How can you squeeze Security into DevOps? Security is often an understaffed function, so how can you leverage what you have in DevOps to improve your security posture? Often the culture clash between Security and Development is even more prominent than between Development and Operations. Understanding the differences in how these functions work, and leveraging their similarities, will reveal processes already in place that can be used to improve security. This fine tuning of tools and processes can give you DevSecOps on a shoestring.

1. Turtle
Sec
@pati_gallardo

2. Turtle
Sec
@pati_gallardo
My first
real tech
job

3. Dev[Sec]Ops for Developers
How To Start
European Testing Conference 2020
Patricia Aas
Turtle
Sec
@pati_gallardo

4. Patricia Aas - Consultant
Turtle
Sec
C++ Programmer, Application Security
Currently : TurtleSec
Previously : Vivaldi, Cisco Systems, Knowit, Opera Software
Master in Computer Science
Pronouns: she/her
@pati_gallardo

5. @pati_gallardo 5
Quality
@pati_gallardo

6. @pati_gallardo
Accelerate, Nicole Forsgren PhD, Humble and Kim:
“Our research shows that building security into software
development not only improves delivery performance
but also improves security quality.
Organizations with high delivery performance
spend significantly less time remediating security issues.”
@pati_gallardo 6

7. @pati_gallardo
“improves security quality”
Security is a
Quality Metric
@pati_gallardo 7

8. @pati_gallardo
Vulnerability
@pati_gallardo 8

9. @pati_gallardo
Bug
Vulnerability
Exploit
If a bug can be
exploited...
...then it is a
vulnerability
@pati_gallardo 9What is a Vulnerability?

10. @pati_gallardo
Exploit
Write
Read Execute
Information Leaks
Intelligence Gathering
Remote Code Execution
Privilege Escalation
Denial of Service
Planting of Shellcode
@pati_gallardo 10What does an Exploit do?

11. @pati_gallardo
The Target The Exploit@halvarflake
Weird
State
Weird
State
Exploitation: The Weird Machine
Bug/
Vulnerability
@sergeybratus
@pati_gallardo 11

12. @pati_gallardo 12
There is an artificial line
between security testing and
other types of testing

13. @pati_gallardo 13
Vulnerabilities are Bugs

14. @pati_gallardo
Culture
@pati_gallardo 14

15. @pati_gallardo
Looking for Zebras
@pati_gallardo 15

16. @pati_gallardo
“In medical school, you are taught that if, metaphorically, there is the
sound of hoofbeats pounding towards you then it’s sensible to assume
they come from horses not zebras [...]
With House it’s the opposite. We are looking for zebras.”
‘Dr Lisa Sanders’ in ‘House M.D.’
@pati_gallardo 16

17. We tend to classify problems
based on the problems we are
used to.
This stops us from understanding
folks that deal with different
classes of problems.
@pati_gallardo
17

18. @pati_gallardo
Cynefin Framework
by Dave Snowden
@pati_gallardo 18

19. Cynefin
Framework
by
Dave Snowden
https://cognitive-edge.com/blog/liminal-cynefin-image-release/
19

20. Complex Complicated
ObviousChaotic
Discover Engineer
Stabilize Automate
Fixing things
Cynefin
Framework
by
Dave Snowden
Crisis
Emergent
Novel Best
Good
20

21. Cynefin
Framework
by
Dave Snowden
DevOps
Complex Complicated
ObviousChaotic
Probe
Prototyping
Analyze
Development
Auto
Deploy
Creativity Skill
Automation
Not critical
Critical
Incident
Response
21

22. Complex Complicated
ObviousChaotic
Act
Put out fires
Probe Analyze
Auto
Investigate Remediate
Change
Incident in Prod
Cynefin
Framework
by
Dave Snowden
22

23. Complex Complicated
ObviousChaotic
Cynefin
Framework
by
Dave Snowden
Security
Act
Fuzzing
Probe Analyze
Auto
Debugging Exploit dev
Metasploit
23

24. Complex Complicated
ObviousChaotic
Probe
Making the Right System
Analyze
Making the System Right
A/B Testing TDD
Chaos Monkey Static Analysis
Testing
Cynefin
Framework
by
Dave Snowden
24

25. @pati_gallardo
Dev[Sec]Ops
@pati_gallardo 25

26. @pati_gallardo
Coding Building Testing
Manual
Security
Gate
Keeping
Monitoring
Simplified Pre-DevOps Deployment Workflow
@pati_gallardo
But you have to get out of the Critical Path?
26

27. @pati_gallardo
- We have no “Security Team”
1 security person per 10 ops people per 100 developers*
*Accelerate, Forsgren PhD, Humble and Kim
Manual security review does not scale
@pati_gallardo 27

28. @pati_gallardo
Coding
IDE Plugins
Static Analysis
Building Testing Scanning Monitoring
Alerts
Dashboards
Dynamic Analysis
Dependency Checks
Warnings
Commit hooks
Simulations
Fuzzing
@pati_gallardo 28

29. @pati_gallardo
Risk Modeling
29

30. @pati_gallardo 30
Company Killer
What are you really afraid of?
What kind of event could put you out of business?

31. @pati_gallardo 31
Pre-mortem
Your worst headline is in the newspaper,
how did this happen?

