How can you squeeze Security into DevOps? Security is often an understaffed function, so how can you leverage what you have in DevOps to improve your security posture?
Often the culture clash between Security and Development is even more pronounced than the one between Development and Operations. Understanding the differences in how these functions work, and leveraging their similarities, reveals processes already in place that can be used to improve security. This fine-tuning of existing tools and processes can give you DevSecOps on a shoestring.
6. @pati_gallardo
Accelerate (Nicole Forsgren PhD, Jez Humble and Gene Kim):
“Our research shows that building security into software development not only improves delivery performance but also improves security quality. Organizations with high delivery performance spend significantly less time remediating security issues.”
11. Diagram: “Exploitation: The Weird Machine” (after @halvarflake and @sergeybratus). A Bug/Vulnerability takes The Target out of its intended states and into a Weird State; The Exploit then steers the program from one Weird State to the next.
16. “In medical school, you are taught that if, metaphorically, there is the sound of hoofbeats pounding towards you then it’s sensible to assume they come from horses not zebras [...] With House it’s the opposite. We are looking for zebras.”
‘Dr Lisa Sanders’ in ‘House M.D.’
17. We tend to classify problems based on the problems we are used to. This stops us from understanding folks that deal with different classes of problems.
27.
- We have no “Security Team”
- 1 security person per 10 ops people per 100 developers*
- Manual security review does not scale
*Accelerate, Forsgren PhD, Humble and Kim
35. 6 Dev[Sec]Ops Hacks
1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
38. Live Off the Land (Bootstrapping: Tooling)
- Use your issue tracker
- Use your chat
- Use your monitoring
- Use your dashboards
- Integrate into your tools
42. Have Devs Build It (Bootstrapping: Manpower)
- Use the devs to build integrations
- Find ways to justify it
- Dual purpose: Stability and Security
46. Trunk-based Development (Bootstrapping: Security Reviews)
- Trunk-based development
- Small commits
- Add security to peer review
- Add threat modeling to peer review
- Feature toggles
- Use feature toggles for A/B testing
54. Security Improvements to Existing Crisis Process (Bootstrapping: Incident Response)
- Separate priority in bug-tracker
- Separate channel in Slack
- Security Engineer side-duty
- Simple procedure
- How will people get paid in off-hours?
58. Automate as Much as Possible (Bootstrapping: Automation)
- Add IDE plugins
- Add dependency scanner in CI/CD
- Add scanners in CI/CD
- Dynamic scan in a non-blocking pipeline
- All results in dev visualization
63. Infrastructure as Code (Bootstrapping: Auditability)
- Fully Automated Pipeline
- Configuration Management
- Know what you’re running
- Auditable
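One way to get the “know what you’re running” audit that infrastructure as code makes possible is to treat the IaC declaration as the baseline and diff the observed inventory against it: anything running that the repository does not declare is, by definition, unreviewed. The script below is an added example, not code from the talk; the declared manifest, the observed inventory and every host, package and version name in them are constructed for illustration.

```python
"""Drift audit: compare what infrastructure-as-code declares with what runs.

Added example, not code from the original talk. The declared manifest
and the observed inventory are both constructed here; in a real pipeline
the manifest would be generated from the IaC repository and the
inventory pulled from configuration management or monitoring. Host,
package and version names are invented.
"""

# What the IaC repository says each host should be running (constructed).
DECLARED = {
    "web-1": {"webd": "2.4.1", "tlslib": "3.0.13"},
    "web-2": {"webd": "2.4.1", "tlslib": "3.0.13"},
    "db-1": {"dbd": "15.6"},
}

# What the inventory tooling reports is actually running (constructed).
OBSERVED = {
    "web-1": {"webd": "2.4.1", "tlslib": "3.0.13"},
    "web-2": {"webd": "2.4.1", "tlslib": "3.0.11", "nc": "1.2"},
    "db-1": {"dbd": "15.6"},
    "web-3": {"webd": "2.2.0"},
}


def audit(declared, observed):
    """Return drift records as (host, kind, component, declared, observed).

    Anything the declaration does not account for is a finding: with
    infrastructure as code the repository is the audit baseline, so an
    undeclared host or package is unknown and unreviewed by definition.
    """
    drift = []
    for host in sorted(set(declared) | set(observed)):
        want, have = declared.get(host), observed.get(host)
        if want is None:
            drift.append((host, "undeclared-host", None, None, have))
            continue
        if have is None:
            drift.append((host, "missing-host", None, want, None))
            continue
        for pkg in sorted(set(want) | set(have)):
            dv, ov = want.get(pkg), have.get(pkg)
            if dv is None:
                drift.append((host, "undeclared-package", pkg, None, ov))
            elif ov is None:
                drift.append((host, "missing-package", pkg, dv, None))
            elif dv != ov:
                drift.append((host, "version-drift", pkg, dv, ov))
    return drift


def report(declared=DECLARED, observed=OBSERVED):
    """Print one line per drift record and return the record count."""
    drift = audit(declared, observed)
    for host, kind, pkg, dv, ov in drift:
        where = f"{host}/{pkg}" if pkg else host
        print(f"{kind:18} {where:20} declared={dv} observed={ov}")
    return len(drift)


if __name__ == "__main__":
    # Non-zero exit makes the audit usable as a scheduled CI job.
    raise SystemExit(1 if report() else 0)
```

Run as a scheduled job, the non-zero exit on any drift turns the IaC repository into a continuously enforced audit record rather than a document that was true on the day it was written.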
66. Incremental, Layered Security
- Teach everyone what to look for
- Use their Tooling and their Dashboards
- Fast, stable, automated tests in the Critical Path
- Use the existing Crisis Process for Incidents
- Have slower tests off the Critical Path
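The automation slide (58) and the summary above describe the split: fast, stable checks in the critical path that may break the build, slower dynamic scans in a separate non-blocking pipeline, and every result surfaced in the tracker and dashboard developers already use. The gate script below, added here as an example and not code from the talk, applies that policy to constructed scanner findings; the severity names, stage names, ticket shape and sample findings are all assumptions.

```python
"""Security gate for a CI pipeline: fast checks block, slow checks report.

Added example, not code from the original talk. It assumes two kinds of
scanner results, represented here by constructed findings: a fast
dependency/static scan that runs in the critical path of the pipeline,
and a slow dynamic scan that runs in a separate, non-blocking pipeline.
Severity names, stage names and the ticket shape are assumptions.
"""
from dataclasses import dataclass

# Severity ordering used by the gate policy (assumed names, not a scanner's).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Stage names: which pipeline a finding came from.
CRITICAL_PATH = "critical-path"   # fast, blocking
ASYNC = "async"                   # slow, non-blocking


@dataclass(frozen=True)
class Finding:
    tool: str        # scanner that produced it
    severity: str    # key of SEVERITY_RANK
    component: str   # package, file or endpoint the finding points at
    title: str
    stage: str       # CRITICAL_PATH or ASYNC


def make_ticket(finding):
    """Shape a finding as an issue-tracker ticket so it lands in the
    tracker developers already use, under a separate security priority."""
    return {
        "title": f"[{finding.tool}] {finding.title} in {finding.component}",
        "priority": f"security-{finding.severity}",
        "labels": ["security", finding.tool, finding.stage],
    }


def summarize(findings):
    """Count findings per tool and severity for the dev dashboard."""
    summary = {}
    for f in findings:
        per_tool = summary.setdefault(f.tool, {})
        per_tool[f.severity] = per_tool.get(f.severity, 0) + 1
    return summary


def gate(findings, block_at="high"):
    """Apply the pipeline policy and return (exit_code, tickets, summary).

    A critical-path finding at or above `block_at` fails the build.
    Every other finding, including everything from the async dynamic
    scan, becomes a ticket instead of a red build, and all findings are
    counted in the summary so nothing disappears from the dashboard.
    """
    threshold = SEVERITY_RANK[block_at]
    blocking, tickets = [], []
    for f in findings:
        if f.stage == CRITICAL_PATH and SEVERITY_RANK[f.severity] >= threshold:
            blocking.append(f)
        else:
            tickets.append(make_ticket(f))
    return (1 if blocking else 0), tickets, summarize(findings)


# Constructed sample findings; components and titles are invented.
SAMPLE_FINDINGS = [
    Finding("dep-scan", "critical", "libparse@1.2.3",
            "Known deserialization flaw in release 1.2.3", CRITICAL_PATH),
    Finding("dep-scan", "medium", "libfmt@0.9.1",
            "Denial of service on crafted input", CRITICAL_PATH),
    Finding("sast", "low", "src/util.js:42",
            "Use of eval with constant string", CRITICAL_PATH),
    Finding("dast", "high", "https://staging.example/login",
            "No rate limiting on login form", ASYNC),
]


def run(findings=SAMPLE_FINDINGS, block_at="high"):
    """Print the dashboard summary and tickets, return the CI exit code."""
    code, tickets, summary = gate(findings, block_at)
    for tool, counts in sorted(summary.items()):
        print(f"{tool}: " + ", ".join(f"{s}={n}" for s, n in sorted(counts.items())))
    for t in tickets:
        print(f"ticket {t['priority']}: {t['title']}")
    print("build", "FAILED" if code else "passed")
    return code


if __name__ == "__main__":
    raise SystemExit(run())
```

The design choice worth noting is that the dynamic scan never blocks regardless of severity: it is slow and less stable, so a high-severity result from it becomes a high-priority ticket rather than a failed build, while the fast dependency scan can still stop a critical finding from merging.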
69. Phases of Incident Response¹
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
¹Incident Handler’s Handbook, SANS Institute
https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
70. Practice
“We don't rise to the level of our expectations, we fall to the level of our training.”
Greek lyrical poet, Archilochus
Accident or Breach? Does it matter?