SlideShare a Scribd company logo

The End of Security as We Know It - Shannon Lietz

Download as PPTX, PDF
S
SeniorStoryteller

1. The document discusses how security is changing with new technologies like cloud computing, DevOps, and agile development. Traditional security practices are no longer effective. 2. It advocates migrating security left in the development process so it is designed into applications from the beginning. This allows for a faster security feedback loop. 3. Security needs to be automated and tested using tools and data platforms. Monitoring and inspecting everything is important for the new dynamic environments. Security decisions and controls are also changing to adapt to these new realities.

1 of 30
1 The End of Security as We Know It … Shannon Lietz Intuit
2 Copyright © DevSecOps Foundation 2015-2016 • Over two decades of Tech & Security • Passionate Security Evangelist; Not a Vendor • Clean-up Crew for some of the Industry’s Biggest Breaches • Practitioner & Culture Hacker Who am I?
3 Copyright © DevSecOps Foundation 2015-2016 • DevOps • Public Cloud • Agile • Scrum • Lean • Low-Code • No-Code • No Ops • More Ops • Sec Ops • Everything Ops • … What’s Happening in the World? https://www.google.com/trends/
4 Copyright © DevSecOps Foundation 2015-2016 Who’s doing Enterprise DevOps? …
5 What’s the business benefit? Business strategy is achieved with the collaboration of all departments and providers in service to the customer who requires better, faster, cheaper, secure products and services. Copyright © DevSecOps Foundation 2015-2016
6 Copyright © DevSecOps Foundation 2015-2016 What Hinders Enterprise DevOps… 1. Manual processes & meeting culture 2. Point in time assessments 3. Friction for friction’s sake 4. Contextual misunderstandings 5. Decisions being made outside of value creation 6. Late constraints and requirements 7. Big commitments, big teams, and big failures 8. Fear of failure, lack of learning 9. Lack of inspiration 10. Management and political interference (approvals, exceptions) ...
7 Copyright © DevSecOps Foundation 2015-2016
8 The Secure Software Supply Chain • Gating processes are not Deming-like • Security is a design constraint • Decisions made by engineering teams • Hard to avoid business catastrophes by applying one-size-fits-all strategies • Security defects is more like a security “recall” design build deploy operate How do I secure my app? What component is secure enough? How do I secure secrets for the app? Is my app getting attacked? How? Typical gates for security checks & balances Mistakes and drift often happen after design and build phases that result in weaknesses and potentially exploits Most costly mistakes Happen during design Faster security feedback loop Copyright © DevSecOps Foundation 2015-2016
9 From a traditional supply chain When will you solve my problem?!! Can we discuss my feedback? Copyright © DevSecOps Foundation 2015-2016
10 To a customer-centric supply chain Awesome!When can I bring my kids with me? Does it come in Red? Can this be motorized to go faster and for longer trips? Better than walking, for sure … but not by much... Security must shift left with a science mindset Copyright © DevSecOps Foundation 2015-2016
11 Migrating Security to the Left where it can get built-in design build deploy operate How do I secure my app? What component is secure enough? How do I secure secrets for the app? Is my app getting attacked? How? Typical gates for security checks & balances Mistakes and drift often happen after design and build phases that result in weaknesses and potentially exploits Most costly mistakes Happen during design Faster security feedback loop Security is a Design Constraint Copyright © DevSecOps Foundation 2015-2016
12 Copyright © DevSecOps Foundation 2015-2016 Security is a design constraint…
13 The Security Feedback Loop THE FEEDBACK HIGHWAY PRODUCT SCRUM TEAM THE INTEL HIGHWAY SECURITY TESTING & DATA PLATFORM SECURITY TEAM SECURITY COMMUNITY Copyright © DevSecOps Foundation 2015-2016
14 The Art of DevSecOps DevSecOps Security Engineering Experiment, Automate, Test Security Operations Hunt, Detect, Contain Compliance Operations Respond, Manage, Train Security Science Learn, Measure, Forecast Copyright © DevSecOps Foundation 2015-2016
