
Security is everybody's job... Literally!



In DevOps everyone performs security work, whether they like it or not. With a ratio of 100/10/1 for Development, Operations, and Security, it’s impossible for the security team alone to get it all done. We must build security into each of “the three ways”; automating and/or improving efficiency of all security activities, speeding up feedback loops for security related activities, and providing continuous learning opportunities in relation to security. While it may sound like the security team needs to learn to sprint, give feedback, and teach at the same time, the real challenge is creating a culture that embodies the mindset that security is everybody's job.

Published in: Technology

Security is everybody's job... Literally!

  5. Slide credit: Pete Cheslock
  6. Slide credit: DevSecCon
  7. This is me. I'm Tanya Janca, AKA @SheHacksPurple
  8. This is me. I'm a Senior Cloud Developer Advocate at Microsoft. What does THAT mean?
  9. This is me. I'm a Senior Cloud Developer Advocate. It means I help developers use our products more securely. I work to make security features easier to use. I provide feedback to make our products more secure. I do security research and share it with the community: security research such as this presentation, OWASP DevSlop, and much more.
  10. This is me. Application Security Evangelist
  12. This is me. Ethical hacker. I want to know how things work.
  13. This is me. I'm obsessed with OWASP! Open Web Application Security Project: an international non-profit that operates chapters, projects and conferences all over the globe, in an effort to help everyone create more secure software.
  14. This is me. OWASP Ottawa Chapter Leader
  15. This is me. OWASP DevSlop Project Leader
  16. This is me. Software Developer (since the late 90's). That's over 20 years! AHHHHHHHHHHHH!
  17. This is me. Goal: to change the way we make software so that the easiest way to do something is also the most secure way. (Photo: Lucerne, Switzerland, Swiss Cyber Storm 2017)
  18. Let's do this.
  21. Verizon Data Breach Investigations Report (DBIR) for 2017 and 2016.
  23. (Photo: #WOCTechChat)
  24. 100 / 10 / 1 (Development / Operations / Security)
  25. (Photo: Winged Beast)
  33. The Three Ways
  34. Left -> Right = speed
  35. Requirements -> Design -> Code -> Testing -> Release
  38. Only deploy up-to-date images and containers.
  39. What developers and operations can do in the first way:
      • Help the AppSec team tune static code analysis tools
      • Add security bugs to the defect tracker
      • Use templates and code samples that are known-secure (a secure code library)
      • Use freshly scanned images that are up to date and fully patched
      • Set up regular, automated scans for VMs and containers
  40. Help the AppSec team tune their tools. For their sake, and yours.
  41. Positive testing determines that your application works as expected; if an error is encountered during positive testing, the test fails. Negative testing ensures that your application can gracefully handle invalid input or unexpected user behavior.
  42. • Add negative use cases as unit tests, not just positive use cases (Morgan Roman, @Hackimedes)
      • Help the AppSec team tune web proxy scanners
      • If the AppSec team creates a security pipeline for testing for you, use it!
      • OWASP Dependency-Check, Retire.js, Snyk, Black Duck, etc.: tools to find and remove known-vulnerable code, libraries and components
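The positive/negative distinction on slides 41 and 42, as an added worked example that is not part of the deck: a post-login redirect-target validator (a function where negative cases matter, since open redirects are mostly bypass tricks) with a positive list the application must accept and a negative list of hostile or malformed inputs it must reject without raising. The function name, the host allow-list and every input are constructed for this example.

```python
"""Positive and negative test cases for a security-sensitive function.

Added example, not from the slides: is_safe_redirect() validates a
post-login redirect target, and the two case lists below are the unit tests
a developer would add. The function, host allow-list and inputs are
constructed for this example.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.com"}   # constructed allow-list
MAX_LEN = 2048


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for a relative path or an http(s) URL on an allowed host.

    Every other input returns False; the function never raises, so a hostile
    value cannot turn a redirect into a crash (the 'graceful handling' that
    negative tests check for).
    """
    if not isinstance(target, str) or not target or len(target) > MAX_LEN:
        return False
    # CR, LF, NUL and other control characters can split headers or
    # confuse downstream parsers; reject them outright.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Browsers treat a backslash like a slash, so "/\evil.com" is really
    # "//evil.com"; normalise before parsing to see it the way the browser will.
    normalised = target.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:                       # e.g. malformed IPv6 brackets
        return False
    if parts.netloc:
        # Absolute or protocol-relative URL: scheme and host must both pass.
        return (parts.scheme.lower() in ("http", "https")
                and (parts.hostname or "").lower() in allowed_hosts)
    if parts.scheme:
        # "javascript:", "data:", "http:evil.com" and friends.
        return False
    # Plain relative path: exactly one leading slash.
    return normalised.startswith("/") and not normalised.startswith("//")


# Positive cases: the application must accept these.
POSITIVE_CASES = [
    "/",
    "/dashboard",
    "/account/settings?tab=security#2fa",
    "https://app.example.com/dashboard",
    "HTTPS://APP.EXAMPLE.COM/dashboard",
]

# Negative cases: hostile or malformed input the application must reject
# without raising. Built from common open-redirect bypass patterns.
NEGATIVE_CASES = [
    "",
    "dashboard",                              # no leading slash
    "//evil.com/",                            # protocol-relative
    "/\\evil.com/",                           # backslash -> slash
    "///evil.com/",
    "https://evil.com/",
    "https://app.example.com.evil.com/",      # suffix lookalike
    "https://app.example.com@evil.com/",      # userinfo trick
    "http:evil.com",                          # scheme without netloc
    "http://[evil.com",                       # makes urlsplit raise
    "javascript:alert(1)",
    "data:text/html,<script>alert(1)</script>",
    "/ok\r\nSet-Cookie: session=x",           # header injection
    "/" + "a" * (MAX_LEN + 1),                # oversized
    None,                                     # wrong type
    42,
    b"/bytes",
]


def run_test_suite():
    """Run both halves; return a list of (kind, input, ...) entries that failed.

    An empty list means every positive case was accepted and every negative
    case was rejected without an exception escaping.
    """
    failures = []
    for case in POSITIVE_CASES:
        if is_safe_redirect(case) is not True:
            failures.append(("positive", case))
    for case in NEGATIVE_CASES:
        try:
            verdict = is_safe_redirect(case)
        except Exception as exc:             # a crash is itself a failure
            failures.append(("negative-crashed", case, repr(exc)))
            continue
        if verdict is not False:
            failures.append(("negative", case))
    return failures


if __name__ == "__main__":
    problems = run_test_suite()
    print("all cases passed" if not problems else problems)
```

The negative list is where the value is: each entry is a way a validator that only had positive tests could pass while still being exploitable, and the suite treats an uncaught exception on hostile input as a failure in its own right.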
  44. Requirements -> Design -> Code -> Testing -> Release
  45. Fixing costs of quality and security issues rise significantly as the development cycle advances (source: Ponemon Institute Research): Coding $80/defect; Build $240/defect; QA & UAT $960/defect; Production $7,600/defect.
  46. Faster Feedback = Shifting Left
  47. Tell the security team what you are concerned about. Feedback goes both ways.
  49. Participating in security activities: incidents, threat modelling, security sprints, etc.
  50. What developers and operations can do in the second way:
      • Faster feedback loops = fixing bugs sooner
      • Breaking the build if you introduce security issues
      • Adding security sprints to your project timeline
      • Participating in threat modelling activities
      • Participating in incident response, if need be
      • Learning to use security tools
      • Security becomes part of the definition of quality
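For "breaking the build if you introduce security issues" (slide 50) together with the scan and dependency tooling on slides 39 and 42, an added example of a CI gate. It is not the deck's code and it is not the output format of OWASP Dependency-Check, Retire.js, Snyk or Black Duck (each has its own format, and several can fail the build natively). It parses a constructed scan report, blocks on findings at or above a CVSS threshold, honours accepted-risk exceptions only until their expiry date, and fails closed when the report cannot be read. The report schema, vulnerability ids, scores and dates are all constructed.

```python
"""Security gate for a CI pipeline: break the build on severe findings.

Added example, not the deck's own code and not any scanner's official output
format. The JSON shape, vulnerability ids and scores below are constructed
for the example; map a real tool's report fields onto load_findings().
"""
import json
from datetime import date

# Fixed "today" so the example is reproducible (CI would use date.today()).
BUILD_DATE = date(2024, 6, 1)

# Constructed scan output: one clean library, one blocking finding, one
# waived finding, one finding whose waiver has expired, one below threshold.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "left-pad-1.3.0", "vulnerabilities": []},
        {"name": "parser-lib-2.9.8",
         "vulnerabilities": [{"id": "VULN-001", "cvss": 9.8}]},
        {"name": "http-client-4.5.1",
         "vulnerabilities": [{"id": "VULN-002", "cvss": 8.1},
                             {"id": "VULN-004", "cvss": 4.3}]},
        {"name": "image-lib-1.0.2",
         "vulnerabilities": [{"id": "VULN-003", "cvss": 7.5}]},
    ]
})

# Accepted-risk exceptions, each with an expiry date so a waiver cannot
# silently become permanent. Constructed for the example.
EXCEPTIONS = {
    "VULN-002": "2099-12-31",   # still valid on BUILD_DATE
    "VULN-003": "2024-01-31",   # expired: the finding blocks again
}


def load_findings(report_json):
    """Return (dependency, vuln_id, cvss) tuples.

    Raises ValueError if the report is unreadable so the gate fails closed
    instead of passing a build whose scan never produced usable output.
    """
    try:
        report = json.loads(report_json)
        findings = []
        for dep in report["dependencies"]:
            for vuln in dep.get("vulnerabilities", []):
                findings.append((dep["name"], vuln["id"], float(vuln["cvss"])))
        return findings
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise ValueError(f"unreadable scan report: {exc}") from exc


def evaluate(report_json, threshold=7.0, exceptions=None, today=None):
    """Split findings at or above `threshold` into blocking and waived lists.

    Returns (passed, blocking, waived). A waiver only counts while its
    expiry date is today or later.
    """
    today = today or date.today()
    exceptions = exceptions or {}
    blocking, waived = [], []
    for dep, vuln_id, score in load_findings(report_json):
        if score < threshold:
            continue
        expiry = exceptions.get(vuln_id)
        if expiry is not None and date.fromisoformat(expiry) >= today:
            waived.append((dep, vuln_id, score, expiry))
        else:
            blocking.append((dep, vuln_id, score))
    return (not blocking), blocking, waived


def gate(report_json, **kwargs):
    """CI entry point: 0 = pass, 1 = blocking findings, 2 = unreadable report."""
    try:
        passed, blocking, waived = evaluate(report_json, **kwargs)
    except ValueError as exc:
        print(f"FAIL (closed): {exc}")
        return 2
    for dep, vuln_id, score, expiry in waived:
        print(f"WAIVED {vuln_id} ({score}) in {dep}, exception expires {expiry}")
    for dep, vuln_id, score in blocking:
        print(f"BLOCK  {vuln_id} ({score}) in {dep}")
    print("PASS" if passed else f"FAIL: {len(blocking)} blocking finding(s)")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT, exceptions=EXCEPTIONS, today=BUILD_DATE))
```

Two design points carry over to any real scanner: exceptions are dated so that accepted risk is re-decided rather than forgotten, and a report the gate cannot parse is a failure, not a pass, because a scanner that crashed mid-run otherwise looks identical to a clean one.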
  55. What developers and operations can do in the third way:
      • Accept security training if offered
      • Train yourself
      • Share information widely when you fix security issues
      • Participate in security simulations
      • Ask for and analyze metrics from security testing; look for patterns or systemic issues
      • Ensure you perform blameless introspection
  56. Maintain Culture Change
  62. DevSecOps
  67. Twitter: @SheHacksPurple
  69. Thank You. Tanya Janca, Cloud Developer Advocate, Microsoft; OWASP Ottawa Chapter Leader; OWASP DevSlop Project Leader. @SheHacksPurple