Ernest Mueller, profile picture
Uploaded byErnest Mueller
PPTX, PDF965 views

Lean Security - RSA 2016

The document emphasizes the need for a shift in security practices within organizations, advocating for lean security principles that prioritize productivity and efficiency while addressing security needs. It argues that traditional security measures often create bottlenecks and waste, suggesting that integrating security into agile and DevOps practices can enhance collaboration and effectiveness. The authors outline a six-fold path for implementing lean security, focusing on visibility, integration, and fostering a culture of shared responsibility among all team members.

Technology
Related topics:
Information Security

Embed presentation

Download to read offline
#LEAN SECURIT Y@WICKETT // @ERNESTMUELLER // RSA 2016
@WICKETT // @ERNESTMUELLER // #LEANSECURITY ERNEST MUELLER JAMES WICKETT @wickett @ernestmueller THEAGILEADMIN.COM
@WICKETT // @ERNESTMUELLER // #LEANSECURITY THE PRESENTATION THAT JUST MIGHT CHANGE YOUR LIFE…
@WICKETT // @ERNESTMUELLER // #LEANSECURITY COMPANIES ARE SPENDING A GREAT DEAL ON SECURITY, BUT WE READ OF MASSIVE COMPUTER-RELATED ATTACKS. CLEARLY SOMETHING IS WRONG. THE ROOT OF THE PROBLEM IS TWOFOLD: WE’RE PROTECTING (AND SPENDING MONEY ON PROTECTING) THE WRONG THINGS, AND WE’RE HURTING PRODUCTIVITY IN THE PROCESS. Thinking Security, Steven M. Bellovin 2015
@WICKETT // @ERNESTMUELLER // #LEANSECURITY
@WICKETT // @ERNESTMUELLER // #LEANSECURITY AGILE
@WICKETT // @ERNESTMUELLER // #LEANSECURITY WHAT IS AGILE? • INDIVIDUALS AND INTERACTIONS OVER PROCESSES AND TOOLS • WORKING SOFTWARE OVER COMPREHENSIVE DOCUMENTATION • CUSTOMER COLLABORATION OVER CONTRACT NEGOTIATION • RESPONDING TO CHANGE OVER FOLLOWING A PLAN SOURCE: THE AGILE MANIFESTO (HTTP://WWW.AGILEMANIFESTO.ORG/)
@WICKETT // @ERNESTMUELLER // #LEANSECURITY WHY AGILE? • 45% OF ORGANIZATIONS ARE USING AGILE ON A MAJORITY OF THEIR TEAMS ONLY 5% ARE NOT USING IT AT ALL • AGILE RESULTS: • ACCELERATE PRODUCT DELIVERY - 59% • ENHANCE ABILITY TO MANAGE CHANGING PRIORITIES - 56% • INCREASE PRODUCTIVITY - 53% • ENHANCE SOFTWARE QUALITY - 46% • ENHANCE DELIVERY PREDICTABILITY - 44% SOURCE: VERSIONONE NINTH ANNUAL STATE OF AGILE SURVEY (HTTPS://WWW.VERSIONONE.COM/PDF/STATE-OF-AGILE-DEVELOPMENT-SURVEY-NINTH.PDF)
@WICKETT // @ERNESTMUELLER // #LEANSECURITY
@WICKETT // @ERNESTMUELLER // #LEANSECURITY
@WICKETT // @ERNESTMUELLER // #LEANSECURITY WHAT IS DEVOPS? DEVOPS IS THE PRACTICE OF OPERATIONS AND DEVELOPMENT ENGINEERS PARTICIPATING TOGETHER IN THE ENTIRE SERVICE LIFECYCLE, FROM DESIGN THROUGH THE DEVELOPMENT PROCESS TO PRODUCTION SUPPORT. DEVOPS IS ALSO CHARACTERIZED BY OPERATIONS STAFF MAKING USE MANY OF THE SAME TECHNIQUES AS DEVELOPERS FOR THEIR SYSTEMS WORK. SOURCE: THE AGILE ADMIN: WHAT IS DEVOPS? HTTP://THEAGILEADMIN.COM/WHAT-IS-DEVOPS/
@WICKETT // @ERNESTMUELLER // #LEANSECURITY WHY DEVOPS?• BY 2016 “DEVOPS WILL EVOLVE FROM A NICHE TO A MAINSTREAM STRATEGY EMPLOYED BY 25% OF GLOBAL 2000 ORGANIZATIONS” - GARTNER, MARCH 2015 • BENEFITS OF DEVOPS: • NEW SOFTWARE/SERVICES THAT WOULD OTHERWISE NOT BE POSSIBLE - 21% • A REDUCTION IN TIME SPENT FIXING AND MAINTAINING APPLICATIONS - 21% • INCREASED COLLABORATION BETWEEN DEPARTMENTS - 21% • AN INCREASE IN REVENUE - 19% • IMPROVED QUALITY AND PERFORMANCE OF OUR DEPLOYED APPLICATIONS - 19% SOURCE: CA RESEARCH REPORT—DEVOPS: THE WORST-KEPT SECRET TO WINNING IN THE APPLICATION ECONOMY (HTTP://REWRITE.CA.COM/US/ARTICLES/DEVOPS/RESEARCH-REPORT-- DEVOPS-THE-WORST-KEPT-SECRET-TO-WINNING-IN-THE-APPLICATION-ECONOMY.HTML)
@WICKETT // @ERNESTMUELLER // #LEANSECURITY HIGH-PERFORMING IT ORGANIZATIONS EXPERIENCE 60X FEWER FAILURES AND RECOVER FROM FAILURE 168X FASTER THAN THEIR LOWER- PERFORMING PEERS. THEY ALSO DEPLOY 30X MORE FREQUENTLY WITH 200X SHORTER LEAD TIMES.
@WICKETT // @ERNESTMUELLER // #LEANSECURITY LEAN
