A DevSecOps Tale of Business, Engineering, and People
•
4 likes•5,047 views
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for Security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again? In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us, and even though the world has radically changed over the last century, we are still facing many of the same root challenges. Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to A DevSecOps Tale of Business, Engineering, and People
Similar to A DevSecOps Tale of Business, Engineering, and People (20)
More from James Wickett
More from James Wickett (11)
Recently uploaded
Recently uploaded (20)
A DevSecOps Tale of Business, Engineering, and People
- 2. JamesWickett Sr. Sec Eng & Dev Advocate @ Verica Author, LinkedIn Learning Organizer, DevOps Days Austin, Serverless Days ATX DevSecOps Days Austin Author, DevSecOps Handbook (In progress) @wickett
- 3. @wickett
- 4. Get the slides now wickett@verica.io @wickett
- 5. verica.io An enterprise platform for Continuous Verification, using Chaos Engineering principles, to take a proactive and measured approach to preventing availability and security incidents. @wickett
- 12. 1896 introducedthe ideaofrunningtrain crashes for Funand Profit @wickett
- 16. @wickett
- 18. 200 LawOfficersandaJail Dozenwaterwells Watertankers Concessions from Dallas Preachersand Politicians Midwaywith Games @wickett
- 20. @wickett
- 22. @wickett
- 23. Engineers evaluated boilers Laid 4 miles oftrack Crowdat200yards Pressat100yards @wickett
- 24. Word gotout, Thomas Edison wantedto film it @wickett
- 25. @wickett
- 27. “The rumble ofthetwo trains, faintand far offat firstbut growing nearer and more distinctwith each fleeting second,was likethe gathering force ofa cyclone” @wickett
- 28. @wickett
- 29. Thetrains collided atcombined speed between 90and 120 mph @wickett
- 30. @wickett
- 32. @wickett
- 33. @wickett
- 35. @wickett
- 36. Aftermath: » 4 people died » Crush fired » Widespread injuries during incident » More injuries after incident » Town shut down » Lawyers brought in for settlements @wickett
- 37. @wickett
- 38. @wickett
- 39. Fallout @wickett
- 40. Days later Crush rehired Retired from the MKT 44 years later @wickett
- 42. But, Inthe hundreds ofevents post- Crush,the boilers held @wickett
- 43. What I learned: Chronocentrism exists Engineering is hard Blame is easy @wickett
- 48. credit to Josh Zimmerman, the original DevOps Jack Handy
- 50. First, Understand DevOps and howwe got here @wickett
- 54. @wickett
- 56. “DevOps is the inevitable resultofneedingto do efficient operations in a distributed computing and cloud environment.” Tom Limoncelli @wickett
- 57. “DevOps is nota technological problem. DevOps isa business problem.” Damon Edwards @wickett
- 58. DevOps isan epistemological breakthroughjoining disparate peoplearounda common problem @wickett
- 59. DevOpswas needed to fixthe inequitable distribution of labor @wickett
- 63. Iasked myselfthis same question @wickett
- 64. @wickett
- 65. Securityfinds itselfinthe same positionthat operations did inthe movementofDevOps @wickett
- 68. Security, like ops strugglesto provide value in most organizations @wickett
- 69. “Companiesare spendingagreatdeal on security, butwe read ofmassive computer-related attacks. Clearly something iswrong. The rootofthe problem istwofold:we’re protectingthewrong things,andwe’re hurting productivity inthe process.”
- 70. “[Securitybyrisk assessment] introducesa dangerous fallacy: thatstructured inadequacyis almost as good asadequacy and that underfunded securityefforts plus risk managementare aboutas goodas properlyfunded securitywork”
- 71. “While engineeringteams are busy deploying leading-edgetechnologies, securityteamsare still focused on fighting yesterday’s battles.” SANS 2018 DevSecOps Survey @wickett
- 72. "manysecurity teamsworkwitha worldviewwhere their goalisto inhibit change as muchas possible"
- 73. Newtechnology(cloud, k8s, serverless, ...)and increased organization focus on software deliveryiswhywe need DevSecOps. @wickett
- 74. A Highly Desireable New Breed: The DevSecOp @wickett
- 76. An inclusive person participating inthe movementof securityinto devops. @wickett
- 78. Maker Driven Experimenting Automating SafetyAware Unrestrained Sharing Ruggedizing Empathy @wickett
- 79. MEASURE @wickett
- 81. Weare software engineers who specialize inaspecific discipline: security @wickett
- 83. Whyisthis considered ahottake in our industry? @wickett
- 88. @wickett
- 89. The Entire Security Team Must Participate in Software Delivery @wickett
- 90. Empathybuilding Familiaritywithtools Ableto move upthe pipeline @wickett
- 92. DefectDensity studies range from .5to 10 defects per KLOC @wickett
- 94. With framework/ deps, 500 LOCyou write can easilybe 400,000 LOC
- 95. Hot take: You cannottrain developers towrite secure code @wickett
- 96. Instead, focus on Methods Developers use » TDD/BDD/ATDD » Meaningful comments/commits » Code Smells, Patterns, Refactoring » Instrumentation, Observability @wickett
- 97. “The goalshould beto come upwithasetof automatedtests that probeand check security configurations and runtime system behavior for securityfeatures thatwillexecute everytimethe system is builtand every time itis deployed.”
