First presented at Cloud Security World in Boston on June 15th, 2016.
Once upon a time, walls were erected between the Linux/UNIX crowd, Windows admins and the mainframers. Each architecture had its place and its experts, and they rarely mixed. This time around, we didn’t just get a new domain, we got a new way of doing IT and running businesses. Cloud has created new opportunities and DevOps has capitalized on them. The result of this combination is so unrecognizable that it isn’t uncommon to see IT organizations split down the middle by the new and old approaches. As DevOps continues to gain in popularity, the same split is occurring in the security workforce. Will the traditional security practitioner be in danger of becoming obsolete?
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Adrian Sanabria
There are over 100 endpoint security products that claim to stop malware and other attacks against Windows. Nearly every major security incident or breach that has made media headlines had two things in common: Windows running one of these 100 products. This workshop won't spend any time bashing vendors, however. In fact, many of these products can be valuable assets when part of a more comprehensive endpoint protection strategy.
Part one of this workshop will address the anatomy of malware and why it succeeds so often.
The second part will dive down into practical defensive strategies, including passive prevention, detection, response, and remediation.
- Passive prevention is effectively free and ideal
- Prevention will always fail a percentage of the time, so detection is essential
- Response, if practiced and efficient, has a chance of stopping attacks before they reach their goal
- Remediation, because someone has to clean up this mess...
Every successful security strategy includes planning to handle failure quickly and effectively.
The remainder of the workshop will be hands-on.
Part three will review the native defensive capabilities in Windows and the pros/cons associated with using them.
For the finale, brave and trusting attendees will be invited to run neutered malware on the virtual Windows systems provided for this workshop to test out our newfound defensive skills. If not, there's no shame in watching your neighbor infect themselves with ransomware as you take notes.
At a time when some say users pose the biggest threat, new tools are emerging that give users more freedom than ever.
451 Analyst, Adrian Sanabria speaks on this bold new approach to application control in our latest webinar.
KEY TOPICS
1. Learn from the past: valuing User Experience, IT workload & business/IT relations.
2. Take off the training wheels: it’s possible to trust users to make the right choices, but still have options if they don”t.
3. Drop unreasonable goals: more restrictions ≠ more security.
Even though large breaches have hit headline news in years past, some companies are still on the fence about investing in cybersecurity. As a security practitioner (or jack of all trades) how can you be expected to cover your assets with zero budget? Thankfully, there are plenty of open-source tools out there that will allow you to secure your organization. Come join me as I discuss how you can track your network assets, perform vulnerability assessments, prevent attacks with intrusion prevention systems, and even deploy HIDS. We will also jump into finding sensitive data and PII in your network, as well as incident response tools and automation. All it costs is your time (and maybe a VM or two). You really can drastically improve the security posture of your network with little to no budget, and you’ll have fun doing it! OK, maybe it won’t be fun, but at least you’ll learn something, right?
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...Adrian Sanabria
Enterprise security teams are facing numerous challenges because of evolving threat vectors bypassing existing technology, deluge of alerts, and lack of skilled resources to stop advanced threats. Even if enterprises have a budget to bring in outside incident response and forensics teams to stop the bleeding, by then, damages and loss have already occurred.
Security teams must change the shape of their security program to stop threats at the earliest and all stages of the attacker lifecycle. Join 451 Research Senior Analyst, Adrian Sanabria, and Director of Products at Endgame, Mike Nichols, talk about how earliest prevention and instant detection can change the shape and outcome of enterprise security program.
This talk will outline strategies for:
• Prioritizing the alerts and events that really matter
• Identifying parts of the investigation workflow that can be automated
• Building a detection methodology that creates confidence and continuously improves defenses
You’ve heard about security startups on the bleeding edge and you’ve heard early adopters sharing success stories at conferences. Meanwhile, legacy security paradigms have been falling (and failing) around us. This session will discuss building a continuous program for evaluating startups and new technologies (on a budget) while avoiding unnecessary risk and instability to existing infrastructure.
Ten Security Product Categories You've Probably Never Heard OfAdrian Sanabria
The security industry moves fast and is already a crazy place that's tough to keep up with. What happens when you get a window into the early-stage security startup market? You realize the rabbit hole goes, much, much deeper.
Endpoint threats have entered a new era, and the security industry has been rushing to catch up. The result is a highly fragmented and confusing market that has doubled in size to over 70 vendors in the last four years. We're in the midst of the second great endpoint security consolidation and will discuss precisely what that means. We'll discuss six progressive stages endpoint security will work through as this market continues to mature over the next five years or so.
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Adrian Sanabria
There are over 100 endpoint security products that claim to stop malware and other attacks against Windows. Nearly every major security incident or breach that has made media headlines had two things in common: Windows running one of these 100 products. This workshop won't spend any time bashing vendors, however. In fact, many of these products can be valuable assets when part of a more comprehensive endpoint protection strategy.
Part one of this workshop will address the anatomy of malware and why it succeeds so often.
The second part will dive down into practical defensive strategies, including passive prevention, detection, response, and remediation.
- Passive prevention is effectively free and ideal
- Prevention will always fail a percentage of the time, so detection is essential
- Response, if practiced and efficient, has a chance of stopping attacks before they reach their goal
- Remediation, because someone has to clean up this mess...
Every successful security strategy includes planning to handle failure quickly and effectively.
The remainder of the workshop will be hands-on.
Part three will review the native defensive capabilities in Windows and the pros/cons associated with using them.
For the finale, brave and trusting attendees will be invited to run neutered malware on the virtual Windows systems provided for this workshop to test out our newfound defensive skills. If not, there's no shame in watching your neighbor infect themselves with ransomware as you take notes.
At a time when some say users pose the biggest threat, new tools are emerging that give users more freedom than ever.
451 Analyst, Adrian Sanabria speaks on this bold new approach to application control in our latest webinar.
KEY TOPICS
1. Learn from the past: valuing User Experience, IT workload & business/IT relations.
2. Take off the training wheels: it’s possible to trust users to make the right choices, but still have options if they don”t.
3. Drop unreasonable goals: more restrictions ≠ more security.
Even though large breaches have hit headline news in years past, some companies are still on the fence about investing in cybersecurity. As a security practitioner (or jack of all trades) how can you be expected to cover your assets with zero budget? Thankfully, there are plenty of open-source tools out there that will allow you to secure your organization. Come join me as I discuss how you can track your network assets, perform vulnerability assessments, prevent attacks with intrusion prevention systems, and even deploy HIDS. We will also jump into finding sensitive data and PII in your network, as well as incident response tools and automation. All it costs is your time (and maybe a VM or two). You really can drastically improve the security posture of your network with little to no budget, and you’ll have fun doing it! OK, maybe it won’t be fun, but at least you’ll learn something, right?