@WICKETT // @ERNESTMUELLER // #LEANSECURITY LEAN SOFTWARE DEVELOPMENT SEVEN PRINCIPLES: • ELIMINATE WASTE • AMPLIFY LEARNING • DECIDE AS LATE AS POSSIBLE • DELIVER AS FAST AS POSSIBLE • EMPOWER THE TEAM • BUILD INTEGRITY IN • SEE THE WHOLE AN SOFTWARE DEVELOPMENT: AN AGILE TOOLKIT (2003), MARY AND TOM POPPENDIECK
@WICKETT // @ERNESTMUELLER // #LEANSECURITY LEAN PRODUCT DEVELOPMENT • BUILD-MEASURE-LEARN • BUILD – MINIMUM VIABLE PRODUCT • MEASURE – THE OUTCOME AND INTERNAL METRICS • LEARN – ABOUT YOUR PROBLEM AND YOUR SOLUTION • REPEAT – GO DEEPER WHERE IT’S NEEDED SOURCE: LEAN STARTUP (2011), ERIC RIES
@WICKETT // @ERNESTMUELLER // #LEANSECURITY WHY LEAN? • BOTH DEVOPS AND AGILE BORROW KEY CONCEPTS FROM LEAN MANUFACTURING, SO IT'S ALL ABOUT COMMUNICATION AND OPENNESS." -INFORMATIONWEEK
@WICKETT // @ERNESTMUELLER // #LEANSECURITY WHAT ARE THE CHALLENGES THAT AGILE / DEVOPS / LEAN POSE TO INFOSEC?
WRONG QUESTION!
@WICKETT // @ERNESTMUELLER // #LEANSECURITY INSTEAD, EXAMINE HOW ADOPTING THESE STRATEGIES CAN HELP YOU WIN
@WICKETT // @ERNESTMUELLER // #LEANSECURITY LEAN SECURITY IS FOR WINNERS
@WICKETT // @ERNESTMUELLER // #LEANSECURITY THE SIX-FOLD PATH OF LEAN SECURITY (AND HOW TO WIN)
@WICKETT // @ERNESTMUELLER // #LEANSECURITY #1 SECURITY IS JUST BEANCOUNTING
@WICKETT // @ERNESTMUELLER // #LEANSECURITY WE TRADED ENGINEERING FOR ACTUARIAL DUTIES
@WICKETT // @ERNESTMUELLER // #LEANSECURITY “[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”
@WICKETT // @ERNESTMUELLER // #LEANSECURITY A SECURITY MANAGEMENT SYSTEM PROVIDES OPTIMAL VALUE TO THE ORGANIZATION IF IT: • ACTIVELY SUPPORTS ACHIEVING THE BUSINESS AND COMPLIANCE OBJECTIVES OF THE ORGANIZATION (THE VARIABLE PART) • IS AN EFFICIENT, AGILE AND INTEGRATED PROCESS, CAPABLE OF DEALING WITH A DYNAMIC THREAT ENVIRONMENT • CONSUMES MINIMAL TIME AND RESOURCES • RESULTS IN ADEQUATELY MANAGED SECURITY RISK, IN LINE WITH THE RISK APPETITE OF THE ORGANIZATION • PROVIDES ONLY THE NECESSARY, YET ADEQUATE, USER FRIENDLY, EFFICIENT AND MEASURABLE SECURITY CONTROLS SOURCE: JOHAN BAKKER, LEAN SECURITY MANAGEMENT WHITE PAPER
@WICKETT // @ERNESTMUELLER // #LEANSECURITY UNDERSTAND THE VALUE YOUR ORGANIZATION WANTS FROM YOU
@WICKETT // @ERNESTMUELLER // #LEANSECURITY #2 SECURITY IS A BOTTLENECK
@WICKETT // @ERNESTMUELLER // #LEANSECURITY THE AVERAGE TIME TO DELIVER CORPORATE IT PROJECTS HAS INCREASED FROM ~8.5 MONTHS TO OVER 10 MONTHS IN THE LAST 5 YEARS Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016
@WICKETT // @ERNESTMUELLER // #LEANSECURITY WHY ARE COMPANIES SO SLOW? THE GROWTH OF CONTROL AND RISK MANAGEMENT FUNCTIONS WHICH IS TOO OFTEN POORLY COORDINATED… [RESULTING IN] A PROLIFERATION OF NEW TASKS IN THE AREAS OF COMPLIANCE, PRIVACY AND DATA PROTECTION. Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016
@WICKETT // @ERNESTMUELLER // #LEANSECURITY THE THREE WASTES • MUDA - WORK WHICH ABSORBS RESOURCE BUT ADDS NO VALUE • MURI - UNREASONABLE WORK THAT IS IMPOSED ON WORKERS AND MACHINES • MURA - WORK COMING IN DRIBS AND DRABS WITH SUDDEN PERIODS OF RUSH RATHER THAN A CONSTANT OR REGULAR FLOW, UNEVENNESS.
@WICKETT // @ERNESTMUELLER // #LEANSECURITY SECURITY WASTE MUDA COMES IN SEVEN FORMS: • EXCESS INVENTORY - DUMPING YOUR THOUSAND PAGE PDF OF VULNERABILITIES ON A BUSY TEAM. PRIORITIZE AND LIMIT WORK IN PROGRESS (WIP) • OVERPRODUCTION - SECURITY CONTROLS STEMMING FROM FUD OR MISALIGNMENT WITH BUSINESS NEEDS (NOT DEMANDED BY ACTUAL CUSTOMERS) - CF. PHOENIX PROJECT • EXTRA PROCESSING - FOR EXAMPLE, RELYING ON COMPLIANCE TESTING RATHER THAN DESIGNING THE PROCESS TO ELIMINATE PROBLEMS - HELP IT GET BUILT RIGHT FIRST
@WICKETT // @ERNESTMUELLER // #LEANSECURITY SECURITY WASTE • HANDOFFS - LEVERAGE THE KNOWLEDGE OF THE TEAMS DOING THE WORK AND COLLABORATE WITH THEM TO BUILD SECURITY IN, INSTEAD OF THAT BEING SOME OTHER TEAM’S JOB • WAITING - LAG BETWEEN VALUE STEPS WAITING FOR APPROVALS OR ANALYSES OR TICKET HANDLING - USE SELF SERVICE AUTOMATION INSTEAD • TASK SWITCHING - THE THOUSAND PAGE PDF AGAIN - WORK WITH THEIR WORK INTAKE PROCESS NOT AGAINST IT • DEFECTS - FALSE POSITIVES AND FALSE NEGATIVES AND JUST PLAIN UNIMPORTANT FINDINGS YOU REPORT CAUSING ZERO-VALUE REWORK
