John Willis, profile picture
Uploaded byJohn Willis
PDF, PPTX542 views

swampUP - 2018 - The Divine and Felonious Nature of Cyber Security

The document discusses the divine and felonious nature of cyber security and introduces the concept of DevSecOps. It notes that traditional perimeter-based security is no longer sufficient given changes in applications and infrastructure. DevSecOps integrates security practices like training, requirements, threat modeling directly into the development pipeline from the beginning. This helps automate security testing and monitoring throughout the software development lifecycle and supply chain. When done right, DevSecOps helps create a "new Goldilocks zone" where security is no longer a bottleneck to rapid software development and deployment.

Embed presentation

Download as PDF, PPTX
The Divine and Felonious Nature of Cyber Security ( Introduction to DevSecOps ) John Willis @botchagalupe
https://github.com/botchagalupe/my-presentations
The Felonious Nature of Cyber Security
Infecting
• 1.5M Java Modules Per Week 
 • 5M Node Modules Per Week • 31B Modules Per Year • 230k Modules Per Enterprise/Per Year
 • 8% Have Known Vulnerabilities 
 • 8M Average Cost to Remediate a Breach By The Numbers modulecounts.com and 2017 Software Supply Chain Report
DYNOROOT CVE 2018-1111
Actual Exploitation 2015 VZ DBIR
• Discovered 3/6/2017
 • Announced 3/9/2017
 • CVE created 3/10/2017 • Equifax Oracle Patches 4/2017 • Equifax Patches 6/30/2017
 • Equifax discovers 7/29/2017
 • Equifax announced 9/2017
 Anatomy of CVE-2017-5638
• Discovered - 3/9/2017
 • Action - 3/10/2017
 • Remediation - 3/14/2017
 Anatomy of CVE-2017-5638 @botchagalupe
Anatomy of CVE-2017-8046 (Fool Me Once) • Published 9/21/17
 • CVE created 01/04/2018
 • Discovered 2/18/17
 • Corrected 3/6/18
 @botchagalupe
Security and the Goldilocks Zone • The fallacious nature of cyber security relates to the standard legacy security model specifically on the idea of perimeter security. • This concept involves the implementation of a state-full firewall at a routed point within the network that very rarely gets looked at unless an operational change is required. • The problem with having only premier security is that applications have changed significantly in the last ten years and the infrastructure they run upon is playing by the same old rules.

Devops Meets DevSecOps
@botchagalupe
• CAMS
 • Culture • Automation • Measurement • Sharing Devops Taxonomies • The Three Ways •The First Way •The Second Way •The Third Way
Devops Automated Deployment Pipeline Source: Wikipedia - Continuous Delivery @botchagalupe
Devops Automated Deployment Pipeline @botchagalupe
21 Summary • Agile took us from months to days to deliver software • Devops took from months to days to deploy software • Now security is the bottleneck @botchagalupe
DevSecOps
You Build It, You Secure It @botchagalupe
DevSecOps as Supply Chain? 25 Source: Wikipedia - Continuous Delivery @botchagalupe
Software Supply Chain 26 Delivery Team Version Control Build Test Release DevOps Example Stage Prod @botchagalupe
Software Supply Chain 27 Delivery Team Version Control Build Test Release DevOps Example Stage Prod @botchagalupe
Security in the Software Supply Chain 28 Delivery Team Version Control Build Test Release DevOps Example Delivery Team Version Control Build Test Release DevOps and Security Stage Prod @botchagalupe
Security in the Software Supply Chain 29 Delivery Team Version Control Build Test Release DevOps Example Delivery Team Version Control Build Test Release DevSecOps Example Stage Prod @botchagalupe
30 Delivery Team Version Control Build Test Release DevSecOps Supply Chain Stage Prod The New Goldilocks Zone (DevSecOps) Security Training Security Requirements Threat Modeling Architecture Review OWASP Top 10 IDE Plugins Code Examples Fail the Build SAST/DAST/IAST Configuration Analysis Application Module Scanning Threat Modeling as Unit Test Automated Pen Testing Static Code Analysis Security Policy Testing Configuration Analysis Security Monitoring
 Configuration Monitoring
Best Practices for DevSecOps • Train development teams to develop secure code • Track security issues the same as software issues • Security as code, Security Built In. • Integrate security controls in the software pipeline • Automate security test in the build process • Detect known vulnerabilities during the pipeline • Monitor security in production for known states • Inject failure to ensure security is hardened Gene Kim, Jez Humble, Patrick Dubois, and John Willis. 
 The DevOps Handbook; It Revolution Press, LLC.;2016.@botchagalupe
Knowing Adversities and Motivations
Knowing Adversities and Motivations
The Divine
@botchagalupe
The Felonious Nature of Cyber Security @botchagalupe