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...Adrian Sanabria
Enterprise security teams are facing numerous challenges because of evolving threat vectors bypassing existing technology, deluge of alerts, and lack of skilled resources to stop advanced threats. Even if enterprises have a budget to bring in outside incident response and forensics teams to stop the bleeding, by then, damages and loss have already occurred.
Security teams must change the shape of their security program to stop threats at the earliest and all stages of the attacker lifecycle. Join 451 Research Senior Analyst, Adrian Sanabria, and Director of Products at Endgame, Mike Nichols, talk about how earliest prevention and instant detection can change the shape and outcome of enterprise security program.
This talk will outline strategies for:
• Prioritizing the alerts and events that really matter
• Identifying parts of the investigation workflow that can be automated
• Building a detection methodology that creates confidence and continuously improves defenses
You’ve heard about security startups on the bleeding edge and you’ve heard early adopters sharing success stories at conferences. Meanwhile, legacy security paradigms have been falling (and failing) around us. This session will discuss building a continuous program for evaluating startups and new technologies (on a budget) while avoiding unnecessary risk and instability to existing infrastructure.
Ten Security Product Categories You've Probably Never Heard OfAdrian Sanabria
The security industry moves fast and is already a crazy place that's tough to keep up with. What happens when you get a window into the early-stage security startup market? You realize the rabbit hole goes, much, much deeper.
Endpoint threats have entered a new era, and the security industry has been rushing to catch up. The result is a highly fragmented and confusing market that has doubled in size to over 70 vendors in the last four years. We're in the midst of the second great endpoint security consolidation and will discuss precisely what that means. We'll discuss six progressive stages endpoint security will work through as this market continues to mature over the next five years or so.
In this session Aaron will uncover the importance of using Chaos Engineering in developing a learning culture in a DevSecOps world. Aaron will walk us through how to get started with Chaos Engineering for security and how it can be practically applied to enhance system performance, resilience and security.
Security focused Chaos Engineering allows engineering teams to derive new information about the state of security within their distributed systems that was previously unknown. This new technique of instrumentation attempts to proactively inject security turbulent conditions or faults into our systems to determine the conditions by which our security will fail so that we can fix it before it causes customer pain.
During this session we will cover some key concepts in Safety & Resilience Engineering and how new techniques such as Chaos Engineering are making a difference in improving our ability to learn from incidents proactively before they become destructive.
DevSecOps in 2031: How robots and humans will secure apps together LogStefan Streichsbier
The year is 2031, how has software development and security evolved in the last decade? Are there any developers or security folks left? Have robots taken our jobs?
We will join Security Engineer Sam, that is responsible for securing a cutting edge application for a hot fintech company in the year 2021. The app has just completed a major release and Sam is sharing her progress and learnings with her peers at a local OWASP meetup. After a night of celebration she wakes up and finds her future self jumping out of a time-machine in her bedroom closet. Time travel paradoxes aside, the future of the world is at stake because a sentient A.I. is threatening to hack the planet. There is a small task force that has been working for a decade on finding a way to finally solve secure software development, and they have done it! There is no time to waste, you are joining your future self to go to the year 2031 and learn what they have learned to bring that knowledge back to present and avoid the dark future from ever happening.
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConTom Stiehm
DevSecOps adds on the DevOps by making Application Security part of the daily workflow of the team in order to improve the quality and security of a product. Shift AppSec practices left is the key enabler to making AppSec a first-class citizen in the development effort rather than an afterthought with limited ability to be successful.
Chaos engineering for cloud native securityKennedy
Human errors and misconfiguration-based vulnerabilities have become a major cause of data breaches and other forms of security attacks in cloud-native infrastructure (CNI). The dynamic and complex nature of CNI and the underlying distributed systems further complicate these challenges. Hence, novel security mechanisms are imperative to overcome these challenges. Such mechanisms must be customer-centric, continuous, not focused on traditional security paradigms like intrusion detection. We tackle these security challenges via Risk-driven Fault Injection (RDFI), a novel application of cyber security to chaos engineering. Chaos engineering concepts (e.g. Netflix’s Chaos Monkey) have become popular since they increase confidence in distributed systems by injecting non-malicious faults (essentially addressing availability concerns) via experimentation techniques. RDFI goes further by adopting security-focused approaches by injecting security faults that trigger security failures which impact on integrity, confidentiality, and availability. Safety measures are also employed such that impacted environments can be reversed to secure states. Therefore, RDFI improves security and resilience drastically, in a continuous and efficient manner and extends the benefts of chaos engineering to cyber security. We have researched and implemented a proof-of-concept for RDFI that targets multi-cloud enterprise environments deployed on AWS and Google cloud platform.
The reactionary state of the industry means that we quickly identify the ‘root cause’ in terms of ‘human-error’ as an object to attribute and shift blame. Hindsight bias often confuses our personal narrative with truth, which is an objective fact that we as investigators can never fully know. The poor state of self-reflection, human factors knowledge, and the nature of resource constraints further incentivize this vicious pattern. This approach results in unnecessary and unhelpful assignment of blame, isolation of the engineers involved, and ultimately a culture of fear throughout the organization. Mistakes will always happen.
Rather than failing fast and encouraging experimentation, the traditional process often discourages creativity and kills innovation. As an alternative to simply reacting to failures, the security industry has been overlooking valuable chances to further understand and nurture ‘accidents’ or ‘mistakes’ as opportunities to proactively strengthen system resilience. Expose the failures, build resilient systems, and develop an "Applied security" model to minimize the impact of failures. In this session we will cover discuss the role of ‘human-error’, root cause, and resilience engineering in our industry and how we can use new techniques such as Chaos Engineering to make a difference.
Security focused Chaos Engineering proposes that the only way to understand this uncertainty is to confront it objectively by introducing controlled signals. During this session we will cover some key concepts in Safety & Resilience Engineering work based on Sydney Dekker’s 30 years of research into airline accident investigations and how new techniques such as Chaos Engineering are making a difference in improving our ability to learn from incidents proactively before they become destructive
DevSecOps Personas – what Developers, Security, and Operations think when it comes to people/tech/processes/culture when it comes to rolling out DevSecOps programs.
Each of these teams have different drivers, ambitions, blockers, and challenges when it comes to a successful DevSecOps program. As Dale Carnegie said, ‘The only way to get anyone to do anything, is to make them want to do it’ - all the tech and process in the world isn’t going to make it successful if the people and culture (and heart) are not in it. So let’s share what we’ve seen from 100s of company interactions, understand better where everyone is coming from, and how to approach a DevSecOps program that can move the needle like Marty McFly playing Doc Brown’s guitar. We’ve love this to be interactive, so bring your stories and questions.
