Shannon Lietz, profile picture
Uploaded byShannon Lietz
PPTX, PDF3,100 views

DevSecCon KeyNote London 2015

This document discusses the evolution of security practices to enable secure innovation at speed and scale through a DevSecOps approach. It outlines how traditional security controls can be transformed into self-aware, self-reporting components that integrate seamlessly into the DevOps pipeline. Specific examples are provided for how perimeter testing, configuration management, encrypting sensitive data, access management, and multi-factor authentication can move from annual certifications to continuous monitoring and enforcement. The document advocates for collaboration, experimentation, and a focus on simplicity and automation to evolve security practices for DevOps.

Embed presentation

Downloaded 41 times
LONDON 2015Join the conversation #devseccon Securing Innovation @ Speed & Scale via DevSecOps DEVSECCON LONDON 2015 @devsecops
Who am I? • 25+ yrs Technology & Security Experience • Background in Security R&D • Working with the Cloud before it was called the “Cloud” • Manage teams using DevOps, Agile & Scrum • Incident Response & Crisis Management -- FOUNDER --
The Race for Competitive Advantage… Indicators that demonstrate change: • Tailoring business to the needs of customers to achieve large-scale business returns is driving Cloud & DevOps adoption • Small businesses and entrepreneurs are enabled to compete in complex business models with boutique appeal against Enterprises • High performing teams are being developed and incubated in Enterprises to mimic the DevOps teams found in Start-ups.
Startups on the Rise in 2015… From 1996 to 2015: • Increase in Startups in 2015, shows rebound • Entrepreneurs over 55 has nearly doubled • Significant Rise in Immigrant Entrepreneurs • New Entrepreneurs are on the rise again • More men than women are becoming first time Entrepreneurs kauffman.org
DevOps Growth… Google Trends • DevOps.com was bought in 2004 • Google searches for “DevOps” started to rise in 2010 • Major influences: • Saving your Infrastructure from DevOps / Chicago Tribune • DevOps: A Culture Shift, Not a Technology / Information Week • DevOps: A Sharder’s Tale from Etsy • DevOps.com articles • RuggedSoftware.org was bought in 2010 https://www.google.com/trends/
Cloud Security Boom… • Cloud Platform security features are on the rise the last few years • Security in the Cloud is becoming the norm • Default configurations are still not quite there but will become the focus with growing thought leadership • Cloud Provider’s must solve for providing security features that scale • Security teams need to learn to use these features quickly2007 2008 2009 2010 2011 2012 2013 2014 2015 48 61 82 159 280 514 ? AWS re:Invent 2015
Big Data? • Reflecting on this 2013 article • Devices & IoT drive bigger data • Instrumentation <- Security needs this • Asset management & monitoring • Service Support http://www.enterprisecioforum.com/big-data-case-study-utilities/
DevOps increases speed & scale… This collaborative effort can help DevOps-led projects make IT operational metrics 100 times better, and in so doing offers “an evolutionary fork in the road” which could lead to the “end of security as we know it,” added Joshua Corman – founder of Rugged DevOps and I am the Cavalry. http://www.infosecurity-magazine.com/news/infosec15-devops-end-of-security
So what hinders “secure” innovation @ speed & scale? 1. Friction for friction’s sake 2. Manual processes & meeting culture 3. Point in time assessments 4. Decisions being made outside of value creation 5. Contextual misunderstandings 6. Late constraints and requirements 7. Big commitments, big teams, and big failures 8. Fear of failure, lack of learning 9. Lack of inspiration 10. Management and political interference (approvals, exceptions)
And then there’s… Security & Compliance! • The discipline is very complex • Majority of the Security Industry is Vendor dependent • Requires Meetings, Appointments, and Point in Time evaluations with low context • Requirements are dependent on what is developed • The art of “No” has become its own science
Can Security evolve? OPS SEC DEV • Security as Code • Self-Service Testing • Red Team/Blue Team • Inline Enforcement • Analytics & Insights • Detect & Contain • Incident Response • Investigations • Forensics AppSec
What’s the DevSecOps Mission? …creating targeted customer value through secure iterative innovation at speed & scale … Security is Everyone’s Job!
What should we value to evolve Security for DevOps? Leaning in over Always Saying “No” Data & Security Science over Fear, Uncertainty and Doubt Open Contribution & Collaboration over Security-Only Requirements Consumable Security Services with APIs over Mandated Security Controls & Paperwork Business Driven Security Scores over Rubber Stamp Security Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident Shared Threat Intelligence over Keeping Info to Ourselves Compliance Operations over Clipboards & Checklists In essence, don’t waste people’s time with Fear -> Uncertainty -> Doubt devsecops.org
Imagine adding Security into the DevOps pipeline… Security Self-Service skills Biz UX Dev Data App Sec Sec Eng Science Comp Ops Sec Ops Ops Training Software & Infrastructure Platforms Software Components & Resources YOUR APP STACK GOES HERE Operational Tools & Monitoring collaboration, partnership, value creation, self-service [DevOps, Agile, Scrum, Cloud]
The Art of DevSecOps (Security View) DevSecOps Security Engineering Experiment, Automate, Test Security Operations Hunt, Detect, Contain Compliance Operations Respond, Manage, Train Security Science Learn, Measure, Forecast