@WICKETT // @ERNESTMUELLER // #LEANSECURITY UNDERSTAND THE WASTE THAT YOU GENERATE
@WICKETT // @ERNESTMUELLER // #LEANSECURITY #3 SECURITY IS INVISIBLE
@WICKETT // @ERNESTMUELLER // #LEANSECURITY SECURITY PROFESSIONALS ARE QUICK TO SAY SECURITY IS EVERYONE’S JOB
@WICKETT // @ERNESTMUELLER // #LEANSECURITY SECURITY COULD LEARN FROM WEB PERFORMANCE CIRCA 2008
@WICKETT // @ERNESTMUELLER // #LEANSECURITY PERFORMANCE • BROWSER EXTENSIONS FOR DEVS TO UNDERSTAND PERFORMANCE PROBLEMS • RESEARCH SHOWING PERFORMANCE TO REVENUE CORRELATION • SEARCHABLE LOGS EMITTING STATSD METRICS • CONFERENCES COMBINING FRONT END DEVS AND SYS ADMINS • COMMITMENT TO INSTRUMENT AND GRAPH ALL THE THINGS
@WICKETT // @ERNESTMUELLER // #LEANSECURITY SECURITY • BROWSER EXTENSIONS FOR DEVS TO UNDERSTAND SECURITY PROBLEMS • RESEARCH SHOWING SECURITY TO REVENUE CORRELATION • SEARCHABLE LOGS EMITTING STATSD METRICS • CONFERENCES COMBINING DEVS OPS AND SECURITY • COMMITMENT TO INSTRUMENT AND GRAPH ALL THE THINGS
@WICKETT // @ERNESTMUELLER // #LEANSECURITY SEE THE WHOLE • KEEP MEANINGFUL METRICS, MAKE THOSE METRICS VISIBLE - IN CONTEXT OF WORKERS’ TOOLCHAIN • “LEAST PRIVILEGE” NEEDS TO BE UNLEARNED SOMEWHAT IN MODERN ORGANIZATIONS TO ALLOW EFFECTIVE INFORMATION SHARING • GET IN BUSINESS OF SHARING AND ADDING VISIBILITY TO DEV AND TO OPS.
@WICKETT // @ERNESTMUELLER // #LEANSECURITY VISUALIZE SECURITY SO EVERYONE CAN SEE
@WICKETT // @ERNESTMUELLER // #LEANSECURITY #4 SECURITY IS ALWAYS TOO LATE
@WICKETT // @ERNESTMUELLER // #LEANSECURITY BUILD INTEGRITY IN • “CEASE DEPENDENCE ON MASS INSPECTION TO ACHIEVE QUALITY. IMPROVE THE PROCESS AND BUILD QUALITY INTO THE PRODUCT IN THE FIRST PLACE." — W. EDWARDS DEMING • INTEGRATE INTO CONTINUOUS INTEGRATION AND USE TEST DRIVEN DEVELOPMENT (TDD) TO RECTIFY ISSUES AT THE LOWEST WASTE POINT
SOURCE: THE THREE WAYS OF DEVOPS, GENE KIM
@WICKETT // @ERNESTMUELLER // #LEANSECURITY NEEDED A WAY TO BE MEAN TO YOUR CODE EARLIER IN THE DEVELOPMENT PROCESS ENTER GAUNTLT…
@WICKETT // @ERNESTMUELLER // #LEANSECURITY @slow @final Feature: Look for cross site scripting (xss) using arachni against a URL Scenario: Using arachni, look for cross site scripting and verify no issues are found Given "arachni" is installed And the following profile: | name | value | | url | http://localhost:8008 | When I launch an "arachni" attack with: """ arachni —check=xss* <url> """ Then the output should contain "0 issues were detected." Given When Then What? AN ATTACK LANGUAGE FOR DEVOPS
@WICKETT // @ERNESTMUELLER // #LEANSECURITY
@WICKETT // @ERNESTMUELLER // #LEANSECURITY
@WICKETT // @ERNESTMUELLER // #LEANSECURITY theagileadmin.com/2015/06/09/pragmatic-security-and-rugged-de
@WICKETT // @ERNESTMUELLER // #LEANSECURITY GENERATE SECURITY FEEDBACK IN EACH STEP IN THE VALUE STREAM
@WICKETT // @ERNESTMUELLER // #LEANSECURITY #5 SECURITY IS ALWAYS IN THE WAY
@WICKETT // @ERNESTMUELLER // #LEANSECURITY ARE YOU “THAT GUY?” • YOU ALREADY KNOW YOU CAN’T MAKE THINGS SECURE BY YOURSELF • YOU NEED EVERYONE ELSE TO PITCH IN - BUT DOES IT SEEM LIKE THE THINGS YOU DO JUST ANGER THEM?
@WICKETT // @ERNESTMUELLER // #LEANSECURITY EMPOWER THE TEAM • UNDERSTAND HUMAN MOTIVATION • NETFLIX AUTOMATION CREATED SAFE PATHS AS THE DEFAULT • REMOVES EMOTIONAL CHARGE
@WICKETT // @ERNESTMUELLER // #LEANSECURITY SELF SERVICE AUTOMATION
@WICKETT // @ERNESTMUELLER // #LEANSECURITY #6 SECURITY IS PERFECTIONIST AND IS THEREFORE UNREALISTIC
@WICKETT // @ERNESTMUELLER // #LEANSECURITY SECURITY IS YOUR PRODUCT
@WICKETT // @ERNESTMUELLER // #LEANSECURITY BUILD-MEASURE- LEARN • DELIVER MINIMAL VIABLE SECURITY ACROSS EVERYTHING • FOCUS ON DETECTION/METRIC GATHERING • ITERATE FROM THERE • REMEMBER THE WEAKEST LINK WINS • OVERLAP SMALLER SOLUTIONS - SEE JOSH MORE’S OWASP 2012 “LEAN SECURITY 101” PRESENTATION
@WICKETT // @ERNESTMUELLER // #LEANSECURITY MANAGE YOUR PRODUCT
@WICKETT // @ERNESTMUELLER // #LEANSECURITY WE’VE BEEN THERE
@WICKETT // @ERNESTMUELLER // #LEANSECURITY ERNEST MUELLER JAMES WICKETT @wickett @ernestmueller THEAGILEADMIN.COM

