Iftach Ian Amit, profile picture
Uploaded byIftach Ian Amit
PDF, PPTX321 views

Devsecops at Cimpress

This document discusses DevSecOps at Cimpress, an online printing company. It outlines some of the challenges of their worldwide and decentralized operations with varying technology stacks. Their approach involves threat modeling to identify threats, assets, and controls. They create security assertions based on the threat model and assure test case coverage. The focus is on integrating security into development in a way that is not burdensome to developers. The expected deliverables include automated unit test coverage and tool scans to address the threat model.

Embed presentation

Download as PDF, PPTX
DevSecOps at Cimpress Ian Amit Chief Security Officer
Cimpress Security Engineering Operations Program Management
Challenges • Worldwide operations • Decentralized (14 business units, and counting ;-) ) • Varying technology stacks (from latest and greatest, to factory IT/OT running legacy software) • Rapid deployment cycles • Major cloudification (AWS, Azure and GCP)
Our approach - the road to DevSecOps Threat Modeling Threats Assets Prioritization/ Execution Controls Assertions Response Tests
Threat Modeling • STRIDE? DREAD? • MITRE ATT&CK Framework [1] • CAPEC [2] https://attack.mitre.org/wiki/Main_Page https://capec.mitre.org/ What are you protecting? What’s the value of it? Who/what are you protecting it from? Threats Assets Controls Assertions Tests
DevSecOps Controls Assertions Tests • Create assertions based on threat model • What is supposed to happen? What’s not supposed to happen?… • Assure test case coverage in dev. • Add external validation through scanners. SAST/DAST. • Integrate controls over assertions/tests.
But forget all of that
Think about the developer first
This is how developers want/need to see us security people Minus the suit of course. Everyone knows we wear hoodies ;-)
The Sec in DevSecOps • Every additional interaction needed from dev is a speed bump • Every additional interface is a traffic light • Every new language/term is a “calculating new route”…
Expected Deliverables Unit Test Coverage Automated tool scans Implies existence of unit testing that address the threat model scenarios Implies fixes to the code where applicable and coverage for the “hygiene” elements of the threat model
Rinse, Repeat… Threat Modeling Prioritization/ Execution Response

More Related Content

PPTX
Security Champions - Introduce them in your Organisation
byIves Laaf
 
PPTX
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
byOutpost24
 
PPTX
DevOps
byJeremiah Tillman
 
PDF
Legacy-SecDevOps (AppSec Management Debrief)
byDinis Cruz
 
PDF
Application Security at DevOps Speed - DevOpsDays Singapore 2016
byStefan Streichsbier
 
PDF
Principles of Chaos Engineering
byh_marvin
 
PDF
Using threat models to control project brief
byDinis Cruz
 
PPTX
Overcoming Security Challenges in DevOps
byAlert Logic
 
Security Champions - Introduce them in your Organisation
byIves Laaf
 
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
byOutpost24
 
DevOps
byJeremiah Tillman
 
Legacy-SecDevOps (AppSec Management Debrief)
byDinis Cruz
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
byStefan Streichsbier
 
Principles of Chaos Engineering
byh_marvin
 
Using threat models to control project brief
byDinis Cruz
 
Overcoming Security Challenges in DevOps
byAlert Logic
 

What's hot

PDF
Security champions v1.0
byDinis Cruz
 
PDF
PIACERE - DevSecOps Automated
byPIACERE
 
PDF
Principles Of Chaos Engineering - Chaos Engineering Hamburg
byNils Meder
 
PDF
From Gates to Guardrails: Alternate Approaches to Product Security
byJason Chan
 
PDF
Chaos Engineering - Limiting Damage During Chaos Experiments
byNils Meder
 
PDF
Integrating DevOps and Security
byStijn Muylle
 
PDF
The Challenges of Scaling DevSecOps
byWhiteSource
 
PPTX
Integrating Security into DevOps
byCloudPassage
 
PPTX
A journey from dev ops to devsecops
byVeritis Group, Inc
 
PPTX
Turning security into code by Jeff Williams
byDevSecCon
 
PDF
Security in a Continuous Delivery World
byDinis Cruz
 
PDF
Embracing the Rise of SecDevOps
byTom Cappetta
 
PDF
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
byDevSecCon
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
PDF
Vulnerabilities are bugs, Let's Test For Them!
byVAddy
 
KEY
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
PDF
DevSecOps for you Full Stack
byRon Nixon
 
PDF
Dos and Don'ts of DevSecOps
byPriyanka Aash
 
PPTX
How to Get Started with DevSecOps
byCYBRIC
 
PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
Security champions v1.0
byDinis Cruz
 