Can we make it simple? Yes! • Smaller Teams • Smaller Services • Smaller Failures • Rest APIs drive culture • Customer focus • Deep problem understanding throughout org • Deliberate dedication to solving and simplifying tech challenges • Products and Services have security built-in along the supply chain • Security removes barriers and roadblocks as self-service for DevOps • Managers map, magnify and multiply to create culture blast radius
How can we get started? Small Project Migration Big Project Approach is tailored to small experiments and pipeline testing. Pros: • Requires DevOps Approach • Fast failures • Team learns to collaborate • Higher Productivity, Less waste Cons: • Skill shortages • Team needs vision to avoid micro-focus churn Approach allows organization to map and adjust for what they already know. Pros: • Allows companies to keep operating while teams figure out what’s needed Cons: • Overload • Can be slower to accomplish completion • Failures can become complex Approach is “all-in” and used to transform an organization as a whole. Pros: • Firm commitment alleviates political back and forth • Focus & All-in Speed Cons: • Bigger Failures • Difficult for everyone to learn from mistakes and experiments
Small Project -> The Provocation How can we transform a control into a self-aware, self-reporting, self-healing component that can be consumed at speed & scale? Our challenge is to begin the process of creating self-aware and self-reporting components. This process can be achieved using configuration management tools, open source and log management systems. Let’s work with the IA Controls from NIST 800-53 today and use the implementation of MFA as an example. Specifically, IA-2 calls for multi-factor authentication which is available in some Software Defined Environments as a feature. Let’s look at how we can enable MFA within our Stack and the different use cases that are present and require security baseline components. Questions to answer: 1. How can baseline components be shared and extended? 2. Once the component is ready to be used, implemented, then what? 3. What about the feedback loop? 4. What is the best way to create an automated report that is continuously built and maintained? 5. How can we report across a full-stack? 6. What tools can assist? FW ? Web ? Compliance at Velocity (https://medium.com/compliance-at-velocity)
Migrations -> One foot in… One foot out... Web App Web DB App DB Traditional IT & Security DevOps + DevSecOps FW/IDS FW/IDS ELB App ELB DBAAS App DBAAS
Big Project -> The Hail Mary Web App Web DB App DB Traditional IT & Security DevOps? + DevSecOps? FW/IDS FW/IDS Web App Web DB App DB FW/IDS FW/IDS What is this?
Why is approach so important? API KEY EXPOSURE -> 8 HRS DEFAULT CONFIGS -> 24 HRS SECURITY GROUPS -> 24 HRS ESCALATION OF PRIVS -> 5 D KNOWN VULN -> 8 HRS
So let’s recap before we move on to examples… DevSecOps needs: • Active Collaboration • High Engagement • Experimentation • Open Contribution • Fail Fast Culture • Ability to adapt and learn • DevOps Understanding • Focusing on Simplicity Not this one… This one!!
Perimeter Testing THEN PCI DSS1.1.1 – Approve/Test/Detect firewall changes NOW Scan API, Ingest Config/Cloudtrail, trigger firewall audits and revert unapproved changes to heal to spec Labor: 40 hours/Annually Tools: Excel, Text Pad, Open Source or Commercial Config Management Labor: 40 hours/First Year, 8 hours per yr maintain Tools: APIs, Logs, Open Source, Commercial Measure: Certify annually Impact: High Measure: Mean time to Detection, Mean time to Resolve Impact: Depends on Resource
Configuration Management/Baselines THEN PCI DSS2.2 - Develop & Assure configuration standards for all system components. NOW Track known good CF stacks & AMIs, alert or neutralize non- compliant/non-approved deploys Labor: 40 hours/Annually/Per Major Component Tools: Excel, Text Pad, Open Source or Commercial Config Management Labor: 40 hours/First Year, 1 hour per yr maintain/Per Component Tools: APIs, Logs, Open Source, Commercial Measure: Certify annually Impact: High Measure: Mean time to Detection, Mean time to Resolve Impact: High
Encrypting Sensitive Data THEN HIPAA 164.312(a)(2)(iv): Implement a method to encrypt and decrypt electronic protected health information. NOW Enforce encryption of all assets by platform or data classification tags. Continuous enforcement and automated detection. Labor: 1 FTE minimum per 3 DevOps Teams Tools: Commercial, Open Source Labor: 8 hours Tools: APIs, Logs, Open Source, Commercial Measure: Certify annually Impact: High Measure: Mean time to Detection, Mean time to Resolve Impact: High
Access Management THEN NIST800-53 AC2(12) – Monitors and report atypical usage of information system accounts. NOW Cloudtrail/Config user attribution of use/abuse, ability to reduce team size and allow for smaller containers Labor: 1 FTE minimum Tools: Commercial, Open Source Labor: 40 hours Dev, 8 hours Maintain Tools: APIs, Logs, Open Source, Commercial Measure: Certify quarterly, annually Impact: High Measure: Mean time to Detection, Mean time to Resolve Impact: High
Multi-Factor Authentication THEN NIST800-53 IA-2 – The information system uniquely identifies and authenticates organizational users NOW MFA built into APIs and Cloud Platforms can be exposed for authorization decisions Labor: 1 FTE minimum Tools: Commercial, Open Source Labor: 1 hour per week Tools: APIs, Logs, Open Source, Commercial Measure: Certify annually Impact: High Measure: Mean time to Resolve Impact: High Global Call to Action 2015
Get Involved and Join the Community • devsecops.org • @devsecops on Twitter • DevSecOps on LinkedIn • DevSecOps on Github • RuggedSoftware.org • Compliance at Velocity • Join Us !!! • Spread the word!!!