Gary's Bio
Gary Robinson has been working in software and cyber security for 20+ years, as a coder, pen tester, consultant, Security Architect at Citi, Global Board member at OWASP, and heading up Uleska to focus on DevSecOps for the last 5 years. Gary’s focused on the people, process, technology, and culture aspect of DevSecOps – as someone who’s worked in all three spaces during his time – and what drivers, blockers, etc each experience with ‘DevSecOps’, ‘shift-left’, ‘secure by design’, and the rest.
--------
Find out more about us www.uleska.com/
Follow us on LinkedIn https://www.linkedin.com/company/uleska/
Follow us on Twitter https://twitter.com/uleska_sec/
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...Aaron Rinehart
The complex ordeal of delivering secure and reliable software in Healthcare will continue to become exponentially more difficult unless we begin approaching the craft differently.
Enter Chaos Engineering, but now also for security. Instead of a focus on resilience against service disruptions, the focus is to identify the truth behind our current state security and determine what “normal” operations actually look like when it's put to the test.
The speed, scale, and complex operations within modern systems make them tremendously difficult for humans to mentally model their behavior. Security Chaos Engineering is an emerging practice that is helping engineers and security professionals realign the actual state of operational security and build confidence that it works the way it was intended to.
Join Aaron Rinehart to learn how he implemented Security Chaos Engineering as a practice at the world’s largest healthcare company to proactively discover system weakness before they were taken advantage of by malicious adversaries. In this session Aaron will share his experience of applying Security Chaos Engineering to create highly secure, performant, and resilient distributed systems.
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, is Security in DevOps important, who is responsible and what can teams do make security a competitive advantage.
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)DJ Schleen
Join us at Agile+DevOps East's DevSecOps Summit on November 18th to check out our new presentation: https://agiledevopseast.techwell.com/program/devsecops-summit-sessions/blameless-retrospectives-devsecops-global-healthcare-giants-agile-devops-virtual-2020
Outpost24 webinar - Why security perfection is the enemy of DevSecOpsOutpost24
The chase for security perfection is not uncommon. The idea of ‘shift left’ - locating defects from the beginning of SDLC and rectifying them early is a well-founded approach. But in a competitive business landscape, companies must balance the tradeoff between speed and quality to keep their business moving. Join our application security webinar and learn how to implement an agile DevSecOps to carry out the necessary security checks without compromising on time-to-market.
This talk by Stefan Streichsbier, Co-Founder of GuardRails.io, provides a brief history of how development, operations and security testing have become highly complex. It continues to outline the key problems with traditional security solutions and why in 2020 companies around the world are still figuring out a good way to manage security as part of rapid development cycles. Specifically, the big challenge of introducing and fixing new security issues versus tackling the existing security dept of existing applications.
To quote Bishop Desmond Tutu, “There comes a point where we need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in.”
After setting the stage, the remainder of the talk will focus on the paradigm shift that security solutions have to incorporate in order to solve the problem of sustainably secure applications on all layers. This will explore how the elements of Speed, Just in time training, and Data science have to be leveraged to empower development teams around the globe to get ahead for once and finally become able to move fast and be safe at the same time.
The 3 core takeaways for the audience are:
1.) Where security practices have gone wrong so far.
2.) What new technologies will cause a paradigm shift in how security is applied at scale.
3.) How security will look like in 5-10 years.
Finding Security a Home in a DevOps WorldShannon Lietz
Presented this talk at DevOps Summit in 2015 to a DevOps community. Discovered that security is new to most DevOps teams and this was a very good discussion.
Navigating the Unknowable: Resilience through Security Chaos Engineering
When applied to Cyber Security, Chaos Engineering is advancing our ability to reveal objective information about the effectiveness of operational security measures proactively through empirical experimentation. In this session we will introduce the core concepts behind this new technique and how you can get started in building and applying it.
In the software engineering world, change is the only constant. And in the course of the last decades, the frequency of that change has exploded. What Agile has brought to software teams, DevOps is now bringing to the entire organization. And the results speak for themselves. The DevOps high-performers are killing it. Insane deploy frequencies of features, high reliability of applications, and high productivity of cross-functional teams have amplified the speed at which ideas become a reality.
In parallel, Application Security was doing its own thing and to a large part remained oblivious to all the impressive improvements that were happening in software engineering. Because breaking an application doesn’t need any knowledge of how it was created in the first place.
This talk will cover anti-patterns that are preventing application security from being adopted by development teams, such as:
* Signals versus Noise
* Lost in Translation
* Make it easy
The security practitioner's role is changing significantly. Trends like mobile, cloud, DevOps, and Zero Trust are creating new roles and erasing others. This presentation navigates these changes and makes some recommendations for folks wanting to keep up with the curve.
In this session Aaron will uncover the importance of using Chaos Engineering in developing a learning culture in a DevSecOps world. Aaron will walk us through how to get started with Chaos Engineering for security and how it can be practically applied to enhance system performance, resilience and security.
Security focused Chaos Engineering allows engineering teams to derive new information about the state of security within their distributed systems that was previously unknown. This new technique of instrumentation attempts to proactively inject security turbulent conditions or faults into our systems to determine the conditions by which our security will fail so that we can fix it before it causes customer pain.
During this session we will cover some key concepts in Safety & Resilience Engineering and how new techniques such as Chaos Engineering are making a difference in improving our ability to learn from incidents proactively before they become destructive.
DevSecOps in 2031: How robots and humans will secure apps together LogStefan Streichsbier
The year is 2031, how has software development and security evolved in the last decade? Are there any developers or security folks left? Have robots taken our jobs?
We will join Security Engineer Sam, that is responsible for securing a cutting edge application for a hot fintech company in the year 2021. The app has just completed a major release and Sam is sharing her progress and learnings with her peers at a local OWASP meetup. After a night of celebration she wakes up and finds her future self jumping out of a time-machine in her bedroom closet. Time travel paradoxes aside, the future of the world is at stake because a sentient A.I. is threatening to hack the planet. There is a small task force that has been working for a decade on finding a way to finally solve secure software development, and they have done it! There is no time to waste, you are joining your future self to go to the year 2031 and learn what they have learned to bring that knowledge back to present and avoid the dark future from ever happening.
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConTom Stiehm
DevSecOps adds on the DevOps by making Application Security part of the daily workflow of the team in order to improve the quality and security of a product. Shift AppSec practices left is the key enabler to making AppSec a first-class citizen in the development effort rather than an afterthought with limited ability to be successful.