More Related Content

PPTX
DevOps Days Columbus - Derek Weeks - 2019
bySonatype
 
PDF
RSAC DevSecOpsDays 2018 - We are all Equifax
bySonatype
 
PDF
Continuous Security Testing - DevSecCon
byStephen de Vries
 
PPTX
DevOps and All the Continuouses w/ Helen Beal
bySonatype
 
PPTX
DevOps & Security: Here & Now
byCheckmarx
 
PPTX
SecDevOps: The New Black of IT
byCloudPassage
 
PPTX
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
byDevSecCon
 
PPTX
Ensuring OpenStack Version up Compatibility for CloudOpen Japan 2013-05-31
byMasayuki Igawa
 
DevOps Days Columbus - Derek Weeks - 2019
bySonatype
 
RSAC DevSecOpsDays 2018 - We are all Equifax
bySonatype
 
Continuous Security Testing - DevSecCon
byStephen de Vries
 
DevOps and All the Continuouses w/ Helen Beal
bySonatype
 
DevOps & Security: Here & Now
byCheckmarx
 
SecDevOps: The New Black of IT
byCloudPassage
 
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
byDevSecCon
 
Ensuring OpenStack Version up Compatibility for CloudOpen Japan 2013-05-31
byMasayuki Igawa
 

What's hot

PDF
Typescript presentation
byKartik Grewal
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
PPTX
Dependency-Check Ecosystem - OWASP Summit 2017
bySteve Springett
 
PDF
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
byAgile Testing Alliance
 
PDF
DevSecCon Tel Aviv 2018 - Value driven threat modeling by Avi Douglen
byDevSecCon
 
PDF
Continuous Security: Using Automation to Expand Security's Reach
byMatt Tesauro
 
PPTX
DevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer Levi
byDevSecCon
 
PPTX
DevSecOps
byCheah Eng Soon
 
PPTX
Automating security tests for Continuous Integration
byStephen de Vries
 
PPTX
Automated Testing in Continuous Change Management
byPerforce
 
PDF
Devops, Secops, Opsec, DevSec *ops *.* ?
byKris Buytaert
 
PPTX
Software Supply Chain Security та компоненти з відомими вразливостями
byOWASP Kyiv
 
PPTX
Continuous Security Testing with Devops - OWASP EU 2014
byStephen de Vries
 
PPTX
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...
byDevSecCon
 
PPTX
Continuous Security Testing in a Devops World #OWASPHelsinki
byStephen de Vries
 
PDF
DevSecOps Fundamentals and the Scars to Prove it.
byMatt Tesauro
 
PDF
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
byMatt Tesauro
 
PPTX
Security Implications for a DevOps Transformation
byDeborah Schalm
 
PDF
DevOps or DevSecOps
byMichelangelo van Dam
 
PDF
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
byDevOps.com
 
Typescript presentation
byKartik Grewal
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
Dependency-Check Ecosystem - OWASP Summit 2017
bySteve Springett
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
byAgile Testing Alliance
 
DevSecCon Tel Aviv 2018 - Value driven threat modeling by Avi Douglen
byDevSecCon
 
Continuous Security: Using Automation to Expand Security's Reach
byMatt Tesauro
 
DevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer Levi
byDevSecCon
 
DevSecOps
byCheah Eng Soon
 
Automating security tests for Continuous Integration
byStephen de Vries
 
Automated Testing in Continuous Change Management
byPerforce
 
Devops, Secops, Opsec, DevSec *ops *.* ?
byKris Buytaert
 
Software Supply Chain Security та компоненти з відомими вразливостями
byOWASP Kyiv
 
Continuous Security Testing with Devops - OWASP EU 2014
byStephen de Vries
 
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...
byDevSecCon
 
Continuous Security Testing in a Devops World #OWASPHelsinki
byStephen de Vries
 
DevSecOps Fundamentals and the Scars to Prove it.
byMatt Tesauro
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
byMatt Tesauro
 
Security Implications for a DevOps Transformation
byDeborah Schalm
 
DevOps or DevSecOps
byMichelangelo van Dam
 
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
byDevOps.com
 

Similar to swampUP - 2018 - The Divine and Felonious Nature of Cyber Security

PDF
Divine and felonios cyber security devopsdays austin 2018
byJohn Willis
 
PPTX
You Build It, You Secure It: Introduction to DevSecOps
bySumo Logic
 
PDF
You build it - Cyber Chicago Keynote
byJohn Willis
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
PDF
The Emergent Cloud Security Toolchain for CI/CD
byJames Wickett
 