More Related Content

PPTX
The Journey to DevSecOps
bySeniorStoryteller
 
KEY
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
PDF
DevOps and DevSecOps, Incident Management
byShriniKulkarni
 
PDF
DevSecOps - The big picture
byDevSecOpsSg
 
PDF
DevSecOps - The big picture
byStefan Streichsbier
 
PPTX
Finding Security a Home in a DevOps World
byShannon Lietz
 
PDF
Security at the Speed of Software Development
byDevOps.com
 
PPTX
Security as Code owasp
byShannon Lietz
 
The Journey to DevSecOps
bySeniorStoryteller
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
DevOps and DevSecOps, Incident Management
byShriniKulkarni
 
DevSecOps - The big picture
byDevSecOpsSg
 
DevSecOps - The big picture
byStefan Streichsbier
 
Finding Security a Home in a DevOps World
byShannon Lietz
 
Security at the Speed of Software Development
byDevOps.com
 
Security as Code owasp
byShannon Lietz
 

What's hot

PPTX
Security and DevOps Overview
byAdrian Sanabria
 
PDF
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
PDF
2019 DevSecOps Reference Architectures
bySonatype
 
PDF
DevSecCon London 2017: Shift happens ... by Colin Domoney
byDevSecCon
 
PDF
DevSecOps in Baby Steps
byPriyanka Aash
 
PDF
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
byDevSecCon
 
PPTX
Safely Removing the Last Roadblock to Continuous Delivery
bySeniorStoryteller
 