Chaos engineering for cloud native securityKennedy
Human errors and misconfiguration-based vulnerabilities have become a major cause of data breaches and other forms of security attacks in cloud-native infrastructure (CNI). The dynamic and complex nature of CNI and the underlying distributed systems further complicate these challenges. Hence, novel security mechanisms are imperative to overcome these challenges. Such mechanisms must be customer-centric, continuous, not focused on traditional security paradigms like intrusion detection. We tackle these security challenges via Risk-driven Fault Injection (RDFI), a novel application of cyber security to chaos engineering. Chaos engineering concepts (e.g. Netflix’s Chaos Monkey) have become popular since they increase confidence in distributed systems by injecting non-malicious faults (essentially addressing availability concerns) via experimentation techniques. RDFI goes further by adopting security-focused approaches by injecting security faults that trigger security failures which impact on integrity, confidentiality, and availability. Safety measures are also employed such that impacted environments can be reversed to secure states. Therefore, RDFI improves security and resilience drastically, in a continuous and efficient manner and extends the benefts of chaos engineering to cyber security. We have researched and implemented a proof-of-concept for RDFI that targets multi-cloud enterprise environments deployed on AWS and Google cloud platform.
The reactionary state of the industry means that we quickly identify the ‘root cause’ in terms of ‘human-error’ as an object to attribute and shift blame. Hindsight bias often confuses our personal narrative with truth, which is an objective fact that we as investigators can never fully know. The poor state of self-reflection, human factors knowledge, and the nature of resource constraints further incentivize this vicious pattern. This approach results in unnecessary and unhelpful assignment of blame, isolation of the engineers involved, and ultimately a culture of fear throughout the organization. Mistakes will always happen.
Rather than failing fast and encouraging experimentation, the traditional process often discourages creativity and kills innovation. As an alternative to simply reacting to failures, the security industry has been overlooking valuable chances to further understand and nurture ‘accidents’ or ‘mistakes’ as opportunities to proactively strengthen system resilience. Expose the failures, build resilient systems, and develop an "Applied security" model to minimize the impact of failures. In this session we will cover discuss the role of ‘human-error’, root cause, and resilience engineering in our industry and how we can use new techniques such as Chaos Engineering to make a difference.
Security focused Chaos Engineering proposes that the only way to understand this uncertainty is to confront it objectively by introducing controlled signals. During this session we will cover some key concepts in Safety & Resilience Engineering work based on Sydney Dekker’s 30 years of research into airline accident investigations and how new techniques such as Chaos Engineering are making a difference in improving our ability to learn from incidents proactively before they become destructive
DevSecOps Personas – what Developers, Security, and Operations think when it comes to people/tech/processes/culture when it comes to rolling out DevSecOps programs.
Each of these teams have different drivers, ambitions, blockers, and challenges when it comes to a successful DevSecOps program. As Dale Carnegie said, ‘The only way to get anyone to do anything, is to make them want to do it’ - all the tech and process in the world isn’t going to make it successful if the people and culture (and heart) are not in it. So let’s share what we’ve seen from 100s of company interactions, understand better where everyone is coming from, and how to approach a DevSecOps program that can move the needle like Marty McFly playing Doc Brown’s guitar. We’ve love this to be interactive, so bring your stories and questions.
Gary's Bio
Gary Robinson has been working in software and cyber security for 20+ years, as a coder, pen tester, consultant, Security Architect at Citi, Global Board member at OWASP, and heading up Uleska to focus on DevSecOps for the last 5 years. Gary’s focused on the people, process, technology, and culture aspect of DevSecOps – as someone who’s worked in all three spaces during his time – and what drivers, blockers, etc each experience with ‘DevSecOps’, ‘shift-left’, ‘secure by design’, and the rest.
--------
Find out more about us www.uleska.com/
Follow us on LinkedIn https://www.linkedin.com/company/uleska/
Follow us on Twitter https://twitter.com/uleska_sec/
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...Aaron Rinehart
The complex ordeal of delivering secure and reliable software in Healthcare will continue to become exponentially more difficult unless we begin approaching the craft differently.
Enter Chaos Engineering, but now also for security. Instead of a focus on resilience against service disruptions, the focus is to identify the truth behind our current state security and determine what “normal” operations actually look like when it's put to the test.
The speed, scale, and complex operations within modern systems make them tremendously difficult for humans to mentally model their behavior. Security Chaos Engineering is an emerging practice that is helping engineers and security professionals realign the actual state of operational security and build confidence that it works the way it was intended to.
Join Aaron Rinehart to learn how he implemented Security Chaos Engineering as a practice at the world’s largest healthcare company to proactively discover system weakness before they were taken advantage of by malicious adversaries. In this session Aaron will share his experience of applying Security Chaos Engineering to create highly secure, performant, and resilient distributed systems.
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, is Security in DevOps important, who is responsible and what can teams do make security a competitive advantage.
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)DJ Schleen
Join us at Agile+DevOps East's DevSecOps Summit on November 18th to check out our new presentation: https://agiledevopseast.techwell.com/program/devsecops-summit-sessions/blameless-retrospectives-devsecops-global-healthcare-giants-agile-devops-virtual-2020
Outpost24 webinar - Why security perfection is the enemy of DevSecOpsOutpost24
The chase for security perfection is not uncommon. The idea of ‘shift left’ - locating defects from the beginning of SDLC and rectifying them early is a well-founded approach. But in a competitive business landscape, companies must balance the tradeoff between speed and quality to keep their business moving. Join our application security webinar and learn how to implement an agile DevSecOps to carry out the necessary security checks without compromising on time-to-market.
This talk by Stefan Streichsbier, Co-Founder of GuardRails.io, provides a brief history of how development, operations and security testing have become highly complex. It continues to outline the key problems with traditional security solutions and why in 2020 companies around the world are still figuring out a good way to manage security as part of rapid development cycles. Specifically, the big challenge of introducing and fixing new security issues versus tackling the existing security dept of existing applications.
To quote Bishop Desmond Tutu, “There comes a point where we need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in.”
After setting the stage, the remainder of the talk will focus on the paradigm shift that security solutions have to incorporate in order to solve the problem of sustainably secure applications on all layers. This will explore how the elements of Speed, Just in time training, and Data science have to be leveraged to empower development teams around the globe to get ahead for once and finally become able to move fast and be safe at the same time.
The 3 core takeaways for the audience are:
1.) Where security practices have gone wrong so far.
2.) What new technologies will cause a paradigm shift in how security is applied at scale.
3.) How security will look like in 5-10 years.
