The Seven Habits of the Highly Effective DevSecOp


DevOps, and the subsequent move to bring security in under the umbrella of DevSecOps, has created a new ethos for security. This is good; however, moving security and DevOps closer together in many organizations leaves us with questions about how this merge works in practice. What happens to security? To developers? And really, what makes a good DevSecOp?

This talk highlights the seven habits that the high-performing DevSecOp of today (and tomorrow) should develop. Topics range from empathy to lean to system safety, with the hope of uncovering a new playbook for devs, ops, and security to work together.

Published in: Software

1. THE SEVEN HABITS OF THE HIGHLY EFFECTIVE DevSecOp @WICKETT
2. JAMES WICKETT. Sr. Sec Eng & Dev Advocate @ Verica. Former Head of Research @ Signal Sciences. Author, LinkedIn Learning. Organizer, DevOps Days Austin, Serverless Days ATX, DevSecOps Days Austin. Author, DevSecOps Handbook.
3. Slides bit.ly
4. VERICA.IO: An enterprise platform for Continuous Verification, using Chaos Engineering principles, to take a proactive and measured approach to preventing availability and security incidents.
5. DEVSECOPS
6. credit to Josh Zimmerman, the original DevOps Jack Handy
7. DEVSECOPS
8. BUT, WHY?
9. FIRST, UNDERSTAND DEVOPS AND HOW WE GOT HERE
10. TEH CLOUD
11. DATA: So Big Right Now
12. ALL THE WAY DOWN
13. YASSS! OPS (and security) FOR FREE!
14. DevOps grew hand-in-hand with cloud
15. DEVOPS WAS INEVITABLE
16. DevOps is the inevitable result of needing to do efficient operations in a distributed computing and cloud environment. (Tom Limoncelli)
17. DevOps is an epistemological breakthrough joining disparate people around a common problem
18. DevOps was needed to fix the inequitable distribution of labor
19. 10:1 DEV:OPS
20. DevOps is not a technological problem. DevOps is a business problem. - Damon Edwards
21. DevOps is just another waypoint on Agile's journey across the business
22. DevOps is the application of Agile methodology to system administration — The Practice of Cloud System Administration book
23. Ok DevOps, that's fine. But why DevSecOps?
24. I ASKED MYSELF THIS SAME QUESTION
25. [image-only slide]
26. Security finds itself in the same position that operations did in the movement of DevOps
27. 100:10:1 DEV:OPS:SEC
28. SILOIZATION
29. Security, like ops, struggles to provide value in most organizations
30. Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we're protecting the wrong things, and we're hurting productivity in the process.
31. [Security by risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work
32. While engineering teams are busy deploying leading-edge technologies, security teams are still focused on fighting yesterday's battles. (SANS 2018 DevSecOps Survey)
33. 95% OF SECURITY PROFESSIONALS SPEND THEIR TIME PROTECTING LEGACY APPLICATIONS
34. TECH BURDEN CAN ONLY BE TRANSFERRED
35. SECURITY BURDEN IS NOT CREATED OR DESTROYED, MERELY TRANSFERRED
36. "MANY SECURITY TEAMS WORK WITH A WORLDVIEW WHERE THEIR GOAL IS TO inhibit change AS MUCH AS POSSIBLE"
37. New technology (cloud, k8s, serverless, ...) and increased organizational focus on software delivery is why we need DevSecOps.
38. A Highly Desirable New Breed: THE DEVSECOP
39. ...not a tool. ...not a CI/CD pipeline with security in it. ...can't be bought on an expo floor.
40. An inclusive person participating in the movement of security into devops.
41. DEVSECOPS
42. DEVSECOPS FRAMEWORK: MEASURE
43. MEASURE DEVSECOPS: Maker Driven, Experimenting, Automating, Safety Aware, Unrestrained Sharing, Ruggedizing, Empathy First
44. MEASURE
45. MAKER DRIVEN
46. We are software engineers who specialize in a specific discipline: security
47. SECURITY MUST BE ABLE TO WRITE CODE
48. Why is this considered a hot take in our industry?
49. With all the resources available today...
50. ADOPT THE MAKER MINDSET
51. SECURITY ALREADY USES DSLS
52. The Entire Security Team Must Write Code (Shannon Lietz, Intuit; Aaron Rinehart, United Health Group)
53. WHY IS THIS IMPORTANT? ▸ Empathy building ▸ Familiarity with tools ▸ Able to move up the pipeline
54. A BUG IS A BUG IS A BUG
55. Defect density studies range from 0.5 to 10 defects per KLOC
56. DEFECT DENSITY IS NEVER ZERO
57. But my application is just a few lines of code
58. 222 lines of code, 5 direct dependencies, 54 total dependencies (including indirect) (example from snyk.io)
59. 460,046 LOC (the application plus its dependency tree)
60. You cannot train developers to write secure code
61. INSTEAD, FOCUS ON METHODS DEVELOPERS USE ▸ TDD/BDD/ATDD ▸ Meaningful comments/commits ▸ Code smells, refactoring ▸ Instrumentation
62. The goal should be to come up with a set of automated tests that probe and check security configurations and runtime system behavior for security features that will execute every time the system is built and every time it is deployed.
63. Security is connected with quality
64. MAKER DRIVEN means ▸ See security as part of engineering ▸ View quality as a way to bring security in ▸ Use code, not vendors, to solve problems
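One way to make slide 62 concrete, as an added example that is not code from the talk, Verica or Signal Sciences: a single policy for security headers and cookie flags, checked at build time against a recorded response and at deploy time against the live URL. The policy thresholds, the function names and the two sample responses are assumptions made for illustration.

```python
"""Automated security-configuration checks that run at build and deploy time.

Added example, not code from the talk or from Verica/Signal Sciences. The policy
below, the function names and the two sample responses are assumptions made for
illustration; tune REQUIRED_HEADERS to the site under test.
"""
import re
import urllib.request
from http.cookies import SimpleCookie

HSTS_MIN_AGE = 15552000  # 180 days, in seconds


def _hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= HSTS_MIN_AGE


def _csp_ok(value):
    """Require a default-src that is neither a wildcard nor 'unsafe-inline'."""
    directives = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    default = directives.get("default-src", [])
    return bool(default) and "*" not in default and "'unsafe-inline'" not in default


# Header name -> predicate on its value. Every production response must pass all of them.
REQUIRED_HEADERS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}
# Headers that only help an attacker fingerprint the stack.
FORBIDDEN_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def _cookie_findings(set_cookie_values):
    findings = []
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            for flag in ("secure", "httponly", "samesite"):
                if not morsel[flag]:
                    findings.append(f"cookie {name}: missing {flag}")
    return findings


def check_headers(header_pairs):
    """Return a list of findings for a response given as [(name, value), ...].

    An empty list means the response satisfies the policy.
    """
    present, set_cookies = {}, []
    for name, value in header_pairs:
        if name.lower() == "set-cookie":
            set_cookies.append(value)
        else:
            present[name.lower()] = value
    findings = []
    for key, ok in REQUIRED_HEADERS.items():
        if key not in present:
            findings.append(f"missing {key}")
        elif not ok(present[key]):
            findings.append(f"weak {key}: {present[key]}")
    for key in FORBIDDEN_HEADERS:
        if key in present:
            findings.append(f"leaks {key}: {present[key]}")
    findings.extend(_cookie_findings(set_cookies))
    return findings


def check_live(url):
    """Deploy-time variant: run the same policy against a running service."""
    with urllib.request.urlopen(url) as resp:
        return check_headers(resp.headers.items())


# Constructed responses for the build-time check: a typical default and a hardened one.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Server", "nginx/1.18.0"),
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' https://cdn.example.com"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for finding in check_headers(WEAK_RESPONSE):
        print(finding)
```

Wiring the same `check_headers` into both the build (recorded response) and the post-deploy smoke test (`check_live`) is the point: one policy, run every time, with a non-empty findings list failing the pipeline.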
65. MEASURE
66. EXPERIMENTING (AND LEARNING)
67. BENEFITS TO EXPERIMENTATION ▸ Measured, repeatable ▸ Results based on your needs
68. [image-only slide]
69. DETECT WHAT MATTERS ▸ Account takeover attempts ▸ Areas of the site under attack ▸ Most likely vectors of attack ▸ Business logic flows ▸ Abuse and misuse
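The first bullet on slide 69, worked as an added example that is not code from the talk or Signal Sciences: detection logic run over authentication logs to surface account-takeover attempts. The log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
"""Detecting account-takeover attempts in authentication logs.

Added example, not from the talk or Signal Sciences. The log format, thresholds
and function names are assumptions; SAMPLE_LOG is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth events: ISO timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2020-03-01T10:00:01Z 203.0.113.7 alice FAIL
2020-03-01T10:00:02Z 203.0.113.7 bob FAIL
2020-03-01T10:00:03Z 203.0.113.7 carol FAIL
2020-03-01T10:00:04Z 203.0.113.7 dave FAIL
2020-03-01T10:00:05Z 203.0.113.7 erin FAIL
2020-03-01T10:00:06Z 203.0.113.7 frank OK
2020-03-01T10:05:00Z 198.51.100.2 alice FAIL
2020-03-01T10:05:10Z 198.51.100.2 alice FAIL
2020-03-01T10:05:20Z 198.51.100.2 alice OK
2020-03-01T11:00:00Z 192.0.2.9 grace OK
"""

WINDOW = timedelta(minutes=10)
STUFFING_ACCOUNTS = 5   # distinct accounts one IP fails against within WINDOW
TAKEOVER_FAILURES = 2   # failures on one account from one IP before a success


def parse(log_text):
    """Return events sorted by time as (ts, ip, user, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return sorted(events)


def detect(events):
    """Return alerts as (kind, ip, detail) tuples.

    credential_stuffing:    one IP failing against many accounts (counted as distinct
                            accounts, not raw failures, so one user mistyping does not trip it)
    stuffing_success:       a login succeeds from an IP already flagged for stuffing
    success_after_failures: repeated failures on an account, then a success, from one IP
    """
    alerts = []
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))

    for ip, evs in by_ip.items():
        flagged_at = None
        for i, (ts, user, outcome) in enumerate(evs):
            recent = [e for e in evs[: i + 1] if ts - e[0] <= WINDOW]
            if outcome == "FAIL":
                failed_accounts = {u for _, u, o in recent if o == "FAIL"}
                if flagged_at is None and len(failed_accounts) >= STUFFING_ACCOUNTS:
                    flagged_at = ts
                    alerts.append(("credential_stuffing", ip, sorted(failed_accounts)))
            else:
                prior_fails = sum(1 for t, u, o in recent if u == user and o == "FAIL" and t < ts)
                if prior_fails >= TAKEOVER_FAILURES:
                    alerts.append(("success_after_failures", ip, user))
                if flagged_at is not None and ts - flagged_at <= WINDOW:
                    alerts.append(("stuffing_success", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(*alert)
```

The actionable alert is `stuffing_success`: it names the account that the sprayed credentials actually opened, which is the session to kill first. The list scan inside the loop is fine for a batch job; a streaming version keeps a per-IP deque bounded by `WINDOW`.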
70. We can't cede home field advantage — Zane Lackey
71. EXPERIMENTING NECESSITATES UNDERSTANDING STEADY STATE
72. RESOURCES ▸ Shannon Lietz (@devsecops) ▸ DOES 2018 talk: youtu.be/yuOuVC8xljw
73. MEASURE
74. AUTOMATION OF THINGS
75. [image-only slide]
76. [image-only slide]
77. AUTOMATION PROVIDES FEEDBACK ▸ Pre-commit ▸ At build ▸ Deploy ▸ Runtime
78. [image-only slide]
79. Continuous Delivery is how little you can deploy at one time — Jez Humble & David Farley
80. At Signal Sciences, we optimized total cycle time, from code commit to running in prod
81. 15,000 DEPLOYS IN 3.5 YEARS
82. SECURITY IN THE PIPELINE ▸ Software composition analysis ▸ Language linters, git-hound, ... ▸ Scanners, gauntlt ▸ Monitoring and telemetry
83. [Deploys] can be treated as standard or routine changes that have been pre-approved by management, and that don't require a heavyweight change review meeting.
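The pre-commit stage from slide 77 and the git-hound bullet on slide 82, as an added example that is not git-hound's code or anything from the talk: a secret scanner over the staged diff that fails the commit when a credential pattern appears in an added line. The patterns, the entropy threshold, the allow-list marker and the sample diff are assumptions.

```python
"""Pre-commit secret scan over staged diff hunks (git-hound style).

Added example, not from the talk and not git-hound's code. The patterns, the
allow-list marker, the entropy threshold and SAMPLE_DIFF are assumptions made
for illustration.
"""
import math
import re
import sys

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name-like identifier assigned a quoted literal; checked for entropy below
    "generic_assignment": re.compile(
        r"(?i)(?:secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
ALLOW_MARKER = "# allow-secret"  # put this on a line to accept a reviewed false positive
ENTROPY_MIN = 3.5                # bits per character; random tokens sit near 4 and above
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def _match_rules(line):
    """Return the rule names that fire on one added line."""
    hits = []
    for name, rx in PATTERNS.items():
        m = rx.search(line)
        if not m:
            continue
        # placeholders like "changeme" have low entropy; real tokens do not
        if name == "generic_assignment" and shannon_entropy(m.group(1)) < ENTROPY_MIN:
            continue
        hits.append(name)
    return hits


def scan_diff(diff_text):
    """Return (path, line_number, rule) for every added line that looks like a secret."""
    findings = []
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        m = HUNK_RE.match(raw)
        if m:
            lineno = int(m.group(1))
            continue
        if raw.startswith("-"):
            continue                       # removed lines and the "---" header
        if raw.startswith("+"):
            line = raw[1:]
            if ALLOW_MARKER not in line:
                findings.extend((path, lineno, rule) for rule in _match_rules(line))
            lineno += 1
        elif raw.startswith(" "):
            lineno += 1                    # unchanged context, only present without -U0
    return findings


# Constructed staged diff: a real-looking AWS key, a placeholder, a random token, an allowed one.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -10,0 +11,4 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "changeme"
+API_TOKEN = "q8Zt2LmP9xWv4Kc7Rb1NyHd5Sg3F"
+TEST_TOKEN = "q8Zt2LmP9xWv4Kc7Rb1NyHd5Sg3F"  # allow-secret
"""

if __name__ == "__main__":
    hits = scan_diff(sys.stdin.read())
    for path, lineno, rule in hits:
        print(f"{path}:{lineno}: possible {rule}")
    sys.exit(1 if hits else 0)
```

Install it as `.git/hooks/pre-commit` with `git diff --cached -U0 | python3 check_secrets.py`; `-U0` keeps context lines out of the diff so only newly added text is scanned. The same script runs unchanged at build time over `git diff origin/main...HEAD`, which is the "move up the pipeline" point from slide 53.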
84. RESOURCES
85. linkedin.com/learning/devsecops-building-a-secure-continuous-delivery-pipeline
86. linkedin.com/learning/devsecops-automated-security-testing
87. MEASURE
88. SAFETY FOR COMPLEX SYSTEMS
89. Two Stories of Failure
90. A PERSONAL PLIGHT
91. [image-only slide]
92. 5 Whys and linear questioning are flawed
93. WE ABSTRACT COMPLEXITY ▸ Human beings ▸ Societal issues ▸ Psychological issues ▸ Cognitive load
94. SOFTWARE DEALS WITH COMPLEXITY THROUGH ABSTRACTION
95. ROOT CAUSE IS A MYTH ▸ Lacks the full picture ▸ Blame culture ▸ Forgets organizational decisions ▸ Puts the focus on the event over the situation ▸ Complex systems are not linear
96. Drifting into failure is a gradual, incremental decline into disaster driven by environmental pressure, unruly technology and social processes that normalize growing risk. No organization is exempt from drifting into failure.
97. BOEING 737 MAX ▸ The Maneuvering Characteristics Augmentation System (MCAS) keeps the bigger plane from stalling ▸ MCAS is automation software ▸ In certain situations, MCAS commands nose-down trim without notifying the pilots
98. These events unfolded in minutes, at low altitudes right after takeoff, asking pilots to realize, understand, and respond to why their aircraft was silently fighting their inputs
99. in a context of being told that the "system" they were operating was pretty much like every other 737 they'd been likely to operate in their careers, ever. — @jpaulreed
100. This new safety automation is capable of overriding operator input in silence and in ways that were poorly documented by designers, unclear to operators, and promised by developers
101. that nobody had to get new training on — a selling point — and this safety automation proved to cause the system to become critically unrecoverable in, at least, one case. — @jpaulreed
102. HIGH-SPEED DECISIONS ABOUT SYSTEMS. SOUND FAMILIAR?
103. SOFTWARE IS EATING THE WORLD
104. The growth of complexity in society has got ahead of our understanding of how complex systems work and fail
105. [image-only slide]
106. [image-only slide]
107. Operations and Security's burden to rationalize system models
108. Failures are a systems problem because there is not enough safety margin. — @adrianco
109. Failure is an inevitable by-product of a complex system's normal functioning
110. WHERE SECURITY FITS ▸ Add safety margin ▸ Telemetry and instrumentation ▸ Blameless retros ▸ ...more to explore in this area
111. RESOURCES ▸ Drift into Failure by Dekker ▸ Understanding Human Error video series youtu.be/Fw3SwEXc3PU ▸ @jpaulreed coverage of Boeing medium.com/@jpaulreed ▸ Richard Cook paper bit.ly/2ydDQS2
112. MEASURE
113. UNRESTRAINED SHARING
114. Culture is the most important aspect to devops succeeding in the enterprise — Patrick Debois
115. DevSecOps is the extension of the DevOps culture for the inclusion of Security
116. A security team that embraces openness about what it does, and why, spreads understanding. — Rich Smith
117. SHARING AFFECTS CULTURE
118. Unrestrained sharing goes against security's standard operating procedure
119. IT MIGHT FEEL UNCOMFORTABLE
120. SHARING BREAKS DOWN SILOS
121. FOUR KEYS TO CULTURE ▸ Mutual understanding ▸ Shared language ▸ Shared views ▸ Collaborative tooling
122. [image-only slide]
123. SECURITY SHARES THROUGH ▸ Making the invisible visible ▸ Security observability ▸ APIs, webhooks, dev tooling
124. Security observability gives applications the ability to expose the attacks that are happening below the surface, with feedback to devs, ops, and security.
125. A PAVED ROAD APPROACH ▸ Security as normal ▸ Security is "free"
126. THIS INCLUDES THE AUDITORS
127. RESOURCES ▸ The Phoenix Project ▸ Agile Application Security ▸ dearauditor.org
128. MEASURE
129. RUGGEDIZATION
130. SOFTWARE BILL OF MATERIALS: KNOW WHAT YOU HAVE
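The dependency arithmetic of slides 58 and 59 (5 direct, 54 total) and the bill of materials on slide 130 come from the same data, so here is one added example serving both; it is not code from the talk or from snyk.io. It flattens a constructed npm lockfile (lockfileVersion 3 layout) into components, counts direct versus transitive packages, and emits a minimal CycloneDX-shaped SBOM that can be queried when the next advisory lands. Package names, versions and helper names are assumptions.

```python
"""Direct vs transitive dependency counts from a lockfile, and a minimal SBOM.

Added example, not from the talk or snyk.io. SAMPLE_LOCK is a constructed npm
lockfile (lockfileVersion 3 layout); package names, versions and the helper
names are assumptions.
"""
import json
from collections import defaultdict

SAMPLE_LOCK = json.dumps({
    "name": "tiny-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-kit": "^2.0.0", "logger": "^1.1.0"},
             "devDependencies": {"test-runner": "^5.0.0"}},
        "node_modules/web-kit": {"version": "2.3.1",
                                 "dependencies": {"parser": "^4.0.0", "utils": "^1.0.0"}},
        "node_modules/logger": {"version": "1.1.4", "dependencies": {"utils": "^0.9.0"}},
        "node_modules/parser": {"version": "4.2.0"},
        "node_modules/utils": {"version": "1.0.2"},
        # a second, older copy of utils nested under logger because the ranges conflict
        "node_modules/logger/node_modules/utils": {"version": "0.9.8"},
        "node_modules/test-runner": {"version": "5.0.1", "dev": True,
                                     "dependencies": {"@scope/helper": "^0.1.0"}},
        "node_modules/@scope/helper": {"version": "0.1.0", "dev": True},
    },
})


def load_components(lock_text):
    """Flatten the lockfile into one record per installed package copy."""
    lock = json.loads(lock_text)
    root = lock["packages"][""]
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    components = []
    for path, meta in lock["packages"].items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[1]   # nested copies sit under .../node_modules/<name>
        components.append({
            "name": name,
            "version": meta["version"],
            "path": path,
            "direct": name in direct and "/node_modules/" not in path,
            "dev": bool(meta.get("dev", False)),
        })
    return components


def summarize(components):
    """The slide-58 numbers: direct, indirect, total, plus names installed at several versions."""
    versions = defaultdict(set)
    for c in components:
        versions[c["name"]].add(c["version"])
    total = len({(c["name"], c["version"]) for c in components})
    direct = sum(1 for c in components if c["direct"])
    return {
        "direct": direct,
        "indirect": total - direct,
        "total": total,
        "multi_version": sorted(n for n, v in versions.items() if len(v) > 1),
    }


def purl(name, version):
    """Package URL for an npm component; scoped names encode '@' as %40."""
    return f"pkg:npm/{name.replace('@', '%40')}@{version}"


def to_cyclonedx(components):
    """Minimal CycloneDX 1.4 document: enough for a scanner or a grep during an incident."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": [
            {"type": "library", "name": c["name"], "version": c["version"],
             "purl": purl(c["name"], c["version"]),
             "scope": "excluded" if c["dev"] else "required"}
            for c in components
        ],
    }


def affected_paths(components, name, bad_versions):
    """Every install location of a vulnerable version, nested copies included."""
    return [c["path"] for c in components if c["name"] == name and c["version"] in bad_versions]


if __name__ == "__main__":
    comps = load_components(SAMPLE_LOCK)
    print(summarize(comps))
    print(json.dumps(to_cyclonedx(comps), indent=2))
```

The nested `utils@0.9.8` is the case worth noticing: a check that only looks at top-level `node_modules` reports one `utils` and misses the older copy, which is exactly what `affected_paths` is for once an advisory names a version range.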
131. FAVOR SHORT-LIVED SYSTEMS: CATTLE, NOT PETS
132. DIE FRAMEWORK ▸ Distributed ▸ Immutable ▸ Ephemeral ▸ source: @sounilyu
133. RUGGEDIZATION IN 2020 ▸ Deception ▸ Chaos engineering
134. DECEPTION ▸ Honeypots, tarpits, mantraps ▸ Simple to get started (HTTP headers) ▸ HoneyPy, DeceptionLogic
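"Simple to get started (HTTP headers)" on slide 134, as an added example that is not code from the talk, HoneyPy or DeceptionLogic: every response carries a decoy header advertising a path nothing legitimate ever links to, honeytokens are planted where only an attacker would read them, and any request that touches either is a high-fidelity alert. The header and path names, the token format, the request shape and the sample traffic are assumptions.

```python
"""Deception with HTTP headers and honeytokens.

Added example, not from the talk, HoneyPy or DeceptionLogic. The header and path
names, the token format, the request shape and the alert tuples are assumptions;
the requests at the bottom are constructed.
"""
import hashlib
import hmac
import re

DECOY_KEY = b"per-deployment-secret"            # assumption: rotate it to void every planted token
DECOY_PATH = "/admin/backup.php"                # nothing legitimate ever links here
DECOY_HEADER = ("X-Admin-Backup", DECOY_PATH)   # the "leak" attached to every response
TOKEN_RE = re.compile(r"hp_([a-z]+)_([0-9a-f]{16})")


def mint_token(source):
    """Honeytoken tagged with where it is planted ("htmlcomment", "robotstxt", ...).

    The HMAC tag lets inspect_request tell a token we planted from random noise,
    and the source tells the responder where the attacker found it.
    """
    tag = hmac.new(DECOY_KEY, source.encode(), hashlib.sha256).hexdigest()[:16]
    return f"hp_{source}_{tag}"


def find_planted_token(value):
    """Return the planting source if value carries a genuine honeytoken, else None."""
    for source, tag in TOKEN_RE.findall(value):
        if hmac.compare_digest(tag, mint_token(source).rsplit("_", 1)[1]):
            return source
    return None


def decorate_response(headers):
    """Attach the decoy header; browsers ignore it, scanners and curious humans read it."""
    return list(headers) + [DECOY_HEADER]


def inspect_request(req):
    """Return alerts for a request dict {client_ip, method, path, headers}.

    Every alert is high-fidelity: no legitimate user knows DECOY_PATH or holds a token.
    """
    alerts = []
    if req["path"] == DECOY_PATH:
        alerts.append(("decoy_path", req["client_ip"], f"{req['method']} {req['path']}"))
    for header in ("authorization", "cookie", "x-admin-token"):
        source = find_planted_token(req["headers"].get(header, ""))
        if source:
            alerts.append(("honeytoken", req["client_ip"], f"{header} token planted in {source}"))
    return alerts


# Constructed traffic: a normal user, a scanner that followed the decoy header,
# someone replaying the token planted in an HTML comment, and a forged token.
NORMAL = {"client_ip": "192.0.2.10", "method": "GET", "path": "/", "headers": {}}
SCANNER = {"client_ip": "203.0.113.5", "method": "GET", "path": DECOY_PATH, "headers": {}}
REPLAY = {"client_ip": "198.51.100.8", "method": "GET", "path": "/api/export",
          "headers": {"authorization": "Bearer " + mint_token("htmlcomment")}}
FORGED = {"client_ip": "198.51.100.9", "method": "GET", "path": "/api/export",
          "headers": {"authorization": "Bearer hp_htmlcomment_0000000000000000"}}

if __name__ == "__main__":
    print(decorate_response([("Content-Type", "text/html")]))
    for req in (NORMAL, SCANNER, REPLAY, FORGED):
        print(req["client_ip"], inspect_request(req))
```

Plant `mint_token("htmlcomment")` inside an HTML comment and `mint_token("robotstxt")` next to a `Disallow:` line; the source in the alert then tells you which breadcrumb the attacker followed. Do not hand out decoy cookies with `Set-Cookie`: browsers echo those back on every request and the alert loses its fidelity.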
135. We're moving from disaster recovery to chaos engineering to resiliency — @adrianco
136. [Chaos Engineering is] empirical rather than formal. We don't use models to understand what the system should do. We run experiments to learn what it does. — Michael Nygard, Release It! 2nd ed.
137. CHAOS ENGINEERING ▸ Experiments that span eng and security ▸ Manual opt-out ▸ Valuable learning ▸ ChaoSlingr, CHAP, Chaos Monkey
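The experiment loop behind slides 71 and 137 (steady state, hypothesis, inject, observe, roll back, with a manual opt-out), as an added example in the spirit of ChaoSlingr; it is not code from the talk, Verica or ChaoSlingr. The in-memory security-group model, both detectors and the harness are assumptions; a real run swaps `inject` and `rollback` for calls to a sandbox account's cloud API.

```python
"""A security chaos experiment: inject a misconfiguration, see whether detection fires, roll back.

Added example in the spirit of ChaoSlingr; not code from the talk, Verica or ChaoSlingr.
The in-memory security-group model, both detectors and the harness are assumptions;
a real run targets a sandbox account through the cloud provider's API.
"""
import copy

OPT_OUT = {"halt": False}    # manual opt-out: anyone can flip this to stop the next run

# Constructed steady state: security-group name -> ingress rules.
STEADY_STATE = {
    "web-sg": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}],
    "db-sg": [{"port": 5432, "cidr": "10.0.1.0/24"}],
}
SENSITIVE_PORTS = {22, 3389, 3306, 5432}


def fresh_state():
    """A private copy of the steady state, so experiments never share mutable rules."""
    return copy.deepcopy(STEADY_STATE)


def detect_open_admin_ports(groups):
    """The control under test: any sensitive port reachable from the whole internet."""
    return sorted((name, rule["port"]) for name, rules in groups.items()
                  for rule in rules
                  if rule["port"] in SENSITIVE_PORTS and rule["cidr"] == "0.0.0.0/0")


def detect_ssh_only(groups):
    """A weaker control, written the way many first detections are: SSH only."""
    return sorted((name, rule["port"]) for name, rules in groups.items()
                  for rule in rules if rule["port"] == 22 and rule["cidr"] == "0.0.0.0/0")


def inject(groups, group, port):
    groups[group].append({"port": port, "cidr": "0.0.0.0/0", "chaos": True})


def rollback(groups):
    for rules in groups.values():
        rules[:] = [r for r in rules if not r.get("chaos")]


def run_experiment(groups, detector, group="web-sg", port=22):
    """Steady state -> hypothesis -> inject -> observe -> roll back. Returns a result dict."""
    result = {"hypothesis": f"{port}/tcp opened to 0.0.0.0/0 on {group} is detected",
              "aborted": False, "steady_state_ok": None, "detected": None, "restored": None}
    if OPT_OUT["halt"]:
        result["aborted"] = True
        return result
    snapshot = copy.deepcopy(groups)
    result["steady_state_ok"] = detector(groups) == []
    if not result["steady_state_ok"]:
        return result           # never experiment on a system already out of steady state
    try:
        inject(groups, group, port)
        result["detected"] = (group, port) in detector(groups)
    finally:
        rollback(groups)        # the blast radius ends with the experiment, even on error
    result["restored"] = groups == snapshot
    return result


if __name__ == "__main__":
    for detector in (detect_open_admin_ports, detect_ssh_only):
        for port in (22, 3389):
            print(detector.__name__, run_experiment(fresh_state(), detector, port=port))
```

Running the same hypothesis against both detectors is where the learning is: `detect_ssh_only` passes the port-22 experiment and silently fails the RDP one, which no amount of reading the detection rule would have made as obvious as running it.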
138. RESOURCES ▸ Aaron Rinehart's talk at RSA youtu.be/wLlME4Ve1go ▸ Release It! 2nd ed., Nygard ▸ Phillip Maddux's talk: youtu.be/k81xKjCEeqE ▸ Herb Todd's talk: youtu.be/Cf_XXmRLnRQ
139. MEASURE
140. EMPATHY-BASED TEAMS
141. "those stupid developers" — Security
142. "you want a machine powered off and unplugged" — Developer
143. DON'T BE A BLOCKER, BE AN ENABLER
144. MEASURE DEVSECOPS: Maker Driven, Experimenting, Automating, Safety Aware, Unrestrained Sharing, Ruggedizing, Empathy First
145. SHARE YOUR STORY: book@devsecops.org
146. Slides bit.ly