PPTX
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
byPuppet
 
PPTX
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
bySeniorStoryteller
 
PDF
DevSecOps: Minimizing Risk, Improving Security
byFranklin Mosley
 
PPTX
Overcoming Security Challenges in DevOps
byAlert Logic
 
PPTX
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
bySeniorStoryteller
 
PDF
Integrating DevOps and Security
byStijn Muylle
 
PPTX
Integrating Security into DevOps
byCloudPassage
 
PDF
DevSecCon London 2017: How far left do you want to go with security? by Javie...
byDevSecCon
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
PDF
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
byDevSecOpsSg
 
PDF
Ast in CI/CD by Ofer Maor
byDevSecCon
 
PDF
Dos and Don'ts of DevSecOps
byPriyanka Aash
 
Security and DevOps Overview
byAdrian Sanabria
 
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
2019 DevSecOps Reference Architectures
bySonatype
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
byDevSecCon
 
DevSecOps in Baby Steps
byPriyanka Aash
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
byDevSecCon
 
Safely Removing the Last Roadblock to Continuous Delivery
bySeniorStoryteller
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
byPuppet
 
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
bySeniorStoryteller
 
DevSecOps: Minimizing Risk, Improving Security
byFranklin Mosley
 
Overcoming Security Challenges in DevOps
byAlert Logic
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
bySeniorStoryteller
 
Integrating DevOps and Security
byStijn Muylle
 
Integrating Security into DevOps
byCloudPassage
 
DevSecCon London 2017: How far left do you want to go with security? by Javie...
byDevSecCon
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
byDevSecOpsSg
 
Ast in CI/CD by Ofer Maor
byDevSecCon
 
Dos and Don'ts of DevSecOps
byPriyanka Aash
 

Viewers also liked

PPTX
Cloud Security Essentials 2.0 at RSA
byShannon Lietz
 
PDF
Un-broken Logging - Operability.io 2015 - Matthew Skelton
bySkelton Thatcher Consulting Ltd
 
PDF
SPOF - Single "Person" of Failure
bySasha Rosenbaum
 
PPTX
DevSecCon Keynote
byShannon Lietz
 
PPTX
ISACA Ireland Keynote 2015
byShannon Lietz
 
PDF
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
byDevSecCon
 
PPTX
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
byDevSecCon
 
PPTX
S360 2015 dev_secops_program
byShannon Lietz
 
PPTX
The Journey to DevSecOps
byShannon Lietz
 
PDF
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
byDevSecCon
 
PDF
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
byDevSecCon
 
PDF
Securing the container DevOps pipeline by William Henry
byDevSecCon
 
PPTX
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
byShannon Lietz
 
PDF
Chaos patterns - architecting for failure in distributed systems
byJos Boumans
 
PPTX
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...
byDevSecCon
 
PPTX
DevSecCon Asia 2017 Arun N: Securing chatops
byDevSecCon
 
PPTX
Monitoring Is Never Done
byMelanie Cey
 
PDF
Justin collins - Practical Static Analysis for continuous application delivery
byDevSecCon
 
PDF
Devops and Immutable infrastructure - Cloud Expo 2015 NYC
byJohn Willis
 
PDF
DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...
byDevSecCon
 
Cloud Security Essentials 2.0 at RSA
byShannon Lietz
 
Un-broken Logging - Operability.io 2015 - Matthew Skelton
bySkelton Thatcher Consulting Ltd
 
SPOF - Single "Person" of Failure
bySasha Rosenbaum
 
DevSecCon Keynote
byShannon Lietz
 
ISACA Ireland Keynote 2015
byShannon Lietz
 
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
byDevSecCon
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
byDevSecCon
 
S360 2015 dev_secops_program
byShannon Lietz
 
The Journey to DevSecOps
byShannon Lietz
 
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
byDevSecCon
 
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
byDevSecCon
 
Securing the container DevOps pipeline by William Henry
byDevSecCon
 
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
byShannon Lietz
 
Chaos patterns - architecting for failure in distributed systems
byJos Boumans
 
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...
byDevSecCon
 
DevSecCon Asia 2017 Arun N: Securing chatops
byDevSecCon
 
Monitoring Is Never Done
byMelanie Cey
 
Justin collins - Practical Static Analysis for continuous application delivery
byDevSecCon
 