Finding Security a Home in a DevOps WorldShannon Lietz
Presented this talk at DevOps Summit in 2015 to a DevOps community. Discovered that security is new to most DevOps teams and this was a very good discussion.
Navigating the Unknowable: Resilience through Security Chaos Engineering
When applied to Cyber Security, Chaos Engineering is advancing our ability to reveal objective information about the effectiveness of operational security measures proactively through empirical experimentation. In this session we will introduce the core concepts behind this new technique and how you can get started in building and applying it.
In the software engineering world, change is the only constant. And in the course of the last decades, the frequency of that change has exploded. What Agile has brought to software teams, DevOps is now bringing to the entire organization. And the results speak for themselves. The DevOps high-performers are killing it. Insane deploy frequencies of features, high reliability of applications, and high productivity of cross-functional teams have amplified the speed at which ideas become a reality.
In parallel, Application Security was doing its own thing and to a large part remained oblivious to all the impressive improvements that were happening in software engineering. Because breaking an application doesn’t need any knowledge of how it was created in the first place.
This talk will cover anti-patterns that are preventing application security from being adopted by development teams, such as:
* Signals versus Noise
* Lost in Translation
* Make it easy
The security practitioner's role is changing significantly. Trends like mobile, cloud, DevOps, and Zero Trust are creating new roles and erasing others. This presentation navigates these changes and makes some recommendations for folks wanting to keep up with the curve.
Agile has made it possible to deliver a lot product lines and service lines almost like instant coffee , tea and instant everything. It has created a lot of diverse needs especially the need to keep pace with Dev and Operations and everything is expected to continuous along the pipeline without breaking anything along the way. This would mean features , security , builds , releases and the whole nine yards that go with putting your app or product out there. We shall look at DEVSECOPS along with why everything else associated with this initiative that needs to be continuous . Without this mindset agile shall be a term that shall not have much of relevance let alone deliver a product or feature in the best quality and time frame.
2016 - Safely Removing the Last Roadblock to Continuous Deliverydevopsdaysaustin
Presentation by Shannon Lietz
Software needs to be awesome, resilient, available and “secure”, but Security has long been a big roadblock to fast deployments and software improvement. What if it wasn’t?
Continuous delivery requires operational functions to shift left and for an iterative approach to be taken. Security has not been easy to shift left and taking an iterative approach requires everyone to take responsibility. With a continuos security approach and everyone in the Software Supply Chain taking on the tasks of including security, its possible to achieve Rugged Software. This talk aims to provide a journey towards this approach and provide the path.
Software needs to be awesome, resilient, available and “secure”, but Security has long been a big roadblock to fast deployments and software improvement. What if it wasn’t?
Continuous delivery requires operational functions to shift left and for an iterative approach to be taken. Security has not been easy to shift left and taking an iterative approach requires everyone to take responsibility. With a continuos security approach and everyone in the Software Supply Chain taking on the tasks of including security, its possible to achieve Rugged Software. This talk aims to provide a journey towards this approach and provide the path.
Security in the cloud is fundamentally different. Not so much due to the technology--though there's plenty of differences there--but more with respect to the way that security is applied and how it's run.
Over the past few years, we've seen a radical shift in how development and operational teams work together. Security teams have been left out in the cold and are still viewed as the "No" team.
It doesn't have to be that way.
Cloud technologies have enabled new work flows and models for businesses and other teams...security is no different. We just have to wake up and take advantage of the new ecosystem.
When security teams embrace change, the boundaries start to dissolve and security can finally be built in instead of bolted on.
In this session, we'll look at some of the challenges involved in this shift, how it impacts your teams, your skill set, and how a modern approach to defence will improve your security posture.
Presented at BC Aware Day, 31-Jan-2017
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
Our technology, work processes, and activities all depend on if we trust our software to be developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" Meetup to learn how to integrate security in the development process, DevSecOps advance methods, manage the implement secure coding analysis and how to manage software security risks.
DIY guide to runbooks, incident reports, and incident responseNathan Case
In this session, we explore the cost of incidents and consider creative ways to look at future threats. We walk you through the threat landscape, looking at what has happened over the last year. Learn about the best open-source tools to have in your security arsenal now and in the future to help you detect and deal with the threats of today and tomorrow. Finally, learn how to identify where these threats are coming from and how to detect them more easily. The information in this session is provided by various teams and sources
Vendors are lured by visions of long-term residual subscription income, while customers dream of IT services and software without significant upfront costs. Sounds like techno Shangri-La, but what of security? Pessimists warn us away from the Cloud on the grounds that we should maintain control over the security of our property. Those bullish on the Cloud argue often delusionaly that your data is safer in the Cloud than on your own hard drives. Make no mistake: the Internet is the lion's den, and the Cloud sits squarely in it. This session will discuss the security realities of traditional IT software and infrastructure, and contrast them with those of Cloud-based resources.
Secure by Design - Security Design Principles for the Rest of UsEoin Woods
Security is an ever more important topic for system designers. As our world becomes digital, today’s safely-hidden back office system is tomorrow’s public API, open to anyone on the Internet with a hacking tool and time on their hands. So the days of hoping that security is someone else’s problem are over.
The security community has developed a well understood set of principles used to build systems that are secure (or at least securable) by design, but this topic often isn’t included in the training of software developers, assuming that it’s only relevant to security specialists.
In this talk, we will briefly discuss why security needs to be addressed as part of architecture work and then introduce a set of proven principles for the architecture of secure systems, explaining each in the context of mainstream system design, rather than in the specialised language of security engineering.
This version of the talk was presented at GOTO London in October 2016.
Secure by Design - Security Design Principles for the Working ArchitectEoin Woods
As our world becomes digital, the systems we build must be secure by design. The security community has developed a well-understood set of principles used to build systems that are secure (or at least securable) by design, but this topic often isn’t included in the training of software developers. And when the principles are explained, they are often shrouded in the jargon of the security engineering community, so mainstream developers struggle to understand and apply them.
This talk explains why secure design matters and introduces 10 of the most important proven principles for designing secure systems, distilled from the wisdom of the security engineering community.
Similar to Cloud, DevOps and the New Security Practitioner (20)
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Adrian Sanabria
In decades past, cybersecurity professionals spent a lot of their time warning organizations away from bleeding-edge technology. As a group, we’re inherently nervous around new technology. It’s unproven, it has bugs, there’s no basis for trust, and sometimes it violates or pushes back on traditional boundaries and best practices.
Traditionally, you were a fool to rush into new technology, but these days… would you be a fool not to?
Modern businesses are hyper-aware of the competitive advantages emerging technology can give. While every new technology doesn’t become an advantage, organizations in many industries can’t afford to wait and see before experimenting with it.
