorns. Unicorn p00p has to be worked through.
  20. SW Status Quo: Most attacked; least spend. Spending vs attack risk (source: normalized COBIT spending across IDC, Gartner, The 451 Group, since groupings vary): Network Security ~$20B; Host Security ~$10B; Data Security ~$5B; People Security ~$4B; Software Security ~$0.5B. Worse, within software the existing dollars go to scanning the <=10% of code we write, while the assembled 3rd-party & open-source components that make up ~90% of most applications get almost no spending. Status quo: SW is MOST attacked & gets LEAST security spend, and most of that goes to the 10% of code we write.
  21. Insanity. Einstein’s Insanity: we could do the same thing over & over expecting different results.
  22. WRT Security & #DevOps we lose things AND we gain things. We’ll look at 5 things we gain.
  23. This was added because the Red Hat in the “Lost & Found” made @mortman giggle & he forced it upon @joshcorman.
  24. 1) Instrumentation! #DevOps instruments EVERYTHING & Security can use it in MANY ways.
  25. 2) Be Mean To Your Code! To avoid failure, fail all the time. #ChaosMonkey #Gauntlt #BrakeMan
  26. 3) Complexity Is the Enemy of “All The Things”! All #DevOps parties benefit from reducing complexity.
  27. Decomposition lowers complexity, adds security and reliability.
  28. Simple > Complex. Simple != Easy though. There is no easy button, but there is an easiER one.
  29. 4) Implicit and Explicit Change Management. Change is good and leads to stability and fights stagnation.
  30. All of Chuck Norris’s Change Controls are Full Cycle and they’re always approved!
  31. 5) Empathy is the killer app! Silos prohibit sharing and empathy….
  32. Madame CISO, Tear Down This Wall!
  33. MOST IMPACT: BUY/BUILD DEFENSIBLE SOFTWARE. Layers: Defensible Infrastructure (the software & hardware we build, buy, and deploy; 90% of software is assembled from 3rd party & Open Source, 10% written) -> Operational Excellence -> Situational Awareness -> Countermeasures. Defensible IT & Ops Excellence have the MOST security impact, but elude CISO influence. BUT…
  34. 10/23/2013 @joshcorman. Same layers (Defensible Infrastructure, Operational Excellence, Situational Awareness, Countermeasures) with DevOps overlaid. [cont] #DevOps smashes silos & finally enables the MUCH LARGER security gains in both.
  35. Apply!
      • Stop resisting… “Survival isn’t mandatory” – Deming
      • Josh’s RSAC EU Keynote: http://youtu.be/m4Y_K7MXQxQ
      • Read “The Phoenix Project” by Gene Kim: http://itrevolution.com/books/phoenix-project-devops-book/
      • Watch videos from RSAC “DevOps Connect” Rugged DevOps Day: http://www.sonatype.org/nexus/2015/04/13/devops-connect-secops-editon-at-rsac-2015-speakers-and-schedule/
      • Grab tooling: Gauntlt, BrakeMan, Chaos Monkey, and the Simian Army
      • Start small, start anywhere, start TODAY!
      Get on the train before the train gets on you! Don’t delay, start today!
  36. Conclusion/Wrap-Up. Follow Us & Rugged #DevOps at: @mortman @joshcorman @RuggedSoftware @RuggedDevOps @iamthecavalry
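The supply-chain point of slides 13, 20 and 33 (most of an application is assembled from third-party and open-source components that receive almost no security spend, and the chain is only as strong as its weakest link) and the "fail all the time" advice of slide 25 together suggest one concrete pipeline check. What follows is an added example, not code from the talk, from Sonatype, or from any of the tools the slides name: a small CI gate that reads a pinned dependency manifest, compares each component against an advisory list of affected version ranges, and fails the build on a hit or on an unpinned or unparseable component that cannot be assessed. The manifest, the package names and the advisory identifiers are all constructed for illustration; a real gate would pull advisories from an SCA tool or a vulnerability feed rather than an inline list.

```python
"""Added example (not from the talk): a CI gate that checks a pinned
dependency manifest against an advisory list and fails on known-vulnerable
or unassessable components.  All names, versions and advisory IDs below are
constructed for illustration and are not real packages or CVEs."""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample manifest in requirements.txt style; package names are fictitious.
SAMPLE_MANIFEST = """\
# application dependencies (constructed example)
acme-json==1.4.2
widget-http==2.0        # pulls in libparse transitively
libparse==0.9.11
ratelimit-kit==3.1.0
tracing-shim            # unpinned: whatever is latest at build time
"""

# Constructed advisory list: (component, first affected, first fixed, advisory id).
# Affected range is first_affected <= version < fixed_in.
SAMPLE_ADVISORIES = [
    ("libparse", "0.9.0", "0.9.12", "EXAMPLE-ADV-0001"),
    ("acme-json", "1.0", "1.4.0", "EXAMPLE-ADV-0002"),
    ("widget-http", "2.0", "2.0.1", "EXAMPLE-ADV-0003"),
]

# name, optionally followed by ==version; comments are stripped before matching
LINE_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.-]*)\s*(?:==\s*(\S+))?$")


@dataclass(frozen=True)
class Finding:
    component: str
    version: Optional[str]   # None when the manifest did not pin a version
    reason: str


def normalize(version: str) -> Tuple[int, ...]:
    """Dotted numeric version -> tuple with trailing zeros dropped, so 2.0 == 2.0.0.
    Pre-release or other non-numeric forms raise ValueError; the gate treats that
    as "cannot assess" rather than silently passing."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def is_affected(version: str, first_affected: str, fixed_in: str) -> bool:
    """True when first_affected <= version < fixed_in."""
    return normalize(first_affected) <= normalize(version) < normalize(fixed_in)


def parse_manifest(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (name, pinned_version_or_None) per dependency line; comments and blanks skipped."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse manifest line: {raw!r}")
        components.append((m.group(1).lower(), m.group(2)))
    return components


def gate(manifest_text: str, advisories) -> List[Finding]:
    """Return the findings that should fail the build (an empty list means pass)."""
    findings: List[Finding] = []
    for name, version in parse_manifest(manifest_text):
        if version is None:
            findings.append(Finding(name, None, "unpinned: version cannot be assessed"))
            continue
        try:
            normalize(version)
        except ValueError as exc:
            findings.append(Finding(name, version, f"unparseable version: {exc}"))
            continue
        for comp, first, fixed, adv_id in advisories:
            if comp == name and is_affected(version, first, fixed):
                findings.append(Finding(name, version, f"{adv_id}: affected range {first} <= v < {fixed}"))
    return findings


if __name__ == "__main__":
    results = gate(SAMPLE_MANIFEST, SAMPLE_ADVISORIES)
    for f in results:
        print(f"FAIL {f.component} {f.version or '(unpinned)'}: {f.reason}")
    # Non-zero exit breaks the build: the point is to fail early and often.
    sys.exit(1 if results else 0)
```

Run as a build step, the script exits non-zero on the constructed manifest because widget-http 2.0 and libparse 0.9.11 fall inside advisory ranges and tracing-shim is unpinned. Treating an unpinned or unparseable version as a failure rather than a pass is the deliberate choice: a component you cannot identify is exactly the weak link slide 13 warns about, and a gate that quietly skips it is not being mean to your code.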
