DevSecOps and the New Path Forward

@WICKETT
DevSecOps and The New
Path Forward
JAMES WICKETT @ SIGNAL SCIENCES

@WICKETT
Want the slides and
referenced links?
james@signalsciences.com

@WICKETT
‣ HEAD OF RESEARCH AT SIGNAL SCIENCES
‣ ORGANIZER OF DEVOPS DAYS AUSTIN
‣ LYNDA.COM AUTHOR ON DEVOPS
‣ BLOG AT THEAGILEADMIN.COM
@WICKETT

@WICKETT
‣ DEVOPS IS CHANGING AND THERE IS A BIG RISK
TO LOSE OUR WAY.
‣ SECURITY IS IN CRISIS
‣ SECURITY AT FORWARD-LEANING SHOPS HAVE
FOUND THE NEW WAY.
‣ LET’S JUXTAPOSE THE OLD WAY AND THE NEW
WAY OF SECURITY IN DEVOPS.
SUMMARY

@WICKETT
‣ CAN SECURITY AS AN INDUSTRY RISE TO THE
DEMANDS OF DEVOPS?
‣ IS THE DEVOPS CULTURE ABLE TO HANDLE
SECURITY AND ALL OF OUR BAGGAGE?
‣ WILL SECURITY DESTROY THE DEVOPS
CULTURE?
QUESTIONS ON MY MIND

@WICKETT
Maybe in order to understand devsecops, we have to
look at the word itself. Basically, it’s made up of three
separate words: de, vseco, and ps. What do these
words mean? It’s a mystery, and that’s why so is
devsecops.
- DevSecOps Deep Thoughts

@WICKETT
Whenever someone asks
me to define devsecops, I
usually think for a minute,
then I spin around and pin
the guy's arm behind his
back. NOW who's asking the
questions?
- DevSecOps Deep Thoughts
Shoutout to the @TheJewberwocky the original DevOps Deep Thoughts

@WICKETT
The original DevOps Deep Thoughts were created by the
hilarious and awesome Josh Zimmerman
(@TheJewberwocky) as Not Jack Handey which is
parody of Deep Thoughts by Jack Handey.
These DevSecOps Deep Thoughts are not nearly as
funny nor deep, but hey what do you expect of a parody
of a parody?

@WICKETT
Many people don't realize that
playing dead can help not only
with bears, but also at
important business meetings.
- Jack Handey

@WICKETT
‣ WEB AND ECOMM FOR $1B COMPANY
‣ BRUTAL ONCALL ROTATIONS
‣ +24HR DEPLOYMENTS
‣ WATERFALL, WATERFALL, WATERFALL
‣ FRIENDS ARE BORN FROM ADVERSITY
FIRST BIGCO JOB

@WICKETT
‣ IN 2007 WENT STARTUP AND AWS CLOUD
‣ LEARNED A BIT ABOUT FAILURE AND
HAPPINESS
‣ REJOINED OLD TEAM IN 2010 FOR NEW CLOUD
VENTURE BACK IN BIGCO
CLOUDING FOR PROFIT

@WICKETT
‣ DEVOPS AND INFRA AS CODE
‣ NOT CD, BUT DEPLOYS DAILY
‣ AT BIGCO DELIVERED 4 SAAS PRODUCTS IN 2
YEARS WITH DEVOPS AND CLOUD
ENTER DEVOPS

@WICKETT
‣ FOUND RUGGED SOFTWARE
‣ MET GENE KIM IN 2012 IN A BAR IN AUSTIN
‣ CREATED GAUNTLT
‣ LATER, JOINED SIGNAL SCIENCES
DEVOPS AND SECURITY

@WICKETT
Labor Inequity
Permeates IT Ranks

@WICKETT
Yet, I remained optimistic
for DevOps+Security

@WICKETT
OUR ROOTS: FRIENDSHIP

@WICKETT
CULTURE IS THE MOST
IMPORTANT ASPECT TO DEVOPS
SUCCEEDING IN THE
ENTERPRISE
- PATRICK DEBOIS

@WICKETT
‣ MUTUAL UNDERSTANDING
‣ SHARED LANGUAGE
‣ SHARED VIEWS
‣ COLLABORATIVE TOOLING
4 KEYS TO CULTURE

@WICKETT
DevSecOps is the
extension of the DevOps
culture for the inclusion
of Security

@WICKETT
Security is in Crisis

@WICKETT
Companies are spending a great deal on
security, but we read of massive computer-
related attacks. Clearly something is wrong.
The root of the problem is twofold:
we’re protecting the wrong things,
and we’re hurting productivity in the process.
THINKING SECURITY, STEVEN M. BELLOVIN 2015

@WICKETT
[Security by risk assessment]
introduces a dangerous fallacy: that
structured inadequacy is almost as
good as adequacy and that
underfunded security efforts plus risk
management are about as good as
properly funded security work

@WICKETT
many security teams work
with a worldview where their
goal is to inhibit change as
much as possible

