Silver Lining for Miles: DevOps for Building Security Solutions
1. Silver Linings for Miles: DevOps for Building Secure Solutions
zane@signalsciences.com
@zanelackey
apb@datadoghq.com
@andrewbecherer
2. Who are these guys anyway?
• Zane built and led the Etsy Security Team (spoiler alert: much of what this presentation is about) and co-founded Signal Sciences
• Andrew ran a large application security consulting practice for iSEC/NCC Group and is now leading the Datadog Security Team (spoiler alert: also much of what this presentation is about)
3. This talk is about lessons learned being at the forefront of the shift to agile/continuous deployment/DevOps
4. For security teams, the world has changed in three fundamental ways:
– Agility means code deployment is trending to near-instantaneous
– Security is no longer the gatekeeper to deployment
– If security is a blocker, it will be routed around
12. The key to realize is that vulnerabilities occur in all development methodologies
…But there’s no such thing as an out-of-band patch in continuous deployment
14. Compared to:
“We’ll rush that security fix. It will go out … in about 6 weeks.”
- Former vendor at Etsy
28. Did you ever really, I mean really, have security eyes on code?
29. Let’s do better.
30. “Communities of practice are groups of people who share a concern, a set of problems, or a passion about a topic, and who deepen their knowledge and expertise in this area by interacting on an ongoing basis.”
37. Lessons Learned:
– Embracing DevOps/Agile/Continuous Deployment helps, not harms, security
– Visibility is the key to moving quickly and safely
– You (in the general case) are never going to be able to hire enough staff, so steal everyone else’s