15 Your reality is changing... Internet CloudProviderNetwork CloudProviderNetwork CloudProviderNetwork CloudProviderNetwork DataCenter DataCenter CloudProviderNetwork Copyright © DevSecOps Foundation 2015-2016
16 Attacks are changing… API KEY EXPOSURE -> 8 HRS DEFAULT CONFIGS -> 24 HRS SECURITY GROUPS -> 24 HRS ESCALATION OF PRIVS -> 5 D KNOWN VULN -> 8 HRS Copyright © DevSecOps Foundation 2015-2016
17 Security Events are Spreading out… Copyright © DevSecOps Foundation 2015-2016
18 Monitor & Inspect Everything insights security sciencesecurity tools & data Cloud accounts S3 Glacier EC2 CloudTrail ingestion threat intel security feedback loop continuous response Your job is changing… Copyright © DevSecOps Foundation 2015-2016
19 Security Decisions & Processes are changing… Copyright © DevSecOps Foundation 2015-2016
20 Security Controls are changing… Security Monitoring Copyright © DevSecOps Foundation 2015-2016
21 What’s this look like in practice? Etc… Etc... Etc... Copyright © DevSecOps Foundation 2015-2016
22 Account Sharding is a new control! • Splitting cloud workloads into many accounts has a benefit. • Accounts should contain less than 100% of a cloud workload. • Works well with APIs; works dismal with forklifts. • What is your appetite for risk? Cloud Workload Templates CloudProviderNetwork 33 % 33 % 33 % CloudAccount CloudAccount CloudAccount attacker Copyright © DevSecOps Foundation 2015-2016
23 Long live APIs… • Everything in the cloud should be an API, even Security… • Protocols that are not cloudy should not span across environments. • If you wouldn’t put it on the Internet then you should put an API and Authentication in front of it: • Messaging • Databases • File Transfers • Logging CloudProviderNetwork Tested machine image… Tested instances... Tested roles... Tested passwords... New instance created… Instance 12345 changed… User ABC accessed Instance 12345... B User Routing Data Replication Application Gateway File Transfers Log Sharing Messaging My API Copyright © DevSecOps Foundation 2015-2016
24 Host-Based Controls • Shared Responsibility and Cloud require host-based controls. • Instrumentation is everything! • Fine-grained controls require more scrutiny and bigger big data analysis. • Agents & Outbound Reporting to an API are critical CloudProviderNetwork InstanceInstance Tested machine image… Tested instances... Tested roles... Tested passwords... New instance created… Instance 12345 changed… User ABC accessed Instance 12345... B Copyright © DevSecOps Foundation 2015-2016
25 DAYS Don’t Hug Your Instances… • Research suggests that you should replace your instances at least every 10 days, and that may not be often enough. • Use Blue/Green or Red/Black deployments to reduce security issues by baking in patching. • Make sure to keep a snapshot for forensic and compliance purposes. • Use config management automation to make changes part of the stack. • Refresh routinely; refresh often! Copyright © DevSecOps Foundation 2015-2016
26 • Paper-resident policies do not stand up to constant cloud evolution and lessons learned. • Translation from paper to code can lead to mistakes. • Traditional security policies do not 1:1 translate to Full Stack deployments. Code can solve the great divide… DataCenter CloudProvider Network • LOCK YOUR DOORS • BADGE IN • AUTHORIZED PERSONNEL ONLY • BACKGROUND CHECKS • CHOOSE STRONG PASSWORDS • USE MFA • ROTATE API CREDENTIALS • CROSS-ACCOUNT ACCESS EVERYTHING AS CODE Page 3 of 433 Copyright © DevSecOps Foundation 2015-2016
27 But the change could be worth it… This could be your mean time to recovery (MTTR) MTTR Days… 6 months Copyright © DevSecOps Foundation 2015-2016
28 Still not convinced? We’ve actually been talking about it for a long time… https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf Copyright © DevSecOps Foundation 2015-2016
29 Copyright © DevSecOps Foundation 2015-2016 DevSecOps Today… https://www.google.com/trends/
30 • devsecops.org • @devsecops on Twitter • DevSecOps on LinkedIn • DevSecOps on Github • RuggedSoftware.org • Compliance at Velocity Join Us !!! Spread the word!!! Get Involved & Join the Community Copyright © DevSecOps Foundation 2015-2016

