The Path of DevOps Enlightenment for InfoSec

Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.

From DevOps Days KC 2017

Published in: Software

Slide transcript

1. DevOps Days Kansas City @WICKETT
   THE PATH OF DEVOPS ENLIGHTENMENT FOR INFOSEC
   JAMES WICKETT, SIGNAL SCIENCES
2. Want the slides? james@signalsciences.com
3. ‣ HEAD OF RESEARCH AT SIGNAL SCIENCES
   ‣ ORGANIZER OF DEVOPS DAYS AUSTIN
   ‣ LYNDA.COM AUTHOR ON DEVOPS
   ‣ BLOG AT THEAGILEADMIN.COM
   @WICKETT
4. QUESTIONS ON MY MIND
   ‣ WHY DO WE HAVE DEVOPS?
   ‣ DID WE BUILD DEVOPS PROPERLY?
   ‣ IS THE DEVOPS CULTURE LOST?
   ‣ CAN WE GET IT BACK?
   ‣ CAN WE PROTECT DEVOPS FROM FURTHER DISTORTION?
5. My Journey
6. FIRST BIGCO JOB
   ‣ WEB AND ECOMM FOR $1B COMPANY
   ‣ BRUTAL ONCALL ROTATIONS
   ‣ +24HR DEPLOYMENTS
   ‣ WATERFALL, WATERFALL, WATERFALL
   ‣ FRIENDS ARE BORN FROM ADVERSITY
7. CLOUDING FOR PROFIT
   ‣ IN 2007 WENT STARTUP AND AWS CLOUD
   ‣ LEARNED A BIT ABOUT FAILURE AND HAPPINESS
   ‣ REJOINED OLD TEAM IN 2010 FOR NEW CLOUD VENTURE BACK IN BIGCO
8. ENTER DEVOPS
   ‣ DEVOPS AND INFRA AS CODE
   ‣ NOT CD, BUT DEPLOYS DAILY
   ‣ AT BIGCO DELIVERED 4 SAAS PRODUCTS IN 2 YEARS WITH DEVOPS AND CLOUD
9. DEVOPS AND SECURITY
   ‣ FOUND RUGGED SOFTWARE
   ‣ MET GENE KIM IN 2012 IN A BAR IN AUSTIN
   ‣ CREATED GAUNTLT
   ‣ LATER, JOINED SIGNAL SCIENCES
10. DevOps is Friendship
11. Compassion for Ops
12. 10:1 Dev:Ops
13. Labor Inequity Permeates IT Ranks
14. 100:10:1 Dev:Ops:Sec
15. Yet, I remained optimistic for DevOps+Security
16. ENTER DOUBTS
17. TWO EVENTS
   ‣ DEVOPS ON A BUS AT RSA
   ‣ EXPO FLOOR AT DOCKER CON AND THE DEVOPS TOOLCHAIN
18. HAD WE ALLOWED DEVOPS TO BE A NEW GIMMICK OR SLOGAN?
19. WHAT HAD DEVOPS BECOME?
20. QUESTIONING DEVOPS
   ‣ WHY DO WE HAVE DEVOPS?
   ‣ DID WE BUILD DEVOPS PROPERLY?
   ‣ IS THE DEVOPS CULTURE LOST?
   ‣ CAN WE GET IT BACK?
   ‣ CAN WE PROTECT DEVOPS FROM FURTHER DISTORTION?
21. OUR ROOTS: FRIENDSHIP
22. There is irony in my story…
23. ‣ TEACH THREE DEVOPS CLASSES IN THE DEVOPS FOUNDATIONS SERIES AT LYNDA / LINKEDIN LEARNING
   ‣ WRITE DEVOPS AND SECURITY ARTICLES AS PART OF MY ROLE AT SIGNAL SCIENCES
24. Back to Our Roots
25. CULTURE IS THE MOST IMPORTANT ASPECT TO DEVOPS SUCCEEDING IN THE ENTERPRISE - PATRICK DEBOIS
27. 4 KEYS TO CULTURE
   ‣ MUTUAL UNDERSTANDING
   ‣ SHARED LANGUAGE
   ‣ SHARED VIEWS
   ‣ COLLABORATIVE TOOLING
28. FRIENDSHIP
29. Make a friend at DevOps Days KC
30. Security is in Crisis
31. Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we’re protecting the wrong things, and we’re hurting productivity in the process. - THINKING SECURITY, STEVEN M. BELLOVIN, 2015
33. [Security by risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work.
34. Security is often the cultural outlier in an organization
35. Many security teams work with a worldview where their goal is to inhibit change as much as possible.
36. “SECURITY PREFERS A SYSTEM POWERED OFF AND UNPLUGGED” - DEVELOPER
37. “…THOSE STUPID DEVELOPERS” - SECURITY PERSON
38. It is 30 times cheaper to fix security defects in dev vs. prod. - NIST, 2002, The Economic Impacts of Inadequate Infrastructure for Software Testing
39. (same as slide 38)
40. Security must Change or Die
41. “Every aspect of managing WAFs is an ongoing process. This is the antithesis of set it and forget it technology. That is the real point of this research. To maximize value from your WAF you need to go in with everyone’s eyes open to the effort required to get and keep the WAF running productively.” - WHITEPAPER FROM AN UNDISCLOSED WAF VENDOR
43. Bottleneck Approach
44. THE AVERAGE TIME TO DELIVER CORPORATE IT PROJECTS HAS INCREASED FROM ~8.5 MONTHS TO OVER 10 MONTHS IN THE LAST 5 YEARS. - Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016
   THE GROWTH OF [SECURITY] FUNCTIONS WHICH IS TOO OFTEN POORLY COORDINATED… [RESULTING IN] A PROLIFERATION OF NEW TASKS IN THE AREAS OF COMPLIANCE, PRIVACY AND DATA PROTECTION.
45. Many security professionals have a hard time adapting their existing practices to a world where requirements can change every few weeks, or where they are never written down at all.
48. DevOps: A New Traveling Companion for Security (…and probably the only way to survive)
49. High performers spend 50 percent less time remediating security issues than low performers. By better integrating information security objectives into daily work, teams achieve higher levels of IT performance and build more secure systems. - 2016 State of DevOps Report
50. High performing orgs achieve quality by incorporating security (and security teams) into the delivery process. - 2016 State of DevOps Report
51. http://www.youtube.com/watch?v=jQblKuMuS0Y
52. The New Path
53. OLD PATH VS. NEW PATH

   OLD PATH            NEW PATH
   Embrace Secrecy     Create Feedback Loops
   Just Pass Audit!    Compliance adds Value
   Enforce Stability   Create Chaos
   Build a Wall        Zero Trust Networks
   Slow Validation     Fast and Non-blocking
   Certainty Testing   Adversity Testing
   Test when Done      Shift Left
   Process Driven      The Paved Road

54. OLD PATH VS. NEW PATH (table repeated from slide 53)
55. A security team who embraces openness about what it does and why, spreads understanding. - Rich Smith
56. Runtime is arguably the most important place to create feedback loops
57. DETECT WHAT MATTERS
   ‣ ACCOUNT TAKEOVER ATTEMPTS
   ‣ AREAS OF THE SITE UNDER ATTACK
   ‣ MOST LIKELY VECTORS OF ATTACK
   ‣ BUSINESS LOGIC FLOWS
59. Are you under attack?
60. Where?
61. Options: RASP, NGWAF or Web Protection Platform
62. OLD PATH VS. NEW PATH (table repeated from slide 53)
63. UNDERSTAND AUDITORS
   ‣ POLICIES AND PROCEDURES IN PLACE
   ‣ EFFECTIVE EXECUTION OF THOSE POLICIES TO ALLOW YOU TO KEEP FUNCTIONING
   ‣ MOST OF PCI AND OTHER FRAMEWORKS PROVIDE REASONABLY GOOD PRACTICES *IF* YOU REMOVE ALL THE WATERFALL BITS
64. [Deploys] can be treated as standard or routine changes that have been pre-approved by management, and that don’t require a heavyweight change review meeting.
65. Separation of Duties Considered Harmful
66. Developers with Access to Production, Oh My!!!
   https://www.schellmanco.com/blog/2012/12/auditing-devops-developers-with-access-to-production/
67. Check out DevOps Audit Defense Toolkit
   https://cdn2.hubspot.net/hubfs/228391/Corporate/DevOps_Audit_Defense_Toolkit_v1.0.pdf
68. OLD PATH VS. NEW PATH (table repeated from slide 53)
69. CHAOS ENGINEERING
   ‣ ADD IN CHAOS TO YOUR SYSTEM AND APPLICATION
   ‣ CHAOS MONKEY
   ‣ ANTI-FRAGILE
   ‣ RELEASE IT! BOOK
71. CHAOS SLINGR
   ‣ ADDS MISCONFIG TO THE STACK AND CHECKS TO SEE IF IT GETS DETECTED
   ‣ NEW OPEN SOURCE TOOL!
   ‣ RUNS AS A LAMBDA
72. BUG BOUNTIES
   ‣ I AM BEING PEN TESTED ANYWAY, WHY NOT FIND OUT WHAT THEY ARE FINDING?
   ‣ 24/7 PEN TESTING
   ‣ BUILDS DEVELOPER CONFIDENCE
   ‣ FINDS MIX OF LOW HANGING FRUIT AND SOMETIMES MUCH MORE!
73. OLD PATH VS. NEW PATH (table repeated from slide 53)
75. ZERO TRUST NETWORKS
   ‣ NO PERIMETER SECURITY
   ‣ ASSUME COMPROMISE
   ‣ INSTRUMENT ALL LAYERS
   ‣ EXTENDS FROM LAPTOPS TO WEB APPS TO CUSTOMER ACCOUNTS
76. OLD PATH VS. NEW PATH (table repeated from slide 53)
77. FAST AND NON-BLOCKING
   ‣ DON’T SLOW DELIVERY
   ‣ CONTINUOUS TESTING AND VALIDATION
   ‣ TESTING ON THE SIDE OF THE PIPELINE
   ‣ PENETRATION TESTING OUTSIDE OF DELIVERY
78. Currently, at Signal Sciences we do about 15 deploys per day
79. Roughly 10,000 deploys in the last 2.5 yrs
81. CD is how little you can deploy at a time
82. We optimized for cycle time, the time from code commit to production
83. Gave power to the team to deploy
84. Signal Sciences is a software as a service company and a security company
85. Security is part of CI/CD and the overall delivery pipeline
86. PIPELINE PHASES
   ‣ DESIGN
   ‣ INHERIT
   ‣ BUILD
   ‣ DEPLOY
   ‣ OPERATE
87. SECURITY CONSIDERATIONS
   ‣ INHERIT: What have I bundled into my app that leaves me vulnerable?
   ‣ BUILD: Do my build acceptance tests and integration tests catch security issues before release?
   ‣ OPERATE: Am I being attacked right now? Is it working?
88. OLD PATH VS. NEW PATH (table repeated from slide 53)
89. Be Mean to Your Code
90. The goal should be to come up with a set of automated tests that probe and check security configurations and runtime system behavior for security features that will execute every time the system is built and every time it is deployed.
91. Security tools are intractably noisy and difficult to use
92. A method of collaboration was needed for devs, ops and security eng.
93. There needed to be a new language to span the parties
94. Started Gauntlt 4 years ago
96. Open source, MIT License
   Gauntlt comes with pre-canned steps that hook security testing tools
   Gauntlt does not install tools
   Gauntlt wants to be part of the CI/CD pipeline
   Be a good citizen of exit status and stdout/stderr
97. gauntlt.org
101. Installing and running Gauntlt:

       $ gem install gauntlt
       # download example attacks from github
       # customize the example attacks
       # now you can run gauntlt
       $ gauntlt

102. A Gauntlt attack file (the slide had "—check", an em-dash typo for the "--check" option):

       @slow @final
       Feature: Look for cross site scripting (xss) using arachni against a URL

         Scenario: Using arachni, look for cross site scripting and verify no issues are found
           Given "arachni" is installed
           And the following profile:
             | name | value                 |
             | url  | http://localhost:8008 |
           When I launch an "arachni" attack with:
             """
             arachni --check=xss* <url>
             """
           Then the output should contain "0 issues were detected."

     Given When Then What?
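The attack file on slide 102 maps a Given (tool present), a profile table, a When (the tool command with <url> filled in) and a Then (an assertion on the tool's output) onto one exit status that a CI job can consume, which is the "good citizen of exit status and stdout/stderr" point from slide 96. The runner below is an added example in that spirit, not Gauntlt's own code: it parses a constructed attack of the same shape and substitutes `echo` for arachni so that it runs offline.

```ruby
require 'open3'

Attack = Struct.new(:tool, :profile, :command, :expectations)
Result = Struct.new(:passed, :failures, :output, :status)

# Constructed sample attack (not from the slides). The echo command stands in
# for the scanner and prints the line arachni prints when a scan is clean.
SAMPLE_ATTACK = <<~ATTACK
  Feature: Look for cross site scripting (xss) using a scanner against a URL
    Scenario: Verify no XSS issues are found
      Given "echo" is installed
      And the following profile:
        | name | value                 |
        | url  | http://localhost:8008 |
      When I launch an "echo" attack with:
        """
        echo "scanning <url>: 0 issues were detected."
        """
      Then the output should contain "0 issues were detected."
      And the output should not contain "[+] XSS"
ATTACK

# Parse the Given/When/Then steps into tool name, profile, command and expectations.
def parse_attack(text)
  tool = nil
  profile = {}
  command_lines = []
  expectations = []
  in_command = false
  text.each_line do |raw|
    line = raw.strip
    if line == '"""'              # triple quotes delimit the command block
      in_command = !in_command
      next
    end
    if in_command
      command_lines << line
    elsif (m = line.match(/\AGiven "([^"]+)" is installed\z/))
      tool = m[1]
    elsif line.start_with?('|')   # profile table row: | name | value |
      name, value = line.split('|').map(&:strip).reject(&:empty?)
      profile[name] = value unless name == 'name'   # skip the header row
    elsif (m = line.match(/\A(?:Then|And) the output should (not )?contain "(.*)"\z/))
      expectations << { negate: !m[1].nil?, text: m[2] }
    end
  end
  Attack.new(tool, profile, command_lines.join("\n"), expectations)
end

# Gauntlt does not install tools; it only checks that the tool is on PATH.
def tool_installed?(tool)
  ENV.fetch('PATH', '').split(File::PATH_SEPARATOR)
     .any? { |dir| File.executable?(File.join(dir, tool)) }
end

# Replace <name> placeholders in the command with values from the profile table.
def fill_placeholders(command, profile)
  command.gsub(/<(\w+)>/) { profile.fetch(Regexp.last_match(1)) }
end

# Run the attack: pass/fail is decided by the Then steps, not by the tool's own
# exit code, which is recorded for the report. stdout and stderr are merged
# because security tools are inconsistent about which stream they use.
def run_attack(attack)
  unless tool_installed?(attack.tool)
    return Result.new(false, ["#{attack.tool} is not installed"], '', nil)
  end
  output, status = Open3.capture2e(fill_placeholders(attack.command, attack.profile))
  failures = attack.expectations.each_with_object([]) do |e, acc|
    found = output.include?(e[:text])
    acc << "output should not contain #{e[:text].inspect}" if e[:negate] && found
    acc << "output should contain #{e[:text].inspect}" if !e[:negate] && !found
  end
  Result.new(failures.empty?, failures, output, status.exitstatus)
end

# The single number a CI stage cares about: 0 when every expectation held.
def exit_code_for(result)
  result.passed ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  result = run_attack(parse_attack(SAMPLE_ATTACK))
  puts result.output
  puts(result.passed ? 'attack passed' : "attack failed: #{result.failures.join('; ')}")
end
```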
103. “We have saved millions of dollars using Gauntlt for the largest healthcare industry project.” - Aaron Rinehart, UnitedHealthCare
104. http://bit.ly/2s8P1Ll
105. WORKSHOP INCLUDES:
   ‣ 8 LABS FOR GAUNTLT
   ‣ HOW TO USE GAUNTLT FOR NETWORK CHECKS
   ‣ GAUNTLT FOR XSS, SQLI, OTHER APSES
   ‣ HANDLING REPORTING
   ‣ USING ENV VARS
   ‣ CI SYSTEM SETUP
106. github.com/gauntlt/gauntlt-demo
107. github.com/gauntlt/gauntlt-starter-kit
108. SOURCE: THE THREE WAYS OF DEVOPS, GENE KIM
111. Most teams use Gauntlt in Docker containers
112. https://github.com/gauntlt/gauntlt-docker
113. OLD PATH VS. NEW PATH (table repeated from slide 53)
115. Red Team Mondays at Intuit
117. OVER 30% OF OFFICIAL IMAGES IN DOCKER HUB CONTAIN HIGH PRIORITY SECURITY VULNERABILITIES
   https://banyanops.com/blog/analyzing-docker-hub/
118. OLD PATH VS. NEW PATH (table repeated from slide 53)
119. THE PAVED ROAD
   ‣ MAKE IT EASY FOR PEOPLE TO DO THE RIGHT THING
   ‣ JASON CHAN, NETFLIX
   ‣ GOLD IMAGES
   ‣ BLESSED BUILDS AND DEPENDENCIES
120. Don’t be a blocker, be an enabler of the business
121. Contact me: james@signalsciences.com, @wickett