More Related Content

PPTX
Lean Security
bySeniorStoryteller
 
PPTX
Lean Security - LASCON 2016
byErnest Mueller
 
PPTX
Lean Security - OWASP Austin March 2016
byErnest Mueller
 
PPTX
Future of Work: Heather McGowan
byHyperloop Transportation Technologies Inc
 
PDF
Marcus Ranum on Bad Idea Zombies
byDavid Strom
 
PPTX
Problem management foundation - Significant havoc in technology
byRonald Bartels
 
PPTX
How To Develop A Company Disaster Plan
byJennifer H. Elder
 
PPTX
Failure is inevitable but it isn't permanent
byTom Stiehm
 
Lean Security
bySeniorStoryteller
 
Lean Security - LASCON 2016
byErnest Mueller
 
Lean Security - OWASP Austin March 2016
byErnest Mueller
 
Future of Work: Heather McGowan
byHyperloop Transportation Technologies Inc
 
Marcus Ranum on Bad Idea Zombies
byDavid Strom
 
Problem management foundation - Significant havoc in technology
byRonald Bartels
 
How To Develop A Company Disaster Plan
byJennifer H. Elder
 
Failure is inevitable but it isn't permanent
byTom Stiehm
 

Viewers also liked

PDF
Building Security In - A Tale of Two Stories - Laksh Raghavan
bySeniorStoryteller
 
PPTX
脆弱性スキャナVulsを使ってDevSecOpsを実践!
byTakayuki Ushida
 
PPTX
Making Security Agile - Oleg Gryb
bySeniorStoryteller
 
PPTX
The DevOps Panel - Innotech Austin CD Summit
byErnest Mueller
 
PDF
Ops Happens: DevOps Beyond Deployment - Damon Edwards
bySeniorStoryteller
 
PDF
Implementing DevOps in a Regulated Environment - DJ Schleen
bySeniorStoryteller
 
PPTX
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
bySeniorStoryteller
 
PDF
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
bySeniorStoryteller
 
Building Security In - A Tale of Two Stories - Laksh Raghavan
bySeniorStoryteller
 
脆弱性スキャナVulsを使ってDevSecOpsを実践!
byTakayuki Ushida
 
Making Security Agile - Oleg Gryb
bySeniorStoryteller
 
The DevOps Panel - Innotech Austin CD Summit
byErnest Mueller
 
Ops Happens: DevOps Beyond Deployment - Damon Edwards
bySeniorStoryteller
 
Implementing DevOps in a Regulated Environment - DJ Schleen
bySeniorStoryteller
 
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
bySeniorStoryteller
 
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
bySeniorStoryteller
 

Similar to Lean Security - RSA 2016

PDF
Shift Left Security – Guidance on embedding security for a Digital Transforma...
byYazad Khandhadia
 
PDF
DevSecOps at Agile 2019
byElizabeth Ayer
 
PPTX
The Journey to DevSecOps
bySeniorStoryteller
 
PDF
Defense-Oriented DevOps for Modern Software Development
byVMware Tanzu
 
PDF
Defense-Oriented DevOps for Modern Software Development
byJames Wickett
 
PDF
AppSec California 2018: The Path of DevOps Enlightenment for InfoSec
byJames Wickett
 
PDF
Innotech Austin 2017: The Path of DevOps Enlightenment for InfoSec
byJames Wickett
 
PDF
DevSecOps and the New Path Forward
byJames Wickett
 
PDF
The Path of DevOps Enlightenment for InfoSec
byJames Wickett
 
PDF
Epistemological Problem of Application Security
byJames Wickett
 
PPTX
2011 09 18 United "Platitudes, reality and promise"
byGene Kim
 
PDF
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
byVMware Tanzu
 
PPTX
DevSecOps - It can change your life (cycle)
byQualitest
 
PPTX
Winnipeg ISACA Security is Dead, Rugged DevOps
byGene Kim
 
PDF
Lean Security
byBen Johnson
 
PPTX
NZISF Talk: Six essential security services
byHinne Hettema
 
PDF
Your're Special (But Not That Special)
bySandra (Sandy) Dunn
 
PPTX
The Journey to DevSecOps
byShannon Lietz
 
PDF
Building Security Teams
byAstera Esther Schneeweisz
 
PDF
Can you be Safe with SAFe?
byCprime
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
byYazad Khandhadia
 
DevSecOps at Agile 2019
byElizabeth Ayer
 
The Journey to DevSecOps
bySeniorStoryteller
 
Defense-Oriented DevOps for Modern Software Development
byVMware Tanzu
 
Defense-Oriented DevOps for Modern Software Development
byJames Wickett
 
AppSec California 2018: The Path of DevOps Enlightenment for InfoSec
byJames Wickett
 
Innotech Austin 2017: The Path of DevOps Enlightenment for InfoSec
byJames Wickett
 
DevSecOps and the New Path Forward
byJames Wickett
 
The Path of DevOps Enlightenment for InfoSec
byJames Wickett
 
Epistemological Problem of Application Security
byJames Wickett
 
2011 09 18 United "Platitudes, reality and promise"
byGene Kim
 
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
byVMware Tanzu
 
DevSecOps - It can change your life (cycle)
byQualitest
 
Winnipeg ISACA Security is Dead, Rugged DevOps
byGene Kim
 
Lean Security
byBen Johnson
 
NZISF Talk: Six essential security services
byHinne Hettema
 
Your're Special (But Not That Special)
bySandra (Sandy) Dunn
 
The Journey to DevSecOps
byShannon Lietz
 
Building Security Teams
byAstera Esther Schneeweisz
 
Can you be Safe with SAFe?
byCprime
 

More from Ernest Mueller

PPTX
DevOps Transformations
byErnest Mueller
 
PPTX
DevOps 101
byErnest Mueller
 
PPTX
The DevOps Centipede
byErnest Mueller
 
PPTX
AlienVault USM Anywhere: Building a Security SaaS in AWS in Six Months
byErnest Mueller
 
