If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk.
This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later.
This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them.
There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.
5. DevSecOps @ElizAyer
Key dynamics:
● Everyone had many responsibilities. No matter
what the official priorities, compliance paperwork
came last
● Dev had already damaged trust
● Security was severely underresourced
● Compliance sucked the oxygen from security
● At any point, the director could have made this
happen… but didn’t
6. DevSecOps @ElizAyer
Truly, everyone did the best job he or she
could, given what was known at the time, his or
her skills and abilities, the resources available,
and the situation at hand.
9. DevSecOps @ElizAyer
Why bring security into the development
process? [Crowdsourced]
● In any org with formal compliance, ignoring security may mean
delivering late or not at all.
● Can select what controls are important to YOU
○ Can also be platform specific
● Improves security - devs should understand what they might do to
cause a breach. Educate them early.
● Cost of fixing vulnerability is exponential
● Reduces schedule drift - improved flow
● Understand which tools can/can’t be used.
● Task may not be allowed at all
● May need to do major refactoring to incorporate, e.g. encryption
● Platform-level security practices.
● Brand reputation ***
11. DevSecOps @ElizAyer
DevOps is...
A combination of philosophies, practices and
tools that increases an organization’s ability to
deliver applications and services at high velocity
- AWS What is DevOps? (Dev Perspective)
12. DevSecOps @ElizAyer
DevOps is...
[A way to] reduce waste and make releases
boring
- Jez Humble, Author &18F Alumni (Ops perspective)
+Security!
14. DevSecOps @ElizAyer
Why isn’t security within the Ops in DevOps?
We call out security separately because:
1) Security is truly a specialist discipline
2) Security got left out of the first wave of DevOps
3) Security is used to encompass compliance, and
that’s definitely not part of DevOps
16. DevSecOps @ElizAyer
Why isn’t security within the Ops in DevOps?
We call out security separately because:
1) Security is truly a specialist discipline
2) Security got left out of the first wave of DevOps
3) Security is used to encompass compliance, and
that’s definitely not part of DevOps
22. DevSecOps @ElizAyer
One team handles a software system through
inception, delivery, maintenance, end-of-life of a
system.
1. People: the DevOps culture
23. DevSecOps @ElizAyer
Shared responsibility
for how software behaves in
production
23
Continuous feedback
results in tighter processes
that get better and better
Optimization of the
full system, not just one
piece, department, or interest.
Open communications and
knowledge sharing
enhance trust within the team
1. People: the DevOps culture
25. DevSecOps @ElizAyer
2. Process: Empowered Teams & Shift Left
An empowered team contains the skills and
authority it needs to develop & operate its systems.
For DevSecOps, the team needs basic security
skills and access to expertise.
26. DevSecOps @ElizAyer
2. Process: Empowered Teams & Shift Left
“Shift Left” means that operability concerns should
be considered as early in the dev cycle as possible.
+Security!
27. DevSecOps @ElizAyer
Evil User Story (aka Abuser Story) 1:
As a hacker, I want to have somebody’s benefits
paid to me instead.
2. Process: Empowered Teams & Shift Left
28. DevSecOps @ElizAyer
Evil User Story (aka Abuser Story) 2:
As the Russian government, I want to steal data and
release it so that I undermine confidence of the
American people in democracy.
2. Process: Empowered Teams & Shift Left
48. What is a threat model? (OWASP)
“Most of the time, a threat model includes:
● A description / design / model of what you’re worried about
● A list of assumptions that can be checked or challenged in the future
as the threat landscape changes
● A list of potential threats to the system
● A list of actions to be taken for each threat
● A way of validating the model and threats, and verification of success
of actions taken
Our motto is: Threat modelling: the sooner the better, but never too late.”
https://www.owasp.org/index.php/Application_Threat_Modeling
49. Threat Modelling Exercise:
Your trip home from Agile 2019 (from here to when you
walk in your front door).
1. What could go wrong?
DevSecOps @ElizAyer
50. What could go wrong Agile 2019-> Home
[Crowdsourced]
● Flight delay, cancelled,
● TSA
● Lost luggage, passport/id
● Forget keys (house, car)
● Random act of violence
● Shut down freeways/metro,
beltway traffic
● Car accident
● Personal sickness
● Lose your phone -
● GPS malfunction
●
● Wrong airport
● Alien abduction
● Uber goes out of business
● Water taxi piracy
● Car stolen/hacked
● Call from work for actual
problem, miss transport
● Oversleep
●
51. Threat Modelling Exercise:
Your trip home from Agile 2019 (from here to when you
walk in your front door).
2. What could you do to prevent or mitigate the
threats?
DevSecOps @ElizAyer
52. For me….
I would have threat modelled car accidents, traffic,
missed or delayed flights….
DevSecOps @ElizAyer
53. For me what did happen
I failed to get permissions until literally the last possible second.
All sane flights were gone by the time I could book them.
I did my best and ended up with two separate bookings.
SeaTac immigration was a madhouse, and I missed the second.
They booked me into a hotel room without a bed or shower.
I’ve revised my threat model
DevSecOps @ElizAyer
54. Why do threat modeling? (OWASP)
● Build a secure design
● Efficient investment of resources; appropriately prioritize security,
development, and other tasks
● Bring Security and Development together to collaborate on a shared
understanding, informing development of the system
● Identify threats and compliance requirements, and evaluate their risk
● Define and build required controls.
● Balance risks, controls, and usability
● Identify where building a control is unnecessary, based on acceptable risk
● Identification of security test cases / security test scenarios to test the
security requirements
https://www.owasp.org/index.php/Application_Threat_Modeling (abridged)
60. In Summary...
But Security is typically severely underresourced
compared to Development, so we can’t use the same
team structures. We need:
1) Basic dev team security education
2) Dev team access to expertise
3) Enough security capacity to engage
… which generally requires Senior Management Support!
61. In Summary...
Automation helps scale security.
You’ll get the most out of your tools investment by
prioritizing according to your threat model, involving
Security and Product.
63. DevSecOps @ElizAyer
Resources!
DevSecOps: The Missing Link in Delivering on the Promise
of Business Velocity (Webinar feat. @realgenekim
@wickett)
https://xebialabs.com/community/webinars/devsecops-missing-li
nk-of-business-velocity/
The Open Web Application Security Project
https://www.owasp.org/
GSA DevSecOps Guide https://tech.gsa.gov/guides/dev_sec_ops_guide/
Agile Application Security (Book)
https://www.oreilly.com/library/view/agile-application-security/9781491938836/