PDF
DevSecOps - Background, Status and Future Challenges
bydsc71656
 
PDF
Pragmatic Pipeline Security
byJames Wickett
 
PPTX
Secure DevOPS Implementation Guidance
byTej Luthra
 
PDF
The DevSecOps Builder’s Guide to the CI/CD Pipeline
byJames Wickett
 
PDF
The Emergent Cloud Security Toolchain for CI/CD
byJames Wickett
 
PPTX
Defining DevSecOps
byUchit Vyas ☁
 
PDF
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
PDF
A Discussion of Automated Infrastructure Security with a Practical Example
byDevOps.com
 
PDF
A Discussion of Automated Infrastructure Security with a Practical Example
byDeborah Schalm
 
PPTX
Solnet dev secops meetup
bypbink
 
PDF
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
PDF
2021-10-14 The Critical Role of Security in DevOps.pdf
bySavinder Puri
 
PPTX
Software Security Assurance for Devops
byJerika Phelps
 
PDF
Defense-Oriented DevOps for Modern Software Development
byVMware Tanzu
 
Divine and felonios cyber security devopsdays austin 2018
byJohn Willis
 
You Build It, You Secure It: Introduction to DevSecOps
bySumo Logic
 
You build it - Cyber Chicago Keynote
byJohn Willis
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
The Emergent Cloud Security Toolchain for CI/CD
byJames Wickett
 
DevSecOps - Background, Status and Future Challenges
bydsc71656
 
Pragmatic Pipeline Security
byJames Wickett
 
Secure DevOPS Implementation Guidance
byTej Luthra
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
byJames Wickett
 
The Emergent Cloud Security Toolchain for CI/CD
byJames Wickett
 
Defining DevSecOps
byUchit Vyas ☁
 
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
A Discussion of Automated Infrastructure Security with a Practical Example
byDevOps.com
 
A Discussion of Automated Infrastructure Security with a Practical Example
byDeborah Schalm
 
Solnet dev secops meetup
bypbink
 
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
2021-10-14 The Critical Role of Security in DevOps.pdf
bySavinder Puri
 
Software Security Assurance for Devops
byJerika Phelps
 
Defense-Oriented DevOps for Modern Software Development
byVMware Tanzu
 

More from John Willis

PDF
Automated Governance
byJohn Willis
 
PDF
Devops Long Strange Trip
byJohn Willis
 
PDF
I Got 99 Problems and a Bash DSL Ain't One of Them
byJohn Willis
 
PDF
Math is cool
byJohn Willis
 
PDF
The 7 deadly diseases of DevOps 2019
byJohn Willis
 
PDF
Next Generation Infrastructure - Devops Enterprise Summit 2018
byJohn Willis
 
PDF
Devops - A Long Strange Trip It's Been
byJohn Willis
 
PDF
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's Been
byJohn Willis
 
PDF
Art of the Possible - Serverless Conference NYC 2017
byJohn Willis
 
PDF
Why Executives Can't Change
byJohn Willis
 
PDF
Devops Kaizen - DevopsDays Dallas 2017
byJohn Willis
 
PDF
Evolve 2017 - Vegas - Devops, Docker and Security
byJohn Willis
 
PDF
Alibaba Cloud Conference 2016 - Docker Open Source
byJohn Willis
 
PDF
Alibaba Cloud Conference 2016 - Docker Enterprise
byJohn Willis
 
PDF
Breaking Bad Equilibrium - Devops Connect 2017 RSAC
byJohn Willis
 
PDF
Breaking Bad Equilibrium - Devops Connect 2016 LA
byJohn Willis
 
PDF
All daydevops 2016 - Turning Human Capital into High Performance Organizati...
byJohn Willis
 
PDF
Turning Human Capital into High Performance Organizational Capital
byJohn Willis
 
PDF
Immutable Service Delivery Shenzhen 2016
byJohn Willis
 
PDF
DOES16 London - Better Faster Cheaper .. How?
byJohn Willis
 
Automated Governance
byJohn Willis
 
Devops Long Strange Trip
byJohn Willis
 
I Got 99 Problems and a Bash DSL Ain't One of Them
byJohn Willis
 
Math is cool
byJohn Willis
 
The 7 deadly diseases of DevOps 2019
byJohn Willis
 
Next Generation Infrastructure - Devops Enterprise Summit 2018
byJohn Willis
 
Devops - A Long Strange Trip It's Been
byJohn Willis
 
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's Been
byJohn Willis
 
Art of the Possible - Serverless Conference NYC 2017
byJohn Willis
 
Why Executives Can't Change
byJohn Willis
 
Devops Kaizen - DevopsDays Dallas 2017
byJohn Willis
 
Evolve 2017 - Vegas - Devops, Docker and Security
byJohn Willis
 
Alibaba Cloud Conference 2016 - Docker Open Source
byJohn Willis
 
Alibaba Cloud Conference 2016 - Docker Enterprise
byJohn Willis
 
Breaking Bad Equilibrium - Devops Connect 2017 RSAC
byJohn Willis
 
Breaking Bad Equilibrium - Devops Connect 2016 LA
byJohn Willis
 
All daydevops 2016 - Turning Human Capital into High Performance Organizati...
byJohn Willis
 