Devops and Immutable infrastructure - Cloud Expo 2015 NYC
byJohn Willis
 
DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...
byDevSecCon
 

Similar to DevSecCon KeyNote London 2015

PDF
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
PDF
Protecting Agile Transformation through Secure DevOps (DevSecOps)
byEryk Budi Pratama
 
PPTX
Finding-Security-A-Home-In-A-DevOps-World.pptx
byalejandro415203
 
PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PPTX
Devsec ops
byVipinYadav257
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
PPTX
DevSecOps: Integrating Security Into DevOps! {Business Security}
byAlgoworks Inc
 
PPTX
Is DevOps Braking Your Company?
byconjur_inc
 
PDF
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
PDF
The What, Why, and How of DevSecOps
byCprime
 
PDF
How DevOps Improves Security DevSecOps Explained.pdf
byhimanshuwowit
 
PDF
Introduction to DevSecOps
bySetu Parimi
 
PPTX
The End of Security as We Know It - Shannon Lietz
bySeniorStoryteller
 
PPTX
Ensuring Secure and Efficient Operations with DevOps Security
byDev Software
 
PDF
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
PDF
Agile Relevance in the age of Continuous Everything ....
byEturnti Consulting Pvt Ltd
 
PDF
Scale security for a dollar or less
byMohammed A. Imran
 
PDF
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
PPTX
DevSecOps without DevOps is Just Security
byKevin Fealey
 
PDF
Why does security matter for devops by Caroline Wong
byDevSecCon
 
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
byEryk Budi Pratama
 
Finding-Security-A-Home-In-A-DevOps-World.pptx
byalejandro415203
 
Introduction to DevSecOps
byabhimanyubhogwan
 
Devsec ops
byVipinYadav257
 
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
DevSecOps: Integrating Security Into DevOps! {Business Security}
byAlgoworks Inc
 
Is DevOps Braking Your Company?
byconjur_inc
 
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
The What, Why, and How of DevSecOps
byCprime
 
How DevOps Improves Security DevSecOps Explained.pdf
byhimanshuwowit
 
Introduction to DevSecOps
bySetu Parimi
 
The End of Security as We Know It - Shannon Lietz
bySeniorStoryteller
 
Ensuring Secure and Efficient Operations with DevOps Security
byDev Software
 
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
Agile Relevance in the age of Continuous Everything ....
byEturnti Consulting Pvt Ltd
 
Scale security for a dollar or less
byMohammed A. Imran
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
DevSecOps without DevOps is Just Security
byKevin Fealey
 
Why does security matter for devops by Caroline Wong
byDevSecCon
 

Recently uploaded

PPTX
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
PPTX
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
PDF
Teaching Robots how to Read 1/2: AI Center & Classic Document Understanding (...
byanabulhac
 
PDF
apidays Australia 2025 | The Strategic Role of APIs in Digital Transformation
byapidays
 
PDF
Safer’s Picks: Recent FME Enhancements with Big Everyday Impact
bySafe Software
 
PPTX
Driving Smarter Decisions with Oracle Analytics Cloud Consulting
byChetu
 
PPTX
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
PPTX
AI and Digital Transformation Solutions.
byBuildingblocks
 
PPTX
SOFTWARE DEVELOPMENT PROCESS - INTRODUCTION
byParithi Thamizh
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
10 Best AI Tools for Fashion Brands in 2026
bymockitseo
 
PPTX
6G and Non-Terrestrial Networks (NTN) Testing.pptx
byXRComm
 
PDF
Agentic AI Roadmap 2026: Mastering Autonomous AI Workflows and Systems
byAeafat Ahmed Mubin
 
PDF
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 
PDF
Introduction to Linux and Basic Commands
byiDev Semarang
 
PPTX
Code Like Bro -A guide for better Coding
byMadan Panthi
 
PPT
connectives-linking words in English.ppt
byAmrMohammed82
 
PDF
Transcript: What ONIX can do: Leveraging metadata to support the discoverabil...
byBookNet Canada
 