This talk will explore the cybersecurity professional’s role in each of the five stages of adoption, from innovators to laggards. The talk will also explore what we can do to better guide our employers and clients to make safer and more informed decisions as they try to balance the growth and stability of their businesses.
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...Adrian Sanabria
### Part 1 (20 min) - Avoiding Bad Stats
Bad and even fake statistics are commonly found in mainstream media, but did you know that they're even more common in InfoSec? Cybersecurity vendors and media can often be found using statistics that are poorly interpreted, come from bad data, or are even entirely fabricated! I'll cover some high-profile examples of bad and fake stats. Then, I'll walk through some strategies and tools you can use to spot and debunk bad stats yourself! This skill isn't just useful for your InfoSec day job, either - these same approaches will work for bad stats you come across in any field.
### Part 2 (20 min) - The Benefits of Playing Live Trivia with Friends
Now that you understand how to spot and validate bad stats, I'll talk about how doing weekly live trivia with friends can improve your self-awareness, confidence, and humility. We'll talk about how trivia can help you spot and avoid your own cognitive biases and some fallacies that often lead us down dangerous paths.
Lies and Myths in InfoSec - 2023 Usenix EnigmaAdrian Sanabria
In InfoSec, many closely held beliefs, commonly accepted best practices, and accepted ‘facts’ are just wrong. These myths and lies spread quickly. Collectively, they can point security teams in the wrong direction. They can give rise to ineffective products. They often make their way into legitimate research, clouding results.
"Sixty percent of small businesses close within 6 months of being hacked."
There's a good chance you've seen this stat before. It has no basis in reality. The available evidence suggests quite the opposite.
"Attackers only need to get it right once, defenders have to get it right every single time."
This idea has been repeated so often in InfoSec that it has become generally accepted as a true statement. It isn't just wrong, it's demotivating and encourages defeatist thinking that can sink the morale of a security team.
Most of the myths and lies in InfoSec take hold because they seem correct, or sound logical. Similar cognitive biases make it possible for even the most preposterous conspiracy theories to become commonly accepted in some groups.
This is a talk about the importance of critical thinking and checking sources in InfoSec. Our industry is relatively new and constantly changing. Too often, we operate more off faith and hope than fact or results. Exhausted and overworked defenders often don't have the time to seek direct evidence for claims, question sources, or test theories for themselves.
This talk compiles some of the most interesting research I’ve done over the past decade. My goal is to convince you to treat vendor claims, commonly accepted industry statistics, and best practices with healthy skepticism. You don't need to be a data scientist or OSINT expert to test theories and discover the truth - you just need to sacrifice a bit of your time now and then. I'll show you how.
Indistinguishable from Magic: How the Cybersecurity Market Reached a Trillion...Adrian Sanabria
The phrase low-hanging fruit is an apt metaphor to explain how security market growth and cybercrime success have mirrored each other. For early humans, it made sense to go for maximum calories with the least effort. As with most things in security, traditional logic doesn't always apply.
We got the budget we asked for.
We got the shiny products.
We got the training.
We got the staff.
We got breached.
Something is clearly still missing in security.
This won't be a vendor-bashing, anti-products talk. In fact, I'll argue that products are the least of the problem. In nearly ever breach I've analyzed, the target had all the products and people they needed to prevent, detect, and stop the attack.
What's missing is more nuanced. While it isn't low hanging fruit, it isn't rocket science either. What's missing isn't even unique to security - other disciplines and industries figured it out long ago (usually the hard way, after a lot of accidental deaths).
We’ve made a lot of progress over the 20+ years I’ve been involved in the industry, but to make the next leap in maturity, we have to shift our focus a bit. This talk will argue we need to shift some of our focus to things like resilient processes, more feedback loops, and improving response through team practice.
You've got security issues to solve. Should you build a solution or buy something pre-built? If you choose to buy, what should your selection criteria be? What questions should you ask the vendor? How should you run a POC? How do you put a security product through it's paces?
You can view a recording of this presentation here: https://www.youtube.com/watch?v=SPFam1FtPRY
What do you remember about the Equifax? Something about someone forgetting to patch Struts, and then the bad guys were able to get in and steal all the data? What actually happened was much more nuanced, and there's much to learn by diving into the details.
Endpoint threats aren't threats if proper defenses are in place. Listen and learn from Adrian on how to set up proper defenses for endpoints in your organization.
Presentation made for HexCon21
Everybody decries the state of the industry. Everyone hates the over-hyped headlines, the obvious FUD and the shameless snake-oil.
So why do we have so much of it?
This talk aims to examine several of the dark-patterns that have become perfectly acceptable in infosec and then aims to drill down to their root causes. With any luck, we will also get to discuss some options to chart our way out of this mess.
Securing Systems - Still Crazy After All These YearsAdrian Sanabria
It's 2019 and we still don't know if we have a complete inventory of our assets. It is impossible to guarantee that they are all safe. The last penetration test resulted in a bloodbath. Every day we worry about whether today is the day they hack us. This cycle of stress and worry MAY break, but each stage of securing system has its complexities and challenges. We will analyze these challenges, these difficulties, and provide strategies to address them.
From asset discovery to system tightening to vulnerability management - this presentation will show you how to build lasting trust in the security we provide to our organizations.
One of the more common IoT, "cloud-based" device mistakes is one that leaves 100% of customer devices at risk. I share an example I discovered while doing due diligence in the course of my job back in 2012.
451 and Cylance - The Roadmap To Better Endpoint SecurityAdrian Sanabria
In recent years, endpoint security has evolved well beyond signature-based antivirus which proved unable to keep pace with the speed and volume of evolving threats. With the onslaught of new security technologies available, it can be difficult to determine where to begin. In this webinar, 451 Senior Analyst, Adrian Sanabria and Cylance Product Marketing Manager, Steve Salinas will discuss a proven approach to securing your endpoints.
Adrian and Steve will present the fundamental steps to securing endpoints:
• Step 1: A Better Malware Mousetrap
• Step 2: More Resilient Endpoints
• Step 3: Stopping Non-Malware Attacks
• Step 4: Full System Visibility with Endpoint Detection and Response
• Step 5: Dynamic Defense with User Behavior
• Step 6: Data Visibility
• Conclusion: Malware is Solved! What Now?
Endpoint security can be complex. Join us for this webinar to learn how applying a reasoned, results-based approach can help you can take control of your endpoints and silence attackers.