Turning Human Capital into High Performance Organizational Capital
byJohn Willis
 
Immutable Service Delivery Shenzhen 2016
byJohn Willis
 
DOES16 London - Better Faster Cheaper .. How?
byJohn Willis
 

Recently uploaded

PDF
Transforming Compliance Through Policy & Procedure Management
byInsurance Tech Services
 
PPTX
Modern Claims Automation Solutions for Operational Agility
byInsurance Tech Services
 
PPTX
GDS Integration Solution | GDS Integration Service
byyugababu033
 
PPTX
AI Clinic Management Software for Pulmonology Clinics Bringing Clarity, Contr...
byEasy Clinic
 
PPTX
AI Clinic Management Software for Otolaryngology Clinics Bringing Precision, ...
byEasy Clinic
 
PDF
API_SECURITY CONSULTANCY SERVICES IN USA
bydavidjohansen1597
 
PDF
Digitizing Banquet Management_ Why It Matters for Modern Hotels.pdf
byHotelogix
 
PPTX
Binance Smart Chain Development Guide.pptx
bylakshubadai
 
PPTX
#15 All About Anypoint MQ - Calicut MuleSoft Meetup Group
bycalicutmulesoftmeetu
 
PDF
Resource-Levelled Critical-Path Analysis Balancing Time, Cost and Constraints
byOrangescrum
 
PPTX
Why Your Business Needs Snowflake Consulting_ From Data Silos to AI-Ready Cloud
byChetu
 
PDF
Navigating SEC Regulations for Crypto Exchanges Preparing for a Compliant Fut...
byzak jasper
 
PDF
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
PDF
Data structure using C :UNIT-I Introduction to Data structures and Stacks BCA...
byKuvempu University
 
PPT
This-Project-Demonstrates-How-to-Create.ppt
byjayasuryanexinfo
 
PDF
Design and Analysis of Algorithms(DAA): Unit-II Asymptotic Notations and Basi...
byKuvempu University
 
PDF
KoderXpert – Odoo, Web & AI Solutions for Growing Businesses
byDhvanil Trivedi
 
PDF
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
PDF
Why Zoho Notebook’s AI-Fueled Upgrade Matters for Knowledge Workers in 2026
byEvoluz Global Solutions
 
PDF
Blueprint to build quality before the code exists - StackConnect Milan 2025
byLudovicoBesana1
 
Transforming Compliance Through Policy & Procedure Management
byInsurance Tech Services
 
Modern Claims Automation Solutions for Operational Agility
byInsurance Tech Services
 
GDS Integration Solution | GDS Integration Service
byyugababu033
 
AI Clinic Management Software for Pulmonology Clinics Bringing Clarity, Contr...
byEasy Clinic
 
AI Clinic Management Software for Otolaryngology Clinics Bringing Precision, ...
byEasy Clinic
 
API_SECURITY CONSULTANCY SERVICES IN USA
bydavidjohansen1597
 
Digitizing Banquet Management_ Why It Matters for Modern Hotels.pdf
byHotelogix
 
Binance Smart Chain Development Guide.pptx
bylakshubadai
 
#15 All About Anypoint MQ - Calicut MuleSoft Meetup Group
bycalicutmulesoftmeetu
 
Resource-Levelled Critical-Path Analysis Balancing Time, Cost and Constraints
byOrangescrum
 
Why Your Business Needs Snowflake Consulting_ From Data Silos to AI-Ready Cloud
byChetu
 
Navigating SEC Regulations for Crypto Exchanges Preparing for a Compliant Fut...
byzak jasper
 
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
Data structure using C :UNIT-I Introduction to Data structures and Stacks BCA...
byKuvempu University
 
This-Project-Demonstrates-How-to-Create.ppt
byjayasuryanexinfo
 
Design and Analysis of Algorithms(DAA): Unit-II Asymptotic Notations and Basi...
byKuvempu University
 
