Download to read offline
Uploaded byDevSecOps
Speed with confidence
1) The document discusses the need for a shift from a "security-only" model to a shared responsibility model of security between developers, operations staff, and security professionals. It advocates for the ideal state being one where security is everyone's responsibility. 2) CIOs surveyed preferred having their whole staff receive security training rather than relying on a few security experts, and dedicating 1% of staff to security curation rather than 40 hours of training for all. 3) There is a journey from security professionals making all decisions to developers being enabled by self-service security capabilities to experiment with more autonomy while still achieving high confidence levels in their work.
More Related Content
Similar to Speed with confidence
Speed with confidence
- 1. 1 SPEED WITH CONFIDENCE shannonlietz @devsecops
- 2. 2 MY pseudo JOURNEYLINE... HOW I SPEND MY DAYS... WHAT MAKES ME HUMAN... <me /> Sugar plum fairies DEV SEC OPS DSO RGD 1984 1989 1996 2001 2011 COMICS #HACKERGIRL
- 3.
- 4.
- 5.
- 6. 6 That’s not howyou do security! You aren’t taking customer needs seriously! I’ve got deadlines! That’s not valuable advice!
- 7. 7 My App isSafe!
- 8.
- 9.
- 10.
- 11.
- 12.
- 13. 13 Compliance Programs won’tstop a breach • Point in time assessments don’t go far enough • 0 companies (in 10 years) have been found compliant after a breach • Compliance needs to be paired with rugged security http://www.slideshare.net/VerizonEnterpriseSolutions/webinar-new-insights-to-simplify-pci-compliance-and-manage-risk
- 14. 14 It’s a zerosum game...
- 15. 15 “What if software couldbe made safer sooner from simply checking confidence levels?”
- 16. 16 CIOs surveyed on2 questions across multiple industries 1) What would you choose? a) Your whole staff is somewhat security knowledgeable and can make decisions b) Having 3 security rocks stars on staff that make all the security decisions 2) How would you ensure the best decisions were being made? a) Your whole staff attends at least 40 hours of security awareness training per year b) You dedicate 1% of your staff to security curation by experienced security practitioners 100% chose a 100% chose b
- 17. 17 From further conversation... 1.Context moves too fast for dedicated security decision makers. 2. Training doesn’t provide enough skills and is too expensive to ensure deep capabilities. 3. Perfection is the enemy of good. We need to be good.
- 18. 18 The Journey: TransformingSecurity Decisions Do-It-For-Me Security Do-It-With-Me Security Do-It-Yourself Security Experienced Security Professionals ensure the effectiveness of security controls, limited privilege and separation of duties. DevOps present ideas and software for review. DevOps + Experienced Professionals come together to build best in class products and services. DevOps are enabled by Self-Service Security as Code capabilities available without consultation that help transform idea into experiment. Ideal state Security is Everyone’s Responsibility Security is a Shared ResponsibilitySecurity is a “Security Only” Responsibility
- 19.
- 20.
- 21.
- 22.
- 23.
- 24.
- 25.
- 26.
- 27.
- 28. 28 Would you behappy with 60 to 80% security?
- 29. 29 ...what if therewere no exploitable weaknesses?
- 30.
- 31.
- 32.
- 33. 33 OWASP vs. RealWorld OWASP Top 10 Advanced Adversaries % Perceive d Success Number of Adversaries + IPs Scanners Researchers Paid Noise
- 34. 34 OWASP TOP 10App Sec Risks Real-World Top 10 Attacks 1 Injection Direct Object Reference 2 Broken Authentication Forceful Browsing 3 Sensitive Data Exposure Null Byte Attack 4 XML External Exposures (XXE) Command Injection 5 Broken Access Control Feature Abuse 6 Security Misconfiguration Evasion Techniques 7 Cross Site Scripting Subdomain Takeover 8 Insecure Deserialization Misconfiguration 9 Using Components with Known Vulnerabilities Cross Site Scripting 10 Insufficient Logging/Monitoring SQL Injection Less Guessing...
- 35.
- 36. 36 • Everyone knowsMaslow… • If you can remember 5 things, remember these -> “Apps & data are as safe as where you put it, what’s in it, how you inspect it, who talks to it, and how its protected…”
- 37. 37 I think wecan make security fit like this... Hmm, I hadn’t considered that… wow it works!
- 38. 38 38 What do weneed help with? I’m are writing a book along with James Wickett, Ernest Mueller and John Willis on DevSecOps. We are looking for stories of DevSecOps transformations, journeys, successes and failures. book@devsecops.org
- 39.