
Nsc42 the security phoenix

DEVSECOPS & Cloud security

Published in: Education

  1. Copyright © NSC42 Ltd 2019 (content & picture under licence). The Security Phoenix rises from DEV-OPS ashes. Cyber Security & Cloud Expo – North America. @FrankSEC42, https://uk.linkedin.com/in/fracipo. From DEV-OPS, security rises again as DEV-SEC-OPS-BIZ-RISK-GOV.
  2. Agenda: About the author; Context; Evolution of DEVOPS in Security Phoenix; Security Phoenix – Visualization & Security Phoenix Tech; Security Phoenix – Security Ops; Security Phoenix – Governance & Education; Conclusions; Q&A.
  3. About Francesco. www.nsc42.co.uk, @FrankSEC42, https://uk.linkedin.com/in/fracipo. Francesco Cipollone, Founder – NSC42 LTD. "I'm a CISO and a CISO Advisor, Cybersecurity Cloud Expert. Speaker, Researcher and Chair of Cloud Security Alliance UK, Researcher and associate to ISC2. I've been helping organizations define and implement cybersecurity strategies and protect their organizations against cybersecurity attacks." Security is everybody's job. We need to make security cool and frictionless.
  4. What the heck is DEV-SEC-OPS? What kind of animal is DEV-SEC-OPS? Integrate security into the OPS team (and add a spark of BIZ).
  5. Anatomy of a phoenix. What are the core components of Security Phoenix? Secure Operate; Secure Design; Build & Test; People & Education; Governance & Risk management.
  6. Major Breaches. Why is fixing security vulnerabilities everybody's job? …because we all get affected by it. (Timeline 2009–2019 of major breaches: Microsoft, Heartland, US Military, AOL, TJMaxx, Sony PSN, NHS, Betfair, Steam, Deep Root, IRS, Anthem, Dropbox, Last.fm, Blizzard, Marriott, Twitter, MyHeritage, Uber, Quora, Equifax, Myspace, Yahoo, LinkedIn, Friend Finder, Dailymotion, Mossack Fonseca, JP Morgan, Home Depot, eBay, Yahoo (original), US retailers, Adobe, Ubisoft, Court Ventures.)
  7. Major Breaches (image). Image credit: Information is Beautiful.
  8. The Crisis. DEV-OPS & SEC -> SEC: how to go from problem to enabler? Let's see how security is reborn in the DEV-OPS world, blending architecture, DEV-OPS and business/risk.
  9. What do you get out of Security Phoenix? 1. Trust the product team but keep them accountable: Trust & Verify and License to Operate. 2. Visualize and fix vulnerabilities at scale and pace (DEV & OPS). 3. Security design, governance and education.
  10. What do you get out of Security Phoenix? (Section divider; same three points as slide 9.)
  11. Trust & Verify Core – Fast & Confident – Core Concepts. Going fast but with confidence (SEC): 1. Trust & Verify. 2. License to operate/code. 3. Fix vulnerabilities day in, day out >> set thresholds: Build vs Fix, vulnerability trending. (Covers Operate and People & Education.)
  12. DEVSECOPS – Fast and Confident. A trusted DEV-OPS team can operate at speed… as long as they have the license to operate. (Diagram: DEV security and production security.)
  13. Trust & Verify – Under the hood. (Diagram.) Inputs: code and 3rd-party components (FOSS + libraries), worked on by a DEV-SEC-OPS application group (a unit that works on one or more applications) across DEV, Test and Prod. Application security scanners feed a job queue of defects, bugs and new features and a Phoenix Aggregator DB; development and production dashboards show security vulnerabilities, bugs & errors and new features against thresholds and quarterly vulnerability targets. Per application, triage decides between day-to-day fix and build ("Am I compliant with the code defects target?"). Roles: engineers & developers, application/product owner, security champion, security architect, with risk/BIZ input and a learning & education loop. Deployment to prod relies on the license to operate.
  14. Team Structure. (Same diagram as slide 13, adding the overall check "Am I still compliant with overall Build vs FIX targets?" Deployment to prod relies on the license to operate.)
  15. Trust & Verify Key Concepts – Summary. Developers can operate fast and deploy as long as they have a license. 1. Trust your developers and apply a 'license to operate'. 2. Apply governance (light and heavyweight). 3. Visualize and keep everyone accountable. 4. Make security resources available to the developers and document the fixes.
  16. Trust & Verify Framework. (Same diagram as slide 13, with the learning & education loop highlighted.)
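As an added illustration (not part of the deck), a Python sketch of the "license to operate" gate the Trust & Verify slides describe: per-severity thresholds, vulnerability trending and a build-vs-fix share decide whether an application group may deploy to production. The threshold values, the AppSnapshot fields and the sample data are assumptions.

```python
from dataclasses import dataclass

# Per-severity limits an application must stay within to keep its licence to
# operate. Constructed values; a real programme sets them per quarter.
THRESHOLDS = {"critical": 0, "high": 2, "medium": 10}
MIN_FIX_SHARE = 0.2  # share of sprint capacity that must go to fixes (build vs fix)

@dataclass
class AppSnapshot:
    """Open findings for one application as an aggregator would report them."""
    name: str
    open_by_severity: dict  # severity -> count of open, triaged findings
    previous_total: int     # open findings at the last checkpoint (for trending)
    fix_points: int         # sprint capacity spent fixing defects
    build_points: int       # sprint capacity spent on new features

def license_to_operate(app, thresholds=THRESHOLDS, min_fix_share=MIN_FIX_SHARE):
    """Trust & Verify gate: return (allowed, reasons). Prod deployment is allowed
    only when the app is within its defect thresholds, its open findings are not
    trending up, and at least min_fix_share of its capacity goes to fixes."""
    reasons = []
    for sev, limit in thresholds.items():
        count = app.open_by_severity.get(sev, 0)
        if count > limit:
            reasons.append(f"{sev}: {count} open, threshold {limit}")
    total = sum(app.open_by_severity.values())
    if total > app.previous_total:
        reasons.append(f"trend: open findings rose {app.previous_total} -> {total}")
    capacity = app.fix_points + app.build_points
    fix_share = app.fix_points / capacity if capacity else 0.0
    if fix_share < min_fix_share:
        reasons.append(f"build vs fix: {fix_share:.0%} on fixes, target {min_fix_share:.0%}")
    return not reasons, reasons

def evaluate(apps):
    """Evaluate every application group; returns {name: (allowed, reasons)}."""
    return {app.name: license_to_operate(app) for app in apps}

# Constructed sample data for two application groups.
SAMPLE_APPS = [
    AppSnapshot("payments", {"critical": 0, "high": 1, "medium": 6}, 9, 6, 14),
    AppSnapshot("portal", {"critical": 1, "high": 4, "medium": 3}, 5, 2, 18),
]

if __name__ == "__main__":
    for name, (allowed, reasons) in evaluate(SAMPLE_APPS).items():
        print(name, "licensed" if allowed else "blocked", reasons)
```

The reasons list is what a dashboard would surface next to a revoked license, so the team sees which threshold or trend to act on.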
  17. What do you get out of Security Phoenix? (Section divider; same three points as slide 9.)
  18. Dashboard for Code Defects. Example of a dashboard for vulnerability visualization (DEV security and production security).
  19. Dashboard for Code Defects -> Under the hood. (Diagram.) Scan at various stages: a scanner for code (repositories), a scanner for build, a scanner for test (build/staging/UAT/test environments) and a scanner for prod (production). Scanner output goes to tickets or aggregators, and the vulnerabilities are triaged. Dashboards: SAST dashboard, DEV dashboard, build/test dashboard, PROD dashboards. Set targets for prod & DEV vulnerabilities.
  20. Security Operation – Secure Operate: what to do. 1. OS & App – patch. 2. Framework – scan & patch. 3. Libraries & open source components. 4. Code – from your DEV pipeline. 5. Libraries – from your build/DEV. (Stack diagram: Hardware; OS/Container; Apps (3rd party); Frameworks; Libraries (3rd party)/FOSS; Code/Build; DEV security and production security.)
  21. What do you get out of Security Phoenix? (Section divider; same three points as slide 9.)
  22. Definition of security-impacting change. Functional change: any change impacting the core functionalities of an application. Design phase (initial design and iterations, including functional changes): governance by the Security Design Authority & security architects. DEV-OPS phase (small change/fix/patching, small change/bugfix/patching, sandbox/prototyping, OPS test, deployment environment): governance delegated to the security champion(s) and application owner(s).
  23. Security Education in DEV-SEC-OPS. 1. Awareness training for your users. 2. Craft training based on the scanner (faults) data. 3. Education on the job – what good looks like. 4. Make the training entertaining (CTF and rewards).
  24. Conclusion. Trust and Verify. Vulnerability management as everyday life. Automation vs the people aspect – it is a transformation. Data-driven education. Governance at scale. Security at scale and pace. Security is everybody's job.
  25. Every 2 weeks, 1.30 PM UK time: Cyber #MentoringMonday Podcast, @FrankSEC42.
  26. Cyber Security Awards 2020 – Cloud Security Influencer of the Year. Submission: 10 May 2020 (TBD). Ceremony: 4 July 2020. #CYSECAWARDS20. Info: https://cybersecurityawards.com/ and https://cloudsecurityalliance.org.uk. Submit: info@cybersecurityawards.com.
  27. Q&A.
  28. Contacts. Get in touch: https://uk.linkedin.com/in/fracipo, Francesco.cipollone (at) nsc42.co.uk, www.nsc42.co.uk, @FrankSEC42. Thank you. WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY.
