![Page 1: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/1.jpg)
The Road to RuggedShannon Lietz
![Page 2: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/2.jpg)
![Page 3: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/3.jpg)
Who I am• 25+ years Technology and
Security Experience • Most of my career has been
about being Rugged! • Background in Security R&D • Working with the Cloud before
it was called the “Cloud” • Manage my teams using DevOps
and Scrum • IR & Crisis Management
-- FOUNDER --
![Page 4: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/4.jpg)
Disclaimer
• Mistakes happen • The truth may be difficult to bear • Unknown unknowns will get discovered • Success means less 3am phone calls • Security is a broad topic • Rugged takes practice
![Page 5: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/5.jpg)
No one enjoys getting woken up to solve for someone else’s mistakes, especially security
breaches!!
Why is Rugged Important?
• Case for change is very compelling!
• Planning != Good Code, Less Security Breaches
• Perfection takes too long to get wrong
![Page 6: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/6.jpg)
This isn’t rugged or helpful…
• Double-click installer
• Click "Next" • Click "Next" • Click "Next" • Click "Next" • Click "Next" • Click "Next" • Click "Next"
• Click "Next" • Click "Next" • Click "Next" • Click "Next" • Click "Next" • Click "Next" • Click "Next" • Click "Next" • Click "Next"
• Click "Next" • Click "Next" • Enter credentials • Click "Next" • Click "Finish"
Page 3 of 267
Security Configuration Procedures V 3.6.0.1.1, January 2011
UBERSECRET
Frozen in Time
![Page 7: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/7.jpg)
And this just creates friction…
Why does it take so long for features?
?
YOU YOUR CUSTOMER
CISO
Hopefully it’s not going to be
another round of “No’s”…
![Page 8: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/8.jpg)
Which makes everyone…
Bang
Head
Here
![Page 9: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/9.jpg)
But - What if Security can be Rugged?
DevSecOps
Security Engineering
Experiment, Automate, Test
Security Operations
Hunt, Detect, Contain
Compliance Operations
Respond, Manage, Train
Security Science
Learn, Measure, Forecast
![Page 10: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/10.jpg)
Let’s Get Rugged!!!Problem Statement • DevOps requires continuous Deployments • Fast decision making is critical to DevOps success • Traditional Security just doesn’t scale or move fast enough…
Welcome DevSecOps!! • Customer focused Mindset • Scale, Scale, Scale • Objective Criteria • Proactive Hunting • Continuous Detection & Response
![Page 11: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/11.jpg)
What if Security were no longer just theory?
![Page 12: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/12.jpg)
What if you could checkSecurity via API? Or Self-Service?
• begin • (iam.client.list_role_policies(:role_name => role)[:policy_names]\ • - roledb.list_policies(role)).each do |policy| • log.warn("Deleting Policy \"#{policy}\", which is not part of the approved baseline.") • if policydiff("{}", • URI.decode(iam.client.get_role_policy(\ • :role_name => role, • :policy_name => policy • )[:policy_document]), • {:argv => ARGV, :diff => options.diff}) • end • options.dryrun ? nil : \ • iam.client.delete_role_policy( • :role_name => role, • :policy_name => policy • ) • end
Account Grade:
B Heal Account?
![Page 13: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/13.jpg)
Sign me up! What’s next?
Com
plia
nce
O
pera
tio
ns
Secu
rity
Ope
rati
o
ns
Secu
rity
Scien
ce
Secu
rity
Engin
eer
ing
Ops
SecDevAppSec
NEW
NEW
NEW
• Security as Code • Self-Service Testing • Red Team/Blue Team • Inline Enforcement • Analytics & Insights • Detect & Contain • Incident Response • Investigations • Forensics
![Page 14: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/14.jpg)
Migrate App Security into DevOps Teams
• Planning Security • Testing Features for
Security Defects • Integrating Security
Testing into CICD • Remediating Security
Issues
Scanners
Instrumentation
Secure Components
![Page 15: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/15.jpg)
Red Team Via Security Engineering
• #RedTeamMonday • Developing Secure Code Components • Reverse Engineering & Exploits • Increased Education • Mass Reconnaissance • Scoring & Prioritization
![Page 16: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/16.jpg)
Enforce in Real-time with Compliance Operations
• Metrics & Reporting • Discover Compliance
Issues in Real-time • Improve maturity of
controls • Prepare for Security
Operations & Red Team
![Page 17: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/17.jpg)
Blue Team via Security Operations
• Detect & Contain • Research Red Team Events • Keep Track of Threat Intel • Develop Monitoring & Alerting • Triage Events • Perform Forensics
![Page 18: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/18.jpg)
Data is Critical
insightssecurity sciencesecurity
tools & data
AWS accounts
S3
Glacier
EC2
CloudTrail
ingestion
threat intel
![Page 19: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/19.jpg)
Emerging Security Trends• Shortage of Security Professionals • Big companies are attempting to scale security to move
faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps &
Security: Joe Sullivan, Jason Chan, Gene Kim, Josh Corman • Introduction of DevSecOps at MIRCon in 2014 • SecDevOps at RSA 2015 was full day of dedicated content • LinkedIn People Search: 36 DevSecOps, 13 SecDevOps, 11
DevOpsSec, 33k+ Cloud Security
![Page 20: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/20.jpg)
![Page 21: The Road to Rugged - GOTO Conference · faster: Facebook, Netflix, LinkedIn, AWS, Intuit • Industry Leaders talking about the integration of DevOps & Security: Joe Sullivan, Jason](https://reader033.vdocuments.us/reader033/viewer/2022042221/5ec7e8179b761d7a4112afcf/html5/thumbnails/21.jpg)
Thanks !