PPTX
Cloud Monitoring
byErnest Mueller
 
PDF
Metrics Driven Development and DevOps - Agile 2014
byErnest Mueller
 
PPTX
DevOps State of the Union 2015
byErnest Mueller
 
PPTX
Why the cloud is more secure than your existing systems
byErnest Mueller
 
PDF
Intro to DevOps
byErnest Mueller
 
PPTX
Business model driven cloud adoption - what NI is doing in the cloud
byErnest Mueller
 
PDF
2012 - A Release Odyssey
byErnest Mueller
 
PPT
Mobile and the Cloud
byErnest Mueller
 
PPTX
CloudAustin Black Friday 2013
byErnest Mueller
 
PPT
App Assessments Reloaded
byErnest Mueller
 
PPTX
DevOps and Cloud at NI
byErnest Mueller
 
PPTX
Inside Microsoft Azure
byErnest Mueller
 
PDF
DevOps at a Distance
byErnest Mueller
 
PPTX
PIE - The Programmable Infrastructure Environment
byErnest Mueller
 
DevOps Transformations
byErnest Mueller
 
DevOps 101
byErnest Mueller
 
The DevOps Centipede
byErnest Mueller
 
AlienVault USM Anywhere: Building a Security SaaS in AWS in Six Months
byErnest Mueller
 
Cloud Monitoring
byErnest Mueller
 
Metrics Driven Development and DevOps - Agile 2014
byErnest Mueller
 
DevOps State of the Union 2015
byErnest Mueller
 
Why the cloud is more secure than your existing systems
byErnest Mueller
 
Intro to DevOps
byErnest Mueller
 
Business model driven cloud adoption - what NI is doing in the cloud
byErnest Mueller
 
2012 - A Release Odyssey
byErnest Mueller
 
Mobile and the Cloud
byErnest Mueller
 
CloudAustin Black Friday 2013
byErnest Mueller
 
App Assessments Reloaded
byErnest Mueller
 
DevOps and Cloud at NI
byErnest Mueller
 
Inside Microsoft Azure
byErnest Mueller
 
DevOps at a Distance
byErnest Mueller
 
PIE - The Programmable Infrastructure Environment
byErnest Mueller
 

Recently uploaded

PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
MuleSoft Vibes is an AI-powered assistant
byVikalp Bhalia
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
DOCX
Cloud Security, Serverless Security. Cybersecurity
byEdcelPacayraDuena
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
software-security-intro in information security.ppt
byismaeelsahib032
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
The Landscape of Computer Software Development Companies
byYash Singh
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
MuleSoft Vibes is an AI-powered assistant
byVikalp Bhalia
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Cloud Security, Serverless Security. Cybersecurity
byEdcelPacayraDuena
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 