Recommended

Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
SeniorStoryteller
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSoftware Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
SeniorStoryteller
 
Implementing DevOps in a Regulated Environment - DJ Schleen
Implementing DevOps in a Regulated Environment - DJ SchleenImplementing DevOps in a Regulated Environment - DJ Schleen
Implementing DevOps in a Regulated Environment - DJ Schleen
SeniorStoryteller
 
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
SeniorStoryteller
 
DevSecOps - Building Rugged Software
DevSecOps - Building Rugged SoftwareDevSecOps - Building Rugged Software
DevSecOps - Building Rugged Software
SeniorStoryteller
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)
Qualitest
 
Ops Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon EdwardsOps Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon Edwards
SeniorStoryteller
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 

Recommended

Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
SeniorStoryteller
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSoftware Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
SeniorStoryteller
 
Implementing DevOps in a Regulated Environment - DJ Schleen
Implementing DevOps in a Regulated Environment - DJ SchleenImplementing DevOps in a Regulated Environment - DJ Schleen
Implementing DevOps in a Regulated Environment - DJ Schleen
SeniorStoryteller
 
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
SeniorStoryteller
 
DevSecOps - Building Rugged Software
DevSecOps - Building Rugged SoftwareDevSecOps - Building Rugged Software
DevSecOps - Building Rugged Software
SeniorStoryteller
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)
Qualitest
 
Ops Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon EdwardsOps Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon Edwards
SeniorStoryteller
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel DiscussionScaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
SeniorStoryteller
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
SeniorStoryteller
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
DevSecOpsSg
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
James Wickett
 
Barriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome ThemBarriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome Them
WhiteSource
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
Deborah Schalm
 
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
DevOps Indonesia
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOps
Priyanka Aash
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
Shannon Lietz
 
The Coming Earthquake in IIS and SQL Configuration Management
The Coming Earthquake in IIS and SQL Configuration ManagementThe Coming Earthquake in IIS and SQL Configuration Management
The Coming Earthquake in IIS and SQL Configuration Management
Jules Pierre-Louis
 
The Human Side of DevSecOps
The Human Side of DevSecOpsThe Human Side of DevSecOps
The Human Side of DevSecOps
Jules Pierre-Louis
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOps
James Wickett
 
DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF LoftDevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
Amazon Web Services
 
The Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsThe Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOps
WhiteSource
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
Stefan Streichsbier
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 
Finding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps World
Shannon Lietz
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructures
Priyanka Aash
 
Rugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for SuccessRugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for Success
SeniorStoryteller
 
The DevOps Hero Toolkit: Nexus, Jenkins and Docker
The DevOps Hero Toolkit: Nexus, Jenkins and DockerThe DevOps Hero Toolkit: Nexus, Jenkins and Docker
The DevOps Hero Toolkit: Nexus, Jenkins and Docker
SeniorStoryteller
 

More Related Content

What's hot

Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel DiscussionScaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
SeniorStoryteller
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
SeniorStoryteller
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
DevSecOpsSg
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
James Wickett
 
Barriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome ThemBarriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome Them
WhiteSource
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
Deborah Schalm
 
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
DevOps Indonesia
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOps
Priyanka Aash
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
Shannon Lietz
 
The Coming Earthquake in IIS and SQL Configuration Management
The Coming Earthquake in IIS and SQL Configuration ManagementThe Coming Earthquake in IIS and SQL Configuration Management
The Coming Earthquake in IIS and SQL Configuration Management
Jules Pierre-Louis
 
The Human Side of DevSecOps
The Human Side of DevSecOpsThe Human Side of DevSecOps
The Human Side of DevSecOps
Jules Pierre-Louis
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOps
James Wickett
 
DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF LoftDevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
Amazon Web Services
 
The Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsThe Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOps
WhiteSource
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
Stefan Streichsbier
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 
Finding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps World
Shannon Lietz
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructures
Priyanka Aash
 

What's hot (20)

Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel DiscussionScaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
 
Barriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome ThemBarriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome Them
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
 
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipeline
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOps
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
 
The Coming Earthquake in IIS and SQL Configuration Management
The Coming Earthquake in IIS and SQL Configuration ManagementThe Coming Earthquake in IIS and SQL Configuration Management
The Coming Earthquake in IIS and SQL Configuration Management
 
The Human Side of DevSecOps
The Human Side of DevSecOpsThe Human Side of DevSecOps
The Human Side of DevSecOps
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOps
 
DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF LoftDevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
 
The Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsThe Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOps
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
 
Finding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps World
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructures
 

Viewers also liked

Rugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for SuccessRugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for Success
SeniorStoryteller
 
The DevOps Hero Toolkit: Nexus, Jenkins and Docker
The DevOps Hero Toolkit: Nexus, Jenkins and DockerThe DevOps Hero Toolkit: Nexus, Jenkins and Docker
The DevOps Hero Toolkit: Nexus, Jenkins and Docker
SeniorStoryteller
 
Rundeck + Nexus (from Nexus Live on June 5, 2014)
Rundeck + Nexus (from Nexus Live on June 5, 2014)Rundeck + Nexus (from Nexus Live on June 5, 2014)
Rundeck + Nexus (from Nexus Live on June 5, 2014)
dev2ops
 
Dev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment securityDev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment security
DevSecCon
 
RoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CDRoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CD
Franklin Mosley
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introduction
Stefan Streichsbier
 
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix toolsJakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
DevSecCon
 