- 101. Maker Driven means » See security as part of engineering » View quality as a way to bring security in » Use code, not vendors to solve problems @wickett
- 102. MEASURE @wickett
- 104. Benefitsto Experimentation » Measured, Repeatable » Results based on your needs » Actionable Outcomes @wickett
- 105. “Securityincidents are not effective measures ofdetection becauseatthatpoint it'salreadytoo late” Aaron Rinehart @wickett
- 107. KnowMostLikelyAttacks and Howto MeasureAbuse and Misuse @wickett
- 108. “We can'tcede home fieldadvantage” Zane Lackey @wickett
- 110. Resources » Shannon Lietz (@devsecops) » DOES 2018 Talk: youtu.be/yuOuVC8xljw @wickett
- 111. MEASURE @wickett
- 112. Automation @wickett
- 115. “Continuous Deliveryis how littleyou can deployatonetime” Jez Humble & David Farley @wickett
- 116. Optimizetotalcycle time from code committo running in prod @wickett
- 117. 15,000deploys in 3.5 years @wickett
- 118. Securityinthe Pipeline » Software composition analysis » Lang linters, git-hound, ... » Scanners, gauntlt » Monitoring and telemetry @wickett
- 119. “[Deploys] can be treatedas standard or routine changes thathave been pre-approved by management,and thatdon’trequire a heavyweight change review meeting.”
- 120. Resources: @wickett
- 123. MEASURE @wickett
- 124. SafetyAware @wickett
- 126. Simple Systems: Linear in nature Easyto Predict Ableto comprehend @wickett
- 127. Complex Systems: Non-linear (bullwhipeffect) Unpredictable in nature No mentalmodelavailable @wickett
- 128. Weabstractcomplexity » Human beings » Societial issues » Psychological issues » Cognitive load @wickett
- 129. Software deals with complexitythrough abstraction @wickett
- 130. RootCause (inacomplex system) isaMyth » Lacks full picture » Complex systems are not linear » Result of blame culture » Forgets organizational decisions » Puts the focus on the event over situation @wickett
- 131. “Drifting into failure is a gradual, incremental decline into disaster driven by environmental pressure, unruly technologyand social proccessesthat normalize growing risk. No organization is exempt from drifting into failure” @wickett
- 132. Boeing 737Max » Maneuvering Characteristics Augmentation System (MCAS) » MCAS commands the trim without notifying the pilots » This is software @wickett
- 134. High-speed decision making inan up- tempo environment @wickett
- 135. Software is eating theworld @wickett
- 136. “The growth of complexityin societyhas got ahead ofour understaindin g of how complex systemswork and fail”
- 137. @wickett
- 138. @wickett
- 140. “Failures are a systems problem because there is not enough safety margin. ” @adrianco @wickett
- 142. Where SecurityFits » Add safety margin » Telemetry and instrumentation » Blameless retros » ...more to explore in this area @wickett
- 143. Resources » Drift into Failure by Dekker » Understanding Human Error Video Series youtu.be/ Fw3SwEXc3PU » @jpaulreed coverage of Boeing medium.com/ @jpaulreed » Richard Cook paper bit.ly/2ydDQS2 @wickett
- 144. MEASURE @wickett
- 146. “Culture isthe most importantaspectto devops succeeding inthe enterprise” Patrick DeBois @wickett
- 147. DevSecOps isthe extension ofthe DevOps culture for the inclusion of Security @wickett
- 148. “Asecurityteamwho embraces openness aboutwhatitdoes and why, spreads understanding.” Rich Smith @wickett
- 153. Four Keysto Culture » Mutual Understanding » Shared Language » Shared Views » Collaborative Tooling @wickett
- 155. SecuritySharesThrough » Making invisible as visible » Security Observability » APIs, webhooks, dev tooling @wickett
- 158. Resources » Phoenix Project » Agile Application Security » dearauditor.org @wickett
- 159. MEASURE @wickett
- 161. @wickett
- 163. Favor ShortLived Systems Cattle notPets @wickett
- 165. Ruggedization in 2020 1. Deception 2. Chaos Engineering @wickett
- 166. Deception » Honeypots, Tarpits, Mantraps » Simple to get started (http headers) » HoneyPy, DeceptionLogic @wickett
- 167. “We’re moving from disaster recovery to chaos engineering to resiliency” @adrianco @wickett
- 168. “[Chaos Engineering is] empiricalratherthan formal. We don’tuse modelsto understandwhatthe system should do.We run experiments to learnwhat itdoes.” Michael Nygard, Release It 2nd Ed. @wickett
- 169. “The security discipline of [chaos] experimentation is done in orderto build confidence inthe system’s abilityto defend against malicious conditions.” Aaron Rinehart @wickett
- 170. Chaos Engineering » Experiments that span eng and security » Manual opt-out » Valuable Learning » Controlled experiment blast radius @wickett
- 171. Resources » Aaron Rinehart's talk at RSA youtu.be/wLlME4Ve1go » principlesofchaos.org » Release It! 2nd ed., Nygard » Phillip Maddux's talk: youtu.be/k81xKjCEeqE » Herb Todd's talk: youtu.be/Cf_XXmRLnRQ @wickett
- 172. MEASURE @wickett
- 173. Empathy @wickett