Discussion of how security is in crisis but DevSecOps offers a new playbook and gives security a path to influence. Turning to the WAF space, we look at how Signal Sciences has created feedback between Dev, Ops and Security to create new value.
5. Signal Sciences secures the most important web applications, APIs, and microservices of the world's leading companies. Our next-gen WAF and RASP help you increase security and maintain site reliability without sacrificing velocity, all at the lowest total cost of ownership.
10. The original DevOps Deep Thoughts were created by the hilarious and awesome Josh Zimmerman (@TheJewberwocky) as Not Jack Handey, which is a parody of Deep Thoughts by Jack Handey. These DevSecOps Deep Thoughts are not nearly as funny nor deep, but hey, what do you expect of a parody of a parody?
18. "[Security by risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work"
19. "Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we’re protecting the wrong things, and we’re hurting productivity in the process."
23. While engineering teams are busy deploying leading-edge technologies, security teams are still focused on defending existing applications and fighting yesterday’s battles.
- SANS 2018 DevSecOps Survey
24. 48% of developers say security is important but don't have enough time to spend on it
32. The New Security Playbook
• Empathy and Enablement
• Be Fast and Non-Blocking
• Don’t slow delivery
• Security testing automated in every phase
• Security provides value through making security normal
33. Security's Path to Influence
1. Identify Resource Misutilization
2. Add Telemetry and Feedback Loops
3. Automate and Monitor Across the Software Pipeline
4. Influence Organizational Culture
35. One place to start is the most prolific security tool: the WAF
39. “The web application firewall market is ripe for disruption in 2018…As in previous years, little innovation has occurred during the last 12 months. Most WAF solutions still lack the more advanced analytics that Gartner analysts observe in other security markets.”
- Gartner
40. “every aspect of managing WAFs is an ongoing process. This is the antithesis of set it and forget it technology. That is the real point of this research. To maximize value from your WAF you need to go in with everyone’s eyes open to the effort required to get and keep the WAF running productively.”
- Whitepaper from an Undisclosed WAF vendor
41. Legacy WAF is a Black-box
• Regex dark arts with no great way to determine accuracy
• No developer or operations access
• Minimal integrations into today’s DevOps toolchains
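The "no great way to determine accuracy" point is what a feedback loop fixes: if every rule decision is recorded against a labelled sample of traffic, a regex rule's false-positive and false-negative rates become measurable numbers instead of folklore. The following is an added example, not code from Signal Sciences or from the slides. It assumes a small constructed corpus of labelled request lines and two hypothetical rulesets (`LEGACY_RULES`, `TUNED_RULES`), and scores each the way a WAF would decide: block if any rule matches the URL-decoded request.

```python
import re
from urllib.parse import unquote

# Constructed labelled corpus for this example: (request line, is_attack).
# These strings were written for the illustration and are not traffic from any real site.
LABELED_REQUESTS = [
    ("/search?q=shoes", False),
    ("/search?q=red%20shoes", False),
    ("/profile?id=42", False),
    ("/blog/why-1=1-is-a-bad-password", False),  # benign text that resembles a SQLi tautology
    ("/login?user=alice&pass=secret", False),
    ("/search?q=' OR 1=1 --", True),
    ("/search?q=' OR 2=2 --", True),              # tautology variant neither ruleset below catches
    ("/profile?id=42 UNION SELECT username,password FROM users", True),
    ("/search?q=<script>alert(1)</script>", True),
    ("/download?file=../../etc/passwd", True),
    ("/search?q=union%20select%201", True),
]

# Two hypothetical rulesets. The "legacy" SQLi rule fires on any "1=1"; the tuned
# variant requires a preceding quote, which the benign blog path lacks.
LEGACY_RULES = {
    "sqli_naive": re.compile(r"1=1|union\s+select", re.IGNORECASE),
    "xss_basic": re.compile(r"<\s*script", re.IGNORECASE),
    "traversal": re.compile(r"\.\./", re.IGNORECASE),
}
TUNED_RULES = {
    "sqli_tighter": re.compile(r"'\s*or\s+1=1|union\s+select", re.IGNORECASE),
    "xss_basic": LEGACY_RULES["xss_basic"],
    "traversal": LEGACY_RULES["traversal"],
}


def evaluate_ruleset(rules, corpus):
    """Score a ruleset against labelled requests.

    The WAF decision is "block if any rule matches the URL-decoded request".
    Returns the confusion matrix, precision and recall, and, per rule, the
    benign requests it fired on, which is the list a rule author needs in
    order to tune it.
    """
    tp = fp = fn = tn = 0
    fp_by_rule = {name: [] for name in rules}
    for raw, is_attack in corpus:
        decoded = unquote(raw)  # normalise percent-encoding before matching
        hits = [name for name, pat in rules.items() if pat.search(decoded)]
        blocked = bool(hits)
        if blocked and is_attack:
            tp += 1
        elif blocked and not is_attack:
            fp += 1
            for name in hits:
                fp_by_rule[name].append(raw)
        elif not blocked and is_attack:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "precision": round(precision, 3),
        "recall": round(recall, 3),
        "fp_by_rule": fp_by_rule,
    }


if __name__ == "__main__":
    for label, rules in (("legacy", LEGACY_RULES), ("tuned", TUNED_RULES)):
        result = evaluate_ruleset(rules, LABELED_REQUESTS)
        print(f"{label}: precision={result['precision']} recall={result['recall']} "
              f"fp={result['fp']} fn={result['fn']}")
        for name, misses in result["fp_by_rule"].items():
            if misses:
                print(f"  rule {name} blocked benign requests: {misses}")
```

On this corpus the legacy ruleset blocks the benign blog URL (precision 0.833) while the tuned one does not (precision 1.0); both miss the `2=2` variant, so recall stays at 0.833 for each. The per-rule false-positive list is the feedback a developer or operator can act on, and the same harness run nightly against sampled production traffic is what turns a regex from a black box into something with a measured error rate.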
42. Legacy WAFs focus on the same threats as 15 years ago
The real-world top ten is very different, e.g. Account Takeover, Forceful Browsing, Feature Abuse, Evasion Techniques, Subdomain Takeover, Misconfiguration
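Account takeover, the first item in that list, is a good illustration of why signature matching on a single request is not enough: each login attempt in a credential-stuffing run looks individually valid, and the signal only appears in the telemetry across requests. The following is an added example, not code from Signal Sciences or from the slides. It assumes a constructed `key=value` login-event log format, RFC 5737 documentation IPs, and hypothetical thresholds (a sliding 60-second window, 5 failures, 3 distinct usernames) that a real deployment would tune against its own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login-event lines in a hypothetical "key=value" format written for
# this example; the IPs are RFC 5737 documentation addresses, not real hosts.
LOG_LINES = [
    "2018-06-01T12:00:01Z ip=198.51.100.5 user=alice result=ok",
    "2018-06-01T12:00:05Z ip=198.51.100.5 user=alice result=ok",
    "2018-06-01T12:01:00Z ip=203.0.113.7 user=alice result=fail",
    "2018-06-01T12:01:01Z ip=203.0.113.7 user=bob result=fail",
    "2018-06-01T12:01:02Z ip=203.0.113.7 user=carol result=fail",
    "2018-06-01T12:01:03Z ip=203.0.113.7 user=dave result=fail",
    "2018-06-01T12:01:04Z ip=203.0.113.7 user=erin result=fail",
    "2018-06-01T12:01:05Z ip=203.0.113.7 user=frank result=ok",
    "2018-06-01T12:02:00Z ip=198.51.100.9 user=gina result=fail",
    "2018-06-01T12:02:30Z ip=198.51.100.9 user=gina result=fail",
    "2018-06-01T12:03:00Z ip=198.51.100.9 user=gina result=ok",
    "malformed line that the parser must skip",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one event line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_account_takeover(lines, window_seconds=60, min_failures=5, min_distinct_users=3):
    """Flag credential-stuffing sources and the accounts they logged into.

    A source IP is flagged when, within a sliding window, it accumulates at
    least `min_failures` failed logins spread over at least `min_distinct_users`
    usernames. That shape separates stuffing from one user retyping a password
    (many failures, one username). A successful login from a flagged IP while
    its failure window is still open marks that account as a takeover suspect.
    Thresholds are hypothetical and would be tuned against real telemetry.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)  # ip -> failed events inside the window
    stuffing_ips = set()
    suspect_accounts = set()

    for ev in events:
        q = recent_failures[ev["ip"]]
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()  # expire failures older than the window
        if ev["result"] == "fail":
            q.append(ev)
            distinct_users = {e["user"] for e in q}
            if len(q) >= min_failures and len(distinct_users) >= min_distinct_users:
                stuffing_ips.add(ev["ip"])
        elif ev["ip"] in stuffing_ips and q:
            # Success from a source that was stuffing moments ago: review this account.
            suspect_accounts.add(ev["user"])

    return {"stuffing_ips": sorted(stuffing_ips), "suspect_accounts": sorted(suspect_accounts)}


if __name__ == "__main__":
    print(detect_account_takeover(LOG_LINES))
```

Run against the sample, the detector flags `203.0.113.7` and puts `frank` on the review list, while `gina`, who failed twice from one address and then succeeded, is left alone. The point for the slide is that the login endpoint itself never saw a malformed request; the detection lives in the telemetry, and the output (a list of accounts to step up or re-verify) is something developers and operations can consume directly.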
43. Legacy WAF architecture doesn't scale
• Inline architecture which is often a chokepoint
• Can’t support multiple CDNs
• Expensive to deploy and maintain
53. Resources
• Agile Application Security book
• Continuous Delivery book by Jez Humble
• The DevOps Handbook
• DevSecOps: Building a Secure Continuous Delivery Pipeline LinkedIn Learning Course