PIACERE - DevSecOps Automated
byPIACERE
 
Principles Of Chaos Engineering - Chaos Engineering Hamburg
byNils Meder
 
From Gates to Guardrails: Alternate Approaches to Product Security
byJason Chan
 
Chaos Engineering - Limiting Damage During Chaos Experiments
byNils Meder
 
Integrating DevOps and Security
byStijn Muylle
 
The Challenges of Scaling DevSecOps
byWhiteSource
 
Integrating Security into DevOps
byCloudPassage
 
A journey from dev ops to devsecops
byVeritis Group, Inc
 
Turning security into code by Jeff Williams
byDevSecCon
 
Security in a Continuous Delivery World
byDinis Cruz
 
Embracing the Rise of SecDevOps
byTom Cappetta
 
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
byDevSecCon
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
Vulnerabilities are bugs, Let's Test For Them!
byVAddy
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
DevSecOps for you Full Stack
byRon Nixon
 
Dos and Don'ts of DevSecOps
byPriyanka Aash
 
How to Get Started with DevSecOps
byCYBRIC
 
Introduction to DevSecOps
byabhimanyubhogwan
 

Similar to Devsecops at Cimpress

PDF
The What, Why, and How of DevSecOps
byCprime
 
PPTX
S360 2015 dev_secops_program
byShannon Lietz
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
PPTX
DevOpsDays 2022: Security is about to become a DevOps Problem
byCharles Johnson
 
PDF
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
PPTX
A recommendation for software development responses for future
byMax Justice
 
PDF
Working on DevSecOps culture - a team centric view
byPatrick Debois
 
PPTX
What is devsecops and what is the characteristics of it
byamalsalah25
 
PDF
Threat Modelling in DevSecOps Cultures
byDevOps Indonesia
 
PPTX
Is DevOps Braking Your Company?
byconjur_inc
 
PPTX
DevOpsDays 2023: Security is about to become a DevOps Problem
byCharles Johnson
 
PPTX
State of DevSecOps - DevSecOpsDays 2019
byStefan Streichsbier
 
PPTX
The Journey to DevSecOps
byShannon Lietz
 
PPTX
The Journey to DevSecOps
bySeniorStoryteller
 
PDF
Introduction to DevSecOps
bySetu Parimi
 
PPTX
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
byDevSecCon
 
PDF
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
PPTX
Hacking DevOps
byPhillip Marlow
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
The What, Why, and How of DevSecOps
byCprime
 
S360 2015 dev_secops_program
byShannon Lietz
 
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
DevOpsDays 2022: Security is about to become a DevOps Problem
byCharles Johnson
 
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
A recommendation for software development responses for future
byMax Justice
 
Working on DevSecOps culture - a team centric view
byPatrick Debois
 
What is devsecops and what is the characteristics of it
byamalsalah25
 
Threat Modelling in DevSecOps Cultures
byDevOps Indonesia
 
Is DevOps Braking Your Company?
byconjur_inc
 
DevOpsDays 2023: Security is about to become a DevOps Problem
byCharles Johnson
 
State of DevSecOps - DevSecOpsDays 2019
byStefan Streichsbier
 
The Journey to DevSecOps
byShannon Lietz
 
The Journey to DevSecOps
bySeniorStoryteller
 
Introduction to DevSecOps
bySetu Parimi
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
byDevSecCon
 
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
Hacking DevOps
byPhillip Marlow
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 