KoderXpert – Odoo, Web & AI Solutions for Growing Businesses
byDhvanil Trivedi
 
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
Why Zoho Notebook’s AI-Fueled Upgrade Matters for Knowledge Workers in 2026
byEvoluz Global Solutions
 
Blueprint to build quality before the code exists - StackConnect Milan 2025
byLudovicoBesana1
 

swampUP - 2018 - The Divine and Felonious Nature of Cyber Security

  • 1.
    The Divine andFelonious Nature of Cyber Security ( Introduction to DevSecOps ) John Willis @botchagalupe
  • 2.
  • 4.
    The Felonious Nature of Cyber Security
  • 5.
  • 6.
    • 1.5M JavaModules Per Week 
 • 5M Node Modules Per Week • 31B Modules Per Year • 230k Modules Per Enterprise/Per Year
 • 8% Have Known Vulnerabilities 
 • 8M Average Cost to Remediate a Breach By The Numbers modulecounts.com and 2017 Software Supply Chain Report
  • 7.
  • 9.
  • 10.
    • Discovered 3/6/2017
 •Announced 3/9/2017
 • CVE created 3/10/2017 • Equifax Oracle Patches 4/2017 • Equifax Patches 6/30/2017
 • Equifax discovers 7/29/2017
 • Equifax announced 9/2017
 Anatomy of CVE-2017-5638
  • 12.
    • Discovered -3/9/2017
 • Action - 3/10/2017
 • Remediation - 3/14/2017
 Anatomy of CVE-2017-5638 @botchagalupe
  • 13.
    Anatomy of CVE-2017-8046 (FoolMe Once) • Published 9/21/17
 • CVE created 01/04/2018
 • Discovered 2/18/17
 • Corrected 3/6/18
 @botchagalupe
  • 14.
    Security and theGoldilocks Zone • The fallacious nature of cyber security relates to the standard legacy security model specifically on the idea of perimeter security. • This concept involves the implementation of a state-full firewall at a routed point within the network that very rarely gets looked at unless an operational change is required. • The problem with having only premier security is that applications have changed significantly in the last ten years and the infrastructure they run upon is playing by the same old rules.

  • 15.
  • 16.
  • 17.
    • CAMS
 • Culture •Automation • Measurement • Sharing Devops Taxonomies • The Three Ways •The First Way •The Second Way •The Third Way
  • 19.
    Devops Automated DeploymentPipeline Source: Wikipedia - Continuous Delivery @botchagalupe
  • 20.
    Devops Automated DeploymentPipeline @botchagalupe
  • 21.
    21 Summary • Agile tookus from months to days to deliver software • Devops took from months to days to deploy software • Now security is the bottleneck @botchagalupe
  • 22.
  • 23.
    You Build It,You Secure It @botchagalupe
  • 25.
    DevSecOps as SupplyChain? 25 Source: Wikipedia - Continuous Delivery @botchagalupe
  • 26.
    Software Supply Chain 26 Delivery Team Version Control BuildTest Release DevOps Example Stage Prod @botchagalupe
  • 27.
    Software Supply Chain 27 Delivery Team Version Control BuildTest Release DevOps Example Stage Prod @botchagalupe
  • 28.
    Security in theSoftware Supply Chain 28 Delivery Team Version Control Build Test Release DevOps Example Delivery Team Version Control Build Test Release DevOps and Security Stage Prod @botchagalupe
  • 29.
    Security in theSoftware Supply Chain 29 Delivery Team Version Control Build Test Release DevOps Example Delivery Team Version Control Build Test Release DevSecOps Example Stage Prod @botchagalupe
  • 30.
    30 Delivery Team Version Control Build Test Release DevSecOpsSupply Chain Stage Prod The New Goldilocks Zone (DevSecOps) Security Training Security Requirements Threat Modeling Architecture Review OWASP Top 10 IDE Plugins Code Examples Fail the Build SAST/DAST/IAST Configuration Analysis Application Module Scanning Threat Modeling as Unit Test Automated Pen Testing Static Code Analysis Security Policy Testing Configuration Analysis Security Monitoring
 Configuration Monitoring
  • 31.
    Best Practices forDevSecOps • Train development teams to develop secure code • Track security issues the same as software issues • Security as code, Security Built In. • Integrate security controls in the software pipeline • Automate security test in the build process • Detect known vulnerabilities during the pipeline • Monitor security in production for known states • Inject failure to ensure security is hardened Gene Kim, Jez Humble, Patrick Dubois, and John Willis. 
 The DevOps Handbook; It Revolution Press, LLC.;2016.@botchagalupe
  • 32.
  • 33.
  • 35.
  • 36.
  • 37.
    The Felonious Natureof Cyber Security @botchagalupe