Missing the obvious

Dev[Sec]Ops for Developers: How To Start
Patricia Aas (@pati_gallardo)
NDC Security 2019
Patricia Aas - Consultant
C++ Programmer, Application Security
Currently: T S
Previously: Vivaldi, Cisco Systems, Knowit, Opera Software
Master in Computer Science - main language Java
Pronouns: she/her
Why DevSecOps?
“Our research shows that building security into software development not only improves delivery performance but also improves security quality. Organizations with high delivery performance spend significantly less time remediating security issues.”
- Accelerate, Forsgren PhD, Humble and Kim
Misleading Diagrams
[Figure: DevOps diagram; Kharnagy [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)], from Wikimedia Commons]
[Diagram: Dev / Ops / Sec as separate circles]
Or maybe?
[Diagram: Dev Sec Ops]
What about this one?
Looking for Zebras
“In medical school, you are taught that if, metaphorically, there is the sound of hoofbeats pounding towards you then it’s sensible to assume they come from horses not zebras [...] With House it’s the opposite. We are looking for zebras.”
- ‘Dr Lisa Sanders’ in ‘House M.D.’
We tend to classify problems based on the problems we are used to. This stops us from understanding folks that deal with different classes of problems.
Cynefin Framework by Dave Snowden
(diagram: https://cognitive-edge.com/blog/liminal-cynefin-image-release/)
Fixing things (Cynefin domains):
- Chaotic: Stabilize
- Complex: Discover
- Complicated: Engineer
- Obvious: Automate

Practice by domain:
- Chaotic (Crisis): Novel
- Complex: Emergent
- Complicated: Good
- Obvious: Best
DevOps (Cynefin domains):
- Complex: Probe - Prototyping (Creativity; not critical)
- Complicated: Analyze - Development (Skill)
- Obvious: Auto - Deploy (Automation; critical)
Incident Response (Cynefin domains):
- Chaotic: Act - Put out fires (Incident in Prod)
- Complex: Probe - Investigate
- Complicated: Analyze - Remediate
- Obvious: Auto - Change
Security (Cynefin domains):
- Chaotic: Act - Fuzzing
- Complex: Probe - Debugging
- Complicated: Analyze - Exploit dev
- Obvious: Auto - Metasploit
Testing (Cynefin domains):
- Complex: Probe - Making the Right System: A/B Testing, Chaos Monkey
- Complicated: Analyze - Making the System Right: TDD, Static Analysis
Dev[Sec]Ops

Simplified Pre-DevOps Deployment Workflow:
Coding → Building → Testing → Manual Security Gate Keeping → Monitoring
But you have to get out of the Critical Path?

Coding → Building → Testing → Scanning → Monitoring
Security tooling hooked into those stages: IDE Plugins, Static Analysis, Commit hooks, Warnings, Dependency Checks, Dynamic Analysis, Fuzzing, Simulations, Alerts, Dashboards
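The "Commit hooks" item above, as an added example that is not part of the deck: a git pre-commit hook that scans only the lines a commit adds for obvious credentials and refuses the commit if it finds any. It is fast and deterministic, so it fits in the critical path the way the closing slides recommend, while slow scans (dependency audit, dynamic analysis, fuzzing) stay in a non-blocking pipeline. The patterns, the `nosecret` opt-out marker and the sample diff are assumptions constructed for this example.

```python
#!/usr/bin/env python3
"""Git pre-commit hook that blocks commits which add obvious credentials.

Added example for this page, not the talk's own code. Install as
.git/hooks/pre-commit (executable). Only added lines are scanned, so the
hook stays fast enough for the critical path.
"""
from __future__ import annotations

import re
import subprocess
import sys

# Patterns chosen for low false-positive rates; this list is an assumption,
# tune it to the credential formats your organisation actually issues.
PATTERNS: dict[str, re.Pattern[str]] = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "GitHub token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "hard-coded password": re.compile(r"""(?i)(?:password|passwd|pwd)\s*[=:]\s*['"][^'"]{8,}['"]"""),
}

# Marker a developer adds to a line to acknowledge a reviewed false positive.
ALLOW_MARKER = "nosecret"

# Constructed unified diff used for the demo and the test; not from a real repo.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -0,0 +1,4 @@
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "correct horse battery staple"
+TEST_KEY = "AKIAIOSFODNN7EXAMPLE"  # nosecret: documented AWS example key
+DEBUG = True
"""


def find_secrets(diff_text: str) -> list[tuple[str, int, str]]:
    """Scan a unified diff and return (path, new_line_no, rule) per matching added line.

    Removed ('-') and context lines are ignored: a secret that is already in
    history does not block this commit (clean it up and rotate it separately).
    """
    findings: list[tuple[str, int, str]] = []
    path: str | None = None
    new_line = 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            target = line[4:]
            path = target[2:] if target.startswith("b/") else target
            continue
        if line.startswith("@@"):
            # Hunk header carries the starting line number in the new file.
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line)
            new_line = int(m.group(1)) if m else 0
            continue
        if line.startswith("+"):
            text = line[1:]
            if ALLOW_MARKER not in text:
                for rule, pattern in PATTERNS.items():
                    if pattern.search(text):
                        findings.append((path or "?", new_line, rule))
            new_line += 1
        elif not line.startswith("-") and not line.startswith("\\"):
            new_line += 1  # unchanged context line also advances the new-file counter
    return findings


def staged_diff() -> str:
    """Diff of what is about to be committed; -U0 drops context lines entirely."""
    return subprocess.run(
        ["git", "diff", "--cached", "-U0", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout


def main() -> int:
    """Hook entry point: non-zero exit makes git abort the commit."""
    findings = find_secrets(staged_diff())
    for path, line_no, rule in findings:
        print(f"{path}:{line_no}: possible {rule}", file=sys.stderr)
    if findings:
        print(f"commit blocked: {len(findings)} possible secret(s); remove them or "
              f"mark a reviewed false positive with '{ALLOW_MARKER}'", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Running `find_secrets(SAMPLE_DIFF)` flags the AWS key on line 1 and the password on line 2 of config.py, and skips line 3 because of the marker. Git only runs the hook on the committing developer's machine, so treat it as a fast early warning; the same scan should also run server-side in CI, where it cannot be bypassed with `--no-verify`.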
- We have no “Security Team”
1 security person per 10 ops people per 100 developers*
*Accelerate, Forsgren PhD, Humble and Kim

Dev[Sec]Ops Hacks
1. Live Off the Land
Use their issue tracker
Use their slack
Use their monitoring
Use their dashboards
Integrate into their tools
2. Have Devs Build It
Use the devs to build integrations
Find ways to justify it
Make sure it has dual purpose
3. Trunk-based Development
Trunk-based development
Small commits
Add security to peer-review
Add threat modeling to peer-review
Feature toggles
Use feature toggles for A/B testing
4. Use Existing Crisis Process for Incident Response

Bootstrapping Incident Response
Have a Hotline
security@example.com
https://example.com/.well-known/security.txt
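A quick check of the hotline file, as an added example that is not from the talk: the security.txt format the slide links to was later standardized as RFC 9116, and the validator below applies its main rules (at least one Contact URI, https for any web link, exactly one Expires timestamp that has not passed, Preferred-Languages at most once) to a constructed sample file for the reserved example.com domain. The field names and rules come from the RFC; the sample content and the warning thresholds are assumptions.

```python
"""Validator for a /.well-known/security.txt body (RFC 9116 rules).

Added example for this page, not code from the talk. SAMPLE is a
constructed file for the reserved example.com domain; feed validate()
the text your own site actually serves.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Constructed sample security.txt (assumption, not a real site's file).
SAMPLE = """\
# Security contact for example.com
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/.well-known/pgp-key.txt
Preferred-Languages: en, no
Canonical: https://example.com/.well-known/security.txt
"""

# Field names defined by RFC 9116; names are case-insensitive.
KNOWN_FIELDS = {
    "contact", "expires", "encryption", "acknowledgments", "preferred-languages",
    "canonical", "policy", "hiring", "csaf",
}
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*?)\s*$")


def parse(text: str) -> list[tuple[str, str, int]]:
    """Return (lowercased field name, value, line number), skipping blanks and # comments."""
    fields: list[tuple[str, str, int]] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if not m:
            fields.append(("<malformed>", line, no))
            continue
        fields.append((m.group(1).lower(), m.group(2), no))
    return fields


def parse_expires(value: str) -> datetime | None:
    """Parse an RFC 3339 timestamp such as 2030-01-01T00:00:00Z; None if invalid."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo is not None else None  # RFC 3339 needs an explicit offset


def validate(text: str, now: datetime | None = None) -> tuple[list[str], list[str]]:
    """Check a security.txt body; returns (errors, warnings). No errors means acceptable."""
    now = now or datetime.now(timezone.utc)
    errors: list[str] = []
    warnings: list[str] = []
    by_name: dict[str, list[str]] = {}
    for name, value, no in parse(text):
        if name == "<malformed>":
            errors.append(f"line {no}: not a 'Field: value' line: {value!r}")
            continue
        if name not in KNOWN_FIELDS:
            warnings.append(f"line {no}: unknown field {name!r} (RFC 9116 parsers ignore it)")
        by_name.setdefault(name, []).append(value)

    # Contact: at least one URI; web URIs must be https.
    contacts = by_name.get("contact", [])
    if not contacts:
        errors.append("no Contact field; at least one is required")
    for c in contacts:
        scheme = c.split(":", 1)[0].lower() if ":" in c else ""
        if scheme == "http":
            errors.append(f"Contact {c!r} uses http; web URIs must use https")
        elif scheme not in {"mailto", "tel", "https"}:
            warnings.append(f"Contact {c!r}: unexpected scheme {scheme!r}")

    # Expires: exactly one, RFC 3339, still in the future, ideally under a year out.
    expires = by_name.get("expires", [])
    if len(expires) != 1:
        errors.append(f"expected exactly one Expires field, found {len(expires)}")
    else:
        dt = parse_expires(expires[0])
        if dt is None:
            errors.append(f"Expires {expires[0]!r} is not an RFC 3339 timestamp with offset")
        elif dt <= now:
            errors.append(f"file expired at {expires[0]}; researchers will treat it as stale")
        elif (dt - now).days > 365:
            warnings.append("Expires is more than a year out; RFC 9116 recommends under a year")

    if len(by_name.get("preferred-languages", [])) > 1:
        errors.append("Preferred-Languages must appear at most once")
    for canon in by_name.get("canonical", []):
        if not (canon.startswith("https://") and canon.endswith("/.well-known/security.txt")):
            warnings.append(f"Canonical {canon!r} should be an https URL ending in /.well-known/security.txt")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = validate(SAMPLE)
    for e in errs:
        print("ERROR:", e)
    for w in warns:
        print("WARN:", w)
    print("ok" if not errs else "not ok")
```

Put the file behind a scheduled job rather than a one-off check: the Expires rule means a hotline file that was valid when written silently goes stale, which is exactly the kind of "obvious" task worth automating.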
gitlab.com
- “rm -rf”
- Sysadmin maintenance
- Cascading errors as backups fail
- All logged publicly in real time
Accident or Breach: Does it matter?

External Vulnerability Report Flow
Bug Report / Vulnerability Report / Social Media
→ received by QA / Security / Marketing
→ Triage
→ No bug / Bug / Vulnerability
They Know How To Handle A Crisis
Security Improvements to
Existing Crisis Process
● Separate priority in bug-tracker
● Separate channel in Slack
● Explicit side-duty in every team: Security Engineer
● Simple procedure based on information sharing and empowering
● Have a procedure on how people will get paid in off-hours

5. Automate as Much as Possible
Add IDE plugins
Add dependency scanner in CI/CD
Add scanners in CI/CD
Dynamic scan in a non-blocking pipeline
All results in dev visualization

6. Infrastructure as Code
Configuration Management
Auditable
Know what you’re running
Enable safe rollback
1. Live Off the Land
2. Have Devs Build It
3. Trunk-based Development
4. Use Existing Crisis Process
5. Automate as Much as Possible
6. Infrastructure as Code
Fixing things (Cynefin domains), with who works where:
- Chaotic: Stabilize - Crisis
- Complex: Discover - Security
- Complicated: Engineer - Development
- Obvious: Automate - Operations
Dev[Sec]Ops

Shifting Security Left? What Does That Even Mean?

Hacking the existing tools and processes
Teach everyone what to look for
Use their Tooling and their Dashboards
Fast, stable, automated tests in the Critical Path
Use the existing Crisis Process for Incidents
Have slower tests off the Critical Path
Some people are always looking for Zebras

Patricia Aas (@pati_gallardo)