DevSecOps SG Introduction - August Meetup
DevSecOps SG Introduction - August MeetupDevSecOps SG Introduction - August Meetup
DevSecOps SG Introduction - August Meetup
DevSecOpsSg
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
Priyanka Aash
 
Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)
Canturk Isci
 
Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)
Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)
Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)
Dominic Tancredi
 
Continuous Security - Thunderplains 2016
Continuous Security - Thunderplains 2016Continuous Security - Thunderplains 2016
Continuous Security - Thunderplains 2016
Adam Baldwin
 
The Art of Identifying Vulnerabilities - CascadiaFest 2015
The Art of Identifying Vulnerabilities - CascadiaFest 2015The Art of Identifying Vulnerabilities - CascadiaFest 2015
The Art of Identifying Vulnerabilities - CascadiaFest 2015
Adam Baldwin
 
Evident io Continuous Compliance - Mar 2017
Evident io Continuous Compliance - Mar 2017Evident io Continuous Compliance - Mar 2017
Evident io Continuous Compliance - Mar 2017
Sebastian Taphanel CISSP-ISSEP
 
Null application security in an agile world
Null application security in an agile worldNull application security in an agile world
Null application security in an agile world
Stefan Streichsbier
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016
Ulf Mattsson
 
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...Myths and realities of data security and compliance - Isaca Alanta - ulf matt...
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...
Ulf Mattsson
 
Cloudsolutionday 2016: Compliance and cost controlling on AWS
Cloudsolutionday 2016: Compliance and cost controlling on AWSCloudsolutionday 2016: Compliance and cost controlling on AWS
Cloudsolutionday 2016: Compliance and cost controlling on AWS
AWS Vietnam Community
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for security
Suman Sourav
 
The Changing Landscape of Information Security
The Changing Landscape of Information SecurityThe Changing Landscape of Information Security
The Changing Landscape of Information Security
DevSecOpsSg
 

Viewers also liked (20)

Rugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for SuccessRugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for Success
 
The DevOps Hero Toolkit: Nexus, Jenkins and Docker
The DevOps Hero Toolkit: Nexus, Jenkins and DockerThe DevOps Hero Toolkit: Nexus, Jenkins and Docker
The DevOps Hero Toolkit: Nexus, Jenkins and Docker
 
Rundeck + Nexus (from Nexus Live on June 5, 2014)
Rundeck + Nexus (from Nexus Live on June 5, 2014)Rundeck + Nexus (from Nexus Live on June 5, 2014)
Rundeck + Nexus (from Nexus Live on June 5, 2014)
 
Dev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment securityDev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment security
 
RoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CDRoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CD
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introduction
 
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix toolsJakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
 
DevSecOps SG Introduction - August Meetup
DevSecOps SG Introduction - August MeetupDevSecOps SG Introduction - August Meetup
DevSecOps SG Introduction - August Meetup
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
 
Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)
 
Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)
Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)
Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)
 
Continuous Security - Thunderplains 2016
Continuous Security - Thunderplains 2016Continuous Security - Thunderplains 2016
Continuous Security - Thunderplains 2016
 
The Art of Identifying Vulnerabilities - CascadiaFest 2015
The Art of Identifying Vulnerabilities - CascadiaFest 2015The Art of Identifying Vulnerabilities - CascadiaFest 2015
The Art of Identifying Vulnerabilities - CascadiaFest 2015
 
Evident io Continuous Compliance - Mar 2017
Evident io Continuous Compliance - Mar 2017Evident io Continuous Compliance - Mar 2017
Evident io Continuous Compliance - Mar 2017
 
Null application security in an agile world
Null application security in an agile worldNull application security in an agile world
Null application security in an agile world
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016
 
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...Myths and realities of data security and compliance - Isaca Alanta - ulf matt...
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...
 
Cloudsolutionday 2016: Compliance and cost controlling on AWS
Cloudsolutionday 2016: Compliance and cost controlling on AWSCloudsolutionday 2016: Compliance and cost controlling on AWS
Cloudsolutionday 2016: Compliance and cost controlling on AWS
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for security
 
The Changing Landscape of Information Security
The Changing Landscape of Information SecurityThe Changing Landscape of Information Security
The Changing Landscape of Information Security
 

Similar to The End of Security as We Know It - Shannon Lietz

ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015
Shannon Lietz
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery
devopsdaysaustin
 
DevSecCon Keynote
DevSecCon KeynoteDevSecCon Keynote
DevSecCon Keynote
Shannon Lietz
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
Aaron Rinehart
 