PDF
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
PDF
Talaria: A Sound-Driven Music Search Engine for Discovery Beyond Metadata
byShuen-Huei Guan
 
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
Teaching Robots how to Read 1/2: AI Center & Classic Document Understanding (...
byanabulhac
 
apidays Australia 2025 | The Strategic Role of APIs in Digital Transformation
byapidays
 
Safer’s Picks: Recent FME Enhancements with Big Everyday Impact
bySafe Software
 
Driving Smarter Decisions with Oracle Analytics Cloud Consulting
byChetu
 
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
AI and Digital Transformation Solutions.
byBuildingblocks
 
SOFTWARE DEVELOPMENT PROCESS - INTRODUCTION
byParithi Thamizh
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
10 Best AI Tools for Fashion Brands in 2026
bymockitseo
 
6G and Non-Terrestrial Networks (NTN) Testing.pptx
byXRComm
 
Agentic AI Roadmap 2026: Mastering Autonomous AI Workflows and Systems
byAeafat Ahmed Mubin
 
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 
Introduction to Linux and Basic Commands
byiDev Semarang
 
Code Like Bro -A guide for better Coding
byMadan Panthi
 
connectives-linking words in English.ppt
byAmrMohammed82
 
Transcript: What ONIX can do: Leveraging metadata to support the discoverabil...
byBookNet Canada
 
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
Talaria: A Sound-Driven Music Search Engine for Discovery Beyond Metadata
byShuen-Huei Guan
 