32. @pati_gallardo
External
Entity
Data Store
Trust
Boundary
Data Flow
Trust Boundary
Trust Boundary
Data Store
Process
Backend
Process
External Entity
Browser/App
Data Flow
Data Flow Diagram
Data
Flow
32

33. @pati_gallardo
Hacks
33

34. Tooling
Incident
Response
Automation Auditability
Security
Reviews
Manpower
@pati_gallardo 34

35. 1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
6 Dev[Sec]Ops Hacks
@pati_gallardo 35

36. Tooling
Incident
Response
Automation Auditability
Security
Reviews
Manpower
@pati_gallardo 36

37. @pati_gallardo
Bootstrapping
Tooling
@pati_gallardo 37

38. Use your issue tracker
Use your chat
Use your monitoring
Use your dashboards
Integrate into your tools
Live Off the Land
@pati_gallardo
Bootstrapping
Tooling
38

39. 1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
6 Dev[Sec]Ops Hacks
@pati_gallardo 39

40. Tooling
Incident
Response
Automation Auditability
Security
Reviews
Manpower
@pati_gallardo 40

41. Bootstrapping
Manpower
@pati_gallardo
41

42. Use the devs to build integrations
Find ways to justify it
Dual purpose:
Stability and Security
Have Devs Build It
@pati_gallardo
Bootstrapping
Manpower
42

43. 1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
6 Dev[Sec]Ops Hacks
@pati_gallardo 43

44. Tooling
Incident
Response
Automation Auditability
Security
Reviews
Manpower
@pati_gallardo 44

45. Bootstrapping
Security Reviews
@pati_gallardo
45

46. Trunk-based development
Small commits
Add security to peer-review
Add threat modeling to peer-review
Feature toggles
Use feature toggles for
A/B testing
Bootstrapping
Security Reviews
Trunk-based Development
46@pati_gallardo

47. 1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
6 Dev[Sec]Ops Hacks
@pati_gallardo 47

48. Tooling
Incident
Response
Automation Auditability
Security
Reviews
Manpower
@pati_gallardo 48

49. @pati_gallardo
Bootstrapping
Incident Response
@pati_gallardo 49

50. Have a Hotline
security@example.com
https://example.com/.well-known/security.txt
50@pati_gallardo

51. External Vulnerability Report Flow
Bug Report
Vulnerability
Report
Social Media
QA
Security
Marketing
Triage
No bug
Bug
Vulnerability
51@pati_gallardo

52. Use Existing Crisis Process for
Incident Response
52@pati_gallardo

53. @pati_gallardo@pati_gallardo
You Know
How To
Handle A
Crisis
53

54. Separate priority in bug-tracker
Separate channel in Slack
Security Engineer side-duty
Simple procedure
How will people get paid in
off-hours?
Bootstrapping
Incident Response
Security Improvements to
Existing Crisis Process
54@pati_gallardo

55. 1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
6 Dev[Sec]Ops Hacks
@pati_gallardo 55

56. TurtleSec
Tooling
Incident
Response
Automation Auditability
Security
Reviews
Manpower
@pati_gallardo 56

57. @pati_gallardo
Bootstrapping
Automation
@pati_gallardo 57

58. Add IDE plugins
Add dependency scanner in CI/CD
Add scanners in CI/CD
Dynamic scan in a non-blocking
pipeline
All results in dev visualization
Automate as Much as
Possible
Bootstrapping
Automation
58@pati_gallardo

59. Coding
IDE Plugins
Static Analysis
Building Testing Scanning Monitoring
Alerts
Dashboards
Dynamic Analysis
Dependency Checks
Warnings
Commit hooks
Simulations
Fuzzing
59@pati_gallardo

60. 1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
6 Dev[Sec]Ops Hacks
@pati_gallardo 60

61. TurtleSec
Tooling
Incident
Response
Automation Auditability
Security
Reviews
Manpower
@pati_gallardo 61

62. @pati_gallardo
Bootstrapping
Auditability
@pati_gallardo 62

63. Fully Automated Pipeline
Configuration Management
Know what you’re running
Auditable
Bootstrapping
Auditability
Infrastructure as Code
63@pati_gallardo

64. 1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
6 Dev[Sec]Ops Hacks
@pati_gallardo 64

65. @pati_gallardo
Incremental
Security
@pati_gallardo 65

66. @pati_gallardo
Teach everyone what to look for
Use their Tooling and their Dashboards
Fast, stable, automated tests in the Critical Path
Use the existing Crisis Process for Incidents
Have slower tests off the Critical Path
Incremental, Layered, Security
66

67. @pati_gallardo
Learn
@pati_gallardo 67

68. Complex Complicated
ObviousChaotic
Act
Put out fires
Probe Analyze
Auto
Investigate Remediate
Change
Incident in Prod
Cynefin
Framework
by
Dave Snowden
68

69. 1. Preparation6. Lessons Learned
5. Recovery
4. Eradication
2. Identification
3. Containment
Phases of
Incident
Response¹
¹Incident Handler’s Handbook, SANS Institute
https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
@pati_gallardo 69

70. 70
Practice
“We don't rise to the level of
our expectations, we fall to the
level of our training.”
Greek lyrical poet, Archilochus
Accident or Breach?
Does it matter?
@pati_gallardo

71. @pati_gallardo
Turtle
Sec
@pati_gallardo

72. Turtle
Sec
Questions?
Photos from pixabay.com
Patricia Aas, TurtleSec
@pati_gallardo