Agility and Control from AWS [FutureStack16]
Agility and Control from AWS [FutureStack16]Agility and Control from AWS [FutureStack16]
Agility and Control from AWS [FutureStack16]
New Relic
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
Developing a Rugged Dev Ops Approach to Cloud Security (Updated)
Developing a Rugged Dev Ops Approach to Cloud Security (Updated)Developing a Rugged Dev Ops Approach to Cloud Security (Updated)
Developing a Rugged Dev Ops Approach to Cloud Security (Updated)
Sebastian Taphanel CISSP-ISSEP
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
Rogue Wave Software
 
Dawn of the DevOps - TJ Randall - EMC World 2015
Dawn of the DevOps - TJ Randall - EMC World 2015Dawn of the DevOps - TJ Randall - EMC World 2015
Dawn of the DevOps - TJ Randall - EMC World 2015
XebiaLabs
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
How to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspectiveHow to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspective
Colin Domoney
 
Security Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud WorldSecurity Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud World
Mark Nunnikhoven
 
DevOps for Enterprise Systems : Innovate like a Startup
DevOps for Enterprise Systems : Innovate like a StartupDevOps for Enterprise Systems : Innovate like a Startup
DevOps for Enterprise Systems : Innovate like a Startup
DevOps for Enterprise Systems
 
OpenDevOps 2019 - Disconnected pipelines the missing link
OpenDevOps 2019 - Disconnected pipelines the missing linkOpenDevOps 2019 - Disconnected pipelines the missing link
OpenDevOps 2019 - Disconnected pipelines the missing link
Emerasoft, solutions to collaborate
 
Gartner IT Symposium 2014 - VMware Cloud Services
Gartner IT Symposium 2014 - VMware Cloud ServicesGartner IT Symposium 2014 - VMware Cloud Services
Gartner IT Symposium 2014 - VMware Cloud Services
Philip Say
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019
Stefan Streichsbier
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
 
Deepfence.pdf
Deepfence.pdfDeepfence.pdf
Deepfence.pdf
Vishwas N
 

Similar to The End of Security as We Know It - Shannon Lietz (20)

ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery
 
DevSecCon Keynote
DevSecCon KeynoteDevSecCon Keynote
DevSecCon Keynote
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
 
Agility and Control from AWS [FutureStack16]
Agility and Control from AWS [FutureStack16]Agility and Control from AWS [FutureStack16]
Agility and Control from AWS [FutureStack16]
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
Developing a Rugged Dev Ops Approach to Cloud Security (Updated)
Developing a Rugged Dev Ops Approach to Cloud Security (Updated)Developing a Rugged Dev Ops Approach to Cloud Security (Updated)
Developing a Rugged Dev Ops Approach to Cloud Security (Updated)
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Dawn of the DevOps - TJ Randall - EMC World 2015
Dawn of the DevOps - TJ Randall - EMC World 2015Dawn of the DevOps - TJ Randall - EMC World 2015
Dawn of the DevOps - TJ Randall - EMC World 2015
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
How to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspectiveHow to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspective
 
Security Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud WorldSecurity Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud World
 
DevOps for Enterprise Systems : Innovate like a Startup
DevOps for Enterprise Systems : Innovate like a StartupDevOps for Enterprise Systems : Innovate like a Startup
DevOps for Enterprise Systems : Innovate like a Startup
 
OpenDevOps 2019 - Disconnected pipelines the missing link
OpenDevOps 2019 - Disconnected pipelines the missing linkOpenDevOps 2019 - Disconnected pipelines the missing link
OpenDevOps 2019 - Disconnected pipelines the missing link
 
Gartner IT Symposium 2014 - VMware Cloud Services
Gartner IT Symposium 2014 - VMware Cloud ServicesGartner IT Symposium 2014 - VMware Cloud Services
Gartner IT Symposium 2014 - VMware Cloud Services
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
Deepfence.pdf
Deepfence.pdfDeepfence.pdf
Deepfence.pdf
 

More from SeniorStoryteller

Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
Where Bits & Bytes Meet Flesh and Blood - Joshua CormanWhere Bits & Bytes Meet Flesh and Blood - Joshua Corman
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
SeniorStoryteller
 
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
SeniorStoryteller
 
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
Release Engineering & Rugged DevOps: An Intersection - J. Paul ReedRelease Engineering & Rugged DevOps: An Intersection - J. Paul Reed
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
SeniorStoryteller
 
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
SeniorStoryteller
 
Building Security In - A Tale of Two Stories - Laksh Raghavan
Building Security In - A Tale of Two Stories - Laksh RaghavanBuilding Security In - A Tale of Two Stories - Laksh Raghavan
Building Security In - A Tale of Two Stories - Laksh Raghavan
SeniorStoryteller
 
Breaking Bad Equilibruim - John Willis
Breaking Bad Equilibruim - John WillisBreaking Bad Equilibruim - John Willis
Breaking Bad Equilibruim - John Willis
SeniorStoryteller
 
