"The death of security as we know it: Platform and Security Engineering join forces to build more secure and robust applications", Christoph Hartmann

"The death of security as we know it: Platform and Security Engineering join forces to build more secure and robust applications", Christoph Hartmann
Platform and Security Engineering join forces to build more secure and robust applications. The death of #security as we know it Christoph Hartmann @chri_hartmann
Hi, I am Chris. I am CTO at Mondoo - leader in Security Posture Management What is your background? Y I co-created the open source security projects DevSec Project and InSpec, Co-Founded Vulcano Security (acquired by Chef Software) and was Director of Engineering at Chef Software @chri_hartmann
What is the problem? @chri_hartmann
4 Hackers used to look like this
5 Ransomware is a business Name Name Words words Sales Quotas Playbooks Customer Support Afﬁliate Programs
6 Average of 20% increase of YoY CVE publication
Vulnerability Discovery 0⃣ 0-Day Exploit 💥 Vulnerability discovered 📢 CVE published 🏗 Patch by vendor 📝 CVE assigned 0⃣ Exploit ~25% of CVEs have known exploits 14% exploits published before the patches 23% exploits published in the first week after CVE 50% exploits were published in the first month after CVE
Patch Rollout 🎟 Tickets created 🐌 Rollout Slow 🏗 Fixed in dev 🔎 Identify in dev 🛑 Report created According to NTT Application Security average time to fix high severity vulnerabilities is about 246 days
9 🔥 Yearly increase of 20% of known vulnerabilities 🏎 Hackers use full automation to discover and hack targets, about 90% of exploits are available within the first month after the CVE has been published 🐌 Rollout of fixes is way too slow Issues outpace the fix
10 Independent survey of 1100 IT and security professionals
11 Hardening of Infrastructure (Cloud, Servers, Workstation) Patch Management 01 02 Main Problems: Why Hackers are so successful? The same root causes are also corroborated in the Cyber Signals Report by Microsoft that revealed 80% of attacks can be attributed to outdated software and misconfiguration.
Why is it so difficult? @chri_hartmann
13 Software delivery Local Development Source Control CI/CD Pre-Production Production
14 Use Case: Ensure that Cloud Storage Buckets have a uniform bucket level access enabled
15 Ensure that Cloud Storage Buckets have a uniform bucket level access enabled Security Engineers focus on attack paths
16 Ensure that Cloud Storage Buckets have a uniform bucket level access enabled Platform Engineers focus on automation
18 Leads to frustration
19 Security Therapy
Interviewed and worked with 100+ Sec/DevOps Leaders Theme In their words…... More organized threats Software is eating the world so hackers are having a feast Wait days/weeks to data Coordinating over 30+ security tools to answer if we have the vulnerability and then waiting for verification it’s been fixed Security owns all the tools DevOps don’t have consistent access to what security uses, just their outputs aka a giant spreadsheet Security vendors are slow Their product roadmap is the same every year, so we hacked a solution to dump into Splunk Unclear on the right priority for the business The trade off between shipping new features vs fixing what security wants us to fix. Re-enforces good practices I need my teams to have a way continuous improve our posture and for management to recognize the effort
Security is Hard
What is the solution? @chri_hartmann
Cloud Services Cluster Nodes Workloads (Deployments / Pods) Cluster Configuration Application Containers Unified View Tech Stack
Cloud Services Cluster Nodes Workloads (Deployments / Pods) Cluster Configuration Application Containers Application Delivery Pipeline Local Development Source Control CI/CD
25 Ensure that Cloud Storage Buckets have a uniform bucket level access enabled Reach the next level: Focus on Problem
27 What are successful security engineers using Access: Every developer and security engineer has access to the same tooling Coverage: security tooling that supports build and runtime Automation: security tooling that works hand-in-hand with automation Extensible: security tooling that has open source foundation, not hard-coded rules 1 2 3 4
28 open source security https://cnquery.io Asset Inventory, search and gather information about your infrastructure https://cnspec.io Security Scanner, scan for vulnerabilities and misconfiguration
29 Amazon S3 buckets do not allow public read access S3 Buckets are configured with 'Block public access' Easily ask questions with GraphQL-based MQL
30 Use Security as Code to define requirements
31 Discover Security Content Security Registry mondoo.com/registry Security Policies github.com/mondoohq/cnspec-policies Inventory and Incident Response Query Packs github.com/mondoohq/cnquery-packs
32 We can be more secure! Local Development Source Control CI/CD Pre-Production Production
We built a platform we are using we worked at Soo Choi CEO Dominik Richter CPO Christoph Hartmann CTO Patrick Münch CISO
Christoph Hartmann 🐦 @chri_hartmann ✉ chris@mondoo.com 🏠 mondoo.com Thank you

Check these out next

"The death of security as we know it: Platform and Security Engineering join forces to build more secure and robust applications", Christoph Hartmann

Recommended

More Related Content

Similar to "The death of security as we know it: Platform and Security Engineering join forces to build more secure and robust applications", Christoph Hartmann (20)

More from Fwdays(20)

Recently uploaded(20)

"The death of security as we know it: Platform and Security Engineering join forces to build more secure and robust applications", Christoph Hartmann