@WICKETT
“SECURITY PREFERS A SYSTEM POWERED
OFF AND UNPLUGGED”
- DEVELOPER

@WICKETT
“…THOSE STUPID DEVELOPERS”
- SECURITY PERSON

@WICKETT
Security must
Change or Die

@WICKETT
“every aspect of managing WAFs is an ongoing
process. This is the antithesis of set it and forget it
technology. That is the real point of this research.
To maximize value from your WAF you need to go
in with everyone’s eyes open to the eﬀort required
to get and keep the WAF running productively.”
- WHITEPAPER FROM AN UNDISCLOSED WAF VENDOR

@WICKETT
The World has Changed

@WICKETT
* - yes, we know there is container reuse and writability
Serverless encourages functions as
deploy units and run as one-time*,
read-only containers*, coupled with
third party services that allow running
end-to-end applications without
worrying about system operation.

@WICKETT
VMsHardware Serverless
Inspiration from @adrianco
Waste
Value

@WICKETT
Read-only containers and
serverless shift the
security story to almost
100% application security

@WICKETT
DevOps
A New Traveling Companion
for Security
(…and probably the only way to survive)

@WICKETT
High performers spend 50 percent less
time remediating security issues than
low performers.
By better integrating information security
objectives into daily work, teams achieve
higher levels of IT performance and build
more secure systems.
2016 State of DevOps Report

@WICKETT
High performing orgs achieve
quality by incorporating
security (and security teams)
into the delivery process
2016 State of DevOps Report

@WICKETT
OLD PATH VS. NEW PATH
Embrace Secrecy Create Feedback Loops
Just Pass Audit! Compliance adds Value
Enforce Stability Create Chaos
Build a Wall Zero Trust Networks
Slow Validation Fast and Non-blocking
Certainty Testing Adversity Testing
Test when Done Shift Left
Process Driven The Paved Road

@WICKETT
A security team who embraces
openness about what it does and
why, spreads understanding.
- Rich Smith

@WICKETT
Runtime is arguably the
most important place to
create feedback loops

@WICKETT
‣ ACCOUNT TAKEOVER ATTEMPTS
‣ AREAS OF THE SITE UNDER ATTACK
‣ MOST LIKELY VECTORS OF ATTACK
‣ BUSINESS LOGIC FLOWS
DETECT WHAT MATTERS

@WICKETT
Are you under attack?

@WICKETT
Which is a better feedback loop?

@WICKETT
Develop Inherit Build Deploy Operate
- Open Source: modSecurity +
ELK To gain application insight
monitoring.
- Paid NGWAF / RASP Options:
Signal Sciences, Contrast, Prevoty
Runtime Defense Tooling
- Pro-tip: Avoid adding appsec
defense at the CDN

@WICKETT
‣ POLICIES AND PROCEDURES IN PLACE
‣ EFFECTIVE EXECUTION OF THOSE POLICIES TO
ALLOW YOU TO KEEP FUNCTIONING
‣ MOST OF PCI AND OTHER FRAMEWORKS
PROVIDE REASONABLY GOOD PRACTICES *IF*
YOU REMOVE ALL THE WATERFALL BITS
UNDERSTAND AUDITORS

@WICKETT
[Deploys] can be treated as
standard or routine changes
that have been pre-approved
by management, and that
don’t require a heavyweight
change review meeting.

Separation of Duties Considered Harmful

@WICKETT
Developers with Access to
Production, Oh My!!!
https://www.schellmanco.com/blog/2012/12/auditing-devops-
developers-with-access-to-production/

@WICKETT
Check out DevOps Audit
Defense Toolkit
https://cdn2.hubspot.net/hubfs/228391/Corporate/
DevOps_Audit_Defense_Toolkit_v1.0.pdf

@WICKETT
‣ ADD IN CHAOS TO YOUR SYSTEM AND
APPLICATION
‣ CHAOS MONKEY
‣ ANTI-FRAGILE
‣ RELEASE IT! BOOK
CHAOS ENGINEERING

@WICKETT
‣ ADDS MISCONFIG TO THE STACK AND CHECKS
TO SEE IF IT GETS DETECTED
‣ NEW OPEN SOURCE TOOL!
‣ RUNS AS A LAMBDA
CHAOS SLINGR

@WICKETT
‣ VALIDATE YOUR SYSTEM CAN HANDLE CHAOS
THROUGH THE USE OF CHAOS EXPERIMENTS
‣ MANUAL OPT-OUT OF CHAOS
‣ ENGINEERING CULTURE THAT SECURITY CAN
ADOPT
‣ MICHAEL NYGARD’S RELEASE IT (2ND EDITION)
CHAOS EXPERIMENTS

@WICKETT
‣ I AM BEING PEN TESTED ANYWAY, WHY NOT
FIND OUT WHAT THEY ARE FINDING?
‣ 24/7 PEN TESTING
‣ BUILDS DEVELOPER CONFIDENCE
‣ FINDS MIX OF LOW HANGING FRUIT AND
SOMETIMES MUCH MORE!
BUG BOUNTIES