More from Iftach Ian Amit

PPTX
Cyber Risk Quantification - CyberTLV
byIftach Ian Amit
 
PPTX
BSidesTLV Closing Keynote
byIftach Ian Amit
 
PDF
Social Media Risk Metrics
byIftach Ian Amit
 
PDF
ISTS12 Keynote
byIftach Ian Amit
 
PDF
From your Pocket to your Heart and Back
byIftach Ian Amit
 
PDF
Painting a Company Red and Blue
byIftach Ian Amit
 
PDF
"Cyber" security - all good, no need to worry?
byIftach Ian Amit
 
PDF
Armorizing applications
byIftach Ian Amit
 
PDF
Seeing Red In Your Future?
byIftach Ian Amit
 
PPTX
Hacking cyber-iamit
byIftach Ian Amit
 
PDF
Passwords good badugly181212-2
byIftach Ian Amit
 
PDF
Bitcoin
byIftach Ian Amit
 
PDF
Sexy defense
byIftach Ian Amit
 
PDF
Cyber state
byIftach Ian Amit
 
PDF
Advanced Data Exfiltration - the way Q would have done it
byIftach Ian Amit
 
PDF
Infecting Python Bytecode
byIftach Ian Amit
 
PDF
Exploiting Second life
byIftach Ian Amit
 
PDF
Dtmf phreaking
byIftach Ian Amit
 
PDF
Cheating in Computer Games
byIftach Ian Amit
 
PDF
Telecommunication basics dc9723
byIftach Ian Amit
 
Cyber Risk Quantification - CyberTLV
byIftach Ian Amit
 
BSidesTLV Closing Keynote
byIftach Ian Amit
 
Social Media Risk Metrics
byIftach Ian Amit
 
ISTS12 Keynote
byIftach Ian Amit
 
From your Pocket to your Heart and Back
byIftach Ian Amit
 
Painting a Company Red and Blue
byIftach Ian Amit
 
"Cyber" security - all good, no need to worry?
byIftach Ian Amit
 
Armorizing applications
byIftach Ian Amit
 
Seeing Red In Your Future?
byIftach Ian Amit
 
Hacking cyber-iamit
byIftach Ian Amit
 
Passwords good badugly181212-2
byIftach Ian Amit
 
Bitcoin
byIftach Ian Amit
 
Sexy defense
byIftach Ian Amit
 
Cyber state
byIftach Ian Amit
 
Advanced Data Exfiltration - the way Q would have done it
byIftach Ian Amit
 
Infecting Python Bytecode
byIftach Ian Amit
 
Exploiting Second life
byIftach Ian Amit
 
Dtmf phreaking
byIftach Ian Amit
 
Cheating in Computer Games
byIftach Ian Amit
 
Telecommunication basics dc9723
byIftach Ian Amit
 

Recently uploaded

PDF
How Oversize Embroidery Design Size Is Measured
byInkdnylon
 
DOCX
Buy Old Gmail Accounts in 2026_ Complete Buyer’s Guide
bypvasmmpath
 
PDF
Serhii Herasymov: Expert sales in outsource companies: your technical special...
byLviv Startup Club
 
PDF
Ultra Map Section II Multifaceted Second Edition.pdf
byBrij Consulting, LLC
 
PDF
Lessons on Branding from the Team Behind the World's Biggest Brands
byNeil Horowitz
 
PPTX
5, Money Number Tax and Wages 19072017.pptx
byAdrian Hawkes
 
PDF
Stablecoins beyond narrow banking - Lombard Notes
byGiorgio Giuliani
 
PDF
Kirill Klip GEM Royalty TNR Gold Presentation
byKirill Klip
 
DOCX
Buy Aged Verified PayPal Accounts with 2+ Years History and Clean Record.docx
bysebastianparsonst8
 
PDF
KGA - Governing administration in a consolidated market
byHenry Tapper
 
DOCX
How to Buy Verified Bybit Accounts in 2026 not risk .docx
bymarketing
 
PDF
Top Five Trends Shaping RCM in 2026 - Revenue Cycle Resources-HUB
byRevenue Cycle Resources-HUB
 
PDF
How to Buy Verified Bybit Accounts in 2026.pdf
bymarketing
 
PDF
rf_mccaffrey_stocksforthelongrun_revisited_online.v2 (1).pdf
byHenry Tapper
 
PDF
Best Place to Learn Old or Aged Verified Paysera Accounts in WWW.pdf
byTopSelleriT
 
DOCX
Buy Old Gmail Accounts_ Top Benefits and Legal Considerations.docx
bypvasmmpath
 
PDF
Safe Ways to Purchase Gmail Accounts (PVA & Aged) for Your Team.pdf
bypvaisback
 
PDF
Top Platform to Buy Facebook Accounts in Bulk Safely.pdf
byBuy Facebook Accounts
 
PDF
Iryna Rudenko: Follow the Money: How Investment Trends Define IT Niches (UA)
byLviv Startup Club
 
DOCX
What Are Telegram Accounts and Why Are They Important for Global Communicatio...
byx24gm4qs23vusc8s2b53
 
How Oversize Embroidery Design Size Is Measured
byInkdnylon
 
Buy Old Gmail Accounts in 2026_ Complete Buyer’s Guide
bypvasmmpath
 
Serhii Herasymov: Expert sales in outsource companies: your technical special...
byLviv Startup Club
 
Ultra Map Section II Multifaceted Second Edition.pdf
byBrij Consulting, LLC
 
Lessons on Branding from the Team Behind the World's Biggest Brands
byNeil Horowitz
 
5, Money Number Tax and Wages 19072017.pptx
byAdrian Hawkes
 
Stablecoins beyond narrow banking - Lombard Notes
byGiorgio Giuliani
 
Kirill Klip GEM Royalty TNR Gold Presentation
byKirill Klip
 
Buy Aged Verified PayPal Accounts with 2+ Years History and Clean Record.docx
bysebastianparsonst8
 
KGA - Governing administration in a consolidated market
byHenry Tapper
 
How to Buy Verified Bybit Accounts in 2026 not risk .docx
bymarketing
 
Top Five Trends Shaping RCM in 2026 - Revenue Cycle Resources-HUB
byRevenue Cycle Resources-HUB
 
How to Buy Verified Bybit Accounts in 2026.pdf
bymarketing
 
rf_mccaffrey_stocksforthelongrun_revisited_online.v2 (1).pdf
byHenry Tapper
 
Best Place to Learn Old or Aged Verified Paysera Accounts in WWW.pdf
byTopSelleriT
 
Buy Old Gmail Accounts_ Top Benefits and Legal Considerations.docx
bypvasmmpath
 
Safe Ways to Purchase Gmail Accounts (PVA & Aged) for Your Team.pdf
bypvaisback
 
Top Platform to Buy Facebook Accounts in Bulk Safely.pdf
byBuy Facebook Accounts
 
Iryna Rudenko: Follow the Money: How Investment Trends Define IT Niches (UA)
byLviv Startup Club
 
What Are Telegram Accounts and Why Are They Important for Global Communicatio...
byx24gm4qs23vusc8s2b53
 

Devsecops at Cimpress