swampUP - 2018 - The Divine and Felonious Nature of Cyber Security

Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Loading in …3
×

Check these out next

1 of 37 Ad

More Related Content

Slideshows for you (20)

Similar to swampUP - 2018 - The Divine and Felonious Nature of Cyber Security (20)

Advertisement

More from John Willis (20)

Recently uploaded (20)

Advertisement

swampUP - 2018 - The Divine and Felonious Nature of Cyber Security

1. The Divine and Felonious Nature of Cyber Security (Introduction to DevSecOps). John Willis, @botchagalupe
2. https://github.com/botchagalupe/my-presentations
3. The Felonious Nature of Cyber Security
4. Infecting
5. By The Numbers
 • 1.5M Java Modules Per Week
 • 5M Node Modules Per Week
 • 31B Modules Per Year
 • 230k Modules Per Enterprise/Per Year
 • 8% Have Known Vulnerabilities
 • 8M Average Cost to Remediate a Breach
 Sources: modulecounts.com and 2017 Software Supply Chain Report
6. DYNOROOT (CVE-2018-1111)
7. Actual Exploitation. Source: 2015 VZ DBIR
8. Anatomy of CVE-2017-5638
 • Discovered 3/6/2017
 • Announced 3/9/2017
 • CVE created 3/10/2017
 • Equifax Oracle Patches 4/2017
 • Equifax Patches 6/30/2017
 • Equifax discovers 7/29/2017
 • Equifax announced 9/2017
9. Anatomy of CVE-2017-5638
 • Discovered - 3/9/2017
 • Action - 3/10/2017
 • Remediation - 3/14/2017
10. Anatomy of CVE-2017-8046 (Fool Me Once)
 • Published 9/21/17
 • CVE created 01/04/2018
 • Discovered 2/18/17
 • Corrected 3/6/18
11. Security and the Goldilocks Zone
 • The fallacious nature of cyber security relates to the standard legacy security model, specifically the idea of perimeter security.
 • This concept involves implementing a stateful firewall at a routed point within the network that very rarely gets looked at unless an operational change is required.
 • The problem with having only perimeter security is that applications have changed significantly in the last ten years, while the infrastructure they run upon is still playing by the same old rules.

12. Devops Meets DevSecOps
13. @botchagalupe
14. Devops Taxonomies
 • CAMS: Culture, Automation, Measurement, Sharing
 • The Three Ways: The First Way, The Second Way, The Third Way
15. Devops Automated Deployment Pipeline. Source: Wikipedia - Continuous Delivery
16. Devops Automated Deployment Pipeline
17. Summary
 • Agile took us from months to days to deliver software
 • Devops took us from months to days to deploy software
 • Now security is the bottleneck
18. DevSecOps
19. You Build It, You Secure It
20. DevSecOps as Supply Chain? Source: Wikipedia - Continuous Delivery
21. Software Supply Chain (diagram: DevOps Example pipeline with stages Delivery Team, Version Control, Build, Test, Release, Stage, Prod)
22. Software Supply Chain (diagram: DevOps Example pipeline with stages Delivery Team, Version Control, Build, Test, Release, Stage, Prod)
23. Security in the Software Supply Chain (diagram: DevOps Example pipeline compared with a DevOps and Security pipeline; stages Delivery Team, Version Control, Build, Test, Release, Stage, Prod)
24. Security in the Software Supply Chain (diagram: DevOps Example pipeline compared with a DevSecOps Example pipeline; stages Delivery Team, Version Control, Build, Test, Release, Stage, Prod)
25. The New Goldilocks Zone (DevSecOps)
 (diagram: DevSecOps Supply Chain with stages Delivery Team, Version Control, Build, Test, Release, Stage, Prod, annotated with the following controls)
 • Security Training
 • Security Requirements
 • Threat Modeling
 • Architecture Review
 • OWASP Top 10
 • IDE Plugins
 • Code Examples
 • Fail the Build
 • SAST/DAST/IAST
 • Configuration Analysis
 • Application Module Scanning
 • Threat Modeling as Unit Test
 • Automated Pen Testing
 • Static Code Analysis
 • Security Policy Testing
 • Configuration Analysis
 • Security Monitoring
 • Configuration Monitoring
26. Best Practices for DevSecOps
 • Train development teams to develop secure code
 • Track security issues the same as software issues
 • Security as code, security built in
 • Integrate security controls in the software pipeline
 • Automate security tests in the build process
 • Detect known vulnerabilities during the pipeline
 • Monitor security in production for known states
 • Inject failure to ensure security is hardened
 Source: Gene Kim, Jez Humble, Patrick Debois, and John Willis. The DevOps Handbook. IT Revolution Press, LLC; 2016.
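As an added example (not from the deck or its author) of the "Fail the Build", "Application Module Scanning" and "Detect known vulnerabilities during the pipeline" controls on slides 25 and 26: a dependency gate that parses a build manifest and fails the CI step when a module falls inside an advisory's affected version range. The manifest format, the advisory record shape and all version numbers are constructed sample data; the CVE-2017-5638 records are illustrative, not an authoritative advisory feed.

```python
# Constructed pipeline gate: fail the build when a declared dependency falls in a known-vulnerable range.

# Constructed sample advisory records (not a real advisory feed): package, first affected
# version and first fixed version, i.e. the affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "CVE-2017-5638", "package": "org.apache.struts:struts2-core",
     "introduced": "2.3.5", "fixed": "2.3.32"},
    {"id": "CVE-2017-5638", "package": "org.apache.struts:struts2-core",
     "introduced": "2.5", "fixed": "2.5.10.1"},
]

# Constructed dependency manifest, one "group:artifact version" per line.
MANIFEST = """\
org.apache.struts:struts2-core 2.3.31
com.example:logging-utils 1.4.2
org.apache.struts:struts2-core 2.5.10.1
"""

def version_lt(a, b):
    """True if dotted numeric version a < b; shorter versions are zero-padded (2.5 == 2.5.0)."""
    pa, pb = [[int(p) for p in v.split(".")] for v in (a, b)]
    n = max(len(pa), len(pb))
    return pa + [0] * (n - len(pa)) < pb + [0] * (n - len(pb))

def parse_manifest(text):
    """Return (name, version) pairs from "group:artifact version" lines, skipping blanks and '#' comments."""
    lines = [ln.strip() for ln in text.splitlines()]
    return [tuple(ln.split()) for ln in lines if ln and not ln.startswith("#")]

def find_vulnerable(deps, advisories):
    """Match each dependency against every advisory for the same package; a hit means introduced <= version < fixed."""
    findings = []
    for name, version in deps:
        for adv in advisories:
            if (adv["package"] == name and not version_lt(version, adv["introduced"])
                    and version_lt(version, adv["fixed"])):
                findings.append({"id": adv["id"], "package": name,
                                 "version": version, "fixed": adv["fixed"]})
    return findings

def gate(manifest_text, advisories):
    """Exit status for the CI step: 0 lets the build proceed, 1 fails the build."""
    findings = find_vulnerable(parse_manifest(manifest_text), advisories)
    for f in findings:
        print(f"FAIL {f['id']}: {f['package']} {f['version']} (fixed in {f['fixed']})")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(gate(MANIFEST, ADVISORIES))
```

Run as a script it exits 1 on the sample manifest because struts2-core 2.3.31 sits inside the first range, while 2.5.10.1 is the fixed version and passes; the exit status is what a pipeline stage keys on to stop the build.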
27. Knowing Adversaries and Motivations
28. Knowing Adversaries and Motivations
29. The Divine
30. @botchagalupe
31. The Felonious Nature of Cyber Security