Lean Security - RSA 2016

  • 1.
  • 2.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY ERNEST MUELLER JAMES WICKETT @wickett @ernestmueller THEAGILEADMIN.COM
  • 3.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY THE PRESENTATION THAT JUST MIGHT CHANGE YOUR LIFE…
  • 4.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY COMPANIES ARE SPENDING A GREAT DEAL ON SECURITY, BUT WE READ OF MASSIVE COMPUTER-RELATED ATTACKS. CLEARLY SOMETHING IS WRONG. THE ROOT OF THE PROBLEM IS TWOFOLD: WE’RE PROTECTING (AND SPENDING MONEY ON PROTECTING) THE WRONG THINGS, AND WE’RE HURTING PRODUCTIVITY IN THE PROCESS. Thinking Security, Steven M. Bellovin 2015
  • 5.
  • 6.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY AGILE
  • 7.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY WHAT IS AGILE? • INDIVIDUALS AND INTERACTIONS OVER PROCESSES AND TOOLS • WORKING SOFTWARE OVER COMPREHENSIVE DOCUMENTATION • CUSTOMER COLLABORATION OVER CONTRACT NEGOTIATION • RESPONDING TO CHANGE OVER FOLLOWING A PLAN SOURCE: THE AGILE MANIFESTO (HTTP://WWW.AGILEMANIFESTO.ORG/)
  • 8.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY WHY AGILE? • 45% OF ORGANIZATIONS ARE USING AGILE ON A MAJORITY OF THEIR TEAMS ONLY 5% ARE NOT USING IT AT ALL • AGILE RESULTS: • ACCELERATE PRODUCT DELIVERY - 59% • ENHANCE ABILITY TO MANAGE CHANGING PRIORITIES - 56% • INCREASE PRODUCTIVITY - 53% • ENHANCE SOFTWARE QUALITY - 46% • ENHANCE DELIVERY PREDICTABILITY - 44% SOURCE: VERSIONONE NINTH ANNUAL STATE OF AGILE SURVEY (HTTPS://WWW.VERSIONONE.COM/PDF/STATE-OF-AGILE-DEVELOPMENT-SURVEY-NINTH.PDF)
  • 9.
  • 10.
  • 11.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY WHAT IS DEVOPS? DEVOPS IS THE PRACTICE OF OPERATIONS AND DEVELOPMENT ENGINEERS PARTICIPATING TOGETHER IN THE ENTIRE SERVICE LIFECYCLE, FROM DESIGN THROUGH THE DEVELOPMENT PROCESS TO PRODUCTION SUPPORT. DEVOPS IS ALSO CHARACTERIZED BY OPERATIONS STAFF MAKING USE MANY OF THE SAME TECHNIQUES AS DEVELOPERS FOR THEIR SYSTEMS WORK. SOURCE: THE AGILE ADMIN: WHAT IS DEVOPS? HTTP://THEAGILEADMIN.COM/WHAT-IS-DEVOPS/
  • 12.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY WHY DEVOPS?• BY 2016 “DEVOPS WILL EVOLVE FROM A NICHE TO A MAINSTREAM STRATEGY EMPLOYED BY 25% OF GLOBAL 2000 ORGANIZATIONS” - GARTNER, MARCH 2015 • BENEFITS OF DEVOPS: • NEW SOFTWARE/SERVICES THAT WOULD OTHERWISE NOT BE POSSIBLE - 21% • A REDUCTION IN TIME SPENT FIXING AND MAINTAINING APPLICATIONS - 21% • INCREASED COLLABORATION BETWEEN DEPARTMENTS - 21% • AN INCREASE IN REVENUE - 19% • IMPROVED QUALITY AND PERFORMANCE OF OUR DEPLOYED APPLICATIONS - 19% SOURCE: CA RESEARCH REPORT—DEVOPS: THE WORST-KEPT SECRET TO WINNING IN THE APPLICATION ECONOMY (HTTP://REWRITE.CA.COM/US/ARTICLES/DEVOPS/RESEARCH-REPORT-- DEVOPS-THE-WORST-KEPT-SECRET-TO-WINNING-IN-THE-APPLICATION-ECONOMY.HTML)
  • 13.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY HIGH-PERFORMING IT ORGANIZATIONS EXPERIENCE 60X FEWER FAILURES AND RECOVER FROM FAILURE 168X FASTER THAN THEIR LOWER- PERFORMING PEERS. THEY ALSO DEPLOY 30X MORE FREQUENTLY WITH 200X SHORTER LEAD TIMES.
  • 14.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY LEAN
  • 15.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY LEAN SOFTWARE DEVELOPMENT SEVEN PRINCIPLES: • ELIMINATE WASTE • AMPLIFY LEARNING • DECIDE AS LATE AS POSSIBLE • DELIVER AS FAST AS POSSIBLE • EMPOWER THE TEAM • BUILD INTEGRITY IN • SEE THE WHOLE AN SOFTWARE DEVELOPMENT: AN AGILE TOOLKIT (2003), MARY AND TOM POPPENDIECK
  • 16.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY LEAN PRODUCT DEVELOPMENT • BUILD-MEASURE-LEARN • BUILD – MINIMUM VIABLE PRODUCT • MEASURE – THE OUTCOME AND INTERNAL METRICS • LEARN – ABOUT YOUR PROBLEM AND YOUR SOLUTION • REPEAT – GO DEEPER WHERE IT’S NEEDED SOURCE: LEAN STARTUP (2011), ERIC RIES
  • 17.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY WHY LEAN? • BOTH DEVOPS AND AGILE BORROW KEY CONCEPTS FROM LEAN MANUFACTURING, SO IT'S ALL ABOUT COMMUNICATION AND OPENNESS." -INFORMATIONWEEK
  • 18.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY WHAT ARE THE CHALLENGES THAT AGILE / DEVOPS / LEAN POSE TO INFOSEC?
  • 19.
  • 20.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY INSTEAD, EXAMINE HOW ADOPTING THESE STRATEGIES CAN HELP YOU WIN
  • 21.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY LEAN SECURITY IS FOR WINNERS
  • 22.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY THE SIX-FOLD PATH OF LEAN SECURITY (AND HOW TO WIN)
  • 23.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY #1 SECURITY IS JUST BEANCOUNTING
  • 24.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY WE TRADED ENGINEERING FOR ACTUARIAL DUTIES
  • 25.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY “[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”
  • 27.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY A SECURITY MANAGEMENT SYSTEM PROVIDES OPTIMAL VALUE TO THE ORGANIZATION IF IT: • ACTIVELY SUPPORTS ACHIEVING THE BUSINESS AND COMPLIANCE OBJECTIVES OF THE ORGANIZATION (THE VARIABLE PART) • IS AN EFFICIENT, AGILE AND INTEGRATED PROCESS, CAPABLE OF DEALING WITH A DYNAMIC THREAT ENVIRONMENT • CONSUMES MINIMAL TIME AND RESOURCES • RESULTS IN ADEQUATELY MANAGED SECURITY RISK, IN LINE WITH THE RISK APPETITE OF THE ORGANIZATION • PROVIDES ONLY THE NECESSARY, YET ADEQUATE, USER FRIENDLY, EFFICIENT AND MEASURABLE SECURITY CONTROLS SOURCE: JOHAN BAKKER, LEAN SECURITY MANAGEMENT WHITE PAPER
  • 28.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY UNDERSTAND THE VALUE YOUR ORGANIZATION WANTS FROM YOU
  • 29.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY #2 SECURITY IS A BOTTLENECK
  • 30.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY THE AVERAGE TIME TO DELIVER CORPORATE IT PROJECTS HAS INCREASED FROM ~8.5 MONTHS TO OVER 10 MONTHS IN THE LAST 5 YEARS Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016