@WICKETT
The ACL is moved from
Network Layer to the
Application Layer

@WICKETT
‣ NO PERIMETER SECURITY
‣ ASSUME COMPROMISE
‣ INSTRUMENT ALL LAYERS
‣ EXTENDS FROM LAPTOPS TO WEB
APPS TO CUSTOMER ACCOUNTS
ZERO TRUST NETWORKS

@WICKETT
Replay: Wendy Nather
Modern Security Series
https://info.signalsciences.com/mfa-multi-factor-authentication-modern-
security-series

@WICKETT
‣ DON’T SLOW DELIVERY
‣ CONTINUOUS TESTING AND VALIDATION
‣ TESTING ON THE SIDE OF THE PIPELINE
‣ PENETRATION TESTING OUTSIDE OF DELIVERY
FAST AND NON-BLOCKING

@WICKETT
Currently, at Signal
Sciences we do about 15
deploys per day

@WICKETT
Roughly 10,000 deploys in
the last 2.5 yrs

@WICKETT
CD is how little you can
deploy at a time

@WICKETT
We optimized for cycle
time—the time from code
commit to production

Gave power to the team to deploy

@WICKETT
Signal Sciences is a
software as a service
company and a security
company

@WICKETT
Security is part of CI/CD
and the overall delivery
pipeline

@WICKETT
‣DESIGN
‣INHERIT
‣BUILD
‣DEPLOY
‣OPERATE
PIPELINE PHASES

@WICKETT
‣INHERIT
‣BUILD
‣OPERATE
SECURITY
CONSIDERATIONS
What have I bundled into my
app that leaves me
vulnerable?
Do my build acceptance
tests and integration tests
catch security issues before
release?
Am I being attacked right
now? Is it working?

@WICKETT
Shifting testing left with
Red Team Mondays
at Intuit

@WICKETT
The goal should be to come up with a
set of automated tests that probe and
check security configurations and
runtime system behavior for security
features that will execute every time
the system is built and every time it is
deployed.

@WICKETT
Security tools are
intractably noisy and
diﬃcult to use

@WICKETT
A method of collaboration
was needed for devs, ops
and security eng.

@WICKETT
There needed to be a new
language to span the
parties

@WICKETT
Framework with Security testing written in a natural
language that developers, security and operations can
understand.
Gauntlt wraps security testing tools but does not install tools
Gauntlt was built to be part of the CI/CD pipeline
Open source, MIT License,
gauntlt.org

@WICKETT
@slow @final
Feature: Look for cross site scripting (xss) using arachni
against a URL
Scenario: Using arachni, look for cross site scripting and verify
no issues are found
Given "arachni" is installed
And the following profile:
| name | value |
| url | http://localhost:8008 |
When I launch an "arachni" attack with:
"""
arachni —check=xss* <url>
"""
Then the output should contain "0 issues were detected."
Given
When
Then
What?

@WICKETT
“We have saved millions of
dollars using Gauntlt for the
largest healthcare industry
project.”
- Aaron Rinehart, UnitedHealthCare

@WICKETT
http://bit.ly/2s8P1Ll

@WICKETT
‣ 8 LABS FOR GAUNTLT
‣ HOW TO USE GAUNTLT FOR NETWORK CHECKS
‣ GAUNTLT FOR XSS, SQLI, OTHER APSES
‣ HANDLING REPORTING
‣ USING ENV VARS
‣ CI SYSTEM SETUP
WORKSHOP INCLUDES:

@WICKETT
github.com/gauntlt/gauntlt-demo

@WICKETT
Advice: Use Gauntlt in a
docker container

@WICKETT
https://github.com/
gauntlt/gauntlt-docker

@WICKETT
https://www.slideshare.net/wickett/the-emergent-cloud-security-toolchain-for-cicd

@WICKETT
- This is your real LOC count!
- The Software Delivery Supply
Chain
- Publish a Bill of Materials and
trace back
Inheriting Code
- This is not just application
dependencies and libraries,
but also OS-level (remember
shellshock, heartbleed, ..)

@WICKETT
Inheritance ﬂaws are in
containers too.

@WICKETT
OVER 30% OF OFFICIAL IMAGES IN
DOCKER HUB CONTAIN HIGH PRIORITY
SECURITY VULNERABILITIES
https://banyanops.com/blog/analyzing-docker-hub/

@WICKETT
‣ MAKE IT EASY FOR PEOPLE TO DO THE RIGHT
THING
‣ JASON CHAN, NETFLIX
‣ GOLD IMAGES
‣ BLESSED BUILDS AND DEPENDENCIES
THE PAVED ROAD

@WICKETT
Don’t be a blocker, be an
enabler of the business

@WICKETT
Empathy and Enablement
Be Fast and Non-Blocking
Don’t slow delivery
Join with continuous testing efforts
Security testing automated in every phase
Penetration Testing alongside the Pipeline
Security provides value through making security normal

DevSecOps and the New Path Forward

More Related Content

What's hot

Similar to DevSecOps and the New Path Forward

Recently uploaded

DevSecOps and the New Path Forward