NuGet Package Management Done Right
NuGet Package Management Done RightNuGet Package Management Done Right
NuGet Package Management Done Right
SeniorStoryteller
 
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and DockerHero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
SeniorStoryteller
 
Heroes’ Journey: Learning from Successful DevOps Transformations
Heroes’ Journey: Learning from Successful DevOps TransformationsHeroes’ Journey: Learning from Successful DevOps Transformations
Heroes’ Journey: Learning from Successful DevOps Transformations
SeniorStoryteller
 
Create Rugged Applications: Managing Your Software Supply Chain
Create Rugged Applications: Managing Your Software Supply ChainCreate Rugged Applications: Managing Your Software Supply Chain
Create Rugged Applications: Managing Your Software Supply Chain
SeniorStoryteller
 
Aligning Your Team and Your Powers for Success
Aligning Your Team and Your Powers for SuccessAligning Your Team and Your Powers for Success
Aligning Your Team and Your Powers for Success
SeniorStoryteller
 
Leveraging Nexus Repository Manager at the Heart of DevOps
Leveraging Nexus Repository Manager at the Heart of DevOpsLeveraging Nexus Repository Manager at the Heart of DevOps
Leveraging Nexus Repository Manager at the Heart of DevOps
SeniorStoryteller
 
Guns, Germs and Microservices w/ John Willis and Josh Corman
Guns, Germs and Microservices w/ John Willis and Josh CormanGuns, Germs and Microservices w/ John Willis and Josh Corman
Guns, Germs and Microservices w/ John Willis and Josh Corman
SeniorStoryteller
 
What We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOpsWhat We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOps
SeniorStoryteller
 
Release Engineering and Rugged DevOps: An Intersection?
Release Engineering and Rugged DevOps: An Intersection?Release Engineering and Rugged DevOps: An Intersection?
Release Engineering and Rugged DevOps: An Intersection?
SeniorStoryteller
 
Ops Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WayOps Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the Way
SeniorStoryteller
 
What We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOpsWhat We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOps
SeniorStoryteller
 
The R.O.A.D to DevOps
The R.O.A.D to DevOpsThe R.O.A.D to DevOps
The R.O.A.D to DevOps
SeniorStoryteller
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
SeniorStoryteller
 
Building Security Controls around Attack Models
Building Security Controls around Attack ModelsBuilding Security Controls around Attack Models
Building Security Controls around Attack Models
SeniorStoryteller
 

More from SeniorStoryteller (20)

Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
Where Bits & Bytes Meet Flesh and Blood - Joshua CormanWhere Bits & Bytes Meet Flesh and Blood - Joshua Corman
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
 
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
 
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
Release Engineering & Rugged DevOps: An Intersection - J. Paul ReedRelease Engineering & Rugged DevOps: An Intersection - J. Paul Reed
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
 
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
 
Building Security In - A Tale of Two Stories - Laksh Raghavan
Building Security In - A Tale of Two Stories - Laksh RaghavanBuilding Security In - A Tale of Two Stories - Laksh Raghavan
Building Security In - A Tale of Two Stories - Laksh Raghavan
 
Breaking Bad Equilibruim - John Willis
Breaking Bad Equilibruim - John WillisBreaking Bad Equilibruim - John Willis
Breaking Bad Equilibruim - John Willis
 
NuGet Package Management Done Right
NuGet Package Management Done RightNuGet Package Management Done Right
NuGet Package Management Done Right
 
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and DockerHero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
 
Heroes’ Journey: Learning from Successful DevOps Transformations
Heroes’ Journey: Learning from Successful DevOps TransformationsHeroes’ Journey: Learning from Successful DevOps Transformations
Heroes’ Journey: Learning from Successful DevOps Transformations
 
Create Rugged Applications: Managing Your Software Supply Chain
Create Rugged Applications: Managing Your Software Supply ChainCreate Rugged Applications: Managing Your Software Supply Chain
Create Rugged Applications: Managing Your Software Supply Chain
 
Aligning Your Team and Your Powers for Success
Aligning Your Team and Your Powers for SuccessAligning Your Team and Your Powers for Success
Aligning Your Team and Your Powers for Success
 
Leveraging Nexus Repository Manager at the Heart of DevOps
Leveraging Nexus Repository Manager at the Heart of DevOpsLeveraging Nexus Repository Manager at the Heart of DevOps
Leveraging Nexus Repository Manager at the Heart of DevOps
 
Guns, Germs and Microservices w/ John Willis and Josh Corman
Guns, Germs and Microservices w/ John Willis and Josh CormanGuns, Germs and Microservices w/ John Willis and Josh Corman
Guns, Germs and Microservices w/ John Willis and Josh Corman
 
What We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOpsWhat We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOps
 
Release Engineering and Rugged DevOps: An Intersection?
Release Engineering and Rugged DevOps: An Intersection?Release Engineering and Rugged DevOps: An Intersection?
Release Engineering and Rugged DevOps: An Intersection?
 