  • 31.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY WHY ARE COMPANIES SO SLOW? THE GROWTH OF CONTROL AND RISK MANAGEMENT FUNCTIONS WHICH IS TOO OFTEN POORLY COORDINATED… [RESULTING IN] A PROLIFERATION OF NEW TASKS IN THE AREAS OF COMPLIANCE, PRIVACY AND DATA PROTECTION. Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016
  • 32.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY THE THREE WASTES • MUDA - WORK WHICH ABSORBS RESOURCE BUT ADDS NO VALUE • MURI - UNREASONABLE WORK THAT IS IMPOSED ON WORKERS AND MACHINES • MURA - WORK COMING IN DRIBS AND DRABS WITH SUDDEN PERIODS OF RUSH RATHER THAN A CONSTANT OR REGULAR FLOW, UNEVENNESS.
  • 33.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY SECURITY WASTE MUDA COMES IN SEVEN FORMS: • EXCESS INVENTORY - DUMPING YOUR THOUSAND PAGE PDF OF VULNERABILITIES ON A BUSY TEAM. PRIORITIZE AND LIMIT WORK IN PROGRESS (WIP) • OVERPRODUCTION - SECURITY CONTROLS STEMMING FROM FUD OR MISALIGNMENT WITH BUSINESS NEEDS (NOT DEMANDED BY ACTUAL CUSTOMERS) - CF. PHOENIX PROJECT • EXTRA PROCESSING - FOR EXAMPLE, RELYING ON COMPLIANCE TESTING RATHER THAN DESIGNING THE PROCESS TO ELIMINATE PROBLEMS - HELP IT GET BUILT RIGHT FIRST
  • 34.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY SECURITY WASTE • HANDOFFS - LEVERAGE THE KNOWLEDGE OF THE TEAMS DOING THE WORK AND COLLABORATE WITH THEM TO BUILD SECURITY IN, INSTEAD OF THAT BEING SOME OTHER TEAM’S JOB • WAITING - LAG BETWEEN VALUE STEPS WAITING FOR APPROVALS OR ANALYSES OR TICKET HANDLING - USE SELF SERVICE AUTOMATION INSTEAD • TASK SWITCHING - THE THOUSAND PAGE PDF AGAIN - WORK WITH THEIR WORK INTAKE PROCESS NOT AGAINST IT • DEFECTS - FALSE POSITIVES AND FALSE NEGATIVES AND JUST PLAIN UNIMPORTANT FINDINGS YOU REPORT CAUSING ZERO-VALUE REWORK
  • 35.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY UNDERSTAND THE WASTE THAT YOU GENERATE
  • 36.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY #3 SECURITY IS INVISIBLE
  • 37.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY SECURITY PROFESSIONALS ARE QUICK TO SAY SECURITY IS EVERYONE’S JOB
  • 38.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY SECURITY COULD LEARN FROM WEB PERFORMANCE CIRCA 2008
  • 39.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY PERFORMANCE • BROWSER EXTENSIONS FOR DEVS TO UNDERSTAND PERFORMANCE PROBLEMS • RESEARCH SHOWING PERFORMANCE TO REVENUE CORRELATION • SEARCHABLE LOGS EMITTING STATSD METRICS • CONFERENCES COMBINING FRONT END DEVS AND SYS ADMINS • COMMITMENT TO INSTRUMENT AND GRAPH ALL THE THINGS
  • 40.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY SECURITY • BROWSER EXTENSIONS FOR DEVS TO UNDERSTAND SECURITY PROBLEMS • RESEARCH SHOWING SECURITY TO REVENUE CORRELATION • SEARCHABLE LOGS EMITTING STATSD METRICS • CONFERENCES COMBINING DEVS OPS AND SECURITY • COMMITMENT TO INSTRUMENT AND GRAPH ALL THE THINGS
  • 41.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY SEE THE WHOLE • KEEP MEANINGFUL METRICS, MAKE THOSE METRICS VISIBLE - IN CONTEXT OF WORKERS’ TOOLCHAIN • “LEAST PRIVILEGE” NEEDS TO BE UNLEARNED SOMEWHAT IN MODERN ORGANIZATIONS TO ALLOW EFFECTIVE INFORMATION SHARING • GET IN BUSINESS OF SHARING AND ADDING VISIBILITY TO DEV AND TO OPS.
  • 42.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY VISUALIZE SECURITY SO EVERYONE CAN SEE
  • 43.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY #4 SECURITY IS ALWAYS TOO LATE
  • 44.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY BUILD INTEGRITY IN • “CEASE DEPENDENCE ON MASS INSPECTION TO ACHIEVE QUALITY. IMPROVE THE PROCESS AND BUILD QUALITY INTO THE PRODUCT IN THE FIRST PLACE." — W. EDWARDS DEMING • INTEGRATE INTO CONTINUOUS INTEGRATION AND USE TEST DRIVEN DEVELOPMENT (TDD) TO RECTIFY ISSUES AT THE LOWEST WASTE POINT
  • 45.
    SOURCE: THE THREEWAYS OF DEVOPS, GENE KIM
  • 46.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY NEEDED A WAY TO BE MEAN TO YOUR CODE EARLIER IN THE DEVELOPMENT PROCESS ENTER GAUNTLT…
  • 47.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY @slow @final Feature: Look for cross site scripting (xss) using arachni against a URL Scenario: Using arachni, look for cross site scripting and verify no issues are found Given "arachni" is installed And the following profile: | name | value | | url | http://localhost:8008 | When I launch an "arachni" attack with: """ arachni —check=xss* <url> """ Then the output should contain "0 issues were detected." Given When Then What? AN ATTACK LANGUAGE FOR DEVOPS
  • 48.
  • 49.
  • 50.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY theagileadmin.com/2015/06/09/pragmatic-security-and-rugged-de
  • 51.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY GENERATE SECURITY FEEDBACK IN EACH STEP IN THE VALUE STREAM
  • 52.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY #5 SECURITY IS ALWAYS IN THE WAY
  • 53.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY ARE YOU “THAT GUY?” • YOU ALREADY KNOW YOU CAN’T MAKE THINGS SECURE BY YOURSELF • YOU NEED EVERYONE ELSE TO PITCH IN - BUT DOES IT SEEM LIKE THE THINGS YOU DO JUST ANGER THEM?
  • 54.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY EMPOWER THE TEAM • UNDERSTAND HUMAN MOTIVATION • NETFLIX AUTOMATION CREATED SAFE PATHS AS THE DEFAULT • REMOVES EMOTIONAL CHARGE
  • 55.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY SELF SERVICE AUTOMATION
  • 56.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY #6 SECURITY IS PERFECTIONIST AND IS THEREFORE UNREALISTIC
  • 57.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY SECURITY IS YOUR PRODUCT
  • 58.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY BUILD-MEASURE- LEARN • DELIVER MINIMAL VIABLE SECURITY ACROSS EVERYTHING • FOCUS ON DETECTION/METRIC GATHERING • ITERATE FROM THERE • REMEMBER THE WEAKEST LINK WINS • OVERLAP SMALLER SOLUTIONS - SEE JOSH MORE’S OWASP 2012 “LEAN SECURITY 101” PRESENTATION
  • 59.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY MANAGE YOUR PRODUCT
  • 60.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY WE’VE BEEN THERE
  • 61.
    @WICKETT // @ERNESTMUELLER// #LEANSECURITY ERNEST MUELLER JAMES WICKETT @wickett @ernestmueller THEAGILEADMIN.COM