Hybrid Cloud Security: Potential to be the Stuff of Dreams, not NightmaresAdrian Sanabria
A presentation I gave at 451's inaugural Digital Infrastructure Summit in May 2015. The basic premise is that security can actually be easier, not more difficult in the cloud. I also explain why security is often listed as a top concern with using cloud providers.
The video is also available, though I had to cut my presentation time by a third, so it doesn't go quite as deep as some of the slides might suggest. The following YouTube link drops you about 65 minutes in, which is when my talk begins.
https://youtu.be/tHkVTSfTZtA?t=3903
Shortly after I was convinced to join Twitter and get engaged with the security community, I started noticing patterns with the people I was meeting. Namely, I noticed that many were also musicians and that the vast majority played the electric bass. As a bass player myself, I understand that the general rule is, if you show up to an open-mic blues jam, you’ll get to play bass all night, and the guitarists will be relieved that none of them have to ‘do bass duty’. I became fascinated with how this pattern seems to reverse in the infosec/hacker community and started to see parallels between security and this particular instrument. I plan to share my research, ideas and theories that I’ve collected on my journey to understand this strange anomaly and look forward to hearing more.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
1. Cloud, DevOps and the New Security
Practitioner
15, June 2016
1:30PM
Adrian Sanabria
Senior Security Analyst
451 Research
To get a copy of these slides, send an
email to sawaba@zip.sh with CSW2016
in the subject line or scan this QR code
2. Slide 2
Why are we here?
IT changes fast. Attackers change fast. Defenders don’t.
IT is changing
Attackers are adapting
The security discipline is diverging
3. Slide 3
Understanding security’s role by
understanding IT
Traditional approach to security:
Security is always a secondary or enabling layer
Security must have direct knowledge and experience
with the underlying layer in order to be effective at
protecting it or recommending feasible solutions
Direct experience in core technical disciplines goes a
long way in earning respect and cooperation
Physical
Security
OS
Layer
Network
Layer
Service
Desk
Dev, QA,
Test
Web/App
Layer
Ops
4. Slide 4
Understanding security’s role by
understanding IT
Issues with the traditional approach:
Few security teams can ever be ‘well-rounded’ enough
Security team isn’t qualified to advise much of IT
Adversarial/dysfunctional relationships common
IT changes often; attackers adapt quickly
Defenders and security tools adapt slowly
Physical
Security
OS
Layer
Network
Layer
Service
Desk
Dev, QA,
Test
Web/App
Layer
Ops
5. Slide 5
Security
Security’s changing role
An example: going ‘cloud-first’
Lower-level IT layers are outsourced
Most security practitioner knowledge lies in these layers
Infrastructure-heavy security skillsets lose value
Concept of bi-modal IT further confuses things
As IT changes, so must security
Physical
Security
OS
Layer
Network
Layer
Service
Desk
Dev, QA,
Test
Web/App
Layer
Ops
6. Slide 6
Security’s changing role
Cloud and DevOps – an opportunity to redesign security:
Smaller ‘well-rounded’ groups
Dev, ops, infrastructure and security roles are shared
Everyone working towards a clear, common goal
Relationship between security and developers is crucial
Security can’t impact delivery schedule
Physical
OS
Layer
Network
Layer
Service
Desk
Dev, QA, Test;
Web/App Layer; Ops
Security
7. Slide 7
Questions
What should security’s future role be?
Security is redistributed into IT for all operational tasks
Dedicated security staff performs
high-level design, design/architectural input
monitor changes in risk/attackers/landscape
instruct/consult individual SMEs as needed
Physical
OS
Layer
Network
Layer
Service
Desk
Dev, QA, Test;
Web/App Layer; Ops
Security
SME
Internal Security Team
Security
SME
Security
SME
Security
SME
8. Slide 8
Increasingly, software resembles these
principles
Yesterday, Chef announced Habitat
https://www.chef.io/blog/2016/06/14/introducing-habitat/
So… what’s up with the yin/yang visual metaphor?
…and where’s security?
Sec
analysts are
too
10. Slide 10
New rule: if you own it, own it
“Whomever is responsible for an asset
– be it data, infrastructure, code, or
people, must secure it”
11. Slide 11
Why make asset owners responsible?
No one knows and understands the opportunities,
constraints and dependencies of the asset better
Security becomes a bottleneck for performance,
progress and often, even security
Little to no time wasted on remediation conflict: what to
fix, how to fix it, when and at what priority level
Likely that fewer security issues will occur*
Drives the cost of securing systems down, in terms of
labor, efficiency and efficacy**
* I’ll explain later
** I’ll explain after that
12. Slide 12
Better Testing, Worse Quality?
Study done in 2000 by Elizabeth Hendrickson
Reads like a short
version of the
Phoenix Project
13. Slide 13
Better Testing, Worse Quality?
Study done in 2000 by Elizabeth Hendrickson
Creating an independent testing group can encourage
counterproductive culture
“Don’t do today what you can push off onto someone else’s
plate”
Document and address low hanging fruit
Schedule time for developers to test and fix bugs
To improve code quality, stop the problem at the source
Everyone should understand what they’re building and why
Get testers involved earlier in the process
Bottleneck testing resources and developers are forced to ship
higher quality code
http://testobsessed.com/wp-content/uploads/2011/04/btwq.pdf
14. Slide 14
Better Testing, Worse Quality?
Study done in 2000 by Elizabeth Hendrickson
Could this apply to InfoSec?
Surely not.
In fact, it might be quite worse.
We’ve convinced everyone not
just that security is our job, but
that we’re the only ones that can
do it properly.
What if they believed us?
21. Slide 21
So… you want to give away our jobs?
Traditional InfoSec doesn’t have to worry for a while
Be aware of the change
Learn new things now – don’t wait for later
Currently, new security jobs are often NOT going to
security practitioners, and we’ll discuss why…
23. Slide 23
How common?
6 out of the first 10 jobs I looked at required:
coding skills
new tech generation experience and/or skills
24. Slide 24
Like what experience or skills?
“Ability to automate tasks using scripting or other
programming language”
“Scripting or general purpose programming languages”
REST, JSON, XML (API scripting)
“Experience with DevOps, CI/CD, Chef, Puppet”
“Experience testing for vulnerabilities in Ruby on Rails
applications”
“Experience with various scripting and programming
languages”
“Teach secure coding practices to software engineers”
25. Slide 25
What should I learn?
Scripting (automation)
Get familiar with cloud, agile, devops, containers,
microservices, etc.
AppSec
Data protection
Learn to write code
26. Slide 26
What should I learn?
Cloud – focus on AWS, Azure, Digital Ocean (cheap)
Containers – focus on Docker
Pick a language - ruby and python are most common
Jenkins
Ansible, Chef, Puppet, Salt
New attack surface Don’t make security worse!
