The Unlikely Couple, DevOps and Security. Can it work?
•Download as PPTX, PDF•
0 likes•325 views
This document discusses how DevOps and security can work together. It begins by noting that DevOps often scares security professionals and security is not always helpful to developers. However, both are needed for companies to quickly get applications to market while limiting new vulnerabilities. The document recommends opening communications between DevOps and security, automating processes when possible, and educating and empathizing with one another. It provides examples of how to start integrating security into DevOps pipelines through threat modeling, scans, tests and audits. The document argues DevOps helps security by shifting it left into the software development lifecycle and enabling automation, versioning, monitoring and quick fixes.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to The Unlikely Couple, DevOps and Security. Can it work?
Similar to The Unlikely Couple, DevOps and Security. Can it work? (20)
More from Todd Benson (I.T. SPECIALIST and I.T. SECURITY)
More from Todd Benson (I.T. SPECIALIST and I.T. SECURITY) (9)
Recently uploaded
Recently uploaded (12)
The Unlikely Couple, DevOps and Security. Can it work?
- 1. The Unlikely Couple, DevOps And Security. CAN IT WO RK?
- 2. THIS TALK WILL COVER • Why DevOps scares security • Why Security isn’t always very helpful to development • How DevOps can help security be an integrated, important part of the development process
- 3. THIS TALK WILL NOT COVER Securing the pipeline or technical details
- 4. INTRODUCTION - ME • An IT Professional who has worn many hats • Last 7 years a Security Engineer • Last 2 DevOps engineer who specializes in security • Still learning
- 5. INTRODUCTION - YOU • How many are non-security professionals? • Using DevOps? • How many are Security professionals? • Security professional on a development team?
- 7. Security isn’t always very helpful to development
- 10. But they need each other
- 11. COMPANIES NEED TO • Get their applications to market quicker while limiting the introduction of new, or previously existing, security vulnerabilities • Learn how to add security throughout the SDLC by providing seamless automation at key points in the pipeline.
- 12. Siloing has made the company goals unachievable
- 13. HOW TO FIX Open communications Automate when possible EducateEmpathize Make sure we don’t go backwards
- 16. Traditional View of the Agile SDLC UAT YES NO Back to define requirements Define requirements IU Design Development QA Threat modeling Design review SAST on PR SAST Security Acceptance tests Other Security tests Runtime Checks Nightly Dynamic Scans Automated Audits
- 18. Where to start with non-automated process? • Create a Standard Operating Procedure (SOP) • Create a threat modeling template and teach devs to use it • Use a version control system (Github, etc.) to store tests • Create a risk acceptance document/process, if your company doesn’t have one
- 19. Where to start with automation? • Simple Dynamic Scans • Basic Runtime Checks • Simple Acceptance Tests, create stories as you go • Automate Audits • Iterate and improve as time goes on
- 20. How does DevOps help security? • Shifts security left and include it throughout the SDLC (including Prod) • Automate, automate, automate • Small Changes • Everything is version controlled and logged • Everything relevant is monitored, alerted, and dashboard • Human review/notification is often built into the process • Quick turn-around time for fixes
Editor's Notes
- They don’t have a seat at the table Still trying to catch up There is lack of insight (trust) It’s fast It doesn’t allow for full security testing There is no way every release can be fully tested There is usually a lack of “formal” documentation There is a perceived lack of accountability Non-functional security requirement are often ignored or de-prioritized
- Slow test cycles Too many false positives Risk analysis is myopic Reporting on results leave A LOT to be desired – results are difficult for a non-security professional to interpret They attempt to dictate instead of guide Security becomes a blocker instead of a partner A lack of AppSec support to developers
- Knowledge gaps on both sides Security and development don’t speak the same language developers THINK they know security hasn’t been helpful in saying what they wanted developers don’t involve security sooner developers try to do everything THEN throw it to security security isn’t pragmatic (unrealistic expectations)
- Security theater Security is a road block Security jumps up and down Developers release code Security risk remains the same or gets worse Everyone works against each other
- Devops offers a huge potential to fix a number of security problem No one knows how people break into houses better than a cop No one knows how to break into MY house better than me No one knows what are high value targets better than cops No one knows what is of high value to ME There should be a dedicated security professional or champion for each team
- Developers need to understand security is a feature which should be built and designed in. It’s not an addition to development, it IS development Security needs to understand that they are there for the benefit of the company, and not the other way around - Businesses don't go into business primarily to write secure code Both need to understand that security is only one part of application risks Business priorities and security priorities aren't always the same
- Communications – security MUST have a seat at the table and must be willing to work with developers; developers must involve security early an often Empathize – build partnerships; security must learn how to help get code to PROD quicker and developers must understand that development IS security and that compliance IS important Educate – teaching core concepts I more important than individual vulns or technical details; developers can’t be silent about possible issue Automation – Just like developers, security must go faster. Automation frees up time, but must be in the story que and prioritized Don’t go backwards – Often because of full lack of support throughout the company and upper management. DevOps takes discipline. Security should help with this
- time for complete security assessment decreased risk increased compliance to report “everything” no vulnerabilities some human decision making/accountability A seat at the table to be taken serious
- decreased time to market improved deployment experience (more frequent, less issues) shortened lead time between fixes faster recovery lower deployment failure rate to be secure but are often not motivated to build in security
- Never too early about thinking about security View the security “gates” as engagement points and not enforcement points DevOps helps solve a number of security problems Helps get code to PROD quicker, including security fixes DevOps makes security developer’s responsibility Goal is to reduce friction as you insert security into the SDLC Shifts security left ** Add manual testing
- Speeding up is dangerous; security are the safety features that allow companies to go fast
- Build on earlier successes Mature as you move along
- Automation ensures consistency Developers don’t directly interact with systems Higher visibility and meaningful security metrics