Editor's Notes

  • #3 Howdy from Austin, Texas. We are James and Ernest and both have worked together doing devops and security and have been friends for the last 12 years. We are both actively involved with DevOps (we run devopsdays austin) and the security community and user groups like OWASP. We blog together at theagileadmin.com.
  • #4 DevOps changed our life and we and are here to share how understanding the same Lean techniques can improve the effectiveness of your security work.
  • #5 In the recent book by Steven Bellovin, “Thinking Security,” he points out that as we are failing in our attempts to turn security spend into real security because we’re addressing the wrong things and hurting productivity.
  • #6 This might be how you feel…. Well, lets get to some solutions.
  • #7 To talk about Lean, we also want to talk about Agile and DevOps because they’re closely interrelated.
  • #8 Most of you probably have an understanding of Agile. You have seen it done right, seen it done wrong… There’s a lot more to it, but this is the core manifesto.
  • #9 Agile has become widespread and has provided clear benefits to software development in organizations.
  • #10 Next, DevOps!
  • #11 We had a problem with development and operations being siloed and chasing opposing goals.
  • #12 DevOps was conceptualized as a way to correct that. “DevOps is the application of Agile methodology to system administration” - The Practice of Cloud System Administration Book
  • #13 We are no longer having conversations about whether it is or isn't a thing. We are now talking about DevOps adoption and how it’s quickly growing, and is showing the same kind of benefits to adopting organizations.
  • #14 As we saw earlier in Jez and Nicole’s presentation, companies are getting real ORDERS OF MAGNITUDE value out of devops.
  • #15 And that brings us to Lean. You have heard other speakers today mention lean, waste, WIP, and the theory of constraints - who’s familiar with Lean (manufacturing, software development, or product development)?
  • #16 What is Lean? Lean started off by revolutionizing the world of manufacturing (W. Edwards Deming, Toyota Production System) but since then it has been adapted to software development. Its practices include value stream mapping, waste, pull, queueing theory, human motivation, measurement and visualization of metrics, TDD… We’ll go over many of these in the context of improving security work later in the presentation.
  • #17 Eric Ries also applied lean principles to product development in his book Lean Startup, which characterizes the core loop inside the product development cycle as “Build – Measure – Learn.” Lean is about bringing your effort onto the item with the highest leverage at any given time.
  • #18 The Puppet State of DevOps Report says: “One can describe DevOps as the pattern that emerges when you apply these same lean principles to technology.” Lean product, lean software, agile, and devops all come together into a single mutually reinforcing picture for a technology organization.
  • #20 If you look at every new innovation, whether it’s Lean, devops, cloud, social mobile, etc. as simply a “threat” to security then you’ve adopted a losing mindset out of the gate.
  • #21 Every single field has to innovate to stay relevant, and InfoSec doesn’t get a pass on that.
  • #23 We’ll now examine common challenges faced by InfoSec organizations and explain how you might be able to bring Lean to bear on implementing security more effectively in your organization. Each of these is a problem that we had in Ops before we found DevOps.
  • #24 Each one of these is a perception you have probably heard from someone at some point. While these are not all fair, they are also not completely random and unfounded. The first is that you’re just there to check boxes and don’t do much to make the apps and systems really more secure.
  • #26 In his book on browser security, Michael Zalewski has a great intro covering the history of information security and he poignantly notes that we decided risk management was able to fill the development and operations gaps we experienced. We became experts of structured inadequacy and wrapping problems with policies and “Accept the risk” statements. This is not value creation.
  • #27 The foundation of Lean is to understand what the real value add steps are in the creation of your product or service. This is an example value stream mapping representing the value steps between the initiation of a product and delivery to the customer. In Lean Software, this is called “Concept to Cash.” Do you really understand what value you are creating and where?
  • #28 Johan Bakker took a stab at what the true value of security management looks like to an organization. Note that it hinges on creating a solution that is custom to your organization. Whatever stock answers you got taught in Security School are not necessarily the value your customers need from you.
  • #29 Where can you add real security value that improves the value of your organization’s core business?
  • #30 The second complaint is that security is just a bottleneck to getting “the real work done.”
  • #31 Fortune Magazine just a few weeks reported that the average time to deliver corporate IT Projects has increased from ~8.5 months to over 10 months in the last 5 years.
  • #32 And the reason is… Security. Security has resulted in a proliferation of new work that, if badly coordinated, slows everything else down.
  • #33 Lean focuses a lot on the identification and removal of waste; it’s the very first Lean principle. In today’s business environment time is a critical resource, and to be honest, Security is often guilty of squandering it.
  • #34 The seven forms of muda can be seen in security operations frequently. These are a couple security-centric examples, but the takeaway is to analyze what you’re doing and identify the areas of waste in it.
  • #35 Two kinds of muda - type 1 (necessary) and type 2 (unnecessary)
  • #36 Your net value to the organization is the value you create minus the waste that you generate.
  • #37 People are tempted to see security as a solution in search of a problem when they don’t see how it fits in to everything.
  • #38 Security is everyone’s job, right?
  • #39 In Operations, Performance used to be invisible and we would say performance was everyone’s job… Then we did something about it. Security has a lot of corollaries to performance problems 5-10 years ago.
  • #40 To help people actually see and address the problems, performance experts focused on visualizing performance metrics directly in context to workers.
  • #41 We could do the same thing with security…
  • #42 This is an example of another Lean principle, “See the whole”; lean software development speaks extensively about metrics collection and visualization’
  • #44 It’s easy to get forced into reacting after there’s a breach, or even just after a vulnerability has gone live into production.
  • #46 The more you can create fast feedback loops which detect and remediate security problems continually as part of your customers’ normal work process, the less waste you generate.
  • #47 I wanted to find a way to be mean to your code in the development process. I knew that attack tooling had to move upstream.
  • #53 You know - not just a bottleneck due to constraints, but actively messing with us.
  • #55 Adrian Cockroft from Netflix claimed they had “No process” at AppSec one year. What he really meant is that they have made doing the right thing a part of the systems everyone uses, so the perception is that there’s no process.
  • #56 Use automation to build integrity in, don’t rely on mass inspection after things have already been done wrong.
  • #58 Security is a product, like any other. And all products have to make tradeoffs about what they will do and what they won’t do.
  • #59 If you listen to some folks you can’t “do security” without a $1.2M budget to get the six or seven huge products you need, and that’s the way to achieve perfection. But these tools are not only maybe not a good fit for your needs, but take a lot of time to implement. Rather than add additional waste via long analysis cycles, implement something small and fast, analyze results, and iterate. Often layers of a couple imperfect items yields better security than one “perfect” item.
  • #61 The whole reason there’s a DevOps track at this conference is that not too many years ago we were in the same situation and had all the exact same criticisms leveled at us. Operations was the at-best-invisible, beancounting bottleneck that was always a day late and a dollar short. But these time-tested principles has helped our entire industry begin to innovate its way out of that rut. Check them out and see if they can help you in the same way.
  • #62 Thanks for your time! You can find more of our thoughts at theagileadmin.com and we’re both here with companies working on solutions that we think are aligned with this vision of the future of security work.