DevSecOps - Building Rugged Software

Post on 15-Apr-2017


1

DevSecOps: Building Rugged Software

Shannon Lietz

Copyright © DevSecOps Foundation 2015-2016

2

What's Happening in the World?

• DevOps
• Public Cloud
• Agile
• Scrum
• Lean
• Low-Code
• No-Code
• NoOps
• …

https://www.google.com/trends/

3

A History Lesson – Google Trends Research

• Several years after the Agile Manifesto, DevOps.com was registered in 2004
• Google searches for "DevOps" started to rise in 2010
• Major influences:
  • Saving your Infrastructure from DevOps / Chicago Tribune
  • DevOps: A Culture Shift, Not a Technology / InformationWeek
  • DevOps: A Sharder's Tale from Etsy
  • DevOps.com articles
• RuggedSoftware.org was registered in 2010
• As of 2013, DevSecOps is on the map…

4

Who's doing Enterprise DevOps?

5

What's the business benefit?

Business strategy is achieved with the collaboration of all departments and providers in service to the customer, who requires better, faster, cheaper, secure products and services.

6

What Hinders Secure Innovation?

1. Manual processes & meeting culture
2. Point-in-time assessments
3. Friction for friction's sake
4. Contextual misunderstandings
5. Decisions being made outside of value creation
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)
...

7

Say What??!!

http://donsmaps.com/images22/mutta1200.jpg

8

The Need for Change

• Innovation is a competitive advantage
• Cloud has leveled the playing field
• Demand for customer-centric product development
• Continuous delivery of features and changes
• New generation of workers desire collaboration
• Speed and scale are necessary to handle demand
• Integration over invention to speed up results
• Security breaches are on the rise
• People desire to work with greater autonomy...
• Continuous Learning... How can I do better? & better?

commons.wikimedia.org

9

Culture Hacking

Traditional Security

Security is Everyone's Responsibility

DEVSECOPS

10

The Art of DevSecOps

• Security Engineering: Experiment, Automate, Test
• Security Operations: Hunt, Detect, Contain
• Compliance Operations: Respond, Manage, Train
• Security Science: Learn, Measure, Forecast

11

The Secure Software Supply Chain

• Gating processes are not Deming-like
• Security is a design constraint
• Decisions made by engineering teams
• Hard to avoid business catastrophes by applying one-size-fits-all strategies
• A security defect is more like a security "recall"

design → build → deploy → operate

Questions at each phase:
• How do I secure my app?
• What component is secure enough?
• How do I secure secrets for the app?
• Is my app getting attacked? How?

Typical gates for security checks & balances sit between the phases.

Mistakes and drift often happen after the design and build phases and result in weaknesses and, potentially, exploits.

The most costly mistakes happen during design.

Faster security feedback loop

12

From a Traditional Supply Chain…

"When will you solve my problem?!!"  "Can we discuss my feedback?"  "Did we pass the 98 point inspection?"

Thanks to Henrik Kniberg

13

To a Customer Centric Supply Chain

"Awesome! When can I bring my kids with me?"  "Does it come in red?"  "Can this be motorized to go faster and for longer trips?"  "Better than walking, for sure… but not by much..."

Security must shift left with a Science Mindset like all other Ops…

Thanks to Henrik Kniberg

14

Shifting Security to the Left means built-in

design → build → deploy → operate

How do I secure my app? / What component is secure enough? / How do I secure secrets for the app? / Is my app getting attacked? How?

Typical gates for security checks & balances sit between the phases. Mistakes and drift often happen after the design and build phases and result in weaknesses and, potentially, exploits. The most costly mistakes happen during design. Faster security feedback loop.

Security is a Design Constraint

15

Security is and has always been a Design Constraint…

• Everyone knows Maslow…
• If you can remember 5 things, remember these ->

"Apps & data are as safe as where you put it, what's in it, how you inspect it, who talks to it, and how it's protected…"

16

But Please No Checklists & Save the Trees!!

Page 3 of 433

Deforestation: https://www.flickr.com/photos/foreignoffice/3509228297

17

Security Governance Transparency via Continuous Improvement

https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf

18

Security as Code / Everything as Code

• Paper-resident policies do not stand up to constant cloud evolution and lessons learned.
• Translation from paper to code and back can lead to serious mistakes.
• Traditional security policies do not translate 1:1 to Full Stack deployments.

Data Center | Cloud Provider | Network

Data Center:
• Lock your doors
• Badge in
• Authorized personnel only
• Background checks

Cloud Provider:
• Choose strong passwords
• Use MFA
• Rotate API credentials
• Cross-account access

EVERYTHING AS CODE
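To make "security as code" concrete for the cloud-provider controls on this slide, here is an added example (not DevSecOps Foundation code, and not any cloud provider's real API): a Python script that expresses the strong-password, MFA, API-credential-rotation and cross-account-access controls as checks that run over an account snapshot. The snapshot format, the 14-character minimum, the 90-day key-age limit and the approved account id are all assumptions constructed for the example; a real pipeline would fill the snapshot from the provider's credential report or IAM API and fail the build on any finding.

```python
"""Policy-as-code checks for the cloud-provider controls on the slide:
strong passwords, MFA, rotated API credentials, restricted cross-account access.
Added example, not DevSecOps Foundation code. The snapshot shape below is
constructed for the example and is not a real provider API response."""
from datetime import datetime, timezone

# Policy thresholds: assumptions for this example, not values from the deck.
MAX_KEY_AGE_DAYS = 90
MIN_PASSWORD_LENGTH = 14
TRUSTED_ACCOUNTS = {"111111111111"}   # constructed: accounts allowed cross-account access

# Fixed clock so the results are reproducible.
NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)

# Constructed snapshot of one cloud account (illustrative shape only).
ACCOUNT_SNAPSHOT = {
    "password_policy": {"min_length": 8, "require_symbols": True},
    "users": [
        {"name": "alice", "mfa_enabled": True,
         "access_keys": [{"id": "KEY-A1", "created": "2016-04-15"}]},
        {"name": "bob", "mfa_enabled": False,
         "access_keys": [{"id": "KEY-B1", "created": "2015-11-01"}]},
    ],
    "roles": [
        {"name": "deploy-role", "trusted_accounts": ["111111111111"]},
        {"name": "legacy-role", "trusted_accounts": ["999999999999"]},
    ],
}


def check_password_policy(snapshot):
    """'Choose strong passwords' as code: the account-wide policy must meet the minimum."""
    pol = snapshot["password_policy"]
    findings = []
    if pol["min_length"] < MIN_PASSWORD_LENGTH:
        findings.append(f"password policy: min_length {pol['min_length']} < {MIN_PASSWORD_LENGTH}")
    if not pol.get("require_symbols", False):
        findings.append("password policy: symbols not required")
    return findings


def check_mfa(snapshot):
    """'Use MFA' as code: every user must have MFA enabled."""
    return [f"user {u['name']}: MFA not enabled" for u in snapshot["users"] if not u["mfa_enabled"]]


def check_key_rotation(snapshot, now=NOW):
    """'Rotate API credentials' as code: no access key older than MAX_KEY_AGE_DAYS."""
    findings = []
    for u in snapshot["users"]:
        for key in u["access_keys"]:
            created = datetime.strptime(key["created"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
            age = (now - created).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append(f"user {u['name']}: key {key['id']} is {age} days old (> {MAX_KEY_AGE_DAYS})")
    return findings


def check_cross_account(snapshot):
    """'Cross-account access' as code: roles may only trust approved accounts."""
    findings = []
    for role in snapshot["roles"]:
        for acct in role["trusted_accounts"]:
            if acct not in TRUSTED_ACCOUNTS:
                findings.append(f"role {role['name']}: trusts unapproved account {acct}")
    return findings


def evaluate(snapshot, now=NOW):
    """Run every control; returns {control: [findings]}, empty list means compliant."""
    return {
        "strong_passwords": check_password_policy(snapshot),
        "mfa": check_mfa(snapshot),
        "rotate_api_credentials": check_key_rotation(snapshot, now),
        "cross_account_access": check_cross_account(snapshot),
    }


if __name__ == "__main__":
    for control, findings in evaluate(ACCOUNT_SNAPSHOT).items():
        print(("PASS " if not findings else "FAIL ") + control)
        for finding in findings:
            print("   -", finding)
```

Because each control is a plain function returning findings, the same checks can run in CI against a staging account, on a schedule against production, and as a unit test against a snapshot, which is the point of moving the policy off paper.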

19

Example of Continuous Delivery + Security

Source Code → CI Server → Test & Scan → Artifacts → Deploy → Monitoring

DevOps Code - Creating Value & Availability

DevSecOps Code - Creating Trust & Confidence

20

Continuous Feedback

The Feedback Highway: Product Scrum Team

The Intel Highway: Security Testing & Data Platform, Security Team, Security Community

21

Continuous Security Engineering & Science

Monitor & Inspect Everything

Diagram labels: cloud accounts (S3, Glacier, EC2, CloudTrail) → ingestion → security tools & data → security science → insights; threat intel; security feedback loop; continuous response

22

Red Team, Security Operations & Science

API key exposure     -> 8 hrs
Default configs      -> 24 hrs
Security groups      -> 24 hrs
Escalation of privs  -> 5 d
Known vuln           -> 8 hrs

23

Security Decision Support

24

This Could Be Your Mean Time to Resolution…

MTTR: Days… 6 months
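Slides 21, 22 and 24 together describe one loop: ingest CloudTrail events, turn them into findings, respond inside a per-category window, and measure mean time to resolution. The following added example (not from the deck) sketches that loop in Python. The events are constructed; they reuse the real CloudTrail field names eventName, eventTime, userIdentity and requestParameters but flatten the nesting of requestParameters for readability. The response windows are the figures from the red team slide (8 hrs, 24 hrs, 5 d); the detection rules (a security group opened to 0.0.0.0/0, an AdministratorAccess policy attached to a user) and the resolution times are assumptions for the example.

```python
"""CloudTrail-style detection with response windows and MTTR.
Added example, not DevSecOps Foundation code. Events are constructed and use
a simplified requestParameters layout; field names are CloudTrail's."""
from datetime import datetime, timedelta
from statistics import mean

# Response windows from the red team slide; categories without a
# CloudTrail-based detector here are still listed so the table is complete.
RESPONSE_WINDOW = {
    "api_key_exposure": timedelta(hours=8),
    "default_configs": timedelta(hours=24),
    "security_groups": timedelta(hours=24),
    "escalation_of_privs": timedelta(days=5),
    "known_vuln": timedelta(hours=8),
}

# Constructed events (simplified CloudTrail shape).
EVENTS = [
    {"eventTime": "2016-05-02T09:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "bob"},
     "requestParameters": {"groupId": "sg-0001", "cidrIp": "0.0.0.0/0", "fromPort": 22}},
    {"eventTime": "2016-05-02T09:05:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"groupId": "sg-0002", "cidrIp": "10.0.0.0/8", "fromPort": 443}},
    {"eventTime": "2016-05-03T14:30:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"userName": "bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2016-05-03T15:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "alice"}, "requestParameters": {}},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def classify(event):
    """Map an event to a finding category from the slide, or None if benign."""
    name = event["eventName"]
    params = event.get("requestParameters", {})
    if name == "AuthorizeSecurityGroupIngress" and params.get("cidrIp") == "0.0.0.0/0":
        return "security_groups"          # world-open ingress rule
    if name == "AttachUserPolicy" and params.get("policyArn", "").endswith("/AdministratorAccess"):
        return "escalation_of_privs"      # user granted full admin
    return None


def detect(events):
    """Ingestion step: produce findings, each with a due time from its response window."""
    findings = []
    for ev in events:
        category = classify(ev)
        if category is None:
            continue
        opened = parse_time(ev["eventTime"])
        findings.append({
            "category": category,
            "actor": ev["userIdentity"]["userName"],
            "opened": opened,
            "due": opened + RESPONSE_WINDOW[category],
            "detail": ev["requestParameters"],
        })
    return findings


def mttr(findings, resolutions):
    """Mean time to resolution in hours over resolved findings (None if nothing resolved).
    resolutions maps (category, opened) -> resolved datetime."""
    hours = [(resolutions[(f["category"], f["opened"])] - f["opened"]).total_seconds() / 3600
             for f in findings if (f["category"], f["opened"]) in resolutions]
    return mean(hours) if hours else None


def overdue(findings, resolutions):
    """Findings resolved after their window, or not resolved at all."""
    late = []
    for f in findings:
        resolved = resolutions.get((f["category"], f["opened"]))
        if resolved is None or resolved > f["due"]:
            late.append(f)
    return late


# Constructed resolution times: the security group fix took 4 hours,
# the privilege escalation took 7 days (outside its 5-day window).
RESOLUTIONS = {
    ("security_groups", parse_time("2016-05-02T09:00:00Z")): parse_time("2016-05-02T13:00:00Z"),
    ("escalation_of_privs", parse_time("2016-05-03T14:30:00Z")): parse_time("2016-05-10T14:30:00Z"),
}

if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f"{f['category']:20} by {f['actor']:6} opened {f['opened']} due {f['due']}")
    print("MTTR (hours):", mttr(found, RESOLUTIONS))
    print("overdue:", [f["category"] for f in overdue(found, RESOLUTIONS)])
```

The due time is computed at detection, not at triage, so the feedback loop measures the whole window from the moment the change hit the account; the MTTR figure is what the slide suggests reporting, and the overdue list is what a security decision-support view would surface.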

25

Get Involved and Join the Community

• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on GitHub
• RuggedSoftware.org
• Compliance at Velocity