Lean Security - LASCON 2016
A talk on how to apply Lean Software principles to information security. Also delivered at RSA 2015 and OWASP Austin. Converted to ppt from Keynote so sorry about the fonts.

1. #LEANSECURITY @ERNESTMUELLER // THEAGILEADMIN.COM // LASCON 2016
2. @ERNESTMUELLER // THEAGILEADMIN.COM // #LEANSECURITY
    THEAGILEADMIN.COM
    ERNEST MUELLER @ernestmueller
    JAMES WICKETT @wickett
3. THE PRESENTATION THAT JUST MIGHT CHANGE YOUR LIFE…
4. COMPANIES ARE SPENDING A GREAT DEAL ON SECURITY, BUT WE READ OF MASSIVE COMPUTER-RELATED ATTACKS. CLEARLY SOMETHING IS WRONG. THE ROOT OF THE PROBLEM IS TWOFOLD: WE’RE PROTECTING (AND SPENDING MONEY ON PROTECTING) THE WRONG THINGS, AND WE’RE HURTING PRODUCTIVITY IN THE PROCESS.
    Source: Thinking Security (2005), Steven M. Bellovin
5. (image only)
6. AGILE
7. WHAT IS AGILE?
    • INDIVIDUALS AND INTERACTIONS OVER PROCESSES AND TOOLS
    • WORKING SOFTWARE OVER COMPREHENSIVE DOCUMENTATION
    • CUSTOMER COLLABORATION OVER CONTRACT NEGOTIATION
    • RESPONDING TO CHANGE OVER FOLLOWING A PLAN
    SOURCE: THE AGILE MANIFESTO (http://www.agilemanifesto.org/)
8. WHY AGILE?
    • 45% OF ORGANIZATIONS ARE USING AGILE ON A MAJORITY OF THEIR TEAMS; ONLY 5% ARE NOT USING IT AT ALL
    • AGILE RESULTS:
        • ACCELERATE PRODUCT DELIVERY - 59%
        • ENHANCE ABILITY TO MANAGE CHANGING PRIORITIES - 56%
        • INCREASE PRODUCTIVITY - 53%
        • ENHANCE SOFTWARE QUALITY - 46%
        • ENHANCE DELIVERY PREDICTABILITY - 44%
    SOURCE: VERSIONONE NINTH ANNUAL STATE OF AGILE SURVEY (https://www.versionone.com/pdf/state-of-agile-development-survey-ninth.pdf)
9. (image only)
10. (image only)
11. WHAT IS DEVOPS?
    DEVOPS IS THE PRACTICE OF OPERATIONS AND DEVELOPMENT ENGINEERS PARTICIPATING TOGETHER IN THE ENTIRE SERVICE LIFECYCLE, FROM DESIGN THROUGH THE DEVELOPMENT PROCESS TO PRODUCTION SUPPORT. DEVOPS IS ALSO CHARACTERIZED BY OPERATIONS STAFF MAKING USE OF MANY OF THE SAME TECHNIQUES AS DEVELOPERS FOR THEIR SYSTEMS WORK.
    SOURCE: THE AGILE ADMIN: WHAT IS DEVOPS? http://theagileadmin.com/what-is-devops/
12. WHY DEVOPS?
    • BY 2016 “DEVOPS WILL EVOLVE FROM A NICHE TO A MAINSTREAM STRATEGY EMPLOYED BY 25% OF GLOBAL 2000 ORGANIZATIONS” - GARTNER, MARCH 2015
    • BENEFITS OF DEVOPS:
        • NEW SOFTWARE/SERVICES THAT WOULD OTHERWISE NOT BE POSSIBLE - 21%
        • A REDUCTION IN TIME SPENT FIXING AND MAINTAINING APPLICATIONS - 21%
        • INCREASED COLLABORATION BETWEEN DEPARTMENTS - 21%
        • AN INCREASE IN REVENUE - 19%
        • IMPROVED QUALITY AND PERFORMANCE OF OUR DEPLOYED APPLICATIONS - 19%
    SOURCE: CA RESEARCH REPORT—DEVOPS: THE WORST-KEPT SECRET TO WINNING IN THE APPLICATION ECONOMY (http://rewrite.ca.com/us/articles/devops/research-report--devops-the-worst-kept-secret-to-winning-in-the-application-economy.html)
13. HIGH-PERFORMING IT ORGANIZATIONS EXPERIENCE 60X FEWER FAILURES AND RECOVER FROM FAILURE 168X FASTER THAN THEIR LOWER-PERFORMING PEERS. THEY ALSO DEPLOY 30X MORE FREQUENTLY WITH 200X SHORTER LEAD TIMES.
14. LEAN
15. LEAN SOFTWARE DEVELOPMENT
    SEVEN PRINCIPLES:
    • ELIMINATE WASTE
    • AMPLIFY LEARNING
    • DECIDE AS LATE AS POSSIBLE
    • DELIVER AS FAST AS POSSIBLE
    • EMPOWER THE TEAM
    • BUILD INTEGRITY IN
    • SEE THE WHOLE
    SOURCE: LEAN SOFTWARE DEVELOPMENT: AN AGILE TOOLKIT (2003), MARY AND TOM POPPENDIECK
16. LEAN PRODUCT DEVELOPMENT
    • BUILD-MEASURE-LEARN
    • BUILD – MINIMUM VIABLE PRODUCT
    • MEASURE – THE OUTCOME AND INTERNAL METRICS
    • LEARN – ABOUT YOUR PROBLEM AND YOUR SOLUTION
    • REPEAT – GO DEEPER WHERE IT’S NEEDED
    SOURCE: LEAN STARTUP (2011), ERIC RIES
17. WHY LEAN?
    • “BOTH DEVOPS AND AGILE BORROW KEY CONCEPTS FROM LEAN MANUFACTURING, SO IT'S ALL ABOUT COMMUNICATION AND OPENNESS.” - INFORMATIONWEEK
18. WHAT ARE THE CHALLENGES THAT AGILE / DEVOPS / LEAN POSE TO INFOSEC?
19. WRONG QUESTION!
20. INSTEAD, EXAMINE HOW ADOPTING THESE STRATEGIES CAN HELP YOU WIN
21. LEAN SECURITY IS FOR WINNERS
22. THE SIX-FOLD PATH OF LEAN SECURITY (AND HOW TO WIN)
23. #1 SECURITY IS JUST BEANCOUNTING
24. “[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”
    SOURCE: THE TANGLED WEB (2011), MICHAEL ZALEWSKI
25. WE TRADED ENGINEERING FOR ACTUARIAL DUTIES
26. A SECURITY MANAGEMENT SYSTEM PROVIDES OPTIMAL VALUE TO THE ORGANIZATION IF IT:
    • ACTIVELY SUPPORTS ACHIEVING THE BUSINESS AND COMPLIANCE OBJECTIVES OF THE ORGANIZATION (THE VARIABLE PART)
    • IS AN EFFICIENT, AGILE AND INTEGRATED PROCESS, CAPABLE OF DEALING WITH A DYNAMIC THREAT ENVIRONMENT
    • CONSUMES MINIMAL TIME AND RESOURCES
    • RESULTS IN ADEQUATELY MANAGED SECURITY RISK, IN LINE WITH THE RISK APPETITE OF THE ORGANIZATION
    • PROVIDES ONLY THE NECESSARY, YET ADEQUATE, USER FRIENDLY, EFFICIENT AND MEASURABLE SECURITY CONTROLS
    SOURCE: JOHAN BAKKER, LEAN SECURITY MANAGEMENT WHITE PAPER
27. UNDERSTAND THE VALUE YOUR ORGANIZATION NEEDS FROM YOU
28. #2 SECURITY IS A BOTTLENECK
29. THE AVERAGE TIME TO DELIVER CORPORATE IT PROJECTS HAS INCREASED FROM ~8.5 MONTHS TO OVER 10 MONTHS IN THE LAST 5 YEARS
    Source: Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016
30. WHY ARE COMPANIES SO SLOW?
    “THE GROWTH OF CONTROL AND RISK MANAGEMENT FUNCTIONS WHICH IS TOO OFTEN POORLY COORDINATED… [RESULTING IN] A PROLIFERATION OF NEW TASKS IN THE AREAS OF COMPLIANCE, PRIVACY AND DATA PROTECTION.”
    Source: Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016
31. (image only)
32. THE THREE WASTES
    • MUDA - WORK WHICH ABSORBS RESOURCE BUT ADDS NO VALUE
    • MURI - UNREASONABLE WORK THAT IS IMPOSED ON WORKERS AND MACHINES
    • MURA - WORK COMING IN DRIBS AND DRABS WITH SUDDEN PERIODS OF RUSH RATHER THAN A CONSTANT OR REGULAR FLOW; UNEVENNESS.
33. SECURITY WASTE
    MUDA COMES IN SEVEN FORMS:
    • EXCESS INVENTORY - DUMPING YOUR THOUSAND PAGE PDF OF VULNERABILITIES ON A BUSY TEAM. PRIORITIZE AND LIMIT WORK IN PROGRESS (WIP)
    • OVERPRODUCTION - SECURITY CONTROLS STEMMING FROM FUD OR MISALIGNMENT WITH BUSINESS NEEDS (NOT DEMANDED BY ACTUAL CUSTOMERS) - CF. PHOENIX PROJECT
    • EXTRA PROCESSING - FOR EXAMPLE, RELYING ON COMPLIANCE TESTING RATHER THAN DESIGNING THE PROCESS TO ELIMINATE PROBLEMS - HELP IT GET BUILT RIGHT FIRST
34. SECURITY WASTE
    • HANDOFFS - LEVERAGE THE KNOWLEDGE OF THE TEAMS DOING THE WORK AND COLLABORATE WITH THEM TO BUILD SECURITY IN, INSTEAD OF THAT BEING SOME OTHER TEAM’S JOB
    • WAITING - LAG BETWEEN VALUE STEPS WAITING FOR APPROVALS OR ANALYSES OR TICKET HANDLING - USE SELF SERVICE AUTOMATION INSTEAD
    • TASK SWITCHING - THE THOUSAND PAGE PDF AGAIN - WORK WITH THEIR WORK INTAKE PROCESS, NOT AGAINST IT
    • DEFECTS - FALSE POSITIVES AND FALSE NEGATIVES AND JUST PLAIN UNIMPORTANT FINDINGS YOU REPORT, CAUSING ZERO-VALUE REWORK
35. UNDERSTAND THE WASTE THAT YOU GENERATE
36. #3 SECURITY IS INVISIBLE
37. SECURITY PROFESSIONALS ARE QUICK TO SAY SECURITY IS EVERYONE’S JOB
38. SECURITY COULD LEARN FROM WEB PERFORMANCE CIRCA 2008
39. PERFORMANCE
    • BROWSER EXTENSIONS FOR DEVS TO UNDERSTAND PERFORMANCE PROBLEMS
    • RESEARCH SHOWING PERFORMANCE TO REVENUE CORRELATION
    • SEARCHABLE LOGS EMITTING STATSD METRICS
    • CONFERENCES COMBINING FRONT END DEVS AND SYS ADMINS
    • COMMITMENT TO INSTRUMENT AND GRAPH ALL THE THINGS
40. SECURITY
    • BROWSER EXTENSIONS FOR DEVS TO UNDERSTAND SECURITY PROBLEMS
    • RESEARCH SHOWING SECURITY TO REVENUE CORRELATION
    • SEARCHABLE LOGS EMITTING STATSD METRICS
    • CONFERENCES COMBINING DEVS, OPS, AND SECURITY
    • COMMITMENT TO INSTRUMENT AND GRAPH ALL THE THINGS
41. SEE THE WHOLE
    • KEEP MEANINGFUL METRICS, MAKE THOSE METRICS VISIBLE - IN CONTEXT OF WORKERS’ TOOLCHAIN
    • “LEAST PRIVILEGE” NEEDS TO BE UNLEARNED SOMEWHAT IN MODERN ORGANIZATIONS TO ALLOW EFFECTIVE INFORMATION SHARING
    • GET IN THE BUSINESS OF SHARING AND ADDING VISIBILITY TO DEV AND TO OPS.
42. VISUALIZE SECURITY SO EVERYONE CAN SEE
43. #4 SECURITY IS ALWAYS TOO LATE
44. “CEASE DEPENDENCE ON MASS INSPECTION TO ACHIEVE QUALITY. IMPROVE THE PROCESS AND BUILD QUALITY INTO THE PRODUCT IN THE FIRST PLACE.” – W. EDWARDS DEMING
45. SOURCE: THE THREE WAYS OF DEVOPS, GENE KIM
46. BE MEAN TO YOUR CODE EARLIER IN THE DEVELOPMENT PROCESS. ENTER GAUNTLT…
47. Gauntlt attack file shown on the slide:

    ```gherkin
    @slow @final
    Feature: Look for cross site scripting (xss) using arachni against a URL

      Scenario: Using arachni, look for cross site scripting and verify no issues are found
        Given "arachni" is installed
        And the following profile:
          | name | value                 |
          | url  | http://localhost:8008 |
        When I launch an "arachni" attack with:
          """
          arachni --check=xss* <url>
          """
        Then the output should contain "0 issues were detected."
    ```

    Given When Then What?
    AN ATTACK LANGUAGE FOR DEVOPS
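As an added example (not from the deck or from Gauntlt's own repository), the same Given/When/Then language applied to a different check: an nmap attack that fails the build when the host exposes a port beyond the expected web port, so the feedback arrives in the pipeline rather than at audit time. Step wording follows the Gauntlt step definitions used above; the hostname and the port numbers are placeholder assumptions.

```gherkin
@slow
Feature: Verify the exposed port footprint of a host under test

  # Assumption: the host is reachable as "localhost" from the build agent;
  # substitute the staging hostname your pipeline provisions.
  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value     |
      | hostname | localhost |

  Scenario: The expected web port is open
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should match /80.tcp\s+open/

  Scenario: No unexpected services are exposed
    # Assumption: only the web port should listen. Each line below is a
    # port that must stay closed; a match fails the build.
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not match:
      """
      22/tcp\s+open
      """
```

Both scenarios share the Background, so a new forbidden port is one extra line rather than a new approval step.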
48. (image only)
49. (image only)
50. http://theagileadmin.com/2015/06/09/pragmatic-security-and-rugged-devops/
51. GENERATE SECURITY FEEDBACK IN EACH STEP IN THE VALUE STREAM
52. #5 SECURITY IS ALWAYS IN THE WAY
53. ARE YOU “THAT GUY?”
    • YOU ALREADY KNOW YOU CAN’T MAKE THINGS SECURE BY YOURSELF
    • YOU NEED EVERYONE ELSE TO COOPERATE WITH YOU
    • BUT DOES IT SEEM LIKE THE THINGS YOU DO JUST ANGER THEM?
54. EMPOWER THE TEAM
    • UNDERSTAND HUMAN MOTIVATION
    • NETFLIX AUTOMATION CREATED SAFE PATHS AS THE DEFAULT
    • AUTOMATING PROCESS REMOVES EMOTIONAL CHARGE
55. SELF SERVICE AUTOMATION
56. #6 SECURITY IS PERFECTIONIST AND IS THEREFORE UNREALISTIC
57. SECURITY IS YOUR PRODUCT
58. (image only)
59. BUILD-MEASURE-LEARN
    • DELIVER MINIMAL VIABLE SECURITY ACROSS EVERYTHING
    • FOCUS ON DETECTION/METRIC GATHERING
    • ITERATE FROM THERE
    • REMEMBER THE WEAKEST LINK WINS
    • OVERLAP SMALLER SOLUTIONS - SEE JOSH MORE’S OWASP 2012 “LEAN SECURITY 101” PRESENTATION
60. MANAGE YOUR PRODUCT
61. WE’VE BEEN THERE
62. QUESTIONS?
63. THEAGILEADMIN.COM
    ERNEST MUELLER @ernestmueller