DevSecCon KeyNote London 2015

  • 1.
    LONDON 2015Join theconversation #devseccon Securing Innovation @ Speed & Scale via DevSecOps DEVSECCON LONDON 2015 @devsecops
  • 2.
    Who am I? •25+ yrs Technology & Security Experience • Background in Security R&D • Working with the Cloud before it was called the “Cloud” • Manage teams using DevOps, Agile & Scrum • Incident Response & Crisis Management -- FOUNDER --
  • 3.
    The Race forCompetitive Advantage… Indicators that demonstrate change: • Tailoring business to the needs of customers to achieve large-scale business returns is driving Cloud & DevOps adoption • Small businesses and entrepreneurs are enabled to compete in complex business models with boutique appeal against Enterprises • High performing teams are being developed and incubated in Enterprises to mimic the DevOps teams found in Start-ups.
  • 4.
    Startups on theRise in 2015… From 1996 to 2015: • Increase in Startups in 2015, shows rebound • Entrepreneurs over 55 has nearly doubled • Significant Rise in Immigrant Entrepreneurs • New Entrepreneurs are on the rise again • More men than women are becoming first time Entrepreneurs kauffman.org
  • 5.
    DevOps Growth… Google Trends •DevOps.com was bought in 2004 • Google searches for “DevOps” started to rise in 2010 • Major influences: • Saving your Infrastructure from DevOps / Chicago Tribune • DevOps: A Culture Shift, Not a Technology / Information Week • DevOps: A Sharder’s Tale from Etsy • DevOps.com articles • RuggedSoftware.org was bought in 2010 https://www.google.com/trends/
  • 6.
    Cloud Security Boom… •Cloud Platform security features are on the rise the last few years • Security in the Cloud is becoming the norm • Default configurations are still not quite there but will become the focus with growing thought leadership • Cloud Provider’s must solve for providing security features that scale • Security teams need to learn to use these features quickly2007 2008 2009 2010 2011 2012 2013 2014 2015 48 61 82 159 280 514 ? AWS re:Invent 2015
  • 7.
    Big Data? • Reflectingon this 2013 article • Devices & IoT drive bigger data • Instrumentation <- Security needs this • Asset management & monitoring • Service Support http://www.enterprisecioforum.com/big-data-case-study-utilities/
  • 8.
    DevOps increases speed& scale… This collaborative effort can help DevOps-led projects make IT operational metrics 100 times better, and in so doing offers “an evolutionary fork in the road” which could lead to the “end of security as we know it,” added Joshua Corman – founder of Rugged DevOps and I am the Cavalry. http://www.infosecurity-magazine.com/news/infosec15-devops-end-of-security
  • 9.
    So what hinders“secure” innovation @ speed & scale? 1. Friction for friction’s sake 2. Manual processes & meeting culture 3. Point in time assessments 4. Decisions being made outside of value creation 5. Contextual misunderstandings 6. Late constraints and requirements 7. Big commitments, big teams, and big failures 8. Fear of failure, lack of learning 9. Lack of inspiration 10. Management and political interference (approvals, exceptions)
  • 10.
    And then there’s…Security & Compliance! • The discipline is very complex • Majority of the Security Industry is Vendor dependent • Requires Meetings, Appointments, and Point in Time evaluations with low context • Requirements are dependent on what is developed • The art of “No” has become its own science
  • 11.
    Can Security evolve? OPS SEC DEV •Security as Code • Self-Service Testing • Red Team/Blue Team • Inline Enforcement • Analytics & Insights • Detect & Contain • Incident Response • Investigations • Forensics AppSec
  • 12.
    What’s the DevSecOpsMission? …creating targeted customer value through secure iterative innovation at speed & scale … Security is Everyone’s Job!
  • 13.
    What should wevalue to evolve Security for DevOps? Leaning in over Always Saying “No” Data & Security Science over Fear, Uncertainty and Doubt Open Contribution & Collaboration over Security-Only Requirements Consumable Security Services with APIs over Mandated Security Controls & Paperwork Business Driven Security Scores over Rubber Stamp Security Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident Shared Threat Intelligence over Keeping Info to Ourselves Compliance Operations over Clipboards & Checklists In essence, don’t waste people’s time with Fear -> Uncertainty -> Doubt devsecops.org
  • 14.
    Imagine adding Securityinto the DevOps pipeline… Security Self-Service skills Biz UX Dev Data App Sec Sec Eng Science Comp Ops Sec Ops Ops Training Software & Infrastructure Platforms Software Components & Resources YOUR APP STACK GOES HERE Operational Tools & Monitoring collaboration, partnership, value creation, self-service [DevOps, Agile, Scrum, Cloud]
  • 15.
    The Art ofDevSecOps (Security View) DevSecOps Security Engineering Experiment, Automate, Test Security Operations Hunt, Detect, Contain Compliance Operations Respond, Manage, Train Security Science Learn, Measure, Forecast
  • 16.
    Can we makeit simple? Yes! • Smaller Teams • Smaller Services • Smaller Failures • Rest APIs drive culture • Customer focus • Deep problem understanding throughout org • Deliberate dedication to solving and simplifying tech challenges • Products and Services have security built-in along the supply chain • Security removes barriers and roadblocks as self-service for DevOps • Managers map, magnify and multiply to create culture blast radius