Ops Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WayOps Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the Way
 
What We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOpsWhat We Learned from Three Years of Sciencing the Crap Out of DevOps
What We Learned from Three Years of Sciencing the Crap Out of DevOps
 
The R.O.A.D to DevOps
The R.O.A.D to DevOpsThe R.O.A.D to DevOps
The R.O.A.D to DevOps
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
Building Security Controls around Attack Models
Building Security Controls around Attack ModelsBuilding Security Controls around Attack Models
Building Security Controls around Attack Models
 

Recently uploaded

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
Alex Pruden
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 

Recently uploaded (20)

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 

The End of Security as We Know It - Shannon Lietz

  • 1. 1 The End of Security as We Know It … Shannon Lietz Intuit
  • 2. 2 Copyright © DevSecOps Foundation 2015-2016 • Over two decades of Tech & Security • Passionate Security Evangelist; Not a Vendor • Clean-up Crew for some of the Industry’s Biggest Breaches • Practitioner & Culture Hacker Who am I?
  • 3. 3 Copyright © DevSecOps Foundation 2015-2016 • DevOps • Public Cloud • Agile • Scrum • Lean • Low-Code • No-Code • No Ops • More Ops • Sec Ops • Everything Ops • … What’s Happening in the World? https://www.google.com/trends/
  • 4. 4 Copyright © DevSecOps Foundation 2015-2016 Who’s doing Enterprise DevOps? …
  • 5. 5 What’s the business benefit? Business strategy is achieved with the collaboration of all departments and providers in service to the customer who requires better, faster, cheaper, secure products and services. Copyright © DevSecOps Foundation 2015-2016
  • 6. 6 Copyright © DevSecOps Foundation 2015-2016 What Hinders Enterprise DevOps… 1. Manual processes & meeting culture 2. Point in time assessments 3. Friction for friction’s sake 4. Contextual misunderstandings 5. Decisions being made outside of value creation 6. Late constraints and requirements 7. Big commitments, big teams, and big failures 8. Fear of failure, lack of learning 9. Lack of inspiration 10. Management and political interference (approvals, exceptions) ...
  • 7. 7 Copyright © DevSecOps Foundation 2015-2016
  • 8. 8 The Secure Software Supply Chain • Gating processes are not Deming-like • Security is a design constraint • Decisions made by engineering teams • Hard to avoid business catastrophes by applying one-size-fits-all strategies • Security defects is more like a security “recall” design build deploy operate How do I secure my app? What component is secure enough? How do I secure secrets for the app? Is my app getting attacked? How? Typical gates for security checks & balances Mistakes and drift often happen after design and build phases that result in weaknesses and potentially exploits Most costly mistakes Happen during design Faster security feedback loop Copyright © DevSecOps Foundation 2015-2016
  • 9. 9 From a traditional supply chain When will you solve my problem?!! Can we discuss my feedback? Copyright © DevSecOps Foundation 2015-2016
  • 10. 10 To a customer-centric supply chain Awesome!When can I bring my kids with me? Does it come in Red? Can this be motorized to go faster and for longer trips? Better than walking, for sure … but not by much... Security must shift left with a science mindset Copyright © DevSecOps Foundation 2015-2016
  • 11. 11 Migrating Security to the Left where it can get built-in design build deploy operate How do I secure my app? What component is secure enough? How do I secure secrets for the app? Is my app getting attacked? How? Typical gates for security checks & balances Mistakes and drift often happen after design and build phases that result in weaknesses and potentially exploits Most costly mistakes Happen during design Faster security feedback loop Security is a Design Constraint Copyright © DevSecOps Foundation 2015-2016
  • 12. 12 Copyright © DevSecOps Foundation 2015-2016 Security is a design constraint…
  • 13. 13 The Security Feedback Loop THE FEEDBACK HIGHWAY PRODUCT SCRUM TEAM THE INTEL HIGHWAY SECURITY TESTING & DATA PLATFORM SECURITY TEAM SECURITY COMMUNITY Copyright © DevSecOps Foundation 2015-2016
