DevOps is all about delivering new features as fast as possible. But what if this means that you're also shipping security issues faster than ever? Security practices must speed up to keep pace with DevOps. This session shows you how you can increase your deployment frequency while still making sure that you ship secure applications. You'll learn best practices and principles for securing your application in a cloud world. You’ll also learn about tooling such as Whitesource and Azure Security Center. In the end, you’ll have a good idea of how to integrate security checks into DevOps and deliver more secure applications.
3. How real is the threat?
Our team is good, right?
I don’t think that’s possible.
We’ve never been breached.
Endless debates about value
Let’s talk about how we change the conversation…
The Security Conversation
4. “Fundamentally, if somebody wants to get in, they're getting in… accept that. What we tell clients is: number one, you're in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated.”
Michael Hayden, Former Director of NSA & CIA
5. The Mindset Shift
Assume Breach
War game exercises
Central security monitors
Live site penetration test
Prevent Breach
Threat model
Code review
Security development lifecycle (SDL)
Security testing
8. What is Red vs. Blue?
Blue Team
Exercises ability to detect & respond
Enhances situational awareness
Measures readiness & impact
Red Team
Model real-world attacks
Identify gaps in security story
Demonstrable impact
11. Sample Guidelines
Code of Conduct
Both the Blue Team and the Red Team will do no harm.
The Red Team should not compromise more than needed to capture target assets.
Common sense rules apply to physical attacks (no printing badges, harassing people, etc.)
Do not disclose the name of the person who was compromised in a social engineering attack.
Rules of Engagement
Do not impact availability of any system.
Do not access external customer data.
Do not significantly weaken in-place security protections on any service.
Do not intentionally perform destructive actions against any resources.
Safeguard credentials, vulnerabilities and other critical information obtained.
Deliverables
Backlog of repair items (security item SLA)
Report “read out” with entire organization as a learning opportunity.
12. “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”
John Lambert (MSTIC)