  • 17.
    How can weget started? Small Project Migration Big Project Approach is tailored to small experiments and pipeline testing. Pros: • Requires DevOps Approach • Fast failures • Team learns to collaborate • Higher Productivity, Less waste Cons: • Skill shortages • Team needs vision to avoid micro-focus churn Approach allows organization to map and adjust for what they already know. Pros: • Allows companies to keep operating while teams figure out what’s needed Cons: • Overload • Can be slower to accomplish completion • Failures can become complex Approach is “all-in” and used to transform an organization as a whole. Pros: • Firm commitment alleviates political back and forth • Focus & All-in Speed Cons: • Bigger Failures • Difficult for everyone to learn from mistakes and experiments
  • 18.
    Small Project ->The Provocation How can we transform a control into a self-aware, self-reporting, self-healing component that can be consumed at speed & scale? Our challenge is to begin the process of creating self-aware and self-reporting components. This process can be achieved using configuration management tools, open source and log management systems. Let’s work with the IA Controls from NIST 800-53 today and use the implementation of MFA as an example. Specifically, IA-2 calls for multi-factor authentication which is available in some Software Defined Environments as a feature. Let’s look at how we can enable MFA within our Stack and the different use cases that are present and require security baseline components. Questions to answer: 1. How can baseline components be shared and extended? 2. Once the component is ready to be used, implemented, then what? 3. What about the feedback loop? 4. What is the best way to create an automated report that is continuously built and maintained? 5. How can we report across a full-stack? 6. What tools can assist? FW ? Web ? Compliance at Velocity (https://medium.com/compliance-at-velocity)
  • 19.
    Migrations -> Onefoot in… One foot out... Web App Web DB App DB Traditional IT & Security DevOps + DevSecOps FW/IDS FW/IDS ELB App ELB DBAAS App DBAAS
  • 20.
    Big Project ->The Hail Mary Web App Web DB App DB Traditional IT & Security DevOps? + DevSecOps? FW/IDS FW/IDS Web App Web DB App DB FW/IDS FW/IDS What is this?
  • 21.
    Why is approachso important? API KEY EXPOSURE -> 8 HRS DEFAULT CONFIGS -> 24 HRS SECURITY GROUPS -> 24 HRS ESCALATION OF PRIVS -> 5 D KNOWN VULN -> 8 HRS
  • 22.
    So let’s recapbefore we move on to examples… DevSecOps needs: • Active Collaboration • High Engagement • Experimentation • Open Contribution • Fail Fast Culture • Ability to adapt and learn • DevOps Understanding • Focusing on Simplicity Not this one… This one!!
  • 23.
    Perimeter Testing THEN PCI DSS1.1.1– Approve/Test/Detect firewall changes NOW Scan API, Ingest Config/Cloudtrail, trigger firewall audits and revert unapproved changes to heal to spec Labor: 40 hours/Annually Tools: Excel, Text Pad, Open Source or Commercial Config Management Labor: 40 hours/First Year, 8 hours per yr maintain Tools: APIs, Logs, Open Source, Commercial Measure: Certify annually Impact: High Measure: Mean time to Detection, Mean time to Resolve Impact: Depends on Resource
  • 24.
    Configuration Management/Baselines THEN PCI DSS2.2- Develop & Assure configuration standards for all system components. NOW Track known good CF stacks & AMIs, alert or neutralize non- compliant/non-approved deploys Labor: 40 hours/Annually/Per Major Component Tools: Excel, Text Pad, Open Source or Commercial Config Management Labor: 40 hours/First Year, 1 hour per yr maintain/Per Component Tools: APIs, Logs, Open Source, Commercial Measure: Certify annually Impact: High Measure: Mean time to Detection, Mean time to Resolve Impact: High
  • 25.
    Encrypting Sensitive Data THEN HIPAA164.312(a)(2)(iv): Implement a method to encrypt and decrypt electronic protected health information. NOW Enforce encryption of all assets by platform or data classification tags. Continuous enforcement and automated detection. Labor: 1 FTE minimum per 3 DevOps Teams Tools: Commercial, Open Source Labor: 8 hours Tools: APIs, Logs, Open Source, Commercial Measure: Certify annually Impact: High Measure: Mean time to Detection, Mean time to Resolve Impact: High
  • 26.
    Access Management THEN NIST800-53 AC2(12)– Monitors and report atypical usage of information system accounts. NOW Cloudtrail/Config user attribution of use/abuse, ability to reduce team size and allow for smaller containers Labor: 1 FTE minimum Tools: Commercial, Open Source Labor: 40 hours Dev, 8 hours Maintain Tools: APIs, Logs, Open Source, Commercial Measure: Certify quarterly, annually Impact: High Measure: Mean time to Detection, Mean time to Resolve Impact: High
  • 27.
    Multi-Factor Authentication THEN NIST800-53 IA-2– The information system uniquely identifies and authenticates organizational users NOW MFA built into APIs and Cloud Platforms can be exposed for authorization decisions Labor: 1 FTE minimum Tools: Commercial, Open Source Labor: 1 hour per week Tools: APIs, Logs, Open Source, Commercial Measure: Certify annually Impact: High Measure: Mean time to Resolve Impact: High Global Call to Action 2015
  • 28.
    Get Involved andJoin the Community • devsecops.org • @devsecops on Twitter • DevSecOps on LinkedIn • DevSecOps on Github • RuggedSoftware.org • Compliance at Velocity • Join Us !!! • Spread the word!!!