  • 14. 14 The Art of DevSecOps DevSecOps Security Engineering Experiment, Automate, Test Security Operations Hunt, Detect, Contain Compliance Operations Respond, Manage, Train Security Science Learn, Measure, Forecast Copyright © DevSecOps Foundation 2015-2016
  • 15. 15 Your reality is changing... Internet CloudProviderNetwork CloudProviderNetwork CloudProviderNetwork CloudProviderNetwork DataCenter DataCenter CloudProviderNetwork Copyright © DevSecOps Foundation 2015-2016
  • 16. 16 Attacks are changing… API KEY EXPOSURE -> 8 HRS DEFAULT CONFIGS -> 24 HRS SECURITY GROUPS -> 24 HRS ESCALATION OF PRIVS -> 5 D KNOWN VULN -> 8 HRS Copyright © DevSecOps Foundation 2015-2016
  • 17. 17 Security Events are Spreading out… Copyright © DevSecOps Foundation 2015-2016
  • 18. 18 Monitor & Inspect Everything insights security sciencesecurity tools & data Cloud accounts S3 Glacier EC2 CloudTrail ingestion threat intel security feedback loop continuous response Your job is changing… Copyright © DevSecOps Foundation 2015-2016
  • 19. 19 Security Decisions & Processes are changing… Copyright © DevSecOps Foundation 2015-2016
  • 20. 20 Security Controls are changing… Security Monitoring Copyright © DevSecOps Foundation 2015-2016
  • 21. 21 What’s this look like in practice? Etc… Etc... Etc... Copyright © DevSecOps Foundation 2015-2016
  • 22. 22 Account Sharding is a new control! • Splitting cloud workloads into many accounts has a benefit. • Accounts should contain less than 100% of a cloud workload. • Works well with APIs; works dismal with forklifts. • What is your appetite for risk? Cloud Workload Templates CloudProviderNetwork 33 % 33 % 33 % CloudAccount CloudAccount CloudAccount attacker Copyright © DevSecOps Foundation 2015-2016
  • 23. 23 Long live APIs… • Everything in the cloud should be an API, even Security… • Protocols that are not cloudy should not span across environments. • If you wouldn’t put it on the Internet then you should put an API and Authentication in front of it: • Messaging • Databases • File Transfers • Logging CloudProviderNetwork Tested machine image… Tested instances... Tested roles... Tested passwords... New instance created… Instance 12345 changed… User ABC accessed Instance 12345... B User Routing Data Replication Application Gateway File Transfers Log Sharing Messaging My API Copyright © DevSecOps Foundation 2015-2016
  • 24. 24 Host-Based Controls • Shared Responsibility and Cloud require host-based controls. • Instrumentation is everything! • Fine-grained controls require more scrutiny and bigger big data analysis. • Agents & Outbound Reporting to an API are critical CloudProviderNetwork InstanceInstance Tested machine image… Tested instances... Tested roles... Tested passwords... New instance created… Instance 12345 changed… User ABC accessed Instance 12345... B Copyright © DevSecOps Foundation 2015-2016
  • 25. 25 DAYS Don’t Hug Your Instances… • Research suggests that you should replace your instances at least every 10 days, and that may not be often enough. • Use Blue/Green or Red/Black deployments to reduce security issues by baking in patching. • Make sure to keep a snapshot for forensic and compliance purposes. • Use config management automation to make changes part of the stack. • Refresh routinely; refresh often! Copyright © DevSecOps Foundation 2015-2016
  • 26. 26 • Paper-resident policies do not stand up to constant cloud evolution and lessons learned. • Translation from paper to code can lead to mistakes. • Traditional security policies do not 1:1 translate to Full Stack deployments. Code can solve the great divide… DataCenter CloudProvider Network • LOCK YOUR DOORS • BADGE IN • AUTHORIZED PERSONNEL ONLY • BACKGROUND CHECKS • CHOOSE STRONG PASSWORDS • USE MFA • ROTATE API CREDENTIALS • CROSS-ACCOUNT ACCESS EVERYTHING AS CODE Page 3 of 433 Copyright © DevSecOps Foundation 2015-2016
  • 27. 27 But the change could be worth it… This could be your mean time to recovery (MTTR) MTTR Days… 6 months Copyright © DevSecOps Foundation 2015-2016
  • 28. 28 Still not convinced? We’ve actually been talking about it for a long time… https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf Copyright © DevSecOps Foundation 2015-2016
  • 29. 29 Copyright © DevSecOps Foundation 2015-2016 DevSecOps Today… https://www.google.com/trends/
  • 30. 30 • devsecops.org • @devsecops on Twitter • DevSecOps on LinkedIn • DevSecOps on Github • RuggedSoftware.org • Compliance at Velocity Join Us !!! Spread the word!!! Get Involved & Join the Community Copyright © DevSecOps Foundation 2015-2016