Automation Make security better!
27. Slide 27
How should I learn it?
Good starting point: find a security guy that loves to
automate security and plunder his GitHub:
https://github.com/averagesecurityguy
And more: https://github.com/krmaxwell
https://github.com/nbrownus Slack makes cool stuff
Go after AWS Certs just to learn AWS
Digital Ocean Tutorials
28. Slide 28
Resources – efficiency and workflow
Learning to recognize efficiency and workflow issues;
challenging ”because we’ve always done it that way”
Better Testing, Worse Quality, Elizabeth Hendrickson
Four Hour Work Week, Tim Ferris
The Phoenix Project, Kevin Behr, George Spafford,
Gene Kim
Signal v. Noise 37Signals blogs (on medium) and books
ReWork by the Basecamp guys
29. Slide 29
Resources – new ideas
New ideas – challenge assumptions, push thinking
…also, VIDEOS!
Distributed Security Alerting by Ryan Huber (blog)
Security Automation by Ryan Huber (video)
What Got Us Here Won’t Get Us There Black Hat
keynote by Haroon Meer
Cloud Computing – Why IT Matters by Simon Wardley at
OSCON 09
30. Slide 30
Conclusion
If you want to understand where security is
going, stop looking at security, and start
following IT innovation, trends and changes
We could also throw some other things in here as well.
People (security awareness training)
HR
Data
Supply Chain/Third party partners
Compliance/regulation
Design/Architecture
Identity
We could also throw some other things in here as well.
People (security awareness training)
HR
Data
Supply Chain/Third party partners
Compliance/regulation
Design/Architecture
Identity
We could also throw some other things in here as well.
People (security awareness training)
HR
Data
Supply Chain/Third party partners
Compliance/regulation
Design/Architecture
Identity
We could also throw some other things in here as well.
People (security awareness training)
HR
Data
Supply Chain/Third party partners
Compliance/regulation
Design/Architecture
Identity
Just an idea – doesn’t have to be precisely like this. Depends on the business, the culture, trial/error and a hundred other factors. The general idea though, is to get security responsibility and expertise closer to where the work is done.
Do you have any DevOps-excitable people back at the office? They’ll have this running by the time you get back there. You’re welcome for the heads up ;) But look at that! Security! Built-in, not bolted on! Well, in theory – we still need to dig into this.
Introduced an independent test unit, which made the number of bugs go up and software quality go down.
Findings
More QA = more bugs and longer cycles
Created the psychological impact of telling developers that quality is someone else’s problem
Insulting; percieved lack of empathy and respect for the developer
Solution
Tight relationships necessary between QA and Dev
QA remains, but with an artificial bottleneck
Developers still responsible for deadlines and therefore have to ‘budget’ time for QA
Devs write better code to ensure it goes through QA quickly
Devs need to be given 10% extra time to ensure better quality code.
Also, remember – the two are inseparably linked. When we talk about code quality, we’re also often talking about security - issues with quality is where vulnerabilities come from, right?
I’m using AWS as an example here, because it represents one extreme. There are 55 products on this page, but only one of them is for running virtual servers. Can we even call this cloud? It is probably better to think of large public clouds like AWS instead, as a development framework. You could just forklift most of your datacenter and applications into AWS, but you wouldn’t be getting a lot of value out of it.
If we’re not well equipped to handle them? Yes.
Otherwise… my research shows that they’re already being given away to non-security folks.
Turns out, it is easier to take someone with a dev background and skills and teach them security than to take security folks and teach them dev & low tolerance for inefficiency. Again, this aligns with the mainframe/Windows admin analogy
SR DevSecOps Engineer
"we are a cloud first, mobile first company"
"capable of working in a multi-platform environment"
Scripting: PowerShell, Python, Perl, Ruby
Ability to automate tasks using scripting or other programming language.
Demonstrated expertise in web services, virtualization, cloud concepts, REST, JSON, XML, SQL, PHP, LDAP, & object oriented methodologies.
Senior InfoSec Analyst (SecOps role)
Scripting or general purpose programming languages (Javascript, Perl, PHP, Powershell, Python, etc.)
Representational state transfer (REST) APIs
Software Security Analyst
Lots of software stuff
Technical Manager, AppSec
Experience deploying systems and applications using cloud solutions (e.g. Amazon AWS, Azure)
Experience with DevOps, CI/CD, Chef, Puppet
Application security – secure SDLC practices, secure coding, application vulnerabilities, DAST, SAST, RASP, WAF
Security Engineer
Teach secure coding practices to software engineers through regular code reviews
Validate and triage vulnerabilities submitted by researchers from our bug bounty program
Design automated tests to ensure secure coding practices are followed
Experience testing for vulnerabilities in Ruby on Rails applications
Solid understanding of web security fundamentals
Information Security Analyst/Engineer
Experience with various scripting and programming languages such as Python, Perl, Java, etc. Experience with C and/or C++ would be awesome.
Experience with both RDBMS (MySQL) and NoSQL (Cassandra, Couchbase, Mongo).
Experience with and proven methods for analyzing and interpreting information from Security Operations Centers (SOCs), Computer Security Incident Response Teams (CSIRTs), or SecOps systems.
Experience deploying, monitoring, and managing the information security risk posture with open source tools, to include: Moloch, ElasticSearch + Logstash + Kibana (The ELK stack), SIEMonster, Bro, Snort, Suricata, Syslog, Cuckoo, etc.
Proficiency with using and securing popular cloud services (SAAS, IAAS, etc.).
Security Ops Engineer at Slack
Responsibilities
Create and develop solutions to improve Slack’s Security stack
Build and maintain the state of the art systems that help make Slack more secure
Automate tooling and process to eliminate as much manual work as possible
Collaborate with Slack’s operations team and advise on best practices
Help improve signal detection and alerting capabilities
Participate in the on-call rotation supporting the security team’s infrastructure
Requirements
You have a background in development or operations with a strong interest in security
You are proficient in at least one programming language, such as Python, Go, Node, PHP, Ruby, *sh, etc.
You have strong written and verbal communication skills
You have a solid understanding of web application architecture
You write readable, maintainable code
You have a solid background using Linux and *nix operating systems
You have experience working with git for source code management
You have used configuration management tools (Ansible, Chef, Puppet, etc)
You have experience with administration of cloud services, such as AWS
“Learn to write code”, what does that mean?
Doesn’t mean you have to learn to write UI, mobile apps, create database schemas and all that.
It means you should be able to recognize opportunities to make a task more efficient and write the code to implement that change
Learn to do it for ordinary, boring things. ESPECIALLY that. Automate the boring.