
Security is everybody's job... Literally!


In DevOps everyone performs security work, whether they like it or not. With a ratio of 100/10/1 for Development, Operations, and Security, it’s impossible for the security team alone to get it all done. We must build security into each of “the three ways”; automating and/or improving efficiency of all security activities, speeding up feedback loops for security related activities, and providing continuous learning opportunities in relation to security. While it may sound like the security team needs to learn to sprint, give feedback, and teach at the same time, the real challenge is creating a culture that embodies the mindset that security is everybody's job.

Video: https://vimeo.com/album/5189967
As presented at AppSec EU 2018.


Security is everybody's job... Literally!

  1. Security is everybody’s job… Literally! Changing DevOps into DevSecOps. Tanya Janca (@SheHacksPurple)
  2. What are we going to talk about today?
  3. DevOps
  4. DevSecOps
  5. Security being part of your daily work.
  6. How some security people see DevOps. Slide credit: Pete Cheslock
  7. How I see DevOps: DevSecOps. Slide credit: DevSecCon
  8. DevSecOps
  9. This is me. I’m Tanya Janca, AKA @SheHacksPurple.
  10. This is me. I’m a Senior Cloud Developer Advocate at Microsoft. What does THAT mean?
  11. This is me. I’m a Senior Cloud Developer Advocate at Microsoft. It means I help developers use our products more securely. I work to make security features easier to use. I provide feedback to make our products more secure. I do security research and share it with the community: research such as this presentation, OWASP DevSlop, and much more.
  12. This is me. AppSec Evangelist.
  13. This is me. AppSec Evangelist.
  14. This is me. Ethical hacker. I want to know how things work.
  15. This is me. I LOVE OWASP! Open Web Application Security Project: an international non-profit that operates chapters, projects and conferences all over the globe, in an effort to help everyone create more secure software.
  16. This is me. OWASP Ottawa Chapter Leader
  17. This is me. OWASP DevSlop Project Leader
  18. This is me. Software Developer (since the late 90’s). That’s over 20 years! AHHHHHHHHHHHH!
  19. This is me. Goal: to change the way we make software so that the easiest way to do something is also the most secure way. Photo: Belfast, Ireland, AppSec EU 2017
  20. Let’s do this.
  21. Application Security: Introduction
  22. (no transcribed text)
  23. Poor AppSec is a Problem! Poor AppSec causes ~29-40% of breaches. Source: Verizon Data Breach Investigations Report (DBIR) for 2017 and 2016.
  24. Application Security Missing! AppSec is not covered in most post-secondary Comp-Sci and Soft-Eng programs.
  25. Security is Outnumbered! Photo: #WOCTechChat
  26. Security is Outnumbered! Dev / Ops / Sec = 100 / 10 / 1
  27. Waterfall Never Worked Well. And the accompanying security model was much, much worse. Image: Winged Beast
  28. DevOps
  29. (no transcribed text)
  30. (no transcribed text)
  31. (no transcribed text)
  32. Confidentiality + Integrity + Availability =
  33. (no transcribed text)
  34. “DevOps is the best thing to happen to Application Security since OWASP.” -Tanya Janca
  35. DevOps: The Three Ways
  36. Left -> Right = speed
  37. Requirements -> Design -> Code -> Testing -> Release
  38. What does this mean for Security?
  39. What does this mean for dev & ops?
  40. What does this mean for dev & ops? Only deploy up-to-date images and containers.
  41. What does this mean for dev & ops? The “Photo” Slide, #1
      • Helping the AppSec team tune static code analysis tools
      • Add security bugs to the defect tracker
      • Using templates and code samples that are known-secure (secure code library)
      • Using freshly scanned images that are up to date/fully patched
      • Set up regular, automated scans for VMs and containers
  42. What does this mean for dev & ops? Help the AppSec team tune their tools. For their sake, and yours.
  43. What does this mean for dev & ops? Positive testing determines that your application works as expected. If an error is encountered during positive testing, the test fails. Negative testing ensures that your application can gracefully handle invalid input or unexpected user behavior.
  44. What does this mean for dev & ops? The “Photo” Slide, #2
      • Add negative use cases as unit tests, not just positive use cases (Morgan Roman, @Hackimedes)
      • Helping the AppSec team tune web proxy scanners (DAST)
      • If the AppSec team creates a security pipeline for testing for you, use it!
      • OWASP Dependency-Check, Retire.js, Snyk, Black Duck, etc.: tools to remove known-vulnerable code/libraries/components
  45. (no transcribed text)
  46. Requirements -> Design -> Code -> Testing -> Release
  47. DevOps and the “Shift Left” principle. Fixing costs of quality & security issues rise significantly as the development cycle advances (source: Ponemon Institute Research): Coding $80/defect; Build $240/defect; QA & Security $960/defect; Production $7,600/defect.
  48. What does this mean for Security? Faster Feedback = Shifting Left
  49. What does this mean for dev & ops? Telling the security team what you are concerned about. Feedback goes both ways.
  50. Side Tangent: The SecDevOpronomicon
  51. What does this mean for dev & ops? Participating in Security Activities
      • Incidents
      • Threat Modelling
      • Security Sprints
      • Etc.
  52. What does this mean for dev & ops? The “Photo” Slide, #3
      • Faster feedback loops = fixing bugs sooner
      • Breaking the build if you introduce security issues
      • Adding security sprints to your project timeline
      • Participating in threat modelling activities
      • Participating in incident response, if need be
      • Learning to use security tools
      • Security becomes part of the definition of quality
  53. (no transcribed text)
  54. What does this mean for Security?
  55. What does this mean for dev & ops?
  56. What does this mean for dev & ops?
  57. What does this mean for dev & ops? The “Photo” Slide, #4
      • Accept security training if offered
      • Train yourself
      • Share information widely when you fix security issues
      • Participate in security simulations
      • Ask for and analyze metrics from security testing; look for patterns or systemic issues
      • Ensure you perform blameless introspection
  58. Security is Everybody’s Job: Culture Change
  59. Reinforce Culture Change: Celebrate Security Wins!
  60. Reinforce Culture Change: Work More Closely: Security + Dev + Ops
  61. Reinforce Culture Change: No More Blaming
  62. Reinforce Culture Change: Be a Security Champion
  63. Call To Action
  64. Call To Action
  65. Conclusion
  66. Resources: The Microsoft DevOps Journey https://stories.visualstudio.com/
  67. OWASP DevSlop Has Your Back: https://www.owasp.org/index.php/OWASP_DevSlop_Project and DevSlop.co
  68. Resources: Links for Getting Started in Application Security https://aka.ms/GettingStartedWithAppSec
  69. Security Learns To Sprint
  70. Resources: Follow me? Twitter: @SheHacksPurple, https://medium.com/@shehackspurple, https://DevSlop.co
  71. Security is now a part of your daily work.
  72. Thank You. Tanya Janca, Cloud Developer Advocate, Microsoft; OWASP Ottawa Chapter Leader; OWASP DevSlop Project Leader. Tanya.Janca@Microsoft.com, Tanya.Janca@owasp.org, @SheHacksPurple
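Slides 43 and 44 ask developers to write negative unit tests alongside positive ones, and slide 52 asks that the build break when a security issue is introduced. The example below is added here and is not code from the talk or from OWASP DevSlop: it uses a hypothetical `validate_username` function, a positive suite, a negative suite of invalid and hostile inputs (constructed), and a `security_gate` whose nonzero exit code is what a CI job would use to fail the build.

```python
import re
import unittest
from typing import Tuple

# Constructed example: a small input validator plus the positive and negative
# unit tests a dev team would keep beside it. Names are hypothetical.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def validate_username(raw) -> Tuple[bool, str]:
    """Return (accepted, reason). Never raises on bad input: the caller gets a
    clean rejection rather than a stack trace (graceful handling of invalid input)."""
    if not isinstance(raw, str):
        return False, "not a string"
    if "\x00" in raw:
        return False, "contains NUL byte"
    if not USERNAME_RE.fullmatch(raw):
        return False, "must be 3-32 chars, start with a letter, [a-z0-9_] only"
    return True, "ok"


class PositiveTests(unittest.TestCase):
    """Positive testing: the application works as expected on valid input."""
    def test_accepts_valid_names(self):
        for name in ("alice", "bob_99", "a" * 32):
            self.assertTrue(validate_username(name)[0], name)


class NegativeTests(unittest.TestCase):
    """Negative testing: invalid or unexpected input is rejected without crashing."""
    def test_rejects_invalid_input(self):
        # Constructed hostile inputs: empty, too short/long, path and shell
        # metacharacters, embedded NUL, wrong types, non-ASCII letters.
        bad_inputs = ["", "ab", "A" * 33, "../etc", "bob;drop", "al\x00ice", None, 42, "ünïcode"]
        for bad in bad_inputs:
            accepted, _reason = validate_username(bad)
            self.assertFalse(accepted, repr(bad))


def security_gate() -> int:
    """Run both suites; a nonzero exit code is what breaks the CI build."""
    loader = unittest.defaultTestLoader
    suite = unittest.TestSuite()
    suite.addTests(loader.loadTestsFromTestCase(PositiveTests))
    suite.addTests(loader.loadTestsFromTestCase(NegativeTests))
    result = unittest.TextTestRunner(verbosity=0).run(suite)
    return 0 if result.wasSuccessful() else 1


if __name__ == "__main__":
    raise SystemExit(security_gate())
```

A regression that makes the validator accept one of the negative cases turns into a failed build rather than a production bug found later at the $7,600/defect stage.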
